Analysis of the Document Exploit Targeting CVE-2017-11826

Zero-Day Exploit (CVE-2017-11826): Memory Corruption Vulnerability

File Details

Filename cve-2017-11826.doc.bin
Size 680,268 Bytes
MD5 B2AE500B7376044AE92976D9E4B65AF8
SHA1 7352EA59DCD83C3A72784DC381A7B6B5616C6629
SHA256 CB3429E608144909EF25DF2605C24EC253B10B6E99CBB6657AFA6B92E9F32FB5


Static Analysis

Basic information

Microsoft's latest patch release fixed 62 vulnerabilities, including CVE-2017-11826, a critical zero-day vulnerability in all versions of Microsoft Office that was used to launch targeted attacks.

To control the memory content at address 0x088888EC, the attackers apply the popular heap spraying technique, implemented here with ActiveX components:

The exploit bypasses ASLR and DEP using a ROP chain built from gadgets in msvbvm60.dll. The msvbvm60.dll module is loaded from the RTF document with the help of a CLSID associated with this DLL:

Microsoft Office is prone to a memory-corruption vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.

The exploit for this vulnerability is an RTF document containing a DOCX document that exploits CVE-2017-11826 in the Office Open XML parser, as shown in Figure 1.

Technologies Affected

  • Microsoft Office Compatibility Pack SP3
  • Microsoft Office Online Server 2016
  • Microsoft Office Web Apps Server 2010 Service Pack 2
  • Microsoft Office Web Apps Server 2013 SP1
  • Microsoft Office Word Viewer
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft Word 2007 SP3
  • Microsoft Word 2010 Service Pack 2 (32-bit editions)
  • Microsoft Word 2010 Service Pack 2 (64-bit editions)
  • Microsoft Word 2013 RT Service Pack 1
  • Microsoft Word 2013 Service Pack 1 (32-bit editions)
  • Microsoft Word 2013 Service Pack 1 (64-bit editions)
  • Microsoft Word 2016 (32-bit edition)
  • Microsoft Word 2016 (64-bit edition)
  • Microsoft Word Automation Services

Structure of File

The RTF carries a compressed ZIP (the DOCX) with activeX1.bin embedded in it; the ROP chain and shellcode reside in that file, as shown in Figures 2 and 3 after the file structure below:

The following is the file structure of this document:

root:
rtf@:
hex@:
hex@:
hex@:
zip@:
zip:docProps/app.xml:
zip:docProps/core.xml:
zip:word/activeX/activeX1.bin:
    Filename activeX1.bin
    Size 2,095,616 Bytes
    MD5 79c60e0e4bb6a01d29c995120701baa4
    SHA1 6b26c3e41ed8bc37b10c5850cb0a06ffafb6fed8
    SHA256 c6de846128c9ee10e7894af47c2855e1dc3c7c19f1db0c960f882ab60f522a2e
zip:word/activeX/activeX1.xml:
zip:word/activeX/activeX28.xml:
zip:word/activeX/activeX35.xml:
zip:word/activeX/_rels/activeX1.xml.rels:
zip:word/document.xml:
zip:word/fontTable.xml:
zip:word/media/image1.wmf:
zip:word/settings.xml:
zip:word/styles.xml:
zip:word/theme/theme1.xml:
zip:word/webSettings.xml:
zip:word/_rels/document.xml.rels:
zip:[Content_Types].xml:
zip:_rels/.rels:
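As an added example (not code from the report or from the sample), the following Python script carves the hex-encoded ZIP out of an RTF container and checks the DOCX for the ActiveX heap-spray layout described above: several activeX*.xml parts alongside an oversized activeX*.bin. The RTF sample, the 100,000-byte size threshold and the 300,000-byte blob are constructed here for illustration; the real activeX1.bin is 2,095,616 bytes.

```python
import io
import re
import zipfile
from typing import Optional

def build_sample_rtf() -> bytes:
    """Constructed sample: a minimal OOXML zip with a large activeX1.bin and
    several activeX*.xml parts, hex-encoded and wrapped in an RTF shell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/activeX/activeX1.bin", b"\x41" * 300000)  # stand-in spray blob
        for i in (1, 28, 35):
            z.writestr(f"word/activeX/activeX{i}.xml", "<ax:ocx/>")
    hexdata = buf.getvalue().hex().encode("ascii")
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + hexdata + b"}}}"

# A long run of hex digits (whitespace allowed, since RTF wraps lines) is the embedding.
HEX_RUN = re.compile(rb"[0-9A-Fa-f\s]{64,}")

def carve_zip_from_rtf(rtf: bytes) -> Optional[bytes]:
    """Return the first hex-encoded ZIP (PK\\x03\\x04 header) found in an RTF body, or None."""
    for m in HEX_RUN.finditer(rtf):
        clean = re.sub(rb"\s+", b"", m.group(0))
        # Stray hex-looking characters before the blob can shift nibble alignment; try both.
        for off in (0, 1):
            part = clean[off:]
            part = part[: len(part) - len(part) % 2]
            blob = bytes.fromhex(part.decode("ascii"))
            idx = blob.find(b"PK\x03\x04")
            if idx != -1:
                return blob[idx:]
    return None

def triage_docx(zip_bytes: bytes, spray_threshold: int = 100_000) -> dict:
    """Count ActiveX XML parts and flag oversized activeX*.bin blobs: that pairing is
    the ActiveX heap-spray layout seen in this sample (the threshold is a chosen heuristic)."""
    findings = {"activex_xml": 0, "large_bins": [], "has_document": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if name == "word/document.xml":
                findings["has_document"] = True
            elif name.startswith("word/activeX/") and name.endswith(".xml"):
                findings["activex_xml"] += 1
            elif name.startswith("word/activeX/") and name.endswith(".bin") and info.file_size >= spray_threshold:
                findings["large_bins"].append((name, info.file_size))
    findings["suspicious"] = bool(findings["large_bins"]) and findings["activex_xml"] > 0
    return findings

if __name__ == "__main__":
    print(triage_docx(carve_zip_from_rtf(build_sample_rtf())))
```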

Figure 2

Figure 3

ROP-CHAIN (Activity)

The first part of the ROP chain sets the ESP register’s value:

The second part of the ROP chain is ignored; it was used to set the EIP register to 0x088883EC. The last ‘pop eax; retn’ gadget moves the address 0x729410D0 into EAX. This is the address of the VirtualProtect pointer, imported from Kernel32.dll, in the import area of msvbvm60.dll:

The VirtualProtect pointer is used in the next ROP gadget to call VirtualProtect(0x8888C90, 0x201, 0x40, 0x72A4C045). After this, control is transferred to the shellcode at address 0x8888F70, which decrypts and executes the embedded:

HEX-Byte Information

This document has an executable and a blank document embedded in it. Both, i.e. the executable and the blank document, are recovered with the same algorithm: a one-byte XOR whose key is incremented at each step, with the first few hundred bytes swapped. The shellcode then uses Windows Management Instrumentation functions to execute the payload.

The highlighted portions in the screenshots below (Figures 4 and 5) show the start marker (“BABABABABABABA”) and end marker (“BBBBBBBBBBBBBB”) of the executable, as well as its decryption key “BE-BA-FF-CA”:

Figure 4

Figure 5


Figure 6
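As an added example (not the report's own tooling), this Python code carves the bytes between the “BABABABABABABA” and “BBBBBBBBBBBBBB” markers and reverses the incrementing-key one-byte XOR described above. The report quotes the key as “BE-BA-FF-CA” but describes a one-byte cipher, so treating 0xBE as the starting key is an assumption, and brute_force_key shows how to recover the start key from the expected ‘MZ’ header when it is unknown; the swap of the first few hundred bytes is not specified on the page and is not implemented here.

```python
from typing import Optional

# Markers the report identifies around the embedded executable.
START_MARKER = b"BABABABABABABA"
END_MARKER = b"BBBBBBBBBBBBBB"

def carve_between_markers(data: bytes) -> Optional[bytes]:
    """Return the bytes between the start and end markers, or None if either is missing."""
    s = data.find(START_MARKER)
    if s == -1:
        return None
    body_start = s + len(START_MARKER)
    e = data.find(END_MARKER, body_start)
    return None if e == -1 else data[body_start:e]

def rolling_xor(data: bytes, key: int) -> bytes:
    """One-byte XOR whose key is incremented (mod 256) after every byte.
    XOR is its own inverse, so the same routine encodes and decodes."""
    out = bytearray(len(data))
    k = key & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ k
        k = (k + 1) & 0xFF
    return bytes(out)

def decode_embedded_exe(container: bytes, key: int) -> Optional[bytes]:
    """Carve and decode; accept the result only if it carries a PE 'MZ' header."""
    body = carve_between_markers(container)
    if body is None:
        return None
    plain = rolling_xor(body, key)
    return plain if plain.startswith(b"MZ") else None

def brute_force_key(container: bytes) -> Optional[int]:
    """The start key has only 256 possibilities; the one that yields 'MZ' is the answer."""
    body = carve_between_markers(container)
    if body is None or len(body) < 2:
        return None
    for key in range(256):
        if rolling_xor(body[:2], key) == b"MZ":
            return key
    return None

# Constructed sample: a fake PE stub encoded with start key 0xBE (first byte of the
# "BE-BA-FF-CA" value the report quotes; treating it as the start key is an assumption).
FAKE_EXE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 16
SAMPLE = b"\x00" * 32 + START_MARKER + rolling_xor(FAKE_EXE, 0xBE) + END_MARKER + b"\xff" * 8

if __name__ == "__main__":
    print(hex(brute_force_key(SAMPLE)), decode_embedded_exe(SAMPLE, 0xBE)[:4])
```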

Dynamic Analysis with SMA-LAB (Sequretek Malware Analysis Lab)

Some suspicious activity was captured by our SMA-LAB while we ran cve-2017-11826 inside our lab.

System Affected

Written files

  • C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
  • C:\Documents and Settings\Administrator\Local Settings\Temp\4EEB5E.dmp
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{7F7A30BA-D748-46B2-A476-2D8E2782E6E3}.tmp
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{28CD4C99-2601-4652-8A25-38B22AA1492C}.tmp
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{FAF48C0C-A70D-4B7C-8E52-6DBFFEF62B44}.tmp
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{076029AD-74CC-4088-9BA2-C5C85BEC58EA}.tmp

Registry keys written

  • HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\General\FirstRunTime

Registry keys read

  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Directories created

  • C:\Users\win7\AppData\Local\Microsoft\Office\12.0\

Processes created

  • /SOURCE 1 /LCID 1033 /WAITPID 2960
  • “C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE” -x -s 1392
  • /S /C {7BD29E01-76C1-11CF-9DD0-00A0C9034933} /I {000214E6-0000-0000-C000-000000000046} /X 0x401

Suspicious Activity Captured in Memory

Two events captured: allocation of read-write-execute memory (Figure 7 shows the API with its arguments)

Figure 7

Virtual machine detection (commonly used by attackers) (Figure 8 shows the API with its arguments)

Figure 8

Two .docx files are created in the Temporary Internet Files folder (the first is the malicious file with the .bin, the second is a clean, normal document), as shown in Figure 9

Exploit memory process

Indicators of Compromise (IoCs)

Filename cve-2017-11826.doc.bin
Size 680,268 Bytes
MD5 B2AE500B7376044AE92976D9E4B65AF8
SHA1 7352EA59DCD83C3A72784DC381A7B6B5616C6629
SHA256 CB3429E608144909EF25DF2605C24EC253B10B6E99CBB6657AFA6B92E9F32FB5


Filename ~WRO0000.doc (Figure 9)
Size 52,803 Bytes
MD5 614F47E459723F272447B99F1885C50E
SHA1 F1793587EEA532219DFBFD9C3D59C28FB9488CFE
SHA256 9209946F3012A37509CB703F55C58B552361F76507ACC4786F7B73F6C5092EAE


Filename activeX1.bin (Figure 3)
Size 2,095,616 Bytes
MD5 79c60e0e4bb6a01d29c995120701baa4
SHA1 6b26c3e41ed8bc37b10c5850cb0a06ffafb6fed8
SHA256 c6de846128c9ee10e7894af47c2855e1dc3c7c19f1db0c960f882ab60f522a2e


Recommendations

Run all software as a non-privileged user with minimal access rights.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.

Do not accept or execute files from untrusted or unknown sources.

Do not follow links provided by unknown or untrusted sources.

Implement multiple redundant layers of security.


Precautions

Updates are available.

We recommend that all Office users install the official patch as soon as possible.

[h**ps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11826]
