Oct 26 2017

Analyzing Microsoft Office Zero-Day Exploit CVE-2017-11826: Memory Corruption Vulnerability

McAfee Labs has performed frequent analyses of Office-related threats over the years: In 2015, we presented research on the Office OLE mechanism; in 2016 at the BlueHat conference, we looked at the high-level attack surface of Office; and this year at the SYSCAN360 Seattle conference, we presented deep research on the critical Office “Moniker” zero-day vulnerabilities.

This month, Microsoft released an update for an Office zero-day attack. We examined an in-the-wild sample, and with this post we share our findings to help others understand the threat.

The sample arrives as an RTF file, and embeds at least three objects (through the control word “\object”). This is a memory corruption vulnerability, so it needs additional steps to archive the full exploitation.

1. The first object, in the following figure, shows that it loads a COM object whose CLASSID is D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731.

 

If we look into the Windows registry, we see that the COM DLL C:\Windows\system32\msvbvm60.dll will be loaded. The purpose of loading this DLL is that msvbvm60.dll is not compatible with address space layout randomization (ASLR), thus it can be used to bypass ASLR and data execution prevention (DEP) on older Office versions. (We will explain later.) This is not a new trick; researcher Parvez Anwar described this process in 2015.

2. The second object is a .docx file that employs the ActiveX.bin technique to spray the heap, also not a new trick. McAfee Labs first identified this exploitation technique in a zero-day attack discovery in 2013; our colleague Debasish Mandal discussed this technique in one of his recent posts.

3. The third object is the cause of this vulnerability. It is an embedded .docx file. When this .docx is rendered, a memory corruption vulnerability is triggered. Specifically, we have identified the problem is due to mishandling of nested tags in the Office Open XML format. The key tags follow:

With help from the first and the second steps, an attacker can hijack the program’s control flow to a predictable address in msvbvm60.dll’s code by exploiting the memory corruption vulnerability. This is the classic step of “stack pivot” for defeating ASLR and DEP. (See the next figure.) Following the return-oriented programming chain and shellcode comes the main payload, which we will not discuss in this post.

This exploitation technique works only on older Office versions. Since Office 2013, Microsoft has employed the security feature Forced-ASLR. As its name suggests, the feature forces the randomization of a module’s loading address even if the DLL is not ASLR compatible. Thus this in-the-wild attack can work only on Office 2010 and older versions. Nonetheless, because the underlying vulnerability does affect newer versions of Office, we recommend that all Office users install the official patch as soon as possible.

For McAfee NSP customers, we have released signature 0x45219c00 (UDS-HTTP: Microsoft Office Memory Corruption Vulnerability (CVE-2017-11826)) to prevent this attack.

Thanks to my colleague Bing Sun for his help with the analysis.

The post Analyzing Microsoft Office Zero-Day Exploit CVE-2017-11826: Memory Corruption Vulnerability appeared first on McAfee Blogs.

Oct 31 2016

Trick or Treat! Google issues warning of critical Windows vulnerability in wild

Enlarge / Win32k.sys has some problems. Again.

Recently, Google’s Threat Analysis Group discovered a set of zero-day vulnerabilities in Adobe Flash and the Microsoft Windows kernel that were already being actively used by malware attacks against the Chrome browser. Google alerted both Adobe and Microsoft of the discovery on October 21, and Adobe issued a critical fix to patch its vulnerability last Friday. But Microsoft has yet to patch a critical bug in the Windows kernel that allows these attacks to work—which prompted Google to publicly announce the vulnerabilities today.

“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released,” wrote Neel Mehta and Billy Leonard of Google’s Threat Analysis Group.”This vulnerability is particularly serious because we know it is being actively exploited.”

The bug being exploited could allow an attacker to escape from Windows’ security sandbox. The sandbox, which normally allows only user-level applications to execute, lets programs execute without needing administrator access while isolating what it can access on the local system through a set of policies.

Read 2 remaining paragraphs | Comments

Aug 26 2016

Trident: Trio of iOS zero-days being exploited in the wild

Users of iPhones and other iOS devices are advised to upgrade to the latest version of the operating system.

続きを読む
Aug 26 2016

Trident: Trio of iOS zero-days being exploited in the wild

Users of iPhones and other iOS devices are advised to upgrade to the latest version of the operating system.

続きを読む