Microsoft Outlook vulnerability allows remote code execution
Microsoft recently released a series of patches fixing some of the most significant and critical bugs in its products, including updates to the Microsoft Office suite that resolve several security issues. Security researchers found that one of these vulnerabilities (CVE-2015-6172) allows remote code execution: an attacker sends a specially crafted Microsoft Office file as an email attachment through Outlook to the target user.
As mentioned in Microsoft's Security Bulletin,
This update addresses security vulnerabilities in Microsoft Office software. The most severe of these vulnerabilities allows remote code execution. If a user opens a specially crafted Microsoft Office file, attackers can exploit this vulnerability to run arbitrary code in the current user directory. A user account with lower permissions may be affected much less than a user with administrator permissions.
Impact Scope
This vulnerability mainly affects Outlook 2007, 2010, 2013 and 2016.
Outlook Security Mechanism
Let's first take a look at Outlook's general security mechanisms:
1. Outlook applies security checks to email attachments. For example, it automatically blocks executable files.
2. For file formats that carry security risks, Outlook warns the user with a pop-up window.
3. For Word, Excel and PowerPoint attachments, Outlook opens the document in its sandbox when you double-click it or preview it. The sandbox process can be confirmed by monitoring the related processes.
Vulnerability discovery
As described in the article "BadWinmail: enterprise-class attack vectors hidden in Microsoft Outlook" by security researcher Haifei Li, an attacker can exploit this vulnerability by sending a specific Office document via email and using Microsoft's Object Linking and Embedding (OLE) technology together with TNEF to bypass several of Outlook's security protections (such as previewing files in the sandbox), and thus carry out the attack.
FreeBuf encyclopedia
Object Linking and Embedding (OLE)
OLE is an object-oriented technology used to develop reusable software components and to create compound documents. A compound document embeds objects created by different source applications, each holding a different type of data, so it can combine text, sound, images, tables, applications and so on. In short, it is commonly used in Office Word, Excel, PowerPoint and similar applications. For example, when we insert an image into a PowerPoint presentation, we can double-click the image to open it, and the associated image application is launched in the process.
TNEF Technology
Its full name is Transport Neutral Encapsulation Format, a proprietary email attachment format used by Microsoft Outlook and Microsoft Exchange Server. Emails with TNEF encoding most commonly carry an attachment named winmail.dat or win.dat. TNEF appears in the email as a MIME attachment of type application/ms-tnef, and the attachment is named winmail.dat. It contains the complete email content and all attached files. Only MAPI clients (such as Outlook) can decode winmail.dat attachments; non-MAPI clients cannot decode TNEF and may display winmail.dat as an ordinary but useless file.
Now we continue the vulnerability analysis. Research found the following:
When the value of PidTagAttachMethod for an attachment inside the winmail.dat file is set to ATTACH_OLE (6), that attachment (a file carried inside winmail.dat) is treated as an OLE object. An attacker can therefore craft a specific TNEF email and send it to the target user to carry out the attack.
Let's take a closer look at the TNEF and winmail.dat file formats.
The content of the TNEF email is as follows:
The following is a sample winmail.dat file:
A malicious winmail.dat containing the OLE object looks like this:
The bytes "06 00" (the little-endian value 6, ATTACH_OLE) specify that the attachment contained in winmail.dat will be treated as an OLE object.
In this case, a TNEF-encoded email is created and then sent to the user. When the user reads the email, the embedded OLE object is loaded automatically, which triggers the attack. Testing showed that multiple OLE objects in one email can all be loaded automatically, which makes the problem even more serious.
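As an added example that is not part of the original article, the following Python code walks the attribute stream of a winmail.dat, decodes the MAPI property block of each attachment, and flags any attachment whose PidTagAttachMethod is ATTACH_OLE (6), which is exactly the condition described above. The attribute ids, the property tag layout and the checksum rule follow the MS-OXTNEF specification; the sample winmail.dat is constructed inline by the `build_sample` helper and is not a real capture. Named properties and rare property types are rejected with an error rather than guessed at.

```python
import struct

# Well-known constants from MS-OXTNEF and MAPI.
TNEF_SIGNATURE = 0x223E9F78
LVL_MESSAGE, LVL_ATTACHMENT = 0x01, 0x02
ATT_TNEF_VERSION = 0x00089006       # attTnefVersion
ATT_ATTACH_RENDDATA = 0x00069002    # attAttachRenddata: first attribute of every attachment
ATT_ATTACHMENT = 0x00069005         # attAttachment: MAPI properties of that attachment
PR_ATTACH_METHOD = 0x3705           # PidTagAttachMethod
PT_LONG, PT_STRING8, PT_UNICODE, PT_BINARY, PT_OBJECT = 0x0003, 0x001E, 0x001F, 0x0102, 0x000D
ATTACH_BY_VALUE, ATTACH_OLE = 1, 6
FIXED_SIZES = {0x0002: 2, 0x0003: 4, 0x0004: 4, 0x0005: 8, 0x0006: 8,
               0x0007: 8, 0x000B: 2, 0x0014: 8, 0x0040: 8}
VARIABLE_TYPES = {PT_STRING8, PT_UNICODE, PT_BINARY, PT_OBJECT}


def _checksum(data: bytes) -> int:
    # TNEF attribute checksum: 16-bit sum of the data bytes.
    return sum(data) & 0xFFFF


def iter_attributes(blob: bytes):
    """Yield (level, attribute id, data) for each TNEF attribute, verifying every checksum."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6  # 4-byte signature + 2-byte legacy key
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header")
        level = blob[pos]
        att_id, length = struct.unpack_from("<II", blob, pos + 1)
        end = pos + 9 + length
        if end + 2 > len(blob):
            raise ValueError("truncated attribute")
        data = blob[pos + 9:end]
        if struct.unpack_from("<H", blob, end)[0] != _checksum(data):
            raise ValueError("attribute checksum mismatch")
        yield level, att_id, data
        pos = end + 2


def parse_mapi_props(data: bytes) -> dict:
    """Decode the MAPI property block carried by attAttachment: {property id: value}."""
    (count,) = struct.unpack_from("<I", data, 0)
    pos, props = 4, {}
    for _ in range(count):
        (tag,) = struct.unpack_from("<I", data, pos)
        pos += 4
        ptype, pid, multi = tag & 0x0FFF, tag >> 16, bool(tag & 0x1000)
        if pid >= 0x8000:
            raise ValueError("named properties are not handled by this example")
        if multi or ptype in VARIABLE_TYPES:
            (nvals,) = struct.unpack_from("<I", data, pos)
            pos += 4
        else:
            nvals = 1
        values = []
        for _ in range(nvals):
            if ptype in FIXED_SIZES:
                size = FIXED_SIZES[ptype]
                raw = data[pos:pos + size]
                values.append(int.from_bytes(raw, "little") if size <= 4 else raw)
            elif ptype in VARIABLE_TYPES:
                (size,) = struct.unpack_from("<I", data, pos)
                pos += 4
                values.append(data[pos:pos + size])
            else:
                raise ValueError(f"unsupported property type 0x{ptype:04x}")
            pos += (size + 3) & ~3  # values are padded to a 4-byte boundary
        props[pid] = values if multi else values[0]
    return props


def scan_winmail(blob: bytes) -> list:
    """One record per attachment: index, attach method, and whether it is an OLE object."""
    attachments = []
    for level, att_id, data in iter_attributes(blob):
        if level != LVL_ATTACHMENT:
            continue
        if att_id == ATT_ATTACH_RENDDATA:
            attachments.append({"index": len(attachments), "method": None, "ole": False})
        elif att_id == ATT_ATTACHMENT and attachments:
            method = parse_mapi_props(data).get(PR_ATTACH_METHOD)
            attachments[-1].update(method=method, ole=(method == ATTACH_OLE))
    return attachments


def _attribute(level: int, att_id: int, data: bytes) -> bytes:
    return bytes([level]) + struct.pack("<II", att_id, len(data)) + data + struct.pack("<H", _checksum(data))


def build_sample(methods) -> bytes:
    """Constructed winmail.dat (not a real capture) with one attachment per entry in `methods`."""
    out = struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
    out += _attribute(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
    for method in methods:
        out += _attribute(LVL_ATTACHMENT, ATT_ATTACH_RENDDATA, b"\x00" * 14)  # placeholder RendData
        props = struct.pack("<I", 1) + struct.pack("<II", (PR_ATTACH_METHOD << 16) | PT_LONG, method)
        out += _attribute(LVL_ATTACHMENT, ATT_ATTACHMENT, props)
    return out


if __name__ == "__main__":
    for rec in scan_winmail(build_sample([ATTACH_OLE, ATTACH_BY_VALUE])):
        print(rec)
```

A mail gateway or incident-response script can run `scan_winmail` over every application/ms-tnef part it sees; a checksum mismatch or an unsupported property type is raised as an error rather than skipped, because a malformed winmail.dat is itself worth a closer look.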
Main attack methods
According to security researcher Haifei Li,
"Because a Flash 0-day vulnerability is easily obtained by attackers, the attacker can execute arbitrary code by inserting a Flash exploit into the OLE-enabled TNEF email. We used a Flash OLE object as a test sample and successfully ran code. However, we also need to note that other OLE objects may be exploited by attackers."
For example, Outlook automatically treats files in .msg format as safe, and by default such attachments are shown in the Outlook message viewer rather than in the sandbox. This means that the content embedded in the email attachment is opened automatically as soon as the user views the email.
The effect of the attack can also be seen in the following video:
Security measures
1. We recommend changing the following registry setting to block the automatic loading of Flash through OLE objects. The method is as follows:
Block the Flash control by its CLSID D27CDB6E-AE6D-11cf-96B8-444553540000 with the Office COM compatibility flag:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
2. Download and install the security patch as soon as possible.
(Patch link: path)