Summary of Sandworm Attack

This loophole has just come out of the analysis, at that time roughly understand the principle, but to many details and principle is still smattering. Later began to find a job, and the work has been set down, the teacher also assigned a variety of bitter force of the work ... Today finally there is time to pay for this part of the homework, in the process of learning with the teacher wits is also drunk. >_<

This vulnerability on the Internet, a variety of Chinese and English analysis has been a lot, so here I only according to their own situation to do a small collation and summary, and will refer to a variety of relevant information for their own restudying.

1. cve-2014-4114

First, the cve-2014-4114 of this logical flaw is that when the PPT calls the IPersistStorage interface's Load method to load the OLE compound document object that corresponds to the storage object (OLE compound document), The MOTW (Mark on the Web) processing of all types of compound documents has not been caused. This allows an attacker to circumvent MOTW protection by forging the CLSID of an OLE compound document. The execution process is as follows:

Figure 1 Execution path [1]

The CLSID of the compound document in the cve-2014-4114 attack sample [2]:

Figure 2 CLSID

By querying the registry, {00022602-0000-0000-c000-000000000046} corresponds to video Clip. As can be seen in Figure 1, Cpackage::load called Readclassstg to get the file type of the compound document, which is processed in two categories based on the CLSID.

The two documents in the sample are of type 0x22602 (corresponding to _clsid_avifile), so cpackage::load calls Loadmmsstorage for further processing. Loadmmsstorage internal According to the specific type, call Cpackage::ole2soundrecreadfromstream---Cpackage::createtempfilename Copystreamtofile eventually writes the file to the temp directory.

As shown in Figure 1, after Copyfilew and Copystreamtofile, the read to file is not MOTW processed, that is, Markfileunsave is not called.

Figure 3 Markfileunsafe

---------------------------------------------------------------------------------------------------

Markfileunsave

The Markfileunsave function is to set the security Zone of the file by calling Izoneidentifier::setid. The urlzone value set here is 3, which is the urlzone_internet type (Figure 4), which indicates that this file is from another computer (Figure 5).

Figure 4 Urlzone

Figure 5 Security Zone

Note that the Security zone is implemented through the NTFS file system's alternate Data Streams (ADS) feature and is not part of the Windows ACL mechanism. It saves zone information by creating a alternate streams named Zone.identifier: $DATA to the file. As shown in 6.

Figure 6 Zone.identifier: $DATA

Then, when the user tries to run, install such a file, Windows detects the file's zone information, blocks execution, and pops up a warning prompt that the user will have an untrusted file to execute.

Figure 7 Security Warning

---------------------------------------------------------------------------------------------------

Eventually, the Slides.inf and slide1.gif written to the temp directory are not MOTW processed, as shown in 8.

Figure 8 Sample released files

The PPT then responds to the end user's actions through the DoVerb method of the OLE compound Document Object IOleObject interface. Here PPT calls the DoVerb method (IVerb = = 3) According to the definition of the slide XML. As shown

Figure 9 Slide1.xml

IOleObject::D Overb () is handled differently based on the value of Iverb. When Iverb is greater than or equal to 3 o'clock, the execution flow goes to the position shown in Figure 10. Its function is consistent with "right-click File, select 2nd (3-2=1) option in the popup menu to run the file", whereas for INF files, the second option for the popup menu is just "Install" (11), Therefore, the INF was eventually installed through InfDefaultInstall.exe.

Figure IOleObject::D overb () with iverb=3 [3]

Figure One popup Menu

2. cve-2014-6352

ms14-060 released 3 days later, the patch can still be bypassed, and found a corresponding sample in the wild. Then Microsoft released a temporary solution to fix it (Security advisory 3010060) to mitigate the exploits before ms14-064 was released.

First, take a look at the patch of the ms14-060 patch, and with the binary comparison tool you can see that ms14-060 only perfects MOTW processing for all types of compound documents, as shown in.

Figure 12 Adding MOTW protection [1]

However, this vulnerability is more than this, and previous analysis has indicated that an attacker could alter the execution process by manipulating the "CLSID of the OLE compound document" and "Ole Verb in XML".

The problem is that not all files marked with "MOTW protection" will pop up with a warning window when they are opened. For example, files that are downloaded from the web, such as docx, PDF, zip, and so on, are not prompted for security warnings when they are opened (note: Office files such as docx are opened in Protected View mode).

Figure "MOTW protection" tagged files

When the relevant software is installed, the process command is registered in the right-click popup menu to facilitate user action, 14, when Python is installed, the second item of the popup menu for the *.py file is edit with IDLE. There is no security warning when an attacker manipulates OLE Verb in XML to open *.py using "edit with IDLE" for a. McAfee researchers use this approach to exploit vulnerabilities, see [4] for details.

Figure 14 Popup Menu for *.py files

Also, in the captured attack sample, an attacker would embed the EXE directly into the PPT and run exe,15 as shown by manipulating OLE Verb in XML to use Administrator rights for all of them. At this point, if the victim logs on to the system using an administrator account or shuts down UAC, there will be no security warning. If the victim logs on to the system using a standard user account or does not turn off UAC, a UAC warning dialog box will be obtained.

Figure 15 Running as Administrator

3. Other

You can learn and analyze Microsoft in this patches Sandworm by using Jon Erickson's report on Blackhat Asia, Persist it using and abusing Microsoft's Fix it Attack The Fix it is released in.

Shortly after the exposure of cve-2014-4114, a sample of the direct embedding file (rather than the earliest UNC download) was used [5], and I modified an embedded generator using the cve-2014-4114 generator source code, but in the case where the compound document type is 0x22602 guaranteed, The INF is not installed as expected (before the ms14-060 patch), and the effort is limited to tracking debug reasons.

4. References

[1] Timeline of Sandworm Attacks

http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/

[2] Microsoft Compound Document File Format.

Http://www.openoffice.org/sc/compdocfileformat.pdf

[3] Bypassing Microsoft ' s Patch for the sandworm Zero day:a detailed look at the Root cause

Http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-root-cause

[4] Bypassing Microsoft ' s Patch for the sandworm Zero day:even ' Editing ' Can cause Harm

Http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm

[5] Xecure Lab discovers new variant of cve-2014-4114 in Taiwan APT attacks

Http://blog.xecure-lab.com/2014/10/cve-2014-4114-pptx-apt-xecure-lab.html

Summary of Sandworm Attack