Also about MS12-005

When Microsoft's security bulletin for MS12-005 first came out, I noticed that it mentioned ClickOnce deployment technology together with Office documents. The picture it painted was this: if an attacker embeds a ClickOnce installation file carrying malware in an Office document, then, because Windows Packager does not strictly filter unsafe file types (file types with executable properties), the malicious program runs once the user opens the document and activates the embedded object. At that point exploitation looked as though it hinged entirely on ClickOnce, that is, only applications deployed with ClickOnce could slip past Windows Packager's filtering of insecure file types.

Later I read the Akita Security Team's analysis of this vulnerability, "Office arbitrary ClickOnce application execution vulnerability". That article attributes the bug to the Office component not strictly filtering insecure file types (it also mentions a logic error in .NET when granting permissions to ClickOnce applications). It concludes that successful exploitation needs some cooperation from the user, and to demonstrate this the team built a small game as a lure for unsuspecting users; the design is described in the original article.

After reading the Akita article I took a rough look at ClickOnce deployment. I wrote a small C# program, deployed it to the local IIS with ClickOnce, and dragged the generated .application file into a Word document. Double-clicking it showed no warning, but the program did not run either; presumably something was wrong with my deployment. I set it aside for a while and then went looking online for a ready-made PoC (in particular the phishing Word file Akita had made).

What turned up was a PoC in .pptx form. Open the document and double-click the embedded object: if Python is installed locally, a Python script embedded in the document is parsed and executed. So the root cause is not directly tied to ClickOnce at all; a ClickOnce application is just one way to trigger it. Following that trail I found the post by the researchers who published the PoC on their blog Exploit Shop, "MS12-005: embedded object package allow arbitrary code execution".

That post analyses the root cause and the fix by comparing the pre- and post-patch binaries. Based on my own debugging of the PoC and my own patch comparison, its root-cause analysis is accurate. Briefly, the call sequence in Windows Packager (packager.dll, pre-patch version 6.1.7600.16385) after double-clicking the embedded Python script in the PPTX is:

CPackage::DoVerb ----------> CPackage::_GiveWarningMsg ----------> IsProgIDInList. IsProgIDInList checks whether the file extension is on a blacklist of insecure extensions. If it is not, DoVerb goes on to call CPackage::_ActivateEmbeddedFile, which opens the file directly (ultimately via ShellExecuteEx). This is the vulnerability: the blacklist covers only *.exe, *.js, *.vbs and *.bat, and ignores other extensions with executable properties such as *.application and *.py. As the Exploit Shop post puts it:

"Only these extensions are executables? There are a lot more executable extensions as you may know"
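To make the pre-patch check concrete, here is an added example; it is not code from the post, from packager.dll or from the PoC. It builds a Packager object in the Ole10Native stream layout, parses the embedded file name back out, and applies a blacklist of the same four extensions, so you can see a .py or .application object sail through while an .exe is stopped. The Ole10Native byte layout is the commonly documented OLE Packager format, which the post does not describe, and is an assumption here; the stream is assumed to have been extracted already (in a real .pptx it sits in ppt/embeddings/oleObjectN.bin, a compound file you would open with a library such as olefile). Matching on the extension string is an approximation of IsProgIDInList, whose name suggests it keys on ProgIDs, and the list of other executable extensions beyond .application and .py is illustrative, not taken from the patch.

```python
"""Audit a Packager embedded object against an MS12-005-style extension blacklist.

Added example, not code from the post or from packager.dll. The Ole10Native
layout used here is the commonly documented OLE Packager format (an assumption;
the post does not describe it). Only the standard library is used.
"""
import struct

# The four extensions the post says the pre-patch blacklist covered.
PREPATCH_BLOCKLIST = {".exe", ".js", ".vbs", ".bat"}

# Other extensions Windows hands to a loader or interpreter. The post names
# .application and .py; the rest are illustrative, not a list from the patch.
OTHER_EXECUTABLE = {".application", ".py", ".com", ".cmd", ".ps1", ".hta",
                    ".scr", ".pif", ".msi", ".wsf", ".jse", ".vbe"}


def build_ole10native(label, src_path, temp_path, payload):
    """Serialise an Ole10Native stream (used here only to construct samples)."""
    def cstr(s):
        return s.encode("latin-1") + b"\x00"

    body = struct.pack("<H", 2)                    # flags: 2 = embedded file
    body += cstr(label)                            # label shown in the document
    body += cstr(src_path)                         # original source path
    body += struct.pack("<L", 0x30000)             # unknown DWORD (assumed value)
    body += struct.pack("<L", len(temp_path) + 1)  # temp path length incl. NUL
    body += cstr(temp_path)                        # path Packager extracts to
    body += struct.pack("<L", len(payload))        # embedded file size
    body += payload                                # embedded file contents
    return struct.pack("<L", len(body)) + body     # total size prefix


def _cstring(buf, pos):
    """Read a NUL-terminated ANSI string starting at pos."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse an Ole10Native stream into its fields, checking every length."""
    (total,) = struct.unpack_from("<L", stream, 0)
    body = stream[4:4 + total]
    if len(body) != total:
        raise ValueError("truncated Ole10Native stream")
    pos = 0
    (flags,) = struct.unpack_from("<H", body, pos)
    pos += 2
    label, pos = _cstring(body, pos)
    src_path, pos = _cstring(body, pos)
    pos += 4                                       # skip unknown DWORD
    (tmp_len,) = struct.unpack_from("<L", body, pos)
    pos += 4
    temp_path = body[pos:pos + tmp_len].rstrip(b"\x00").decode("latin-1")
    pos += tmp_len
    (data_len,) = struct.unpack_from("<L", body, pos)
    pos += 4
    data = body[pos:pos + data_len]
    if len(data) != data_len:
        raise ValueError("embedded file length exceeds stream")
    return {"flags": flags, "label": label, "src_path": src_path,
            "temp_path": temp_path, "data": data}


def extension_of(filename):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = filename.lower().rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def prepatch_decision(filename):
    """What the pre-patch DoVerb path does with this name: 'block' or 'open'.

    Anything not on the short blacklist goes straight to ShellExecuteEx, which
    is exactly the gap the PoC's .py (and a ClickOnce .application) exploits.
    """
    return "block" if extension_of(filename) in PREPATCH_BLOCKLIST else "open"


def audit(stream):
    """Parse one Packager object and report how the pre-patch check treats it."""
    obj = parse_ole10native(stream)
    ext = extension_of(obj["label"])
    decision = prepatch_decision(obj["label"])
    return {
        "label": obj["label"],
        "extension": ext,
        "prepatch_decision": decision,
        "blacklist_bypass": decision == "open" and ext in OTHER_EXECUTABLE,
        "payload_bytes": len(obj["data"]),
    }


# Constructed samples: a harmless script and a fake PE stub, packaged the way
# Office embeds them. These are not the PoC's contents.
SAMPLE_PY = build_ole10native("run.py", r"C:\poc\run.py", r"C:\Temp\run.py",
                              b"print('hello')\n")
SAMPLE_EXE = build_ole10native("evil.exe", r"C:\poc\evil.exe", r"C:\Temp\evil.exe",
                               b"MZ" + b"\x00" * 14)

if __name__ == "__main__":
    for sample in (SAMPLE_PY, SAMPLE_EXE):
        print(audit(sample))
```

Run it directly to print both audits. In the field you would feed `audit` the Ole10Native stream pulled out of ppt/embeddings/oleObjectN.bin with olefile, which is assumed rather than shown here; the `blacklist_bypass` flag is the one a detection rule would alert on for documents opened on unpatched hosts.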

Where the post is less accurate is in how the fix works. Its author believes that the patched packager.dll (version 6.1.7600.16917) adds a call to AssocIsDangerous (exported by shlwapi.dll) to decide whether the extension of the embedded object about to be opened has executable properties:

"MS12-005 patched this issue by calling AssocIsDangerous () to check the executable extension ."

But with the patch installed, double-clicking the embedded object in the PPTX produces the following call sequence in Windows Packager:

CPackage::DoVerb ----------> CPackage::_ExecuteAttachment ----------> CPackage::_ActivateEmbeddedFile ----------> CAttachmentServices::Execute. CAttachmentServices::Execute is implemented in shdocvw.dll; before it calls ShellExecuteEx to open the target file, it calls CAttachmentServices::_OpUserTrust, which pops up a dialog asking the user whether to open the selected object.

So the patched Windows Packager still does not strictly verify whether an embedded object's file type is safe before opening it; instead it shows a warning dialog and leaves the decision to the user. In other words, the post-patch safeguard is the user's judgement at that prompt, not a type check.

From http://hi.baidu.com/4b_4b/blog/item/599b879885ba7f55d0135ea9.html
