Analysis of security problems caused by RTF documents dropping files into temporary folders
Recently, McAfee's Advanced Exploit Detection System (AEDS) detected some interesting RTF files that embed "additional" content in the document. Normally such embedded content is shown as an icon inside the document, and Word lets the user run it by double-clicking that icon.
Word shows a warning when the user tries to run the program embedded in the document.
Because Word prompts first, one might expect this to pose no threat to the user. However, we strongly recommend not running any attachment embedded in a document, because the story does not end there. Just as we used AEDS to find potential security issues in PDF files, we observed a series of suspicious (or at least "interesting") behaviors when opening such RTF files: the attached file is dropped into the current user's temporary folder (%TEMP%, typically C:\Users\<username>\AppData\Local\Temp) as soon as the document is opened. For example, one RTF sample drops a file named reader.exe into the temporary folder.
When the RTF file is opened, reader.exe is dropped into the user's temporary folder.
We found that this behavior occurs on Windows 7 and 8 even without Office installed (opening the RTF file with WordPad also triggers it). It does not occur on Windows XP.
The file is dropped by the "Package" ActiveX control. The RTF markup looks similar to the following:
The "Package" control referenced from the RTF file.
The "Package" ActiveX control is registered as follows:
CLSID: {F20DA720-C02F-11CE-927B-0800095AE340}
ProgID: Package
InProcServer32: %SystemRoot%\system32\packager.dll
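An analyst looking at one of these samples wants to know, without opening it, which file name the document will drop and what the dropped bytes are. The following added example (not code from the McAfee analysis) builds a minimal RTF carrying a "Package" object and then extracts the embedded file from it. The layout it assumes is the one public tools such as oletools' rtfobj parse: the \objdata hex string holds an OLE 1.0 embedded-object header (version, format ID 2, class/topic/item names, data size) whose data is the Packager native stream (WORD header, label, original path, flags, length-prefixed temp path, data size, data). The sample payload, file names and paths are constructed for the example; field names are this example's own.

```python
"""Build and parse an RTF file that embeds a "Package" object (added example)."""
import hashlib
import re
import struct

# Constructed stand-in for the reader.exe payload described in the text.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"fake-reader-stub"

# Extensions that Windows will run or load if something launches them from %TEMP%.
RISKY_EXT = {".exe", ".dll", ".bat", ".cmd", ".cpl", ".scr", ".com", ".pif", ".vbs", ".js"}

OBJDATA_RE = re.compile(rb"\\objdata\b([0-9A-Fa-f\s]+)")


def _lp_ansi(s: str) -> bytes:
    """OLE 1.0 length-prefixed ANSI string: DWORD length (incl. NUL), bytes, NUL."""
    raw = s.encode("ascii") + b"\x00"
    return struct.pack("<I", len(raw)) + raw


def build_package_rtf(filename: str, payload: bytes, src_dir: str = "C:\\drop\\") -> bytes:
    """Constructed RTF with one embedded Package object, for exercising the parser."""
    full = (src_dir + filename).encode("ascii") + b"\x00"
    # Packager native stream: WORD 2, label\0, original path\0, DWORD flags (3 = embedded),
    # length-prefixed temp path, DWORD data size, data.
    native = (struct.pack("<H", 2)
              + filename.encode("ascii") + b"\x00" + full
              + struct.pack("<I", 3)
              + struct.pack("<I", len(full)) + full
              + struct.pack("<I", len(payload)) + payload)
    # OLE 1.0 embedded object: version, format ID 2 (embedded), class name,
    # empty topic and item names, then the native data.
    ole1 = (struct.pack("<II", 0x00000501, 0x00000002)
            + _lp_ansi("Package") + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)
    hexdata = ole1.hex()
    # Word wraps the hex at fixed width; the parser must tolerate the line breaks.
    wrapped = "\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return ("{\\rtf1\\ansi\\deff0 Please double-click the attachment.\\par\n"
            "{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
            + wrapped + "\n}}}").encode("ascii")


def _read_lp_ansi(buf: bytes, off: int):
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("ascii", "replace"), off + n


def _read_cstr(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii", "replace"), end + 1


def parse_package_native(native: bytes):
    """Return (label, original path, data) from a Packager native stream."""
    off = 2                                   # skip WORD header
    label, off = _read_cstr(native, off)
    orig_path, off = _read_cstr(native, off)
    off += 4                                  # flags
    (n,) = struct.unpack_from("<I", native, off)
    off += 4 + n                              # temp path
    (size,) = struct.unpack_from("<I", native, off)
    off += 4
    return label, orig_path, native[off:off + size]


def extract_packages(rtf: bytes):
    """List every Package object in an RTF: file name, source path, size, hash, risk flag."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]              # tolerate a stray trailing nibble
        blob = bytes.fromhex(hexstr.decode("ascii"))
        if len(blob) < 8:
            continue
        _version, fmt = struct.unpack_from("<II", blob, 0)
        if fmt != 2:
            continue                          # only embedded objects carry data
        cls, off = _read_lp_ansi(blob, 8)
        _topic, off = _read_lp_ansi(blob, off)
        _item, off = _read_lp_ansi(blob, off)
        (size,) = struct.unpack_from("<I", blob, off)
        off += 4
        if cls.lower() != "package":
            continue
        label, orig, data = parse_package_native(blob[off:off + size])
        ext = ("." + label.rsplit(".", 1)[-1].lower()) if "." in label else ""
        found.append({"filename": label, "source_path": orig, "size": len(data),
                      "sha256": hashlib.sha256(data).hexdigest(),
                      "risky": ext in RISKY_EXT, "data": data})
    return found


if __name__ == "__main__":
    for rec in extract_packages(build_package_rtf("reader.exe", SAMPLE_PAYLOAD)):
        print({k: v for k, v in rec.items() if k != "data"})
```

Real samples often obfuscate the hex (control words interleaved with the data, odd nibble counts, several nested objects); the regex above handles only whitespace, so for production triage use rtfobj, which implements the same extraction with those cases covered.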
During testing we observed the following behavior:
The file name and the content of the dropped file are controlled by the RTF file.
The drop is triggered simply by opening the RTF document; no further user action is needed.
If a file with the same name already exists in the temporary folder, the dropped file is written under a "(2)"-suffixed name instead; the existing file is not overwritten.
When the document is closed, the dropped file is deleted.
This behavior lets anyone who can get a user to open an RTF document drop an arbitrary file with an arbitrary name into the temporary folder, which clearly raises security concerns. Good practice for applications is to use unique names in the temporary folder, for example randomly generated file names or an application-specific subdirectory. Adobe Reader 11, for instance, performs its temporary file operations in its own directory, acrord32_sbx (C:\Users\<username>\AppData\Local\Temp\acrord32_sbx).
How can attackers abuse this behavior?
Because applications and the operating system make such heavy use of the temporary folder, this question is hard to answer in general; we do not know how every program uses every temporary file. Some possibilities we considered:
In some cases an application runs an executable from the temporary folder whenever that file exists. Opening a malicious RTF would then be very dangerous. The same applies to DLLs. In practice we expect this situation to be rare: most programs first create the executable or DLL (overwriting it if it already exists) and only then run or load it.
DLL preloading. Some applications create an executable in the temporary folder and run it. If that executable has a DLL preloading issue, it searches its own directory, the temporary folder, for the DLL, so a DLL with the expected name planted in the temporary folder is loaded immediately.
An application may depend on special files that normally do not exist or are not executable. Placing such a file in the temporary folder can change the application's behavior or control flow, with unpredictable security consequences.
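The first abuse pattern above (run a file from the temporary folder if it is already there) and the earlier recommendation to use unique names or a private subdirectory can be put side by side. The following added example (not code from the McAfee analysis or from any named product) simulates a hypothetical application that ships a helper program and launches it from the temporary folder. The "planted" file stands in for one dropped by an RTF Package object; nothing is actually executed, each function only returns the path it would launch. The helper bytes, names and hashes are constructed for the example.

```python
"""Vulnerable vs. hardened use of the temporary folder by a helper-launching application."""
import hashlib
import os
import tempfile

# Constructed helper program bundled with the hypothetical application.
BUNDLED_HELPER = b"MZ" + b"\x00" * 6 + b"legitimate-helper"
BUNDLED_SHA256 = hashlib.sha256(BUNDLED_HELPER).hexdigest()
HELPER_NAME = "helper.exe"


def vulnerable_helper_path(temp_dir: str) -> str:
    """Pattern from the text: launch %TEMP%\\helper.exe if it already exists.

    Whoever got a file with this name into the temporary folder first (for
    example via an RTF drop) decides what runs; the bundled copy is only
    written when the file is absent.
    """
    path = os.path.join(temp_dir, HELPER_NAME)
    if not os.path.exists(path):
        with open(path, "wb") as f:
            f.write(BUNDLED_HELPER)
    return path  # the application would subprocess.run() this path


def hardened_helper_path(temp_dir: str) -> str:
    """Private, unpredictably named directory, always rewritten, integrity-checked.

    mkdtemp() creates a fresh directory with a random name (mode 0700 on POSIX),
    so a pre-planted helper.exe, or a same-named DLL waiting for a DLL-preloading
    bug, is never next to the file we launch.
    """
    private = tempfile.mkdtemp(prefix="myapp_", dir=temp_dir)
    path = os.path.join(private, HELPER_NAME)
    with open(path, "wb") as f:     # "wb" truncates: never trust an existing file
        f.write(BUNDLED_HELPER)
    with open(path, "rb") as f:     # verify what is on disk before launching it
        if hashlib.sha256(f.read()).hexdigest() != BUNDLED_SHA256:
            raise RuntimeError("helper integrity check failed")
    return path


def plant_file(temp_dir: str, name: str, data: bytes) -> str:
    """Simulate the RTF Package drop: the document's file lands in %TEMP% first."""
    path = os.path.join(temp_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo(temp_dir: str = None) -> dict:
    """Report what each pattern would launch after an attacker planted helper.exe."""
    temp_dir = temp_dir or tempfile.mkdtemp(prefix="sim_temp_")
    plant_file(temp_dir, HELPER_NAME, b"MZ-attacker-controlled")
    vuln = vulnerable_helper_path(temp_dir)
    hard = hardened_helper_path(temp_dir)
    with open(vuln, "rb") as f:
        vuln_data = f.read()
    with open(hard, "rb") as f:
        hard_data = f.read()
    return {
        "vulnerable_runs_planted": vuln_data != BUNDLED_HELPER,
        "hardened_runs_bundled": hard_data == BUNDLED_HELPER,
        "hardened_in_private_dir": os.path.dirname(hard) != temp_dir,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened version also neutralizes the "(2)" suffix behavior noted earlier: since the application writes into a directory that did not exist a moment ago, there is nothing for the dropped file to collide with or to pre-empt.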
We call this class of weakness a Temporary Folder Access Vulnerability. By combining the RTF drop with a Temporary Folder Access Vulnerability in another application, an attacker can execute additional code on the victim's system.
The attack generally proceeds as follows:
The attacker sends an RTF file to the victim.
The victim opens it, and one or more specially crafted files are dropped into the temporary folder.
If another program accesses the temporary folder in one of the vulnerable ways discussed above, the malicious code runs automatically. Otherwise the document may contain social-engineering text that lures the victim into the follow-up actions, such as running a legitimate program that has the weakness.
If the victim performs these steps, the exploit succeeds.
So another program with a Temporary Folder Access Vulnerability is required. Sometimes the attacker also needs user interaction; sometimes not.
Would attackers actually launch such attacks?
This is hard to say. Successful exploitation requires the attacker to study the target in advance, in particular to learn whether the target runs an application with a Temporary Folder Access Vulnerability. In our analysis, the RTF samples alone are usually not enough to understand the attacker's intent.
We have found some interesting file names dropped by malicious RTF files:
CEH.exe
Du.sfx.exe
FINCEN~2.EXE
Inicio.bat
Inv_875867001426_74653003.cpl
Pastelyearendguidedm (32.16.exe
QUICKSHIPPINGDUEINVOICE.exe
Reader.exe
Test.vir
Advanced persistent threat actors generally know their target before attacking. We suggest that organizations pay attention to this issue, especially those facing sophisticated, targeted attacks.
Security suggestions
If you open RTF files with Microsoft Word, you can disable the "Package" ActiveX control in Office with the Office kill bit as a workaround. We found that setting the following registry value addresses the issue for Office:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{F20DA720-C02F-11CE-927B-0800095AE340}]
"Compatibility Flags"=dword:00000400
However, this workaround does not help if the RTF file is opened with WordPad. As we have said about document-based attacks before, the best protection is not to open documents from unknown sources, and to close a document as soon as you notice anything suspicious. These steps reduce the probability of a successful attack.
Our investigation shows that the way Windows and Office handle these RTF files creates a problem that is not confined to memory corruption or to a single application or system; it spans many components, and that breadth undoubtedly poses a challenge to organizations and security vendors alike.