Welcome to Smokey's Security Forums.
As a guest you only have limited access to the board and it's features, please consider registering to gain full access!
Registration is free and it only takes a few moments to complete.

Smokey's Security Forums

Please login or register.

Login with username, password and session length
Advanced search  

News:

Fileless attacks surge in 2017, security solutions are not stopping them

Fileless attacks are on the rise and are predicted to comprise 35 percent of all attacks next year, according to the Ponemon Institute.

Fileless attacks surge in 2017, security solutions are not stopping them

Malware Log Analysis & Removal Help * Ransomware Encryption & Decrytion Techniques * Official Jetico Inc. Support Forums

Share this topic on FacebookShare this topic on MySpaceShare this topic on RedditShare this topic on TwitterAuthorTopic: Analyzing an exploit for СVE-2017-11826  (Read 58 times)

0 Members and 1 Guest are viewing this topic.

ScarlettTopic starter

  • Updates Moderator
  • *
  • Offline Offline
  • location: Cymru
  • Posts: 22570
Analyzing an exploit for СVE-2017-11826
« Reply #1 on: October 26, 2017, 11:16:54 AM »
Analyzing an exploit for СVE-2017-11826
26 October 2017, 11:00 am



The latest Patch Tuesday (17 October) brought patches for 62 vulnerabilities, including one that fixed СVE-2017-11826 – a critical zero-day vulnerability used to launch targeted attacks – in all versions of Microsoft Office.

The exploit for this vulnerability is an RTF document containing a DOCX document that exploits СVE-2017-11826 in the Office Open XML parser.



The exploit itself is in word/document.xml as follows:



Under the ECMA-376 standard for Office Open XML File Formats, the valid ‘font’ element describing the fonts used in the document must look like this:



In the body of the exploit the closing tag is absent. The opening tag is followed by the object element which cause ‘type confusion’ in the OOXML parser. Any object element can be used to successfully exploit this vulnerability. To pass one of the checks preceding the exploitation, there must be an OLEObject element in front of the tag, and the length of the content of the attribute name must be no shorter than 32 bytes after conversion from UTF-8 into Unicode.



After conversion from UTF-8 to Unicode, E8 A3 AC E0 A2 80 becomes EC 88 88 08.



If all these conditions are fulfilled, this pointer will be dereferenced, and control will be transferred to the contents of this address with the offset 4.



To control the memory content at address 0x088888EC, the attackers apply the popular heap spraying technique with use of ActiveX components:



The exploit bypasses ASLR and DEP using ROP and gadgets from msvbvm60.dll. The msvbvm60.dll module is loaded from the RTF document with the help of a CLSID associated with this DLL:





The first part of ROP sets the ESP register’s value:



The second part of ROP is ignored: it was used to set the EIP register at 0x088883EC. The last ‘pop eax; retn’ gadget moves the address 0x729410D0 into EAX. This is the address for the VirtualProtect pointer in the Imports area of msvbvm60.dll from Kernel32.dll:



The VirtualProtect pointer is used in the next ROP gadget to call the function VirtualProtect(0x8888C90, 0x201, 0x40, 0x72A4C045). After this, control is transferred to the shellcode at the address 0x8888F70, which decrypts and executes the embedded:



Kaspersky Lab’s security solutions detect exploits for СVE-2017-11826 as:

MSWord.Agent.ix;

MSOffice.CVE-2017-11826.a;

HEUR:Exploit.MSOffice.Generic.

IOC

cb3429e608144909ef25df2605c24ec253b10b6e99cbb6657afa6b92e9f32fb5



Source: Securelist - Information about Viruses, Hackers and Spam

>> To obtain the full Kaspersky Lab Securelist article, click the link in the first post line <<
 

* Permissions
You can't post new topics.
You can't post replies.
You can't post attachments.
You can't modify your posts.
BBCode Enabled
Smilies Enabled
[img] Enabled
HTML Disabled


Except where otherwise stated, all content, graphics, banners and images included © 2006 - 2017 Smokey Services™ -- All rights reserved
Design board graphics, banners and images by Meg&Millie - Emma aka Tinker

This site does not store profiling-, tracking-, third-party and/or any other non-essential cookie(s) on client computers and is fully compliant with the EU ePrivacy Directive
Smokey's does not use any Web Analytics/Analysis Service, and also does not use any browser fingerprinting techniques

    

  

Smokey's also provides free fully qualified FRST (Farbar Recovery Scan Tool) Log / Malware Analysis & Removal Help and System Health Checks
rifle
rifle
rifle
rifle