Zero-Day Exploit (CVE-2017-11826) - Memory Corruption Vulnerability
Microsoft's latest patch release fixed 62 vulnerabilities, including CVE-2017-11826, a critical zero-day vulnerability affecting all versions of Microsoft Office that was being used to launch targeted attacks.
Microsoft Office is prone to a memory-corruption vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.
The exploit for this vulnerability is an RTF document containing a DOCX document that triggers CVE-2017-11826 in the Office Open XML parser, as shown in Figure 1.
Structure of File
The RTF embeds a compressed (zip) package that contains activeX1.bin together with the ROP chain and the shellcode, as shown in Figures 2 and 3 after the file structure below.
The following is the file structure of this document:
The exploit bypasses ASLR and DEP using ROP gadgets from msvbvm60.dll, a module that is not ASLR-enabled and therefore loads at a predictable base address. msvbvm60.dll is loaded from the RTF document with the help of a CLSID associated with this DLL:
To control the memory content at address 0x088888EC, the attackers apply the popular heap-spraying technique using ActiveX components:
The first part of the ROP chain pivots the stack by setting the ESP register's value:
The second part of the ROP chain is ignored: it served to set the EIP register to 0x088883EC. The last 'pop eax; retn' gadget moves the address 0x729410D0 into EAX. This is the address of the VirtualProtect pointer in the import table of msvbvm60.dll (the function is imported from kernel32.dll), so the chain reads the real kernel32.dll address out of the IAT at run time instead of hard-coding an address that ASLR would randomize:
The VirtualProtect pointer is dereferenced by the next ROP gadget to call VirtualProtect(0x8888C90, 0x201, 0x40, 0x72A4C045), i.e. lpAddress = 0x8888C90, dwSize = 0x201, flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE) and lpflOldProtect = 0x72A4C045, which makes the sprayed memory holding the shellcode executable despite DEP. After this, control is transferred to the shellcode at address 0x8888F70, which decrypts and executes the embedded executable:
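The argument list is worth checking against the shellcode address, because VirtualProtect changes protection with page granularity: 0x8888C90 + 0x201 ends at 0x8888E91, short of the shellcode at 0x8888F70, yet the call still works because the whole 4 KiB page 0x8888000-0x8888FFF becomes executable. The C program below is an added example, not code from the page, the exploit or Sequretek: it decodes the stdcall frame the gadget returns into and makes that check. It assumes the return-address slot of the frame holds the shellcode address (the page only says control passes there after the call), and the stack bytes are constructed from the values quoted above.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Win32 memory-protection constants (values as defined in the Windows SDK). */
#define PAGE_EXECUTE            0x10u
#define PAGE_EXECUTE_READ       0x20u
#define PAGE_EXECUTE_READWRITE  0x40u
#define PAGE_EXECUTE_WRITECOPY  0x80u
#define X86_PAGE_SIZE           0x1000u

/* The stack as 32-bit stdcall VirtualProtect sees it once a gadget returns into it:
 * [return address][lpAddress][dwSize][flNewProtect][lpflOldProtect].
 * ASSUMPTION: the write-up gives the four arguments and says control then passes
 * to the shellcode at 0x8888F70; the usual mechanism is that the return-address
 * slot holds that address, and that is how the frame is modelled here. */
typedef struct {
    uint32_t ret_addr;
    uint32_t lp_address;
    uint32_t dw_size;
    uint32_t fl_new_protect;
    uint32_t lpfl_old_protect;
} vp_frame_t;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode five little-endian dwords from raw stack bytes. Returns 0 on short input. */
int parse_vp_frame(const uint8_t *stack, size_t len, vp_frame_t *f)
{
    if (len < 5 * sizeof(uint32_t)) return 0;
    f->ret_addr         = le32(stack + 0);
    f->lp_address       = le32(stack + 4);
    f->dw_size          = le32(stack + 8);
    f->fl_new_protect   = le32(stack + 12);
    f->lpfl_old_protect = le32(stack + 16);
    return 1;
}

/* VirtualProtect changes whole pages: every page holding at least one byte of
 * [lpAddress, lpAddress + dwSize) gets the new protection. */
void page_span(uint32_t addr, uint32_t size, uint32_t *first_page, uint32_t *last_page)
{
    *first_page = addr & ~(X86_PAGE_SIZE - 1);
    *last_page  = (addr + size - 1) & ~(X86_PAGE_SIZE - 1);
}

static int protection_allows_execute(uint32_t prot)
{
    return (prot & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                    PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

/* Is `target` inside the byte range the chain literally asked for? */
int frame_covers_byte_range(const vp_frame_t *f, uint32_t target)
{
    return target >= f->lp_address && target < f->lp_address + f->dw_size;
}

/* Does the call actually leave `target` executable once page rounding is applied? */
int frame_makes_executable(const vp_frame_t *f, uint32_t target)
{
    uint32_t first, last;
    if (!protection_allows_execute(f->fl_new_protect)) return 0;
    page_span(f->lp_address, f->dw_size, &first, &last);
    return target >= first && target < last + X86_PAGE_SIZE;
}

/* Constructed stack bytes (little-endian) carrying the values quoted in the
 * analysis; the return slot holds the shellcode address per the assumption above. */
const uint8_t SAMPLE_STACK[20] = {
    0x70, 0x8F, 0x88, 0x08,   /* return address: shellcode at 0x08888F70 */
    0x90, 0x8C, 0x88, 0x08,   /* lpAddress      0x08888C90 */
    0x01, 0x02, 0x00, 0x00,   /* dwSize         0x201 */
    0x40, 0x00, 0x00, 0x00,   /* flNewProtect   PAGE_EXECUTE_READWRITE */
    0x45, 0xC0, 0xA4, 0x72    /* lpflOldProtect 0x72A4C045 */
};

int main(void)
{
    vp_frame_t f;
    uint32_t first, last;
    if (!parse_vp_frame(SAMPLE_STACK, sizeof SAMPLE_STACK, &f)) return 1;
    page_span(f.lp_address, f.dw_size, &first, &last);
    printf("VirtualProtect(0x%08" PRIX32 ", 0x%" PRIX32 ", 0x%02" PRIX32 ", 0x%08" PRIX32
           "), then ret to 0x%08" PRIX32 "\n",
           f.lp_address, f.dw_size, f.fl_new_protect, f.lpfl_old_protect, f.ret_addr);
    printf("pages changed: 0x%08" PRIX32 "-0x%08" PRIX32 "\n", first, last + X86_PAGE_SIZE - 1);
    printf("shellcode inside requested bytes: %d; executable after the call: %d\n",
           frame_covers_byte_range(&f, f.ret_addr), frame_makes_executable(&f, f.ret_addr));
    return 0;
}
```

The same check is useful when triaging any ROP chain that ends in VirtualProtect or VirtualAlloc: a dwSize that looks too small to reach the shellcode is not a broken chain if the shellcode shares a page with lpAddress.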
Two objects are embedded in the document: an executable and a blank document. Both are protected with the same scheme, a one-byte XOR whose key is incremented at each step, with the first few hundred bytes swapped; the shellcode decrypts them and uses Windows Management Instrumentation (WMI) functions to execute the payload.
The highlighted portions of the screenshots below (Figures 4 and 5) show the start marker ("BABABABABABABA") and end marker ("BBBBBBBBBBBBBB") that delimit the embedded executable, and the decryption key for the executable, "BE-BA-FF-CA":
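As an added example (not code from the page, the malware or Sequretek), the following C program carves the region between the start and end markers named above out of a buffer and reverses the XOR-with-incrementing-key scheme described for the embedded executable. Three things are assumptions rather than facts from the analysis: the initial key byte (0xBE here; the page reports the key bytes BE-BA-FF-CA but not how they map onto the rolling one-byte key), what "the first few hundred bytes swapped" means (here the first SWAP_LEN bytes are exchanged with the SWAP_LEN bytes that follow, undone after the XOR), and the sample document, which is constructed inside the program rather than taken from the exploit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Markers the analysis identifies around the embedded executable (Figures 4 and 5). */
#define START_MARKER "BABABABABABABA"
#define END_MARKER   "BBBBBBBBBBBBBB"

/* ASSUMPTION: the page says "the first few hundred bytes swapped" without saying
 * with what; here the first SWAP_LEN bytes are exchanged with the SWAP_LEN bytes
 * that follow them. Kept small so the constructed sample stays short. */
#define SWAP_LEN 8

/* ASSUMPTION: the page reports the key as BE-BA-FF-CA but not how it maps onto
 * the one-byte rolling key, so the demo starts from 0xBE. */
#define DEMO_KEY 0xBE

/* Find a marker in a binary buffer (memmem is not portable). Offset or -1. */
static long find_marker(const uint8_t *buf, size_t len, const char *marker)
{
    size_t mlen = strlen(marker);
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(buf + i, marker, mlen) == 0)
            return (long)i;
    return -1;
}

/* One-byte XOR with the key incremented after every byte (wraps at 0xFF).
 * XOR is its own inverse, so the same routine encrypts and decrypts. */
static void xor_rolling(uint8_t *buf, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key++;
}

/* Exchange the first n bytes with the n bytes after them; applying it twice
 * restores the original order. */
static void swap_head(uint8_t *buf, size_t len, size_t n)
{
    if (len < 2 * n) return;
    for (size_t i = 0; i < n; i++) {
        uint8_t t = buf[i];
        buf[i] = buf[n + i];
        buf[n + i] = t;
    }
}

/* Carve the bytes between the markers out of `doc`, undo the XOR layer and the
 * block swap, and return a malloc'd buffer (caller frees) with its length in
 * *out_len. NULL if either marker is missing. */
uint8_t *extract_payload(const uint8_t *doc, size_t doc_len, uint8_t key, size_t *out_len)
{
    long s = find_marker(doc, doc_len, START_MARKER);
    if (s < 0) return NULL;
    size_t body = (size_t)s + strlen(START_MARKER);
    long e = find_marker(doc + body, doc_len - body, END_MARKER);
    if (e < 0) return NULL;
    size_t len = (size_t)e;
    uint8_t *out = malloc(len ? len : 1);
    if (!out) return NULL;
    memcpy(out, doc + body, len);
    xor_rolling(out, len, key);      /* undo the XOR layer first ... */
    swap_head(out, len, SWAP_LEN);   /* ... then the block swap */
    *out_len = len;
    return out;
}

/* Constructed fake payload: an MZ header followed by text, not a real executable. */
static const uint8_t PLAINTEXT[] = "MZ\x90\x00" "constructed fake payload, not a real sample";
#define PLAIN_LEN (sizeof(PLAINTEXT) - 1)

/* Build a constructed document: filler, start marker, obfuscated payload (swap
 * first, then XOR, the reverse of what extract_payload undoes), end marker,
 * filler. Returns bytes written, or 0 if cap is too small. */
size_t build_sample(uint8_t *out, size_t cap, uint8_t key)
{
    size_t slen = strlen(START_MARKER), elen = strlen(END_MARKER);
    if (cap < 4 + slen + PLAIN_LEN + elen + 4) return 0;
    uint8_t *p = out;
    memcpy(p, "{\\rt", 4);          p += 4;
    memcpy(p, START_MARKER, slen);  p += slen;
    memcpy(p, PLAINTEXT, PLAIN_LEN);
    swap_head(p, PLAIN_LEN, SWAP_LEN);
    xor_rolling(p, PLAIN_LEN, key);
    p += PLAIN_LEN;
    memcpy(p, END_MARKER, elen);    p += elen;
    memcpy(p, "}\r\n ", 4);         p += 4;
    return (size_t)(p - out);
}

/* Round trip: the obfuscated body must not expose the plaintext, and extraction
 * must give back exactly the original bytes. Returns 1 on success. */
int self_check(void)
{
    uint8_t doc[256];
    size_t doc_len = build_sample(doc, sizeof doc, DEMO_KEY);
    if (doc_len == 0) return 0;
    if (find_marker(doc, doc_len, "constructed") >= 0) return 0;
    size_t n = 0;
    uint8_t *payload = extract_payload(doc, doc_len, DEMO_KEY, &n);
    int ok = payload && n == PLAIN_LEN && memcmp(payload, PLAINTEXT, PLAIN_LEN) == 0;
    free(payload);
    return ok;
}

int main(void)
{
    printf("round trip %s\n", self_check() ? "OK" : "FAILED");
    return 0;
}
```

On a real activeX1.bin, read the file into memory, call extract_payload with each candidate start key and vary SWAP_LEN until the output starts with "MZ" and carries a "PE\0\0" signature at the offset named in the DOS header; that is the practical check that the key and swap parameters are right.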
Dynamic Analysis with SMA-LAB (Sequretek Malware Analysis Lab)
Our SMA-LAB captured the following suspicious activity while we ran the CVE-2017-11826 sample inside the lab.
Registry keys written
Registry keys read
Suspicious activity captured in memory
Two events were captured. Allocation of read-write-execute memory (Figure 7 shows the API call with its arguments):
Virtual machine detection, an evasion check commonly used by attackers (Figure 8 shows the API call with its arguments):
Indicators of Compromise (IoCs)
Filename: ~WRO0000.doc (Figure 9)
Filename: activeX1.bin (Figure 3)
Run all software as a non-privileged user with minimal access rights.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Do not accept or execute files from untrusted or unknown sources.
Do not follow links provided by unknown or untrusted sources.
Implement multiple redundant layers of security.
Updates are available.
We recommend that all Office users install the official patch as soon as possible.