340 likes | 607 Views
An Analyze Of CVE-2013-3906. 江瑞敏. Outline. Introduction Background Knowledge Docx Format Tiff Format Exploit Analyze ActiveX Heap Spray Vulnerability Analyze Defense Recommendation Reference. Introduction. CVE 2013 3906 Description.
E N D
Outline • Introduction • Background Knowledge • Docx Format • Tiff Format • Exploit Analyze • ActiveX Heap Spray • Vulnerability Analyze • Defense Recommendation • Reference
CVE 2013 3906 Description • The vulnerability allow remote attackers to execute arbitrary code via a crafted TIFF image.
Vulnerable Environment • Office 2003 • Office 2007 • Windows XP • Windows Vista • Windows 7
Microsoft Docx Format • a zip archive • Many xml and resources inside • More Info check out the online documentation
TIFF Format • An Image Format • Can Contains Different Type of Image Inside It.
Tag We Are Interested • StripByteCounts • JPEGInterchangeFormat • JPEGInterchangeFormatLength
An Overview • 1. using activeX object to perform heap spray. • 2. the malicious image will cause an heap overflow and hence overwrite an function pointer. • 3. ogl.dll will call the function pointer and the instruction pointer will points to 0x08080808.
activeX object activeX object activeX object activeX object activeX object activeX object ….. ….. activeX object activeX object activeX object activeX object Function pointer Some Code …. ….. Malicious TIFF Image Word Virtual Address
activeX object activeX object activeX object activeX object activeX object activeX object ….. ….. activeX object activeX object x activeX object activeX object Function pointer Some Code …. ….. Malicious TIFF Image Word Virtual Address
ActiveX Heap Spray • New technique to perform an heap spray • No need to add other code to perform heap spray, MS word will do it for you . • Each activex.bin contains multiple copy of shellcode. • Depending on the samples, the shellcode may different.
Vulnerability Analyze • The TIFF file inside the docx. • ogl.dll will parse the tiff file. • A. get the JPEG content from JPEGInterchangeFormat Tag. • B. get the size of the JPEG from JPEGInterchangeFormatLength Tag. • C. calculate the total size from the StripByteCounts Tag.
Basic Parsing Process TIFF HEADER Strip Byte Counts Tag 0 Tag 1 Tag 2 JPEG Image …… Tag n IFD
Vulnerability Analyze • The TIFF file inside the docx. • ogl.dll will parse the tiff file. • A. get the JPEG content from JPEGInterchangeFormat Tag. • B. get the size of the JPEG from JPEGInterchangeFormatLength Tag. • C. calculate the total size from the StripByteCounts Tag. • D. NTAllocateHeap() with the size calculated below:StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2)+8
Vulnerability Analyze • The TIFF file inside the docx. • ogl.dll will parse the tiff file. • A. get the JPEG content from JPEGInterchangeFormat Tag. • B. get the size of the JPEG from JPEGInterchangeFormatLength Tag. • C. calculate the total size from the StripByteCounts Tag. • D. NTAllocateHeap() with the size calculated below:StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2)+8 • E. memcpy the JPEG image content to the new allocated memory address.
activeX object activeX object activeX object activeX object activeX object activeX object ….. ….. TIFF HEADER activeX object activeX object Strip Byte Counts activeX object activeX object Function pointer memcpy JPEG Image Zero Size Some Code …. ….. IFD Word Virtual Address
activeX object activeX object activeX object activeX object activeX object activeX object ….. ….. TIFF HEADER activeX object activeX object x Strip Byte Counts activeX object activeX object JPEG Image Function pointer JPEG Image Zero Size Some Code …. ….. IFD Word Virtual Address
Vulnerability Analyze • The TIFF file inside the docx. • ogl.dll will parse the tiff file. • A. get the JPEG content from JPEGInterchangeFormat Tag. • B. get the size of the JPEG from JPEGInterchangeFormatLength Tag. • C. calculate the total size from the StripByteCounts Tag. • D. NTAllocateHeap() with the size calculated below:StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2)+8 • E. memcpy the JPEG image content to the new allocated memory address. • F. OGL.DLL will call the function pointer somewhere in the code.
Defense Recommendation • 1. Disable specific ActiveX control with Office kill bit[link] • 2. Opening document in protected view only.[link] • 3. Disable TiffCodecHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1 • 4. Write a script to scan.
Tool That I used • Windbg • Xxd • Hachoir-urwid
Reference • http://armorize-cht.blogspot.tw/2013/12/cve-2013-3906-apt-janicab-arx-arlab-operation-hangover-taidoor-winnti.html • http://www.fileformat.info/format/tiff/egff.htm • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3906 • http://www.schemacentral.com/sc/ooxml/e-a_graphicData-1.html • http://officeopenxml.com/drwPic-nvPicPr.php • http://0xicf.wordpress.com/tag/cve-2013-3906/ • http://www.exploit-db.com/exploits/30011/ • http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx • http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html • http://www.crowdstrike.com/blog/analysis-cve-2013-3906-exploit/