An Analysis of CVE-2013-3906. 江瑞敏.
Outline • Introduction • Background Knowledge • Docx Format • TIFF Format • Exploit Analysis • ActiveX Heap Spray • Vulnerability Analysis • Defense Recommendation • Reference
CVE-2013-3906 Description • The vulnerability allows remote attackers to execute arbitrary code via a crafted TIFF image.
Vulnerable Environment • Office 2003 • Office 2007 • Windows XP • Windows Vista • Windows 7
Microsoft Docx Format • A zip archive • Many XML files and resources inside • For more information, check the online documentation
TIFF Format • An image format • Can contain different types of image inside it.
Tags We Are Interested In • StripByteCounts • JPEGInterchangeFormat • JPEGInterchangeFormatLength
An Overview • 1. ActiveX objects are used to perform a heap spray. • 2. The malicious image causes a heap overflow and hence overwrites a function pointer. • 3. ogl.dll calls the function pointer and the instruction pointer points to 0x08080808.
[Diagrams: Word virtual address space, with labels: ActiveX objects, Function pointer, Some Code, Malicious TIFF Image]
ActiveX Heap Spray • A new technique to perform a heap spray • No need to add other code to perform the heap spray; MS Word will do it for you. • Each activex.bin contains multiple copies of the shellcode. • Depending on the sample, the shellcode may differ.
Vulnerability Analysis • The TIFF file is inside the docx. • ogl.dll will parse the TIFF file. • A. Get the JPEG content from the JPEGInterchangeFormat tag. • B. Get the size of the JPEG from the JPEGInterchangeFormatLength tag. • C. Calculate the total size from the StripByteCounts tag.
Basic Parsing Process • [Diagram: TIFF layout, with labels: TIFF header, IFD (Tag 0, Tag 1, Tag 2, ... Tag n), Strip Byte Counts, JPEG Image]
Vulnerability Analysis (continued) • D. NTAllocateHeap() with the size calculated as: StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2) + 8
Vulnerability Analysis (continued) • E. memcpy the JPEG image content to the newly allocated memory address.
[Diagrams: Word virtual address space before and after the memcpy, with labels: ActiveX objects, TIFF header, IFD, Strip Byte Counts, JPEG Image, Zero Size, Function pointer, Some Code]
Vulnerability Analysis (continued) • F. OGL.DLL will call the function pointer somewhere in the code.
Defense Recommendation • 1. Disable the specific ActiveX control with an Office kill bit. • 2. Open documents in Protected View only. • 3. Disable the TIFF codec: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1 • 4. Write a script to scan.
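One way to write the scanning script from recommendation 4, as an added example that is not part of the original slides: it reads the three tags named earlier from a TIFF's first IFD and flags files where the size expression from step D no longer fits in a 32-bit integer. The function names, the 32-bit assumption, the reading of the formula's terms and the sample files are all assumptions made for this example.

```python
import struct

STRIP_BYTE_COUNTS, JPEG_IF, JPEG_IF_LENGTH = 279, 513, 514  # TIFF 6.0 tag ids
TYPES = {1: (1, "B"), 3: (2, "H"), 4: (4, "I")}  # BYTE, SHORT, LONG

def read_tags(data):
    """Return {tag: [values]} for the first IFD of a TIFF byte string."""
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if order is None or struct.unpack(order + "H", data[2:4])[0] != 42:
        raise ValueError("not a TIFF")
    (ifd,) = struct.unpack(order + "I", data[4:8])
    (count,) = struct.unpack(order + "H", data[ifd:ifd + 2])
    tags = {}
    for i in range(count):
        entry = data[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n, field = struct.unpack(order + "HHI4s", entry)
        if typ not in TYPES:
            continue
        size, code = TYPES[typ]
        raw = field[:size * n]               # small values are stored inline
        if size * n > 4:                     # otherwise the field is an offset
            off = struct.unpack(order + "I", field)[0]
            raw = data[off:off + size * n]
        k = len(raw) // size
        tags[tag] = list(struct.unpack(order + code * k, raw[:k * size]))
    return tags

def check_tiff(data):
    """Return findings for one TIFF; an empty list means nothing was flagged."""
    try:
        tags = read_tags(data)
    except struct.error:
        return ["truncated or malformed IFD"]
    if JPEG_IF not in tags:
        return []
    counts = tags.get(STRIP_BYTE_COUNTS, [])
    jpeg_len = (tags.get(JPEG_IF_LENGTH) or [0])[0]
    # Size expression from the slides. Assumption: "EntryValue" is the sum of
    # the StripByteCounts values and "EntrySize" is how many there are.
    total = sum(counts) + jpeg_len + len(counts) * 2 + 8
    return ["size expression does not fit in 32 bits"] if total > 0xFFFFFFFF else []

def sample_tiff(counts, jpeg_len):
    """Constructed TIFF: header, two or more strip counts, one IFD; no pixels."""
    body = struct.pack("<%dI" % len(counts), *counts)
    ents = [(STRIP_BYTE_COUNTS, 4, len(counts), 8), (JPEG_IF, 4, 1, 8),
            (JPEG_IF_LENGTH, 4, 1, jpeg_len)]
    ifd = struct.pack("<H", 3) + b"".join(struct.pack("<HHII", *e) for e in ents)
    return b"II*\x00" + struct.pack("<I", 8 + len(body)) + body + ifd
```

Because a docx is a zip archive, a scanner can open it with Python's `zipfile` module and pass each embedded image's bytes to `check_tiff`, skipping members for which `read_tags` raises `ValueError`.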
Tools That I Used • WinDbg • xxd • Hachoir-urwid
Reference • http://armorize-cht.blogspot.tw/2013/12/cve-2013-3906-apt-janicab-arx-arlab-operation-hangover-taidoor-winnti.html • http://www.fileformat.info/format/tiff/egff.htm • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3906 • http://www.schemacentral.com/sc/ooxml/e-a_graphicData-1.html • http://officeopenxml.com/drwPic-nvPicPr.php • http://0xicf.wordpress.com/tag/cve-2013-3906/ • http://www.exploit-db.com/exploits/30011/ • http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx • http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html • http://www.crowdstrike.com/blog/analysis-cve-2013-3906-exploit/