API Security Blog

In-the-wild exploitation analysis of the newly disclosed RTF vulnerability

0×1 Overview
Tencent PC Manager recently captured a new malicious Office document sample. Analysis showed it to be an in-the-wild exploit for the .NET Framework vulnerability CVE-2017-8759, which Microsoft had patched only on September 12. As with the earlier RTF vulnerability (CVE-2017-0199), a user only has to open the malicious Office document to be compromised.
0×2 CVE-2017-8759 vulnerability analysis
CVE-2017-8759 is essentially a .NET Framework vulnerability that affects all mainstream .NET Framework versions:
Microsoft .NET Framework 4.6.2
Microsoft .NET Framework 4.6.1
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.7
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 2.0 SP2
……
The .NET Framework is installed by default on mainstream operating systems such as Windows 7 and Windows 10, and any software that uses SOAP services can trigger the vulnerability through the .NET Framework. The exploit can also be embedded in an Office document: the user only has to double-click to open the document, with no further interaction, for the vulnerability to trigger and arbitrary code to execute. The vulnerability is in the PrintClientProxy function in https://referencesource.microsoft.com/#System.Runtime.Remoting/metadata/wsdlparser.cs, which parses the WSDL file and formats the extracted information into .cs code. From wsdlparser.cs:
![](/Article/UploadPic/2017-9/201792123156489.png?www.myhack58.com)
Figure 1: wsdlparser.cs code snippet
The location attribute of soap:address specifies the SOAP URL. At lines 6142 and 6149, the WsdlParser.IsValidUrl() function is called to format the URL given in location:
![](/Article/UploadPic/2017-9/201792123156471.png?www.myhack58.com)
Figure 2: IsValidUrl function code snippet
This function is simple: it takes the parsed URL, prepends @" and appends ", and returns the result. For example, if the URL passed in is https://guanjia.qq.com, it returns @"https://guanjia.qq.com" to the caller. The three lines of code at lines 6148, 6149 and 6150 then format it into the following code:
// base.ConfigureProxy(this.GetType(), @"https://guanjia.qq.com");
A WSDL file can specify multiple locations. As the code above shows, only the first location is effective; from the second one on, the comment marker // is prepended, so the full URL of the location is written into the .cs code as a comment. A csc.exe process is then created to compile that code into a library with a name like http*****.dll, and this DLL is loaded into the Office process. Because the compiled .dll does not contain the commented-out URLs, under normal circumstances this causes no problem.
However, WsdlParser.IsValidUrl() does not account for the case where the string it is given contains a newline character. For example, the sample we captured specifies the location shown below:
![](/Article/UploadPic/2017-9/201792123156751.png?www.myhack58.com)
Figure 3: location code from the captured sample
After formatting by WsdlParser.IsValidUrl(), the following code is generated:
![](/Article/UploadPic/2017-9/201792123156206.png?www.myhack58.com)
Figure 4: code generated after IsValidUrl formatting
We can see that the comment marker // only comments out base.ConfigureProxy(this.GetType(), @";. Because of the newline, the next 4 lines of code are not commented out. That code is compiled into the final http*****.dll and executes once the Office process loads it.
The malicious sample is simply a specially constructed SOAP XML, as shown:
![](/Article/UploadPic/2017-9/201792123156630.png?www.myhack58.com)
Figure 5: the maliciously constructed SOAP XML code
The line System.Diagnostics.Process.Start(_url.Split('?')[1], _url.Split('?')[2]); then creates the mshta.exe process, which pulls the corresponding script and executes the malicious code.
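Added example (not code from the original article or from the .NET source): a simplified Python model of the comment-marker escape described in this section, next to an assumed hardened formatter and a raw-text check for line breaks in soap:address location values. All function names, the example.test URL and the INJECTED_STATEMENT placeholder are constructed for illustration.

```python
import re

# Simplified model of the generator the article describes (not the .NET source):
# the first location becomes live code, later ones are emitted behind "//".
def format_url_unsafe(url):
    return '@"' + url + '"'              # wraps the value, no newline check

def format_url_hardened(url):
    # Assumed mitigation for illustration, not Microsoft's actual patch.
    if re.search(r'[\x00-\x1f\x7f"]', url):
        raise ValueError("control character or quote in soap:address location")
    return '@"' + url + '"'

def emit_proxy_code(locations, fmt):
    lines = []
    for i, loc in enumerate(locations):
        prefix = "" if i == 0 else "//"
        lines.append(prefix + "base.ConfigureProxy(this.GetType(), " + fmt(loc) + ");")
    return "\n".join(lines)

def live_lines(source):
    """Generated lines that are not hidden behind a // comment marker."""
    return [l for l in source.splitlines() if l.strip() and not l.lstrip().startswith("//")]

# Scan raw text: a conforming XML parser normalises literal line breaks in
# attribute values to spaces, which would hide exactly what we look for.
ADDRESS_RE = re.compile(r'<(?:\w+:)?address\b[^>]*?\blocation\s*=\s*(["\'])(.*?)\1', re.S)
BREAK_RE = re.compile(r'[\r\n]|&#(?:x0*[aAdD]|0*1[03]);')

def suspicious_locations(wsdl_text):
    """Return location values that contain a raw or entity-encoded CR/LF."""
    return [m.group(2) for m in ADDRESS_RE.finditer(wsdl_text) if BREAK_RE.search(m.group(2))]

# Constructed sample: harmless placeholder statement instead of a payload.
SAMPLE_WSDL = '''<definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="Demo"><port name="p">
    <soap:address location="http://example.test/ok"/>
    <soap:address location=";
INJECTED_STATEMENT(); //"/>
  </port></service>
</definitions>'''

if __name__ == "__main__":
    locs = [m.group(2) for m in ADDRESS_RE.finditer(SAMPLE_WSDL)]
    print(emit_proxy_code(locs, format_url_unsafe))
    print("live:", live_lines(emit_proxy_code(locs, format_url_unsafe)))
    print("flagged:", suspicious_locations(SAMPLE_WSDL))
```

With the unsafe formatter the placeholder statement lands on its own uncommented line; the hardened formatter rejects the same input before any code is emitted.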
0×3 Sample analysis
The in-the-wild sample we captured spreads by email, and its main targets include people working in foreign trade. The attacker sends targeted phishing emails to the intended victims, attaching a crafted document named order.doc that exploits the vulnerability, and lures the recipient into opening it. Once the document is opened, the vulnerability is triggered and a remote-control Trojan is planted, leading to the leak of private information.
The sample's launch flow is as follows:
![](/Article/UploadPic/2017-9/201792123156892.png?www.myhack58.com)
Figure 6: sample launch chain
1. Document execution analysis:
When the document is opened, it pulls a db file from the server at https://endlesspaws[.]com/plas/word[.]db. The file embeds a VBScript script, which is parsed and executed by mshta.exe:
![](/Article/UploadPic/2017-9/201792123156288.png?www.myhack58.com)
Figure 7: embedded VBScript code
The script first cleans up the generated .cs source file and the compiled .pdb and .dll files, then downloads Trojan file a from the attacker-controlled remote server:
https://endlesspaws[.]com/plas/under[.]php?hhh=5
2. Analysis of virus a:
The sample is a downloader; it goes on to download virus file b from the server:
https://endlesspaws[.]com/plas/under[.]php?hhh=2
