An Analysis of CVE-2013-3906

Post on 25-Feb-2016



江瑞敏

Outline

• Introduction
• Background Knowledge
  – Docx Format
  – TIFF Format
• Exploit Analysis
  – ActiveX Heap Spray
  – Vulnerability Analysis
• Defense Recommendation
• Reference

Introduction

CVE-2013-3906 Description

• The vulnerability allows remote attackers to execute arbitrary code via a crafted TIFF image.

Vulnerable Environment

• Office 2003
• Office 2007
• Windows XP
• Windows Vista
• Windows 7

Some Samples

Available in Metasploit

Background Knowledge

Microsoft Docx Format

• A zip archive
• Many XML files and resources inside
• For more info, check out the online documentation

TIFF Format

• An image format
• Can contain different types of image inside it.

An Overview

Tags We Are Interested In

• StripByteCounts
• JPEGInterchangeFormat
• JPEGInterchangeFormatLength

Exploit Analysis

An Overview

• 1. Use an ActiveX object to perform a heap spray.
• 2. The malicious image causes a heap overflow and hence overwrites a function pointer.
• 3. ogl.dll calls the function pointer, and the instruction pointer then points to 0x08080808.

[Figure: Word's virtual address space filled with sprayed ActiveX objects, with a function pointer sitting among them; the malicious TIFF image and "some code" are shown alongside. The diagram appears on two slides, the second marking the overwritten location with an x.]

ActiveX Heap Spray

• A new technique to perform a heap spray.
• No need to add other code to perform the heap spray; MS Word will do it for you.
• Each activex.bin contains multiple copies of the shellcode.
• Depending on the sample, the shellcode may differ.

Vulnerability Analysis

• The TIFF file is inside the docx.
• ogl.dll will parse the TIFF file:
  – A. get the JPEG content from the JPEGInterchangeFormat tag.
  – B. get the size of the JPEG from the JPEGInterchangeFormatLength tag.
  – C. calculate the total size from the StripByteCounts tag.

[Figure: basic parsing process. The TIFF file is laid out as TIFF HEADER, Strip Byte Counts, JPEG Image and IFD (Tag 0, Tag 1, Tag 2 … Tag n); the parser reads the JPEG content and the StripByteCounts entry.]

  – D. NTAllocateHeap() with the size calculated below:

     StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2) + 8

     After adding all the entries, the computed size wraps around to zero!

  – E. memcpy the JPEG image content to the newly allocated memory address.

[Figure: after the size wraps (Zero Size), memcpy copies the JPEG image content from the TIFF (TIFF HEADER, Strip Byte Counts, JPEG Image, IFD) into the zero-size allocation inside Word's virtual address space, overrunning the sprayed ActiveX objects and reaching the function pointer. Labels: memcpy, What Will Be Copied, JPEG Image x.]

  – F. ogl.dll will call the function pointer somewhere in the code.

Defense Recommendation

• 1. Disable the specific ActiveX control with the Office kill bit [link]
• 2. Open documents in Protected View only [link]
• 3. Disable the TIFF codec: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1
• 4. Write a script to scan.
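As an added example (my own code, not from the slides or from ogl.dll), here is a small scanner that implements recommendation 4 and at the same time shows the arithmetic of step D of the vulnerability analysis. It walks the first IFD of a little-endian TIFF, pulls the three tags the slides care about, evaluates the slide's formula StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2) + 8 once in 32-bit arithmetic (where it wraps silently) and once in 64-bit arithmetic (where the wrap is visible), and flags the file when the two disagree. Assumptions: I read the slide's StripByteCounts_EntryValue as the inline value of a single-count StripByteCounts entry and StripByteCounts_EntrySize as that entry's count; multi-strip files and big-endian TIFFs are rejected rather than handled; the sample TIFF bytes are constructed inline, and the crafted sample's value is chosen so the 32-bit sum is exactly 0x100000000, i.e. a zero-size allocation. For a real docx you would unzip it first and run the scan over each image it contains.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TIFF tag numbers named on the slides (standard TIFF 6.0 values) */
#define TAG_STRIP_BYTE_COUNTS      0x0117
#define TAG_JPEG_INTERCHANGE       0x0201
#define TAG_JPEG_INTERCHANGE_LEN   0x0202
#define TYPE_SHORT 3
#define TYPE_LONG  4

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

typedef struct {
    int found_all;       /* all three tags present */
    uint32_t sbc_value;  /* StripByteCounts_EntryValue (slide's term, my interpretation: inline value) */
    uint32_t sbc_count;  /* StripByteCounts_EntrySize (slide's term, my interpretation: entry count) */
    uint32_t jpeg_len;   /* JPEGInterchangeFormatLength */
    uint32_t size32;     /* the slide's formula evaluated in 32-bit arithmetic */
    uint64_t size64;     /* the same formula without wraparound */
    int overflows;       /* 1 when size64 does not fit in 32 bits */
} tiff_report;

/* Walk the first IFD of a little-endian TIFF and evaluate the slide's size formula.
 * Returns 1 on success (report filled), 0 if the buffer is not a TIFF this toy handles. */
int scan_tiff(const uint8_t *buf, size_t len, tiff_report *r) {
    memset(r, 0, sizeof *r);
    if (len < 8 || buf[0] != 'I' || buf[1] != 'I' || rd16(buf + 2) != 42) return 0;
    uint32_t ifd = rd32(buf + 4);
    if (ifd > len || len - ifd < 2) return 0;
    uint16_t n = rd16(buf + ifd);
    if ((size_t)n * 12 > len - ifd - 2) return 0;      /* all entries must fit in the buffer */
    int seen = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        uint32_t count = rd32(e + 4);
        /* value field: a SHORT is stored inline in the low two bytes (little-endian) */
        uint32_t val = (type == TYPE_SHORT) ? rd16(e + 8) : rd32(e + 8);
        switch (tag) {
        case TAG_STRIP_BYTE_COUNTS:
            if (count != 1) return 0;  /* simplification: only the inline single-strip form */
            r->sbc_value = val; r->sbc_count = count; seen |= 1; break;
        case TAG_JPEG_INTERCHANGE:     seen |= 2; break;   /* offset of the JPEG data; not dereferenced here */
        case TAG_JPEG_INTERCHANGE_LEN: r->jpeg_len = val; seen |= 4; break;
        default: break;
        }
    }
    r->found_all = (seen == 7);
    /* Step D on the slides: StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2) + 8 */
    r->size32 = r->sbc_value + r->jpeg_len + r->sbc_count * 2u + 8u;           /* wraps silently */
    r->size64 = (uint64_t)r->sbc_value + r->jpeg_len + (uint64_t)r->sbc_count * 2 + 8;
    r->overflows = r->size64 > UINT32_MAX;                                       /* the check ogl.dll lacked */
    return 1;
}

/* Constructed sample: header, one IFD with the three tags, no pixel data. Returns the length. */
size_t build_sample(uint8_t *out, uint32_t sbc_value, uint32_t jpeg_len) {
    memset(out, 0, 50);
    out[0] = 'I'; out[1] = 'I'; wr16(out + 2, 42); wr32(out + 4, 8);   /* "II", 42, first IFD at offset 8 */
    wr16(out + 8, 3);                                                  /* three entries */
    static const uint16_t tags[3] = { TAG_STRIP_BYTE_COUNTS, TAG_JPEG_INTERCHANGE, TAG_JPEG_INTERCHANGE_LEN };
    uint32_t vals[3] = { sbc_value, 50, jpeg_len };                    /* JPEG data would start at offset 50 */
    for (int i = 0; i < 3; i++) {
        uint8_t *e = out + 10 + i * 12;
        wr16(e, tags[i]); wr16(e + 2, TYPE_LONG); wr32(e + 4, 1); wr32(e + 8, vals[i]);
    }
    wr32(out + 46, 0);                                                 /* no next IFD */
    return 50;
}

int main(void) {
    uint8_t buf[64];
    tiff_report r;
    /* benign: 0x100 + 0x100 + 1*2 + 8 = 0x20A, no wrap */
    size_t n = build_sample(buf, 0x100, 0x100);
    if (scan_tiff(buf, n, &r)) printf("benign : size32=0x%x overflow=%d\n", r.size32, r.overflows);
    /* crafted: 0xFFFFFEF6 + 0x100 + 2 + 8 = 0x100000000, so the 32-bit size is 0 */
    n = build_sample(buf, 0xFFFFFEF6u, 0x100);
    if (scan_tiff(buf, n, &r))
        printf("crafted: size32=0x%x size64=0x%llx overflow=%d\n",
               r.size32, (unsigned long long)r.size64, r.overflows);
    return 0;
}
```

The design point is the pair of computations: the 32-bit one mirrors what the parser does, the 64-bit one is the cheap check that turns a silent wrap into a detectable condition. A scanner only needs to flag `overflows`; a parser fix would refuse the allocation when it is set.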

Tools That I Used

• WinDbg
• xxd
• hachoir-urwid

Reference

• http://armorize-cht.blogspot.tw/2013/12/cve-2013-3906-apt-janicab-arx-arlab-operation-hangover-taidoor-winnti.html
• http://www.fileformat.info/format/tiff/egff.htm
• http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3906
• http://www.schemacentral.com/sc/ooxml/e-a_graphicData-1.html
• http://officeopenxml.com/drwPic-nvPicPr.php
• http://0xicf.wordpress.com/tag/cve-2013-3906/
• http://www.exploit-db.com/exploits/30011/
• http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx
• http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html
• http://www.crowdstrike.com/blog/analysis-cve-2013-3906-exploit/