An Analysis of CVE-2013-3906
江瑞敏
Outline
• Introduction
• Background Knowledge
  – Docx Format
  – TIFF Format
• Exploit Analysis
  – ActiveX Heap Spray
  – Vulnerability Analysis
• Defense Recommendation
• Reference
Introduction
CVE-2013-3906 Description
• The vulnerability allows remote attackers to execute arbitrary code via a crafted TIFF image.
Vulnerable Environment
• Office 2003
• Office 2007
• Windows XP
• Windows Vista
• Windows 7
Some Samples
Available in Metasploit
Background Knowledge
Microsoft Docx Format
• A zip archive.
• Many XML files and resources inside.
• For more information, check the online documentation.
TIFF Format
• An image format.
• Can contain different types of image inside it.
An Overview
Tags We Are Interested In
• StripByteCounts
• JPEGInterchangeFormat
• JPEGInterchangeFormatLength
Exploit Analysis
An Overview
• 1. An ActiveX object is used to perform the heap spray.
• 2. The malicious image causes a heap overflow and hence overwrites a function pointer.
• 3. ogl.dll calls the function pointer, and the instruction pointer then points to 0x08080808.
[Diagram: Word virtual address space. Sprayed ActiveX objects fill the memory above and below a function pointer; the malicious TIFF image and "some code" sit elsewhere in the address space.]
[Diagram: the same layout after the overflow; the function pointer is now overwritten (marked x).]
ActiveX Heap Spray
• A new technique to perform a heap spray.
• No need to add other code to perform the heap spray; MS Word will do it for you.
• Each activex.bin contains multiple copies of the shellcode.
• Depending on the sample, the shellcode may differ.
Vulnerability Analysis
• The TIFF file inside the docx.
• ogl.dll will parse the TIFF file:
  – A. get the JPEG content from the JPEGInterchangeFormat tag.
  – B. get the size of the JPEG from the JPEGInterchangeFormatLength tag.
  – C. calculate the total size from the StripByteCounts tag.
Basic Parsing Process
[Diagram: TIFF header → IFD (Tag 0, Tag 1, Tag 2, …, Tag n) → Strip Byte Counts → JPEG Image]
JPEG content
StripByteCounts Entry
After Adding All The Entries
• The total size computed from the StripByteCounts entries wraps around to zero (the "Zero Size" allocation in the diagrams that follow).
[Diagram: Word virtual address space with the sprayed ActiveX objects around the function pointer. ogl.dll allocates a zero-size buffer, then memcpy copies the JPEG image from the TIFF (header, Strip Byte Counts, IFD, JPEG Image) into it.]
What Will Be Copied
[Diagram: the copied JPEG image overruns the zero-size buffer and overwrites the function pointer (marked x).]
Vulnerability Analysis
• The TIFF file inside the docx.
• ogl.dll will parse the TIFF file:
  – A. get the JPEG content from the JPEGInterchangeFormat tag.
  – B. get the size of the JPEG from the JPEGInterchangeFormatLength tag.
  – C. calculate the total size from the StripByteCounts tag.
  – D. call NtAllocateHeap() with the size calculated as:
     StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2) + 8
  – E. memcpy the JPEG image content to the newly allocated memory address.
  – F. ogl.dll will call the function pointer somewhere in its code.
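As an added, defender-side example (not code from the deck), the following Python script is one way to implement the deck's recommendation to "write a script to scan": it parses the first IFD of a TIFF, recomputes the step D allocation size with the deck's formula in 32-bit arithmetic, and flags images where that size wraps. It assumes StripByteCounts_EntryValue means the sum of the StripByteCounts values and StripByteCounts_EntrySize the number of entries; the sample TIFF and docx are constructed inline.

```python
import struct
import zipfile

# TIFF 6.0 tag numbers for the three tags the deck discusses
STRIP_BYTE_COUNTS, JPEG_INTERCHANGE_FORMAT, JPEG_INTERCHANGE_FORMAT_LENGTH = 279, 513, 514
TYPE_FMT = {3: "H", 4: "I"}  # SHORT and LONG, the field types these tags use

def read_ifd0(data):
    """Parse the first IFD of a TIFF blob into {tag: [values]} (SHORT/LONG tags only)."""
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if order is None or struct.unpack(order + "H", data[2:4])[0] != 42:
        raise ValueError("not a TIFF header")
    ifd = struct.unpack(order + "I", data[4:8])[0]
    tags = {}
    for i in range(struct.unpack(order + "H", data[ifd:ifd + 2])[0]):
        entry = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", data[entry:entry + 8])
        if typ not in TYPE_FMT:
            continue
        fmt = order + TYPE_FMT[typ] * n
        size = struct.calcsize(fmt)
        # values sit inline in the 4-byte field when they fit, otherwise it holds an offset
        start = entry + 8 if size <= 4 else struct.unpack(order + "I", data[entry + 8:entry + 12])[0]
        tags[tag] = list(struct.unpack(fmt, data[start:start + size]))
    return tags

def alloc_size(tags):
    """Deck's step D formula in 32-bit arithmetic (assumed reading): (requested size, wrapped?)."""
    counts = tags.get(STRIP_BYTE_COUNTS, [])
    jpeg_len = tags.get(JPEG_INTERCHANGE_FORMAT_LENGTH, [0])[0]
    total = sum(counts) + jpeg_len + len(counts) * 2 + 8
    return total & 0xFFFFFFFF, total > 0xFFFFFFFF

def scan_docx(path_or_file):
    """Names of TIFF members inside a .docx (a zip) whose allocation size wraps."""
    hits = []
    with zipfile.ZipFile(path_or_file) as z:
        for name in z.namelist():
            blob = z.read(name)
            if blob[:4] in (b"II*\x00", b"MM\x00*") and alloc_size(read_ifd0(blob))[1]:
                hits.append(name)
    return hits

def build_tiff(strip_count, jpeg_len):
    """Constructed sample: minimal little-endian TIFF carrying only the three tags (one strip)."""
    entries = [(STRIP_BYTE_COUNTS, strip_count), (JPEG_INTERCHANGE_FORMAT, 50),  # JPEG would follow the IFD
               (JPEG_INTERCHANGE_FORMAT_LENGTH, jpeg_len)]
    ifd = struct.pack("<H", len(entries)) + b"".join(struct.pack("<HHII", t, 4, 1, v) for t, v in entries)
    return b"II*\x00" + struct.pack("<I", 8) + ifd + b"\x00\x00\x00\x00"
```

With a single StripByteCounts value of 0xFFFFFFF0 and a JPEG length of 6 the formula gives 0xFFFFFFF0 + 6 + 2 + 8 = 0x100000000, i.e. the "Zero Size" allocation the deck shows.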
Defense Recommendation
• 1. Disable the specific ActiveX control with the Office kill bit. [link]
• 2. Open documents in Protected View only. [link]
• 3. Disable the TIFF codec: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1
• 4. Write a script to scan.
Tools That I Used
• WinDbg
• xxd
• hachoir-urwid
Reference
• http://armorize-cht.blogspot.tw/2013/12/cve-2013-3906-apt-janicab-arx-arlab-operation-hangover-taidoor-winnti.html
• http://www.fileformat.info/format/tiff/egff.htm
• http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3906
• http://www.schemacentral.com/sc/ooxml/e-a_graphicData-1.html
• http://officeopenxml.com/drwPic-nvPicPr.php
• http://0xicf.wordpress.com/tag/cve-2013-3906/
• http://www.exploit-db.com/exploits/30011/
• http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx
• http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html
• http://www.crowdstrike.com/blog/analysis-cve-2013-3906-exploit/