Tuesday, November 12, 2013

[updated: hitting Taiwan too] The recent fresh zero-day targeting Office .docx (CVE-2013-3906)

Watch out~ The recent document exploit CVE-2013-3906 is still a zero-day: it has been over a week and there is still no patch! So far, we have not witnessed any APT emails carrying this document exploit hitting Asia. However, we believe they are coming soon. [updated] Government agencies in Taiwan are starting to receive this document exploit, roughly a week after the security advisory. If you happen to spot any more suspicious ones, feel free to submit them to our online XecScan (http://scan.xecure-lab.com); it will digest this document exploit happily, as always.
[This is an advertisement] For our XecMail customers, no worries: this zero-day gets detected without any engine update. :)

Early this month, on Nov. 5th, Microsoft published Security Advisory (2896666), "Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution", and this affects even the latest Office 2007 SP3 and Office 2010 SP2. In this article, the McAfee Labs post "McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office" is mentioned, and they submitted probably the first sample to Microsoft.

Xecure Lab got this sample on Nov. 5th, and confirmed our current APT email security appliance (XecMail) can detect it as well.

FireEye also blogged a good analysis report of this document exploit on Nov. 6th.

Let us summarize the highlights of this exploit:
  1. The exploit was first used in an APT attack hitting India. Recipients of the document would also notice the photos of Indian women in it.
  2. The notorious crimeware/banking Trojan Citadel surprisingly included this exploit within such a short time frame.
  3. Before this exploit, many security experts thought docx was pretty safe: it's an XML format rather than the traditional OLE format, it's XML inside a zip-like compressed container, and even if there is a vulnerability, it's hard to build a working exploit, blah blah.
  4. The shellcode contains an anti-VM trick that detects API hooking, so it's not easy to detect with a traditional sandbox or virtual execution.
  5. Once again, the GDI+ module is to blame, and this time the TIFF tag 'StripByteCounts' gets exploited. The attacker came up with a new variant of heap spraying: ActiveX Object Spraying. Previously we have seen a similar trick using a SWF object, e.g. CVE-2012-5054, but that one did not become a hype. This time, the new trick opens a new era of document exploits for the docx, pptx and xlsx file types.
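A triage sketch for items 3 and 5 above, as an added example that is not Xecure Lab's code or XecScan's logic: it opens a .docx as a ZIP, counts ActiveX binary parts and checks that each embedded TIFF's StripByteCounts fit inside the file. `ACTIVEX_LIMIT`, the function names and the constructed sample are assumptions, and the size check is a generic well-formedness test, not a signature for CVE-2013-3906.

```python
import io, struct, zipfile

ACTIVEX_LIMIT = 20  # assumed triage threshold, not a figure from the post

def strip_byte_counts(tiff):
    """StripByteCounts values from the first IFD; None if the blob is not a TIFF."""
    order = {b"II*\x00": "<", b"MM\x00*": ">"}.get(tiff[:4])
    if order is None:
        return None
    (ifd,) = struct.unpack_from(order + "I", tiff, 4)
    (entries,) = struct.unpack_from(order + "H", tiff, ifd)
    for i in range(entries):
        pos = ifd + 2 + 12 * i
        tag, typ, count, value = struct.unpack_from(order + "HHII", tiff, pos)
        if tag == 279:  # StripByteCounts (0x0117)
            fmt, size = ("H", 2) if typ == 3 else ("I", 4)  # SHORT or LONG
            # Up to 4 bytes of values sit inline in the entry, else at an offset.
            start = pos + 8 if count * size <= 4 else value
            return list(struct.unpack_from(f"{order}{count}{fmt}", tiff, start))
    return []

def triage_docx(data):
    """Inspect a .docx (ZIP) held in memory without opening it in Office."""
    report = {"activex_parts": 0, "tiff": {}, "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.startswith("word/activex/") and low.endswith(".bin"):
                report["activex_parts"] += 1
            elif low.startswith("word/media/"):
                blob = z.read(name)
                try:
                    counts = strip_byte_counts(blob)
                except struct.error:  # truncated or nonsensical IFD
                    counts = [len(blob) + 1]
                if counts is not None:  # strip data must fit inside the file
                    fits = sum(counts) <= len(blob)
                    report["tiff"][name] = "ok" if fits else "inconsistent"
    report["suspicious"] = (report["activex_parts"] > ACTIVEX_LIMIT
                            or "inconsistent" in report["tiff"].values())
    return report

def constructed_sample(strip_bytes, activex=0):
    """Constructed input: one TIFF whose single strip claims strip_bytes bytes."""
    tiff = b"II*\x00" + struct.pack("<IHHHIII", 8, 1, 279, 4, 1, strip_bytes, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/media/image1.tiff", tiff)
        for i in range(activex):
            z.writestr(f"word/activeX/activeX{i}.bin", b"")
    return buf.getvalue()
```

For example, `triage_docx(constructed_sample(0xFFFFFFF0, activex=40))` is reported as suspicious on both counts, while `triage_docx(constructed_sample(4))` is not.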


The exploit is so cool, but the shellcode is so lame, not even encrypted...

Because of this document exploit, we now offer support for a new file format in our free online XecScan: it now also accepts docx (zip-like format).
A sample XecScan result of analyzing this document exploit is appended below for your information.

The screenshot below is for the one hitting the Taiwan government sector.

