rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

CVE-2017-0199 - exploit office with ole link object #8220

Closed nixawk closed 7 years ago

nixawk commented 7 years ago

The existence of the flaw was revealed by McAfee researchers on Friday, and confirmed by FireEye researchers on Saturday. The latter shared details about it with Microsoft weeks ago, and were waiting to publicly reveal the flaw once Microsoft pushed out a patch. The patch is still to be released.

“The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office,” McAfee researchers noted.

The flaw is exploited through a specially crafted Microsoft Word RTF (Rich Text Format) file, which contains an embedded OLE2link object. The object instructs Word to send an HTTP request to a remote server controlled by the attackers, to retrieve from it a malicious .hta file masquerading as an RTF file.

A .hta file is an executable, and in this case it loads and executes a malicious script that closes Word (i.e. the winword.exe process), downloads additional payloads, and starts Word again and shows a decoy document.

“Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft,” the researchers explained.

References

  1. https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
  2. https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
  3. https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/
  4. https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
  5. https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf
  6. https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
  7. https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100
  8. https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
  9. https://www.microsoft.com/en-us/download/details.aspx?id=7105
  10. https://www.microsoft.com/en-us/download/details.aspx?id=10725

nixawk commented 7 years ago

The PR is merged. Thanks everyone.

xiaovpn commented 7 years ago

Should it be IE 11 or 10? When I use IE 8 on Win7 SP1, it's not working, but after changing to IE 11, everything is OK.

snemes commented 7 years ago

It should be at least IE10, so IE11 should be fine too.

moaeddy commented 7 years ago

I do not get this, what does this exploit have to do with IE? I thought it self-executes with no dependency. If it has something to do with IE, I thought it should be HTA. Please correct me if I'm wrong.

etormadiv commented 7 years ago

So, one should update IE8 to IE10 or IE11 to make the exploit work? I spent one day trying to make it work under Windows 7 SP1 with IE8 (fresh installation), but it is not working: I just receive one GET request, but no second request for the payload is made (under Windows 7 SP1 with IE8).

void-in commented 7 years ago

@Atiyasharf Please use #metasploit on IRC or https://community.rapid7.com for support queries. Issue pages on GH are only for reporting bugs and feature requests.