Some Information on the SandWorm 0-Day Vulnerability
Author: Garett Montgomery
When preparing to write a Strike for a vulnerability, I like to look around on the Internet and see if there are any examples of the exploit. Usually I'm looking to make sure I've covered all the exploit vectors, but I also like to learn as much as I can about a vulnerability. With last week's Microsoft Patch Tuesday release for October, CVE-2014-4114 (MS14-060) got a lot of press, because quite a few sites picked up on the 0-day being used by the Sandworm malware (a variant of BlackEnergy). Typically you won't find much more than generic terms describing the vulnerability at a high level: enough to convince users of its seriousness, without providing enough detail to easily create an exploit for it. But in this case there was quite a lot of information available. One company claimed to have found the vulnerability (and responsibly reported it to Microsoft), and shortly thereafter another company claimed to have found it and reported it even earlier. Mainstream articles proliferated touting the use of a 0-day, mentioning that US institutions had been among those targeted. Exploit modules and PoCs (proofs of concept) were released, a screenshot of the patched function appeared on Twitter, and several low-level analyses of the exploit and vulnerability were published.
So for once there's quite a bit of useful technical information about a vulnerability, as well as examples of exploits. I thought I would summarize some of the more interesting details I found, and add commentary based on my own testing. At the end, I list the steps you can use to get started with your own testing.
- iSight appears to have been the first to release details of the vulnerability: http://www.isightpartners.com/2014/10/cve-2014-4114/. Unlike most vulnerabilities exploited by opening a malicious file, this one is in the operating system rather than in the application that opens the file: the vulnerable file, packager.dll, can be found under c:\Windows\System32\ on both Windows 7 and Windows 8 systems.
- NakedSecurity has a summary of the attack and vulnerability: http://nakedsecurity.sophos.com/2014/10/15/the-sandworm-malware-what-you-need-to-know/?utm_source=Naked%2520Security%2520-%2520Feed&utm_medium=feed&utm_content=rss2&utm_campaign=Feed&utm_reader=feedly.
- Zscaler has a graphical breakdown with annotations, as well as a copy of the .inf file used: http://research.zscaler.com/2014/10/analysis-of-sandworm-cve-2014-4124-0-day.html. The thing to note here is that renaming the .gif file is not required; an executable can be run directly from the .inf file.
- Haifei Li has posted a screenshot of the patched function as viewed in IDA Pro: https://twitter.com/HaifeiLi/status/522957372075962368.
- If you perform a binary diff of the patched file against the packager.dll included in MS12-005, you can see the differences yourself. The screenshot below was generated using DarunGrim 4.
- Trend Micro published an analysis of the vulnerability: http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/.
- A sample of the actual .ppsx file has been uploaded to BinVul: http://www.binvul.com/viewthread.php?tid=456&extra=&page=1. Download the file to a test system to follow along with the various analyses.
- Exploit-DB has released an exploit module for the vulnerability: http://www.exploit-db.com/exploits/35019. The author starts with a .ppsx template, adds embedded object files that point to an executable payload and an .inf file, zips everything up, and sends the file.
To create your own test setup:
1. Create an SMB share, accessible from your test system.
2. Create an executable file (you can just create a text document containing 'calc.exe' and save it with a '.cmd' extension).
3. Take the .inf file and replace slide1.gif with the name of your executable file.
4. Save the modified .inf file and your executable file to the SMB share.
5. Copy the .ppsx file, unzip it, and go to the 'ppt/embeddings/' directory.
6. Open each .bin file with a hex editor and replace the SMB path with the appropriate SMB path of your replacement file.
7. Zip the changed files up and change the extension to .ppsx.
8. Open the .ppsx file with Microsoft PowerPoint on an unpatched, supported Windows operating system (more recent than XP).
9. Calculator pops up when the slideshow is initiated.
10. Try saving the .ppsx file in other formats to see the resulting output, as well as to test your Network Protection Device.
Some highlights from my testing that I didn't find mentioned anywhere else:
- The file rename action is not required. I expected that only certain file formats or extensions could be downloaded and executed, but if you set up your own testing environment you'll find that you do not need to change the file extension; you can directly execute your target executable file.
- The .inf file can be used to execute commands directly; downloading an .exe is not required. You can execute whatever command you choose (try replacing %1%\slide1.gif.exe with calc.exe).
- Because most Office file formats are zip archives, any change to any file inside the archive alters the zip file as a whole, so static strings won't be of much use in detecting an exploit for this vulnerability. Every file that embeds OLE objects will need to be decompressed and searched for embedded objects. Devices that only inspect bytes on the wire will have a hard time with this.
- Using PowerPoint 2007 the .ppsx file could be saved in 27 different formats.
- When saved as a PowerPoint XML Presentation (.xml), the file was a single XML document, with the embedded objects' contents base64 encoded inside the XML. This will likely require different detection methods.
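As an added illustration (not code from the original post or from Ixia), here is the host-side check the last three points imply: unzip the OOXML package and scan each ppt/embeddings/ part for a UNC path in raw or UTF-16LE form, and for the single-file XML save, base64-decode the binary text nodes before scanning. The sample documents, the 192.0.2.10 share and the flat-OPC element names in sample_xml are constructed assumptions.

```python
import base64
import io
import re
import zipfile

# UNC paths (\\host\share\...) as raw ASCII or as UTF-16LE, the encoding Windows
# uses for the packager's embedded file path inside the .bin parts.
UNC_ASCII = re.compile(rb"\\\\[\w.-]+\\[^\x00\r\n\"<]{1,200}")
UNC_UTF16 = re.compile(rb"\\\x00\\\x00(?:[\w.-]\x00)+\\\x00(?:[^\x00]\x00){1,200}")

def unc_paths(blob):
    """Return every UNC path found in raw bytes, decoding UTF-16LE hits."""
    paths = [m.group(0).decode("latin-1") for m in UNC_ASCII.finditer(blob)]
    paths += [m.group(0).decode("utf-16-le") for m in UNC_UTF16.finditer(blob)]
    return paths

def scan_ppsx(data):
    """Unzip an OOXML presentation and scan each ppt/embeddings/ part."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("ppt/embeddings/"):
                found = unc_paths(z.read(name))
                if found:
                    hits[name] = found
    return hits

def scan_xml_presentation(data):
    """Single-file XML save: binary parts are base64 text nodes, so decode then scan."""
    hits = {}
    for i, m in enumerate(re.finditer(rb">([A-Za-z0-9+/=\r\n]{40,})<", data)):
        try:
            found = unc_paths(base64.b64decode(m.group(1), validate=False))
        except ValueError:  # a long run of letters that was not really base64
            continue
        if found:
            hits["binpart%d" % i] = found
    return hits

# Constructed samples, not real exploit documents: one embedding part carrying a
# UTF-16LE UNC path, packaged as a zip and as a base64 text node (flat OPC names assumed).
SAMPLE_BIN = b"\x00" * 16 + "\\\\192.0.2.10\\share\\slide1.inf".encode("utf-16-le") + b"\x00\x00"

def sample_ppsx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/embeddings/oleObject1.bin", SAMPLE_BIN)
    return buf.getvalue()

def sample_xml():
    return (b'<pkg:package><pkg:part pkg:name="/ppt/embeddings/oleObject1.bin"><pkg:binaryData>'
            + base64.b64encode(SAMPLE_BIN) + b"</pkg:binaryData></pkg:part></pkg:package>")
```

Run scan_ppsx on a real .ppsx read from disk, or scan_xml_presentation on the .xml save, and treat any UNC hit in an embedded object as worth a closer look.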
Leverage Subscription Service to Stay Ahead of Attacks
- The Ixia BreakingPoint Application and Threat Intelligence (ATI) program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.