OT: (Fwd) Evasion with OLE2 Fragmentation

Ian cobalt-users1 at fishnet.co.uk
Mon May 18 12:22:43 IST 2009


I saw this on the Security Focus PenTest list and thought it may be relevant here.  It 
describes a technique to evade Virus Scanners using MS Office Documents.



------- Forwarded message follows -------
Date sent:      	Fri, 15 May 2009 08:40:27 -0500
To:             	pen-test at securityfocus.com
Subject:        	Evasion with OLE2 Fragmentation
From:           	"H D Moore" <sflist at digitaloffense.net>
Date forwarded: 	Fri, 15 May 2009 21:37:44 -0600 (MDT)

Something to keep in mind when using Office doc exploits during  
penetration tests:

(links active within the article itself)


At BreakingPoint, we provide comprehensive coverage of Microsoft Tuesday  
patches. This Tuesday was no different and we released StrikePacks 45799  
and 45800 to cover MS09-017 (the PowerPoint vulnerabilities). In addition  
to writing exploits for these flaws, we also research application-specific  
evasion methods. In the case of file format flaws, we support evasion at  
every level, including techniques like IP fragmentation, alternate MIME  
encodings, HTTP compression, and data randomization within the files  
themselves. While working on Strike coverage for MS09-017, we discovered a  
simple way to bypass mainstream anti-virus and IPS signatures for  
malicious Office documents. This post talks about the method we used and  
some of our test results against popular anti-virus products.

Microsoft Office documents have been abused by security researchers and  
malware writers for many years. In 1999, Melissa, one of the first email  
viruses, used Visual Basic macros to send itself to all addresses in the  
victim's address book. Since then, macro security has been greatly  
improved, and attackers have moved on to exploiting parsing flaws in the  
Office software itself. This month, Microsoft released patches to address  
14 vulnerabilities in the PowerPoint document parsers. Unlike traditional  
network attacks, file format flaws are notoriously difficult for IPS  
vendors to identify accurately. To remedy this, the anti-virus industry  
has added file format exploit detection into both desktop and network  
gateway scanning products.

Office documents are some of the most convoluted file formats in  
wide-spread use. The basic structure of these files is based on the  
Compound Document Format (OLE2 Structured Storage). This format is  
essentially a block-based filesystem with specific files and directories  
for each type and version of Office document. The actual "file" entries  
within these documents are also proprietary and change based on the  
version and features of the Office software used to create them. In order  
to detect a file format exploit, the parsing software needs to understand  
OLE2, locate the correct entry containing the document contents, and parse  
through that content to locate the specific structure that triggers the  
exploit. This process is CPU intensive and requires the parsing software  
to have a deep understanding of the version-specific Office document data  
inside of the OLE2 container. Creating software to do this correctly is  
expensive and time consuming, so the easy solution is to ignore the  
document format entirely and just scan for exploit-specific signatures.  
This is what most anti-virus and IPS products do today.

Just like most block-based filesystems, the OLE2 format is susceptible to  
fragmentation. When the Office software wants to write data, it tries to  
consume any available free blocks before allocating new ones. The OLE2  
format has two different block tables; one for small entries (normally set  
to be less than 4096 bytes), and another for larger contiguous segments.  
Although fragmentation can occur during normal editing of an Office  
document, it is rare for documents to be heavily fragmented.

It turns out that there is an excellent OLE library for Ruby, written by a  
developer who goes by aquasync. This library makes it easy to create and  
modify Compound Document files. With a little bit of scripting, we were  
able to create a tool (available below) to force heavy fragmentation of  
Office documents. Our first test of this tool used a Melissa variant as  
the base document. Uploading the raw Melissa Word document to  
VirusTotal.com resulted in 39 out of 40 AV products recognizing the  
document as malicious. After running this file through the refragmenter  
script, the results were only 10 out of 40. This is horrible coverage for  
a file that had the exact same OLE2 contents as the original sample,  
albeit in a different block order. Any product able to parse OLE2 streams  
correctly should be able to identify this file just as accurately as the  
non-fragmented version. Once we modified the script to use 64 byte writes  
instead of 512, we only see detection in 7 out of 40 products. Keep in  
mind that this malware was originally released in 1999!

Melissa may not be the best choice for testing modern anti-virus  
capabilities. Instead, let's look at a live sample of the Microsoft Word  
exploit for CVE-2007-0515 (MS07-014). The original, unmodified version of  
this document is detected by 25 out of 40 anti-virus products. Using the  
refragmenter script with 64 byte writes, only 1 out of 40 products  
detected the file as malicious, and this detection was for a different  
vulnerability (MS06-060).

IPS and IDS developers have a great excuse for poor Office document  
coverage - this type of analysis is difficult and processor intensive.  
However, this is precisely the area where anti-virus products are supposed  
to succeed. It's embarrassing that so many products fail to detect known  
threats that have the exact same byte stream, just reordered using a  
mechanism that occurs in real documents. In our testing, the only public  
tool that can accurately identify fragmented Office documents is Office  
Cat, written by Lurene Grenier of the Sourcefire VRT. This tool uses the  
Windows OLE API to parse each stream, regardless of fragmentation, and  
scans deep into the document format to detect individual exploits.

All BreakingPoint Strikes that target Office document flaws have been  
updated to support the OLE::RefragmentData option, which performs an  
operation similar to the refragmenter Ruby script below.

The refragmenter script can be downloaded from:

This script depends on the ruby-ole library, which can be found online at  

For more information about Office document flaws and exploitation methods,  
we recommend Bruce Dang's Black Hat USA 2008 presentation Methods for  
Understanding Targeted Attacks with Office Documents  

------- End of forwarded message -------
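The mechanism the forwarded post describes, as an added example that is not part of the original message and not BreakingPoint's refragmenter (which used Ruby and the ruby-ole library): a minimal OLE2/CFB container builder and reader in Python. The same stream bytes are written twice, once with the sectors in logical order and once with the FAT chain pointing at a scrambled sector order. A scanner that greps the raw container finds the marker only in the contiguous file; a reader that walks the FAT and reassembles the stream finds it in both. The stream name `WordDocument`, the marker string, the filler and the permutation are constructed for the example, and the mini stream (used for streams under 4096 bytes) is not modelled, so the sample stream is kept above that cutoff.

```python
import struct

# Special FAT values from [MS-CFB]; anything below MAXREGSECT is a real sector number
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
SECTOR = 512
MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Constructed stand-in for the bytes a signature would match (not a real exploit record)
MARKER = b"<<CONSTRUCTED-EXPLOIT-MARKER>>"


def _dir_entry(name, obj_type, child, start, size):
    """One 128-byte directory entry; obj_type 5 = root storage, 2 = stream."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<64sHBBIII16sIQQIQ", raw, len(raw), obj_type, 1,
                       NOSTREAM, NOSTREAM, child, b"\x00" * 16, 0, 0, 0, start, size)


def build_cfb(stream_name, payload, order=None):
    """Minimal v3 compound file: sector 0 = directory, 1 = FAT, 2.. = stream data.

    order[pos] is the logical 512-byte chunk stored in physical sector 2 + pos. The FAT
    chain links the chunks back in logical order, so any permutation is a valid, merely
    fragmented, document whose stream contents are byte-for-byte identical.
    """
    assert len(payload) >= 0x1000, "smaller streams live in the mini stream (not modelled)"
    chunks = [payload[i:i + SECTOR].ljust(SECTOR, b"\x00") for i in range(0, len(payload), SECTOR)]
    order = list(range(len(chunks))) if order is None else order
    assert sorted(order) == list(range(len(chunks)))
    sector_of = {chunk: 2 + pos for pos, chunk in enumerate(order)}
    fat = [FREESECT] * (SECTOR // 4)
    fat[0], fat[1] = ENDOFCHAIN, FATSECT
    for i in range(len(chunks)):
        fat[sector_of[i]] = sector_of[i + 1] if i + 1 < len(chunks) else ENDOFCHAIN
    header = struct.pack("<8s16sHHHHH6sIIIIIIIII", MAGIC, b"\x00" * 16,
                         0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,  # versions, byte order, sector shifts
                         0, 1, 0, 0, 0x1000,                  # dir sectors, FAT sectors, first dir, txn, mini cutoff
                         ENDOFCHAIN, 0, ENDOFCHAIN, 0)        # no mini FAT, no extra DIFAT sectors
    header += struct.pack("<109I", 1, *([FREESECT] * 108))   # header DIFAT: the FAT is in sector 1
    directory = (_dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + _dir_entry(stream_name, 2, NOSTREAM, sector_of[0], len(payload))).ljust(SECTOR, b"\x00")
    return header + directory + struct.pack("<128I", *fat) + b"".join(chunks[c] for c in order)


def read_stream(blob, stream_name):
    """Reassemble a named stream by walking the FAT chain, whatever the physical order."""
    assert blob[:8] == MAGIC, "not a compound file"
    sector = 1 << struct.unpack_from("<H", blob, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", blob, 44)

    def sect(n):  # sector 0 starts right after the 512-byte header
        return blob[(n + 1) * sector:(n + 2) * sector]

    fat = []
    for s in struct.unpack_from("<109I", blob, 76)[:num_fat]:  # FAT sectors listed in the header DIFAT
        fat.extend(struct.unpack(f"<{sector // 4}I", sect(s)))

    def chain(s):
        seen = set()
        while s < MAXREGSECT:
            if s in seen or s >= len(fat):  # hostile input: FAT loop or out-of-range sector
                raise ValueError("malformed FAT chain")
            seen.add(s)
            yield s
            s = fat[s]

    directory = b"".join(sect(s) for s in chain(first_dir))
    for off in range(0, len(directory), 128):
        entry = directory[off:off + 128]
        name_len, obj_type = struct.unpack_from("<HB", entry, 64)
        name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
        if obj_type == 2 and name == stream_name:
            start, size = struct.unpack_from("<IQ", entry, 116)
            return b"".join(sect(s) for s in chain(start))[:size]
    raise KeyError(stream_name)


def naive_scan(blob):
    """Signature-only scanner: match against the container bytes without parsing OLE2."""
    return MARKER in blob


def parsing_scan(blob, stream_name="WordDocument"):
    """OLE2-aware scanner: reassemble the stream first, then match."""
    return MARKER in read_stream(blob, stream_name)


def sample_payload():
    """Constructed stream: filler with the marker straddling the first sector boundary."""
    payload = bytearray(b"A" * (9 * SECTOR))
    payload[500:500 + len(MARKER)] = MARKER
    return bytes(payload)


# Constructed permutation: chunks 0 and 1 end up in sectors 3 and 5, so the two halves
# of the marker are no longer adjacent anywhere in the file
FRAGMENTED_ORDER = [8, 0, 7, 1, 6, 2, 5, 3, 4]


def demo():
    """(naive, parsing) detection results for both physical layouts of the same stream."""
    contiguous = build_cfb("WordDocument", sample_payload())
    fragmented = build_cfb("WordDocument", sample_payload(), FRAGMENTED_ORDER)
    return {"contiguous": (naive_scan(contiguous), parsing_scan(contiguous)),
            "fragmented": (naive_scan(fragmented), parsing_scan(fragmented))}


if __name__ == "__main__":
    print(demo())  # {'contiguous': (True, True), 'fragmented': (False, True)}
```

The point of `chain()` is the check a detection engine needs once it does parse OLE2: a loop or out-of-range sector in the FAT is exactly the kind of input a hostile document will present, so the walk must terminate and fail closed rather than spin or index past the file. Real documents also place small streams in the 64-byte mini stream, which is why the post's 64-byte writes scatter the bytes even more finely than the 512-byte sectors modelled here.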