OT: (Fwd) Evasion with OLE2 Fragmentation
Ian
cobalt-users1 at fishnet.co.uk
Mon May 18 12:22:43 IST 2009
Hi,
I saw this on the Security Focus PenTest list and thought it may be relevant here. It
describes a technique to evade Virus Scanners using MS Office Documents.
Regards
Ian
--
------- Forwarded message follows -------
Date sent: Fri, 15 May 2009 08:40:27 -0500
To: pen-test at securityfocus.com
Subject: Evasion with OLE2 Fragmentation
From: "H D Moore" <sflist at digitaloffense.net>
Date forwarded: Fri, 15 May 2009 21:37:44 -0600 (MDT)
Something to keep in mind when using Office doc exploits during
penetration tests:
-
http://www.breakingpointsystems.com/community/blog/evasion-with-ole2-fragmentation
(links active within in the article itself)
--
At BreakingPoint, we provide comprehensive coverage of Microsoft Tuesday
patches. This Tuesday was no different and we released StrikePacks 45799
and 45800 to cover MS09-017 (the PowerPoint vulnerabilities). In addition
to writing exploits for these flaws, we also research application-specific
evasion methods. In the case of file format flaws, we support evasion at
every level, including techniques like IP fragmentation, alternate MIME
encodings, HTTP compression, and data randomization within the files
themselves. While working on Strike coverage for MS09-017, we discovered a
simple way to bypass mainstream anti-virus and IPS signatures for
malicious Office documents. This post talks about the method we used and
some of our test results against popular anti-virus products.
Microsoft Office documents have been abused by security researchers and
malware writers for many years. In 1999, Melissa, one of the first email
viruses, used Visual Basic macros to send itself to all addresses in the
victim's address book. Since then, macro security has been greatly
improved, and attackers have moved on to exploiting parsing flaws in the
Office software itself. This month, Microsoft released patches to address
14 vulnerabilities in the PowerPoint document parsers. Unlike traditional
network attacks, file format flaws are notoriously difficult for IPS
vendors to identify accurately. To remedy this, the anti-virus industry
has added file format exploit detection into both desktop and network
gateway scanning products.
Office documents are some of the most convoluted file formats in
wide-spread use. The basic structure of these files is based on the
Compound Document Format (OLE2 Structured Storage). This format is
essentially a block-based filesystem with specific files and directories
for each type and version of Office document. The actual "file" entries
within these documents are also proprietary and change based on the
version and features of the Office software used to create them. In order
to detect a file format exploit, the parsing software needs to understand
OLE2, locate the correct entry containing the document contents, and parse
through that content to locate the specific structure that triggers the
exploit. This process is CPU intensive and requires the parsing software
to have a deep understanding of the version-specific Office document data
inside of the OLE2 container. Creating software to do this correctly is
expensive and time consuming, so the easy solution is to ignore the
document format entirely and just scan for exploit-specific signatures.
This is what most anti-virus and IPS products do today.
Just like most block-based filesystems, the OLE2 format is susceptible to
fragmentation. When the Office software wants to write data, it tries to
consume any available free blocks before allocating new ones. The OLE2
format has two different block tables; one for small entries (normally set
to be less than 4096 bytes), and another for larger contiguous segments.
Although fragmentation can occur during normal editing of an Office
document, it is rare for documents to be heavily fragmented.
It turns out that there is an excellent OLE library for Ruby, written by a
developer who goes by aquasync. This library makes it easy to create and
modify Compound Document files. With a little bit of scripting, we were
able to create a tool (available below) to force heavy fragmentation of
Office documents. Out first test of this tool used a Melissa variant as
the base document. Uploading the raw Melissa Word document to
VirusTotal.com resulted in 39 out of 40 AV products recognizing the
document as malicious. After running this file through the refragmenter
script, the results were only 10 out of 40. This is horrible coverage for
a file that had the exact same OLE2 contents as the original sample,
albeit in a different block order. Any product able to parse OLE2 streams
correctly should be able to identify this file just as accurately as the
non-fragmented version. Once we modifed the script to use 64 byte writes
instead of 512, we only see detection in 7 out of 40 products. Keep in
mind that this malware was originally released in 1999!
Melissa may not be the best choice for testing modern anti-virus
capabilities. Instead, lets look at a live sample of the Microsoft Word
exploit for CVE-2007-0515 (MS07-014). The original, unmodified version of
this document is detected by 25 out of 40 anti-virus products. Using the
refragmenter script with 64 byte writes, only 1 out of 40 products
detected the file as malicious, and this detection was for a different
vulnerability (MS06-060).
IPS and IDS developers have a great excuse for poor Office document
coverage - this type of analysis is difficult and processor intensive.
However, this is precisely the area where anti-virus products are supposed
to succeed. Its embarrassing that so many products fail to detect known
threats that have the exact same byte stream, just reordered using a
mechanism that occurs in real documents. In our testing, the only public
tool that can accurately identify fragmented Office documents is Office
Cat, written by Lurene Grenier of the Sourcefire VRT. This tool uses the
Windows OLE API to parse each stream, regardless of fragmentation, and
scans deep into the document format to detect individual exploits.
All BreakingPoint Strikes that target Office document flaws have been
updated to support the OLE::RefragmentData option, which performs an
operation similar to the refragmenter Ruby script below.
The refragmenter script can be downloaded from:
http://www.breakingpointsystems.com/community/files/refragmenter.rb
This script depends on the ruby-ole library, which can be found online at
http://code.google.com/p/ruby-ole/
For more information about Office document flaws and exploitation methods,
we recommend Bruce Dang's Black Hat USA 2008 presentation Methods for
Understanding Targeted Attacks with Office Documents
(http://www.blackhat.com/html/bh-usa-08/bh-usa-08-archive.html).
-HD
------- End of forwarded message -------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: WPM$33C5.PM$
Type: application/octet-stream
Size: 7013 bytes
Desc: Mail message body
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20090518/ca92612d/WPM33C5.obj
More information about the MailScanner
mailing list