Summary
The CVE-2014-4114 vulnerability is having its own five minutes of fame right now, mainly because it was used in the latest APT campaign against NATO, Poland and Ukraine (documented by iSight). This post describes the steps used to analyze the sample (without opening IDA Pro or windbg ;).
The vulnerability itself is nothing more than a design flaw that allows an attacker to embed a malicious OLE Package Shell Object, resulting in remote code download and execution. The vulnerable code is located in the CPackage::DoVerb function in packager.dll (more on this later).
File analysis
The analyzed sample (333.pps) is actually an OpenXML document. Wikipedia states that:
Office Open XML (also informally known as OOXML or OpenXML) is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations and word processing documents.
A dump of the file header confirms the file type (50 4b is the magic value for ZIP archives):
After unzipping the document, the following content can be found under the ppt/ directory:
Next, by opening ppt/slides/slide1.xml and analysing its content, it is possible to spot references to two OLE objects named Package Shell Object with r:id values rId4 and rId5:
To find out what these oleObjects refer to, look at another file, ppt/slides/_rels/slide1.xml.rels:
The referenced files reside in the embeddings/ directory:
A hexdump reveals interesting aspects of these two files:
In summary, a simple static analysis of the sample already provides a good amount of useful information about the location of the vulnerability and the remote endpoint.
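The manual walk-through above (ZIP magic check, slide XML, the slide's .rels part, the embeddings/ directory) can be automated for triage. The script below is an added example, not code from the original post; it runs against a constructed minimal presentation rather than the real 333.pps, and the function and part names are its own.

```python
import io, posixpath, zipfile
import xml.etree.ElementTree as ET

NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_OLE = NS_R + "/oleObject"


def find_ole_objects(data):
    """Every p:oleObj on every slide, resolved through the slide's .rels part to its embedded part."""
    if data[:2] != b"PK":  # 50 4b: the ZIP magic checked in the hexdump above
        raise ValueError("not an OOXML (ZIP) container")
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for slide in sorted(n for n in names if n.startswith("ppt/slides/") and n.endswith(".xml")):
            base = posixpath.dirname(slide)
            rels_part = posixpath.join(base, "_rels", posixpath.basename(slide) + ".rels")
            rels = {}
            if rels_part in names:  # rId -> Target, relative to the slide's directory
                for rel in ET.fromstring(z.read(rels_part)).iter("{%s}Relationship" % NS_REL):
                    rels[rel.get("Id")] = rel.get("Target")
            for ole in ET.fromstring(z.read(slide)).iter("{%s}oleObj" % NS_P):
                rid = ole.get("{%s}id" % NS_R)
                part = posixpath.normpath(posixpath.join(base, rels[rid])) if rid in rels else None
                size = z.getinfo(part).file_size if part in names else None
                hits.append({"slide": slide, "name": ole.get("name"), "rId": rid,
                             "part": part, "size": size})
    return hits


def build_sample():
    """Constructed minimal presentation (NOT the real 333.pps): two Package objects on slide 1."""
    slide = (f'<p:sld xmlns:p="{NS_P}" xmlns:r="{NS_R}"><p:cSld><p:spTree>'
             '<p:oleObj name="Package Shell Object" r:id="rId4"/>'
             '<p:oleObj name="Package Shell Object" r:id="rId5"/>'
             '</p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{NS_REL}">'
            f'<Relationship Id="rId4" Type="{REL_OLE}" Target="../embeddings/oleObject1.bin"/>'
            f'<Relationship Id="rId5" Type="{REL_OLE}" Target="../embeddings/oleObject2.bin"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/embeddings/oleObject1.bin", b"placeholder-1")   # stand-ins for the
        z.writestr("ppt/embeddings/oleObject2.bin", b"placeholder-22")  # real OLE packages
    return buf.getvalue()
```

Any hit whose name is Package Shell Object is worth pulling out of the archive and hexdumping, exactly as done manually above.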
A few words about embedding OLE objects
The question arises: how does one embed a Package Shell Object into an OpenXML document?
A Package Shell Object can be created by inserting an OLE object via the Insert->Object menu in PowerPoint and then selecting the Package object type:
It turns out that .INF files can be located on a remote UNC path and get executed by InfDefaultInstall.exe silently, without any UAC notification. Further analysis showed that other file types (e.g. .exe or .bat) produce an alert box.
In order to execute a malicious file from the remote server, the exploit needs to:
- copy the file from the remote location
- rename it to .exe and execute it using RunOnce
The slide1.inf file contains the core part of the exploit:
[RxRename] is used to rename the file and [RxStart] is used to add a new registry key (and execute slide1.gif.exe immediately).