Wilders Security Forums  

#1
January 12th, 2009, 09:40 AM
aigle
Incredibly Massive Poster

Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,412
Interesting explorer crash exploit

I just found an interesting malicious doc file. Just seeing it in Explorer causes Explorer to crash.

I know of the ANI exploit but never heard of such an exploit via a doc file.

CFP and GW were not able to intercept this exploit.

Quote:
Kaspersky - Exploit.Win32.Agent.ah
McAfee - Exploit-ExplorerCrash.b!demo
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#2
January 13th, 2009, 03:04 AM
Rmus
Exploit Analyst

Join Date: Mar 2005
Posts: 3,624
Re: Interesting explorer crash exploit

From the file name, this seems to be a PoC demo from several years ago. These kinds of PoC files that crash applications are plentiful, and demonstrate that a particular vulnerability can execute code. An old one where a ZIP file crashes Win Explorer:

Quote:
Successfully tested on Microsoft Windows XP Pro SP3 English.
If you open with WinZip sometimes the exception doesn't occur.
Just right click the file and explorer will crash.
So it shouldn't be difficult to do that in a document. For a HIPS product to prevent the exploit would involve analyzing the code to see if any function is being altered by the code that could be intercepted.

While interesting to play with, not until a PoC becomes an exploit with a payload can we know what we need to protect against. For MSWord:

Responding to a file-parsing application attack
http://isc.sans.org/diary.html?storyid=3757

Quote:
There are two common scenarios of attack involving Word documents:
  • Documents that are in themselves not malicious but contain a malicious "embedded object". This attack methodology is commonly used in the IRS/BBB/DOJ Trojans that have been reported throughout 2007.

  • Documents crafted to exploit a file-parsing vulnerability in the application software. In this case, the document contains a crafted component which exploits a specific vulnerability, followed by shellcode which takes further action. It generally either downloads an external, second-stage payload, or executes an embedded Trojan binary. These attacks are sparingly used "in public", but are very common in closely targeted attacks.
http://www.technologynewsdaily.com/node/7312 (article no longer available)

Quote:
These emails had a Microsoft Word document attached which contained embedded executable code. When opened, the executable code would activate a trojan component that would then compromise the victim's computer.
Basic prevention, of course, begins with policies regarding email attachments.

Until the vulnerability is patched to prevent the code from executing, the payloads of these exploits, of course, are easy to block with many solutions:


----
rich
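The SANS diary quoted in the post above distinguishes documents that merely carry an embedded executable object from documents that exploit a parsing bug, and the post closes with attachment policy as the first line of prevention. As an added illustration (not code from the thread, the SANS diary or any product), here is a minimal attachment gate in that spirit: it allowlists extensions, checks that the content's signature agrees with the extension, and scans an OLE2 (.doc/.xls) container for the stream names and DOS-stub text that betray an embedded object or executable. The function names, the allowlist and all sample blobs are constructed for this example; the scan is a byte-level heuristic, not a full compound-file parser.

```python
import os

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # compound-file header (.doc/.xls)
DOS_STUB = b"This program cannot be run in DOS mode"  # text every MZ/PE binary carries

# Allowlisted extensions and the signature their content must start with
# (None = no fixed signature, e.g. plain text).
ALLOWED = {".doc": OLE2_MAGIC, ".xls": OLE2_MAGIC, ".pdf": b"%PDF-", ".txt": None}

# Directory-entry names that mark an embedded object inside a compound file.
# Stream names are stored as UTF-16LE, so the scan searches for that encoding.
EMBEDDED_STREAMS = ["Package", "\x01Ole10Native", "ObjectPool"]


def ole_embedded_markers(data: bytes) -> list:
    """Names of embedded-object markers present in an OLE2 blob (heuristic scan)."""
    found = [name.lstrip("\x01") for name in EMBEDDED_STREAMS
             if name.encode("utf-16-le") in data]
    if DOS_STUB in data:                             # an executable dropped in the container
        found.append("MZ executable")
    return found


def check_attachment(filename: str, data: bytes) -> tuple:
    """Return ('allow' | 'block', reason) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(b"MZ"):                       # executable under any name
        return "block", "content is an executable (MZ header)"
    if ext not in ALLOWED:
        return "block", "extension %s not on allowlist" % (ext or "(none)")
    magic = ALLOWED[ext]
    if magic and not data.startswith(magic):         # extension/content mismatch
        return "block", "content does not match %s signature" % ext
    if data.startswith(OLE2_MAGIC):
        markers = ole_embedded_markers(data)
        if markers:                                  # the "embedded object" scenario
            return "block", "embedded object: " + ", ".join(markers)
    return "allow", "ok"


# Constructed samples (not real files and not the PoC from the thread).
CLEAN_DOC = OLE2_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")
EMBEDDED_DOC = OLE2_MAGIC + b"\x00" * 64 + "Package".encode("utf-16-le") + DOS_STUB
RENAMED_EXE = b"MZ\x90\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("memo.doc", CLEAN_DOC), ("invoice.doc", EMBEDDED_DOC),
                       ("invoice.doc", RENAMED_EXE), ("setup.exe", RENAMED_EXE)]:
        print(name, *check_attachment(name, blob))
```

A crash-only PoC like the one in this thread carries no embedded object or executable, so a gate of this kind passes it; it stops the payload-bearing variants the diary describes, not the parsing bug itself.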
#3
January 13th, 2009, 03:20 AM
aigle
Incredibly Massive Poster

Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,412
Re: Interesting explorer crash exploit

Thanks a lot for the nice analysis.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#4
January 13th, 2009, 03:38 AM
PiCo
Frequent Poster

Join Date: Apr 2008
Location: Athens, Greece
Posts: 352
Re: Interesting explorer crash exploit

Have you tried, aigle, to view the file with a sandboxed Windows Explorer using Sandboxie?

It should be very interesting, because there is a minor issue concerning Sandboxie + Windows Explorer, which you can see here.
__________________
TuX Factory
#5
January 13th, 2009, 04:45 AM
aigle
Incredibly Massive Poster

Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,412
Re: Interesting explorer crash exploit

I doubt that any HIPS/sandbox will prevent an Explorer crash due to any exploit. But if there is a payload, sure it will be stopped, and that is all we need.

I am not using SBIE. If you like, PM me.

Thanks
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?