Interesting explorer crash exploit

I just fouind an interesting malicious doc file. Just seeing it in explorer causes the explorer to crash.

I know of ani exploit but never heard of such an explot via a doc file.

CFP and GW were not able to intercept this exploit.

 

From the file name, this seems to be a PoC, demo from several years ago. These kinds of PoC files that crash applications are plentiful, and demonstrate that a particular vulnerability can execute code. An old one where a ZIP file crashes Win Explorer:

So it shouldn't be difficult to do that in a document. For a HIPS product to prevent the exploit would involve analyzing the code to see if any function is being altered by the code that could be intercepted.

While interesting to play with, not until a PoC becomes an exploit with a payload can we know what we need to protect against. For MSWord:

Responding to a file-parsing application attack
http://isc.sans.org/diary.html?storyid=3757

http://www.technologynewsdaily.com/node/7312 (article no longer available)

Basic prevention, of course, begins with policies regarding email attachments.

Until the vulnerability is patched to prevent the code from executing, the payloads of these exploits, of course, are easy to block with many solutions:

​

----
rich

 

Thanks a lot for the nice analysis.

 

Have you tried aigle to view the file with sanboxed Windows Explorer using Sandboxie?

It should be very interesting, because there is a minor issue concerning Sandboxie + Windows Explorer, which you can see here.

 

I doubt that any HIPS/ Sandbox will prevent explorer crash due to any exploit. But if there is a pay load sure it will be stopped and that is all what we need.

I am not using SBIE. If u like, PM me.

Thanks