Vulnerability in Microsoft Word Could Allow Remote Code Execution (2953095)

Discussion in 'other security issues & news' started by ronjor, Mar 24, 2014.

Thread Status:
Not open for further replies.
  1. ronjor

  2. siljaline

  3. HandsOff

    Ronjor,

    Don't get me wrong. I love your posts, respect your knowledge, value the knowledge that you share, and dig your outfit.

    But I just can't resist saying I have not used Word in over nine years, and am continuously surprised that anyone does.

    I realize that there are surely business reasons to use it, but I, a mere mortal, use a free program that seems to do everything I need.

    And its name is even worse than "Word". It's called Textmaker!
     
  4. erim

    Would SRP (or another anti-exe) block this?

    Anyone have a sample RTF to try?
     
  5. Gullible Jones

    @HandsOff: I'll admit I've never heard of it. But sadly many businesses are stuck on MS Office right now.

    @erim: no, this is a memory corruption exploit, so SRP, etc. would not block it. They might block a payload delivered this way, but the exploit would not be affected.
     
  6. ronjor

    http://blogs.technet.com/b/srd/arch...ion-to-stay-protected-and-for-detections.aspx
     
  7. new2security

    Also if the exploit's goal is a privilege escalation plus delivering a payload/executable that has inherited the elevated rights, then SRP would not block it if the SRP settings allow admins to execute without restrictions.
     
  8. Robin A.

  9. erim

    Yeah, I meant the payload, assuming it's the only thing that does real damage.
    It seems that the exploit eventually tries to run a malicious file (named svchost.exe) and unless the originating process (Word?) has elevated rights SRP should stop that .exe from running. But correct me if I'm wrong.
     
  10. Gullible Jones

    Not necessarily a safe assumption. If the next stage is an exploit against a privileged service, instead of a payload, that will be a problem.

    The exploit doesn't depend on running a malicious file, though it may be used in the wild for that purpose. Blocking the payload is basically a stopgap measure.

    Edit: BTW, a general comment re anti-executables: blocking unknown binaries is IMHO *not* the best way to use HIPS/FW software. I did some (admittedly basic) testing of a bunch of security software several months ago, and what I found was that the best setups were the ones that used a HIPS/FW as a sandbox.

    e.g. take for instance Privatefirewall. Say you set it up as a pure executable blocker.

    Now you point it at your Metasploit server VM and see what happens. (And NB, Metasploit can be set up to do this automatically, and it is far less versatile than most bona fide crimeware.)

    - Metasploit compromises the browser with some exploit or other
    - It then runs through a bunch of privilege elevation exploits
    - If one of those works, it then tries to forcibly turn off every antivirus or firewall service it can find
    - Finally it executes the payload you set up once everything is disabled

    And the payload has a pretty high chance of eventually running, since only that last step requires any use of unknown binaries.

    Now say you set PF to silently deny the browser any use of system calls you don't want. Point the browser at your Metasploit server and:

    - The browser compromise may fail due to inadequate permissions
    - Privilege escalation exploits may fail due to the right system calls not being available, or permissions being inadequate

    That's not as good as having the vulnerability patched, but it's better than nothing.
     
    Last edited: Mar 25, 2014
  11. siljaline

    Microsoft's KB 2953095 Word security hole is part of ongoing embarrassment
    http://www.infoworld.com/t/microsof...ity-hole-part-of-ongoing-embarrassment-239026
     
  12. Mrkvonic

    And:

    "First, our tests showed that EMET default configuration can block the exploits seen in the wild. In this case, EMET’s mitigations such as “Mandatory ASLR” and anti-ROP features effectively stop the exploit. You can find more information about EMET at http://www.microsoft.com/emet. The exploit code seems to target Word 2010 and it deeply relies on the specific ASLR bypass mentioned. We were glad to see in our tests that this exploit fails (resulting in a crash) on machines running Word 2013, due to the ASLR enforcement introduced for this product."

    Mrk
     
  13. new2security

    Perhaps SRP could block the second stage in the exploit chain :

    Quote:
    "The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014. This means that even after a successful exploitation with reliable code execution, after this date the shellcode may decide to not drop the secondary backdoor payload and simply abort the execution. When the activation logic detects the correct condition to trigger, the exploit drops in the temporary folder a backdoor file named ‘svchost.exe’ and runs it. The dropped backdoor is a generic malware written in Visual Basic 6 which communicates over HTTPS and relies on execution of multiple windows scripts via WScript.Shell and it can install/run additional MSI components," the Microsoft researchers said. UNQUOTE

    -http://threatpost.com/word-zero-day-attacks-use-complex-chain-of-exploits/105002

    Edit: So, running EMET, SRP, plus disabling Wscript.exe will mitigate this exploit. I think.
     
  14. xxJackxx

    SRP will absolutely take care of that. One of the first rules I set up is to allow svchost.exe to run from System32 and SysWOW64. A disallowed path rule (with the path just being "svchost.exe") stops it from running from anywhere else. Set up the exclusions for the system directories first.
     
  15. Gullible Jones

    @xxJackxx: be warned that SRP works from userspace (IIRC it basically overrides the CreateProcess and CreateProcessEx functions). If a program in userspace is compromised in a way that allows tampering with its memory space (such as this memory corruption exploit), then those overrides can themselves be overridden, allowing the compromised program to spawn other programs as it normally might.

    This isn't common, but it's something to think about.

    OTOH, a HIPS would prevent the payload stage quite easily in that case.
     
  16. xxJackxx

    I agree, it would, and I recommend both.
     
  17. Gullible Jones

    I don't think I would; such a combination is unnecessarily redundant IMO.

    The only reason I could recommend SRP as a security measure, at all, is that it blocks programs without asking the user. (Better from a social engineering standpoint!)
     
  18. new2security

    Neat. I reckon it's for the potential case of a fake svchost.exe being dropped into privileged system folders such as Windows\temp, where your rules would hinder it from executing?
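An added worked model (not code from any poster in this thread) of how the svchost.exe rule set described in post 14 resolves under SRP's "most specific path rule wins" precedence, including the Windows\temp drop location asked about in post 18. The rule semantics, directory names and sample paths are assumptions made for the illustration; it models the rule logic only, not the user-mode enforcement caveat raised in post 15.

```python
# Added example: minimal model of SRP path-rule resolution for the thread's
# svchost.exe rule set. Assumes SRP semantics where, among all matching path
# rules, the most specific one decides, and a bare file-name rule matches
# that name in any directory. Paths below are constructed sample values.
from dataclasses import dataclass
import ntpath


@dataclass
class PathRule:
    path: str    # directory, full file path, or bare file name
    allow: bool  # True = Unrestricted, False = Disallowed


SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\SysWOW64"]

# Rule set from post 14: svchost.exe is allowed only from the two system
# directories (specific rules) and disallowed everywhere else (bare name).
RULES = [PathRule(ntpath.join(d, "svchost.exe"), True) for d in SYSTEM_DIRS]
RULES.append(PathRule("svchost.exe", False))


def _norm(p: str) -> str:
    # Case-insensitive, separator-normalised comparison like Windows does.
    return ntpath.normcase(ntpath.normpath(p))


def _matches(rule: PathRule, target: str) -> bool:
    r, t = _norm(rule.path), _norm(target)
    if "\\" not in r:                       # bare file name: any directory
        return ntpath.basename(t) == r
    return t == r or t.startswith(r.rstrip("\\") + "\\")


def _specificity(rule: PathRule) -> int:
    # Longer paths are more specific; a bare file name is least specific.
    return len(_norm(rule.path)) if "\\" in rule.path else 0


def is_allowed(target: str, rules=RULES, default_allow=True) -> bool:
    """Resolve an execution request: the most specific matching rule wins;
    with no match, the default security level applies (Unrestricted in a
    default SRP setup, hence default_allow=True)."""
    hits = [r for r in rules if _matches(r, target)]
    if not hits:
        return default_allow
    return max(hits, key=_specificity).allow


if __name__ == "__main__":
    for p in (r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\Temp\svchost.exe",                # post 18's case
              r"C:\Users\u\AppData\Local\Temp\svchost.exe"):
        print(p, "ALLOWED" if is_allowed(p) else "BLOCKED")
```

The two system-directory rules out-rank the bare-name rule wherever they match, so the order in which they are entered does not change the outcome, while any svchost.exe outside those directories, Windows\temp included, falls to the Disallowed rule.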
     
  19. 1PW

    Last edited: Mar 27, 2014
  20. ronjor

    .....
     
  21. siljaline

  22. G1111

    Decided to apply the MS fix as I am running MS Word 2013. Will you have to undo the fix prior to MS's 2nd Tuesday April update?
     
  23. siljaline

    You may undo the Fix It or patch over it as you wish. Why is this?
    Many did not undo MS Fix Its prior to "Patch Tuesdays". This posed a problem that Microsoft remedied internally some time ago.
     
  24. G1111

    Thanks siljaline, I'll probably apply the disable fix prior to the MS 2nd Tuesday April updates, but if I forget, good to know MS recognized this problem.
     
  25. HandsOff

    LOL! That's why I use it! No one has ever heard of it!
     