Interesting explorer crash exploit

Discussion in 'malware problems & news' started by aigle, Jan 12, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I just found an interesting malicious doc file. Just seeing it in Explorer causes Explorer to crash.

    I know of the ANI exploit but have never heard of such an exploit via a doc file.

    CFP and GW were not able to intercept this exploit.

  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From the file name, this seems to be a PoC, demo from several years ago. These kinds of PoC files that crash applications are plentiful, and demonstrate that a particular vulnerability can execute code. An old one where a ZIP file crashes Win Explorer:

    So it shouldn't be difficult to do that in a document. For a HIPS product to prevent the exploit would involve analyzing the code to see if any function is being altered by the code that could be intercepted.

    While interesting to play with, not until a PoC becomes an exploit with a payload can we know what we need to protect against. For MSWord:

    Responding to a file-parsing application attack
    http://isc.sans.org/diary.html?storyid=3757

    http://www.technologynewsdaily.com/node/7312 (article no longer available)

    Basic prevention, of course, begins with policies regarding email attachments.

    Until the vulnerability is patched to prevent the code from executing, the payloads of these exploits, of course, are easy to block with many solutions:


    ----
    rich
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks a lot for the nice analysis. :thumb: :thumb:
  4. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Have you tried, aigle, to view the file with a sandboxed Windows Explorer using Sandboxie?

    It should be very interesting, because there is a minor issue concerning Sandboxie + Windows Explorer, which you can see here.
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I doubt that any HIPS/sandbox will prevent an Explorer crash due to any exploit. But if there is a payload, sure, it will be stopped, and that is all we need.

    I am not using SBIE. If you like, PM me.

    Thanks