RTF file fuzz

1. RTF file fuzz —by Maldiohead
2. About me: • Security researcher @360 • Focus on: 1) Malware reverse analysis. 2) Windows kernel and Office vulnerability fuzzing and analysis (found an Office vulnerability, addressed by Microsoft as CVE-2016-7275). 3) Currently developing an emulator (runs Windows PE files, VBS and JS scripts).
3. Agenda: 1. RTF file format 2. RTF attack interface 3. An RTF fuzz tool written by me
4. RTF file format • An RTF file is just like a container (you can drop text, video, PDF, pictures etc. into it) with the help of OLE (which is one way to attack the system). • RTF has a huge set of keywords (another vulnerability interface). • RTF syntax is very loose (which leads to some security issues).
5. OLE object in RTF file: Keywords about OLE objects in an RTF file: • #PCDATA Text (without control words) • #SDATA Hexadecimal data • #BDATA Binary data
6. • <objdata> '{\*' \objdata (<objalias>? & <objsect>?) <data> '}' • \objdata This sub-destination contains the data for the object in the appropriate format; OLE objects are in OLE SaveToStream format. This is a destination control word. • \objalias This sub-destination contains the alias record of the publisher object for the Macintosh Edition Manager. This is a destination control word. • \objsect This sub-destination contains the section record of the publisher object for the Macintosh Edition Manager. This is a destination control word.
7. • OLE SaveToStream format:
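The stream an RTF \objdata destination carries is an OLE 1.0 object in the layout [MS-OLEDS] calls EmbeddedObject: an ObjectHeader (OLEVersion, FormatID, then the length-prefixed ClassName, TopicName and ItemName strings), a NativeDataSize and the native data. The ClassName is the ProgID Office resolves to a COM server, which is why this field matters for the OLE attack interface covered on the following slides. The script below is an added example, not code from the deck or the author's tool: it builds one such object, embeds it in a constructed minimal RTF file, then walks every \objdata destination in the file, decodes the hex and parses the header back out, rejecting a NativeDataSize that exceeds the bytes actually present. The sample document, the class name "Package" and the compound-file magic check are constructed for the illustration.

```python
"""Extract and parse embedded OLE objects from RTF \\objdata destinations (added example)."""
import re
import struct

FORMAT_LINKED = 0x00000001    # MS-OLEDS FormatID: linked object
FORMAT_EMBEDDED = 0x00000002  # MS-OLEDS FormatID: embedded object
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file signature


def lp_ansi(s: bytes) -> bytes:
    """LengthPrefixedAnsiString: 4-byte length (counting the NUL) + bytes + NUL; 0 if empty."""
    return struct.pack("<I", 0) if not s else struct.pack("<I", len(s) + 1) + s + b"\x00"


def read_lp_ansi(buf: bytes, off: int):
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if n == 0:
        return b"", off
    if off + n > len(buf):
        raise ValueError("truncated LengthPrefixedAnsiString")
    return buf[off:off + n].rstrip(b"\x00"), off + n


def build_objdata(class_name: bytes, native: bytes, version: int = 0x0501) -> bytes:
    """Serialize an MS-OLEDS EmbeddedObject: ObjectHeader, NativeDataSize, NativeData."""
    header = struct.pack("<II", version, FORMAT_EMBEDDED)
    header += lp_ansi(class_name) + lp_ansi(b"") + lp_ansi(b"")  # ClassName, TopicName, ItemName
    return header + struct.pack("<I", len(native)) + native


def parse_objdata(blob: bytes) -> dict:
    """Parse decoded \\objdata bytes; raises ValueError on a malformed header."""
    if len(blob) < 8:
        raise ValueError("objdata too short for an ObjectHeader")
    version, fmt = struct.unpack_from("<II", blob, 0)
    off = 8
    cls, off = read_lp_ansi(blob, off)
    topic, off = read_lp_ansi(blob, off)
    item, off = read_lp_ansi(blob, off)
    native = b""
    if fmt == FORMAT_EMBEDDED:
        (size,) = struct.unpack_from("<I", blob, off)
        off += 4
        native = blob[off:off + size]
        if len(native) != size:  # the size/length mismatch class a fuzzer looks for
            raise ValueError("NativeDataSize %d but only %d bytes present" % (size, len(native)))
    return {"version": version, "format_id": fmt, "class_name": cls,
            "topic": topic, "item": item, "native": native,
            "is_compound_file": native.startswith(CFB_MAGIC)}


def is_well_formed(blob: bytes) -> bool:
    """True if parse_objdata accepts the blob without error."""
    try:
        parse_objdata(blob)
        return True
    except (ValueError, struct.error):
        return False


def iter_objdata(rtf: bytes):
    """Yield the body of every \\objdata destination using a brace-balanced scan."""
    for m in re.finditer(rb"\\objdata\b", rtf):
        depth, i, start = 0, m.end(), m.end()
        while i < len(rtf):
            c = rtf[i]
            if c == 0x7B:            # '{'
                depth += 1
            elif c == 0x7D:          # '}'
                if depth == 0:
                    break
                depth -= 1
            i += 1
        yield rtf[start:i]


def extract_objects(rtf: bytes) -> list:
    """Return one parsed dict per \\objdata destination found in the RTF bytes."""
    out = []
    for body in iter_objdata(rtf):
        # Keep only hex digits: this tolerates the line wrapping Word emits but
        # would mis-read a nested \objalias/\objsect group (Macintosh-only, rare).
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        out.append(parse_objdata(bytes.fromhex(hexdata.decode("ascii"))))
    return out


# Constructed sample: a minimal RTF with one embedded "Package" object whose
# native data starts with a compound-file header, as a real Package object would.
SAMPLE_NATIVE = CFB_MAGIC + b"\x00" * 24
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
              + build_objdata(b"Package", SAMPLE_NATIVE).hex().encode()
              + b"\n}}\\par}")

if __name__ == "__main__":
    for obj in extract_objects(SAMPLE_RTF):
        print(obj["class_name"], hex(obj["format_id"]), len(obj["native"]), obj["is_compound_file"])
```

Run it against a real document by replacing SAMPLE_RTF with the file's bytes; the class name tells you which COM server Word will instantiate, and the native data is what that server gets handed.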
9. RTF attack interface • By OLE: 1) DLL preloading. Example: OLE loading (CVE-2015-2369 / CVE-2016-7275) • ProgID: WMDMCESP.WMDMCESP.1 • %systemroot%\System32\cewmdm.dll
11. • 2) Memory corruption • A DLL that is not properly initialized leads to memory corruption • E.g. CVE-2015-1770 • https://labs.mwrinfosecurity.com/assets/987/original/mwri_advisory_cve-2015-1770.pdf • ProgID: • osf.Sandbox.1 COM
12. 3) Type confusion • E.g. CVE-2014-1761 (a typical object confusion vulnerability) • \listoverridecountN may be 0, 1, or 9; in the exploit this value is 25
17. 29 = 0x1d. It matches: the object is exactly an lfolevel.
19. My fuzz tool and a vulnerability • 1. JSON file (contains RTF keywords) • 2. Python script that generates RTF files • 3. Monitor program
21. • Use the keywords to generate RTF files • Run the RTF file • Record exception logs
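The three steps above (keyword table in, generated RTF files out, run each one and log what went wrong) as one script. This is an added example written for this page, not the author's rtffuzz tool: the keyword table is a constructed fragment in the shape the deck describes, the mutation strategy is the obvious one given the \listoverridecount case on the earlier slide (in-spec values half the time, out-of-spec integers otherwise), and the monitor is a stand-in that launches a target executable (assumed to be WINWORD.EXE; its path is supplied on the command line) and records a nonzero exit or a hang, where the deck's own monitor program is not published.

```python
"""Keyword-driven RTF generator plus a minimal run-and-record loop (added example)."""
import json
import os
import random
import subprocess
import sys
import time

# Constructed keyword table in the shape the deck describes (a JSON file of RTF
# control words): word -> list of in-spec parameter values, or null for a word
# that takes no numeric parameter.  A real table would cover the whole RTF spec.
KEYWORDS_JSON = """
{
  "ansi": null, "deff": [0], "b": null, "par": null,
  "fs": [8, 24, 72], "cf": [0, 1],
  "listoverridecount": [0, 1, 9],
  "levelnfc": [0, 1, 2, 3, 4, 22, 23, 255]
}
"""

# Out-of-spec parameters to mutate in: the CVE-2014-1761 exploit used 25 for
# \listoverridecount where only 0, 1 or 9 are expected, so boundary and
# oversized integers are the interesting class of values.
MUTANT_VALUES = [-1, 2, 25, 0x7FFF, 0x7FFFFFFF, -0x80000000, 0xFFFFFFFF]


def load_keywords(text: str) -> dict:
    return json.loads(text)


def mutate_param(allowed, rng: random.Random) -> str:
    """Pick an in-spec value half the time and a mutant value otherwise."""
    if allowed is None:
        return ""
    pool = allowed if rng.random() < 0.5 else MUTANT_VALUES
    return str(rng.choice(pool))


def generate_rtf(keywords: dict, rng: random.Random, n_words: int = 40) -> str:
    """Build one RTF document from the keyword table.  The header and a
    list-override table are always present so Word reaches the parsers of
    interest; after that come random control words with mutated parameters."""
    parts = ["{\\rtf1\\ansi\\deff0",
             "{\\*\\listoverridetable{\\listoverride\\listid1\\listoverridecount%s\\ls1}}"
             % mutate_param(keywords["listoverridecount"], rng)]
    words = sorted(keywords)   # sorted so the same seed always gives the same file
    for _ in range(n_words):
        w = rng.choice(words)
        parts.append("\\%s%s " % (w, mutate_param(keywords[w], rng)))
    parts.append("text\\par}")
    return "".join(parts)


def is_balanced(doc: str) -> bool:
    """Word rejects unbalanced groups before parsing much else, so generated
    files keep their braces balanced (no escaped braces are emitted here)."""
    depth = 0
    for c in doc:
        depth += (c == "{") - (c == "}")
        if depth < 0:
            return False
    return depth == 0


def run_case(path: str, target: str, timeout: float = 20.0) -> dict:
    """Open one file in the target and record how the process ended.
    Assumption: `target` is the path to WINWORD.EXE; a nonzero exit or a hang
    is what gets logged.  A real harness would attach a debugger and capture
    the exception record instead of relying on the exit code."""
    start = time.time()
    proc = subprocess.Popen([target, path])
    try:
        status = "exit:%d" % proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        status = "timeout"
    return {"file": path, "status": status, "seconds": round(time.time() - start, 1)}


def fuzz(keywords: dict, out_dir: str, target: str, cases: int, seed: int = 0) -> int:
    """Generate `cases` files, run each, append anything abnormal to exceptions.log.
    Returns the number of abnormal runs; the offending files stay in out_dir."""
    rng = random.Random(seed)
    os.makedirs(out_dir, exist_ok=True)
    abnormal = 0
    with open(os.path.join(out_dir, "exceptions.log"), "a") as logf:
        for i in range(cases):
            path = os.path.join(out_dir, "case_%04d.rtf" % i)
            with open(path, "w", encoding="ascii") as f:
                f.write(generate_rtf(keywords, rng))
            result = run_case(path, target)
            if result["status"] != "exit:0":
                abnormal += 1
                logf.write(json.dumps(result) + "\n")
    return abnormal


if __name__ == "__main__":
    kw = load_keywords(KEYWORDS_JSON)
    if len(sys.argv) == 3:   # python rtf_fuzz.py <out_dir> <path\to\WINWORD.EXE>
        print("abnormal runs:", fuzz(kw, sys.argv[1], sys.argv[2], cases=100))
    else:
        print(generate_rtf(kw, random.Random(0)))
```

Because every file is derived from a seeded generator, a crash logged as case_0042.rtf can be regenerated from the seed and case index without keeping the whole corpus, which is what makes the exception log useful for triage.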
22. CVE-2016-7275: • When Microsoft Office initializes, it loads its default add-in components. Office 2007 registers a COM component, SYMINPUT.dll, whose registry key is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\OfficeSymbol.Connect12. • Office 2013 loads this component during its initialization phase, and when the document is closed, Office 2013 dynamically loads another DLL, mstr2tsc.dll. Because this DLL is not in the default path, after searching the current directory and system32 in turn, it tries the directory containing the document, which results in DLL hijacking. • Microsoft's fix for this vulnerability:
23. • RTF fuzz tool: • https://github.com/maldiohead/rtffuzz • More work remains to be done.