An Analyze Of CVE-2013-3906

江瑞敏

Outline

• Introduction• Background Knowledge– Docx Format– Tiff Format

• Exploit Analyze– ActiveX Heap Spray– Vulnerability Analyze

• Defense Recommendation• Reference

Introduction

CVE 2013 3906 Description

• The vulnerability allow remote attackers to execute arbitrary code via a crafted TIFF image.

Vulnerable Environment

• Office 2003• Office 2007• Windows XP• Windows Vista• Windows 7

Some Samples

Available in Metasploit

Background Knowledge

Microsoft Docx Format

• a zip archive• Many xml and resources inside• More Info check out the online

documentation

TIFF Format

• An Image Format• Can Contains Different Type of Image Inside It.

An Overview

Tag We Are Interested

• StripByteCounts• JPEGInterchangeFormat• JPEGInterchangeFormatLength

Exploit Analyze

An Overview

• 1. using activeX object to perform heap spray.• 2. the malicious image will cause an heap

overflow and hence overwrite an function pointer.

• 3. ogl.dll will call the function pointer and the instruction pointer will points to 0x08080808.

activeX objectactiveX object

activeX object

activeX object

activeX object

…..

Function pointer

activeX objectactiveX object

activeX object

activeX object

activeX object

…..

Malicious TIFF Image

Word Virtual Address

Some Code….…..

activeX objectactiveX object

activeX object

activeX object

activeX object

…..

Function pointer

activeX objectactiveX object

activeX object

activeX object

activeX object

…..

Malicious TIFF Image

Word Virtual Address

Some Code….…..

x

ActiveX Heap Spray

• New technique to perform an heap spray• No need to add other code to perform heap

spray, MS word will do it for you .• Each activex.bin contains multiple copy of

shellcode.• Depending on the samples, the shellcode may

different.

Vulnerability Analyze• The TIFF file inside the docx.• ogl.dll will parse the tiff file.

– A. get the JPEG content from JPEGInterchangeFormat Tag.– B. get the size of the JPEG from JPEGInterchangeFormatLength Tag.– C. calculate the total size from the StripByteCounts Tag.

TIFF HEADER

Strip Byte Counts

JPEG Image

IFD

Tag 1

Tag 0

Tag n

Tag 2

……

Basic Parsing Process

JPEG content

StripByteCounts Entry

Vulnerability Analyze• The TIFF file inside the docx.• ogl.dll will parse the tiff file.

– A. get the JPEG content from JPEGInterchangeFormat Tag.– B. get the size of the JPEG from JPEGInterchangeFormatLength Tag.– C. calculate the total size from the StripByteCounts Tag.– D. NTAllocateHeap() with the size calculated below:

StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2)+8

After Adding All The Entry

!!!!!

Vulnerability Analyze• The TIFF file inside the docx.• ogl.dll will parse the tiff file.

– A. get the JPEG content from JPEGInterchangeFormat Tag.– B. get the size of the JPEG from JPEGInterchangeFormatLength Tag.– C. calculate the total size from the StripByteCounts Tag.– D. NTAllocateHeap() with the size calculated below:

StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2)+8

– E. memcpy the JPEG image content to the new allocated memory address.

activeX objectactiveX object

activeX object

activeX object

activeX object

…..

Function pointer

activeX objectactiveX object

activeX object

activeX object

activeX object

…..

Word Virtual Address

Some Code….…..

Zero Size

TIFF HEADERStrip Byte

Counts

JPEG Image

IFD

memcpy

What Will Be Copied

activeX objectactiveX object

activeX object

activeX object

activeX object

…..

Function pointer

activeX objectactiveX object

activeX object

activeX object

activeX object

…..

Word Virtual Address

Some Code….…..

Zero Size

TIFF HEADERStrip Byte

Counts

JPEG Image

IFD

JPEG Image x

Vulnerability Analyze• The TIFF file inside the docx.• ogl.dll will parse the tiff file.

– A. get the JPEG content from JPEGInterchangeFormat Tag.– B. get the size of the JPEG from JPEGInterchangeFormatLength Tag.– C. calculate the total size from the StripByteCounts Tag.– D. NTAllocateHeap() with the size calculated below:

StripByteCounts_EntryValue + JPEG_size + (StripByteCounts_EntrySize*2)+8

– E. memcpy the JPEG image content to the new allocated memory address.

– F. OGL.DLL will call the function pointer somewhere in the code.

Defense Recommendation

• 1. Disable specific ActiveX control with Office kill bit[link]

• 2. Opening document in protected view only.[link]

• 3. Disable TiffCodecHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1

• 4. Write a script to scan.

Tool That I used

• Windbg• Xxd• Hachoir-urwid

Reference• http://

armorize-cht.blogspot.tw/2013/12/cve-2013-3906-apt-janicab-arx-arlab-operation-hangover-taidoor-winnti.html

• http://www.fileformat.info/format/tiff/egff.htm• http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3906• http://www.schemacentral.com/sc/ooxml/e-a_graphicData-1.html• http://officeopenxml.com/drwPic-nvPicPr.php• http://0xicf.wordpress.com/tag/cve-2013-3906/• http://www.exploit-db.com/exploits/30011/• http://

blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx

• http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html

• http://www.crowdstrike.com/blog/analysis-cve-2013-3906-exploit/