RTF Abuse - SecTor 2017 - Security Education (slide transcript)
Page 1
RTF Abuse: Exploitation, Evasion and Counter Measures
Devon Greene
Page 2
Member of Ixia’s Application and Threat Intelligence (ATI) Team
Focus on Malware Analysis, Exploit Development and Product Development.
<3 CTFTime.org & Vulnhub Challenges
Opinions are my own, not Ixia’s
\*\author
@DasMe_Devon
Page 3
Inspiration Slide
How I Met RTF
Working on a strike.
Created 6 new evasion profiles
… in Ruby (Not better than Python)
Page 4
Identify malicious RTF documents
Enhance detection capabilities
System hardening techniques
\*\blueTeamPoints
Blue Team Key Points
Page 5
Obfuscation Techniques
Vulnerability Discovery Approaches
Exploitation Techniques
\*\redTeamPoints
Red Team Key Points
Page 6
To Understand RTF…
You Must RTFM!
Page 7
\*\Features
Interesting Features
Ability to Query DBs / Flat Files
Hyperlinks
Object Linking and Embedding
Document Variables
Functions and Parameters (limited)
Features You Expect
Embedded Fonts
Pictures
Hex / Unicode Support
Much moar!
Page 8
\*\markupComparison
Hyper Text Markup Language (HTML)
Rich Text Format (RTF)
Page 9
\*\featureDemo1
Build an RTF doc from scratch
Use an RTF doc to perform a DB query
Quick look at built-in functions
Let’s Play
Page 10
Exploitation
Page 11
N-Day Vulnerabilities (Automagic)
Embedded Font Vulnerabilities
Insecure Library Loading Vulns
Packager Objects (CVE-Free)
\*\Exploitation
Attack Paths
Death From Above!
Page 12
\*\cveFish
CVE-2016-7193
Page 13
\*\fontemb
Historically Powerful
DuQu Malware leveraged 0-Day TTF Exploit (CVE-2011-3402)
Font engine lives in the Windows Kernel
Downside: bloats the file quite a bit.
Page 14
\*\insecureLibraryLoading
How It Works…
Page 15
\*\insecureLibraryLoading
Page 16
\*\noMacros
Page 17
\*\noMacros
Embed file in Word document
Save as RTF
Copy/Paste \pict object
Forging Images
Place any file you want in a user’s %temp% directory
Seriously… any file.
Email Providers Don’t Care
Interesting Packager Quirks
Page 18
Few Fun Techniques
Take advantage of %temp%
Take advantage of local env
Compatible with other doc types
\*\exploitDemo1
Embedded Objects
Page 19
Noted earlier, bypasses Packager Checks.
Warning: VM gonna go BOOM!
Note: this is a packaged font file, not an \embfont tag.
\*\exploitDemo2
Embedded Font File
Page 20
Vulnerability Discovery
Page 21
\*\fuzzing
Mutation Based
Generation Based
Researcher defines how the input should be formed.
Page 22
\*\fuzzingTips
Search for “MUST”
Page 23
\*\fuzzingDemo
Built a thorough data model of the RTF specification.
Distributed fuzzing amongst 6 machines
1 Cycle was approximately 2,189,235 fuzzing iterations
500+ crashes // 6 unique
Page 24
\*\foodForThought
Other Targets
Open Office
Corel Word Perfect
Text Wrangler
Cloud-based document services
MS Office on other Platforms
Page 25
Obfuscation Techniques
Page 26
\*\evasions
Jan.01 – Jun.30 Generation Based
725 .doc exts
100 .rtf exts
< 10 .docx exts
300 other exts

| Extension | MS Word 2010 | MS Word 2016 |
|-----------|--------------|--------------|
| DOC       | Y            | Y            |
| DOCHTML   | Y            | N            |
| DOT       | Y            | Y            |
| DOTHTML   | Y            | N            |
| WBK       | Y            | Y            |
| WIZ       | Y            | Y            |
Page 27
\*\evasions
Magic File Tampering
MS Word respects {\rt as a minimum magic file header.
MS Wordpad requires {\rtf#
Mixed Case
Utilized anywhere #PCDATA is defined.
Useful in bypassing static signatures
Page 28
\*\evasions
Encoding Contrast
URL Encoding: A = %41
Double URL Encoding: A = %2541
Unicode Escaping: A = 0x41 = \u0041
Hex Escaping: A = 0x41 = \'41
Page 29
\*\evasions
Page 30
\*\evasions
Bin Substitution
Syntax: \bin# <ASCII>
Works in MS Office Only
Does not work in MS Wordpad
Whitespace
Simple and Effective
Chunk up your payloads and other shady stuff
\r \n \t \s
Page 31
\*\evasions
Fictitious Control Words
Syntax: {\*\HELLO WORLD}
Detection Slayer
Double Edged Sword
Some AV heuristic checks will catch this.
\*\random
Page 32
\*\evasions
Page 33
\*\evasionDemo1
Bypassing RTFScan.exe
By applying evasion techniques, can we throw off RTFScan.exe’s analysis capabilities?
Page 34
\*\evasionDemo2
Bypassing AVs?
By applying evasion techniques, can we make a bad guy’s malicious document harder to detect?
Page 35
Counter Measures
Page 36
\*\ruleWritingTips7
Focus On
File extensions, e.g. .doc
Malformed file headers, e.g. {\rtvpn
Embedded objects, e.g. \objdata
Unknown RTF tags, e.g. \*\HaiMom
Special Cases
Non-required params, e.g. \objclass
Encoding techniques, e.g. \u0041
Mixed case, e.g. \objclass name
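The evasion slides (magic header tampering, mixed case, `\bin` substitution, whitespace chunking and fictitious control words) and the rule-writing tips above describe two sides of the same checks. The script below, added here as an example rather than code from the talk or from any of the tools it mentions, extracts those indicators from one RTF document: it verifies the `{\rtf1` header (Word opens anything starting with `{\rt`), strips `\binN` blocks before tokenising so that their raw bytes cannot hide or forge control words, separates mixed-case spellings of known words from unknown ones, counts `\objdata` (required for an embedded object) rather than the optional `\objclass`, counts hex and unicode escapes, and reads the `\*\generator` tag. The `KNOWN` control-word list and the sample document are constructed for the example.

```python
import re
from collections import Counter

# Control words a rule set should recognise. This is a small constructed subset of the
# RTF specification; a production rule would load the full list from the spec.
KNOWN = {
    "rtf", "ansi", "ansicpg", "deff", "fonttbl", "f", "fnil", "fcharset", "colortbl",
    "pard", "par", "plain", "b", "i", "fs", "u", "uc", "bin", "pict", "object", "objemb",
    "objdata", "objclass", "objw", "objh", "result", "generator", "fontemb", "fontfile",
    "info", "author", "tab", "line", "cf", "lang", "red", "green", "blue",
}

CTRL = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")          # one control word (+ optional parameter)
BIN = re.compile(rb"\\bin(\d+) ?")                     # \binN followed by N raw bytes
HEX_ESC = re.compile(rb"\\'[0-9A-Fa-f]{2}")            # \'hh
UNI_ESC = re.compile(rb"\\u-?\d+")                     # \uN
GENERATOR = re.compile(rb"\\\*\\generator ([^;}]+)")
OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)", re.IGNORECASE)


def strip_bin(data: bytes) -> tuple[bytes, int]:
    """Remove every \\binN block together with its N raw bytes.

    The raw bytes may themselves contain backslashes, so tokenising without this
    pass would yield bogus control words (or hide real ones)."""
    out, pos, count = [], 0, 0
    while True:
        m = BIN.search(data, pos)
        if m is None:
            out.append(data[pos:])
            return b"".join(out), count
        out.append(data[pos:m.start()])
        pos = m.end() + int(m.group(1))
        count += 1


def analyse_rtf(data: bytes) -> dict:
    """Extract the indicators from the rule-writing slide for one RTF document."""
    cleaned, bin_count = strip_bin(data)
    words = [m.group(1).decode("ascii") for m in CTRL.finditer(cleaned)]
    lower = Counter(w.lower() for w in words)
    gen = GENERATOR.search(cleaned)
    # Payloads are often chunked with whitespace; strip it before looking at the hex.
    payloads = [re.sub(rb"\s+", b"", m.group(1)) for m in OBJDATA.finditer(cleaned)]
    return {
        # Word opens anything that starts with "{\rt"; only "{\rtf1" is well formed.
        "header": data[:6].decode("latin-1"),
        "malformed_header": data[:6] != b"{\\rtf1",
        # Spec control words are lower-case; upper-case letters mean mixed case or a
        # fictitious word, both of which defeat a signature on the canonical spelling.
        "mixed_case_words": sorted({w for w in words if w != w.lower() and w.lower() in KNOWN}),
        "unknown_words": sorted({w for w in words if w.lower() not in KNOWN}),
        # \objdata is required for an embedded object; \objclass is optional, so a rule
        # keyed on it is trivially avoided (the slide's "non-required params" point).
        "objdata_count": lower["objdata"],
        "bin_count": bin_count,
        "hex_escapes": len(HEX_ESC.findall(cleaned)),
        "unicode_escapes": len(UNI_ESC.findall(cleaned)),
        "generator": gen.group(1).strip().decode("latin-1") if gen else None,
        "objdata_payload_prefixes": [p[:16].decode("ascii") for p in payloads],
    }


def triage(findings: dict) -> list[str]:
    """Turn the raw indicators into reasons an analyst (or a rule) can act on."""
    reasons = []
    if findings["malformed_header"]:
        reasons.append(f"malformed header {findings['header']!r}")
    if findings["unknown_words"]:
        reasons.append("unknown control words: " + ", ".join(findings["unknown_words"]))
    if findings["mixed_case_words"]:
        reasons.append("mixed-case control words: " + ", ".join(findings["mixed_case_words"]))
    if findings["objdata_count"]:
        reasons.append(f"{findings['objdata_count']} embedded object(s) via \\objdata")
    if findings["bin_count"]:
        reasons.append(f"{findings['bin_count']} \\bin block(s)")
    return reasons


# Constructed sample combining the slide's evasions; it contains no real payload.
SAMPLE = (
    b"{\\rtvpn\\ansi\\deff0"                        # shortened header: Word still opens it
    b"{\\fonttbl{\\f0\\fnil Calibri;}}"
    b"{\\*\\generator MsftEdit 5.41.21.2510;}"      # Wordpad-style generator tag
    b"{\\*\\HaiMom ignore this group}"              # fictitious control word
    b"\\pard\\bin3 \\ob"                            # \bin: 3 raw bytes containing a backslash
    b" Hel\\'6co w\\u0111?rld\\par"                 # hex and unicode escapes
    b"{\\object\\objemb{\\*\\ObjData\n01050000\n02000000\n}}"  # mixed case, chunked hex
    b"}"
)

if __name__ == "__main__":
    for reason in triage(analyse_rtf(SAMPLE)):
        print("-", reason)
```

Hex and unicode escapes are normal in benign documents with non-ASCII text, so their counts are reported for context rather than used as a triage reason on their own; the header, unknown or mixed-case words, `\objdata` and `\bin` are the indicators worth alerting on.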
Page 37
\*\ruleWritingTips1
Focus On
This… obvious... Tag…
Generator tag
\*\generator MsftEdit
Obvious is Obvious
Page 38
\*\systemHardening3
3 Tips
Set Office Killbit on the packager clsid
Update Executable Extensions
Change .rtf association back to Wordpad
DIY
Page 39
\*\analysisTools4
RTF Analysis Tools
Didier Stevens’ rtfdump
Decalage’s rtfobj
PhishMe psparser.py
RTFScan.exe
Fool Proof?
Page 40
\*\conclusionBlue
Recap
Update your magic file header for RTF
Scrutinize \*\generator tags
Focus on required parameters first
Lookout for .WIZ and .WBK!
Disable Packager Objects
Punch On!
Page 41
\*\conclusionRed
Recap
Take advantage of obfuscation techniques!
Trade warning signs by using packager objects.
Save as other doc-types when necessary!
Fuzz the hell out of RTF!
Ninja Alert
Page 42
Questions?