MS12-005 : embedded object package allows arbitrary code execution

MS12-005 is really fun.
See our video capture: http://t.co/g4BKbgGF

Update 2: MS12-005 is much more dangerous than I thought. It is very easy to exploit and 100% reliable, and no user interaction is required at all. An exploit is available: http://www.cc.gatech.edu/~blee303/exploit/ms12-005/MS12-005.ppsx . Download it and double-click the ppsx file (a PowerPoint presentation) and the embedded Python script is executed :) In this ppsx, custom animations are used to activate the embedded document (the Python script), so it is activated as soon as the document opens. No permission check is shown. Thanks to Yorick.

Update 1: See http://seclists.org/fulldisclosure/2012/Jan/164 for the attack vector. The author of that post seems to be the discoverer of MS12-005, and suggests using Office and .application files. You may want to check whether this also requires user interaction (like enabling the macro).

Before patch : packager.dll, 6.1.7600.16385 (win7_rtm.090713-1255)
After patch : packager.dll, 6.1.7601.17727 (win7sp1_gdr.111118-2330)

Here’s some background for MS12-005 (see http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/packager_what_is_obj_pkg.mspx?mfr=true). Object Packager can embed any file into another file, and this includes Office documents: simply drag and drop a file into an Office document and its icon is shown in the document. Double-clicking the icon executes the embedded file if it is executable. Of course packager.dll pops up a warning that says, in effect, “DON’T DO THIS, IT IS DANGEROUS” and requires confirmation from the user before anything runs.

The problem in MS12-005 lies in 1) how packager.dll identifies an executable file and 2) when it shows the warning message to the user.

1. How to identify the executable file
Before the patch, packager.dll identifies an executable by matching its extension against a fixed table (let’s call it execExtTable).

.text:02FA1D98 execExtTable dd offset a_exe ; DATA XREF: CPackage::_GetCurrentIcon(_IC *)+69o
.text:02FA1D98 ; CPackage::_GiveWarningMsg(HWND__ *)+5Eo
.text:02FA1D98 ; “.exe”
.text:02FA1D9C dd offset a_com ; “.com”
.text:02FA1DA0 dd offset a_bat ; “.bat”
.text:02FA1DA4 dd offset a_lnk ; “.lnk”
.text:02FA1DA8 dd offset a_cmd ; “.cmd”
.text:02FA1DAC dd offset a_pif ; “.pif”
.text:02FA1DB0 dd offset a_scr ; “.scr”
.text:02FA1DB4 dd offset a_js ; “.js”
.text:02FA1DB8 dd offset a_jse ; “.jse”
.text:02FA1DBC dd offset a_vbs ; “.vbs”
.text:02FA1DC0 dd offset a_vbe ; “.vbe”
.text:02FA1DC4 dd offset a_wsh ; “.wsh”
.text:02FA1DC8 dd offset a_sct ; “.sct”
.text:02FA1DCC dd offset a_vb ; “.vb”
.text:02FA1DD0 dd offset a_wsc ; “.wsc”
.text:02FA1DD4 dd offset a_wsf ; “.wsf”
.text:02FA1DD8 dd offset a_wmz ; “.wmz”

The check just loops through that table to see whether the embedded file’s extension matches one of the entries. This is done by calling the function IsProgIDInList; note the 11h (17) pushed as the table length, which matches the 17 entries listed above.

.text:02FA72F4 push 11h ; int
.text:02FA72F6 push offset execExtTable ; dangerousTable
.text:02FA72FB push esi ; pExtName
.text:02FA72FC push 0 ; int
.text:02FA72FE call ?IsProgIDInList@@YGHPBG0PBQBGI@Z ; IsProgIDInList(ushort const *,ushort const *,ushort const * const *,uint)

WHAT?? Only these extensions count as executables? There are a lot more executable extensions, as you may know. Which ones apply is system specific, depending on which execution handlers are installed (yes, this reminds me of an old Windows vulnerability), but .py and .pl should be popular enough. At this point I am sure other folks can come up with better attack vectors (.vsto could be one??).

MS12-005 patches this by calling AssocIsDangerous() to decide whether the extension is dangerous, instead of consulting the fixed table.

.text:02FA6A11 push eax
.text:02FA6A12 call ds:__imp__AssocIsDangerous@4 ; AssocIsDangerous(x)
.text:02FA6A18 test eax, eax
.text:02FA6A1A jnz short loc_2FA6A42

Try this with DarunGrim; it specifically shows that this block has changed :)

2. How to show the warning message
This is the simple part. Before the patch, packager.dll shows the warning message only if the file was identified as executable by the check above. See the function CPackage::_GiveWarningMsg(HWND hWnd): it loops over execExtTable again, and IT WON’T SHOW THE WARNING MESSAGE if the extension is not in execExtTable!!! So an embedded file whose extension is outside the table is handed to its handler with no warning at all.
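To make the two halves of the bug concrete, here is an added Python model of the pre-patch and post-patch packager.dll decisions (example code; not from the original post and not packager.dll’s own code). The 17-entry table is the one recovered from the unpatched DLL above; everything about the machine’s file associations (the ASSOC_* dictionaries and the list of code-executing ProgIDs) is constructed sample data for the model, and the fallback policy is a simplification, not a reproduction of what shlwapi!AssocIsDangerous actually consults. On Windows, assoc_is_dangerous() with no association table calls the real AssocIsDangerous(PCWSTR) through ctypes so the model can be compared against the real thing.

```python
import os
import sys
import ctypes

# execExtTable as recovered from the unpatched packager.dll.  The call site
# pushes 11h (17) as the table length, matching these 17 entries.
EXEC_EXT_TABLE = (
    ".exe", ".com", ".bat", ".lnk", ".cmd", ".pif", ".scr", ".js", ".jse",
    ".vbs", ".vbe", ".wsh", ".sct", ".vb", ".wsc", ".wsf", ".wmz",
)

# Constructed stand-in for HKCR (extension -> registered ProgID) on two
# hypothetical machines: a developer box with Python/Perl installed and a
# plain box without them.  Sample data, not read from any registry.
ASSOC_DEV_BOX = {
    ".exe": "exefile", ".bat": "batfile", ".txt": "txtfile",
    ".py": "Python.File", ".pl": "Perl",
}
ASSOC_PLAIN_BOX = {
    ".exe": "exefile", ".bat": "batfile", ".txt": "txtfile",
}

# ProgIDs whose "open" verb executes the file or feeds it to an interpreter.
# Hypothetical list used only by the fallback model below.
CODE_EXECUTING_PROGIDS = {"exefile", "batfile", "Python.File", "Perl"}


def extension_of(filename):
    """Lower-cased extension, so 'payload.EXE' and 'payload.exe' compare equal."""
    return os.path.splitext(filename)[1].lower()


def prepatch_is_executable(filename):
    """Pre-patch check: IsProgIDInList over the fixed 17-entry table only."""
    return extension_of(filename) in EXEC_EXT_TABLE


def assoc_is_dangerous(filename, assoc=None):
    """Association-aware check in the spirit of the patched code.

    With assoc=None on Windows this calls the real shlwapi!AssocIsDangerous
    on the extension.  Otherwise it uses the simplified model: the fixed table
    OR a registered ProgID that executes code on this machine.
    """
    ext = extension_of(filename)
    if assoc is None and sys.platform == "win32":
        fn = ctypes.windll.shlwapi.AssocIsDangerous
        fn.argtypes = [ctypes.c_wchar_p]
        fn.restype = ctypes.c_int
        return bool(fn(ext))
    if assoc is None:
        assoc = {}
    return ext in EXEC_EXT_TABLE or assoc.get(ext) in CODE_EXECUTING_PROGIDS


def activate_embedded(filename, is_dangerous, user_confirms):
    """Model of activating the packaged object (the double-click / animation).

    Returns (warned, executed).  The warning is shown only when the check
    says the file is dangerous; if no warning is shown, the embedded file is
    handed to its handler without asking the user at all.
    """
    if not is_dangerous(filename):
        return (False, True)
    return (True, user_confirms)


def compare(filename, assoc, user_confirms=False):
    """Side-by-side outcome for one embedded file on a machine with `assoc`."""
    return {
        "prepatch": activate_embedded(filename, prepatch_is_executable, user_confirms),
        "postpatch": activate_embedded(
            filename, lambda f: assoc_is_dangerous(f, assoc), user_confirms),
    }


if __name__ == "__main__":
    # A .py payload runs silently pre-patch on the dev box; post-patch it warns.
    for name in ("payload.EXE", "payload.py", "run.pl", "notes.txt"):
        print(name, "dev box:", compare(name, ASSOC_DEV_BOX),
              "plain box:", compare(name, ASSOC_PLAIN_BOX))
```

The interesting row is payload.py on the dev box: pre-patch it is neither warned about nor blocked, which is exactly the silent execution the post describes, while post-patch the warning appears and a declining user stops it. On the plain box the same .py is not dangerous under either policy because nothing registered will run it, which matches the observation in the comments that Python must be installed for the payload to fire.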

How to exploit
Our video capture on YouTube shows everything (http://t.co/g4BKbgGF). In short, we embedded a Python script into an Office document and wrote a macro that executes (double-clicks) the embedded script. After opening the document you have to confirm running the macro, and it then executes the Python script right away, with no warning from packager.dll.


15 Comments on “MS12-005 : embedded object package allows arbitrary code execution”

  1. [...] A discussion of the video can be found on the exploitshop pages. [...]

  2. John says:

    What’s the value if it requires a macro and user approval of the macro?

    • lifeasageek says:

      1. To execute the embedded executable in an Office document, a user may need to double-click the icon. We automated this double-click using the macro (this is not part of the vulnerability). The MS12-005 vulnerability is that Office doesn’t ask the user before executing the embedded file.

      2. Yeah… this seems not to be such a good attack vector. The MS12-005 discoverer (http://seclists.org/fulldisclosure/2012/Jan/164) suggested using Outlook and .application, but it still needs to be checked whether this also requires user interaction.

      • Yorick says:

        Actually, don’t use Outlook, use PowerPoint :-). Should work fine with Python scripts.

      • lifeasageek says:

        @Yorick Thanks for the heads up! You must be the MS12-005 guy :) Very impressive to find the ppsx attack vector. Awesome!!! :)

  3. tobi says:

    I like this blog.

  4. tobi says:

    I like this blog, because as an outsider I do not really have access to most exploit code and cannot study such things myself. It is interesting to hear about how typical exploits work.

  5. [...] Exploit Shop [...]

  6. [...] take advantage of this vulnerability easily, but from the experience that cases like MS12-005 give us, we know it can be a matter of hours, so don’t fall asleep and update your Yahoo! [...]

  7. jorge says:

    What exactly does the patch do? Does it add more file types to the check list?

    • lifeasageek says:

      1. The patched one calls AssocIsDangerous(), which may check all the registered executable handlers on the machine (I’m not sure about this; you need to check it).
      2. The patched one may always pop up the warning message when it executes the embedded file, so this would no longer depend on the file extension (you also need to check this).

  8. [...] MS12-005 : embedded object package allow arbitrary code execution – exploitshop.wordpress.com MS12-005 is much more dangerous than I thought. Very easy to exploit, and 100% reliable. Now no user interactions are required. Exploit is available. [...]

  9. Amuththa says:

    But the user has to have Python installed on the computer; otherwise it will ask to select an “Open with” option.

  10. Ali says:

    I used .HTA but it doesn’t work either.

