Public exploit for CVE-2017-0199

There is a public exploit for CVE-2017-0199, a Microsoft Office vulnerability that should be prioritised for patching. An attacker can generate a crafted document with Metasploit and deliver it by email, or through a watering-hole attack, to infect a remote victim. This vulnerability was used to breach an email account of the Ministry of Foreign Affairs of the Turkish Republic of Northern Cyprus; the compromised account was then used to send a weaponized document to foreign affairs ministries in various countries around the world.

Vulnerability details: the Metasploit module creates a malicious RTF file that, when opened in a vulnerable version of Microsoft Word, leads to code execution. The flaw exists in how an OLE link object can make an HTTP(S) request and execute HTA code returned in the response. This bug was originally seen being exploited in the wild starting in October 2016, and the module was created by reversing a public malware sample. Microsoft issued a security patch in April 2017. Please check whether any of the affected products below exist in your environment and expedite patching this vulnerability as soon as possible. Note: for critical systems, test and validate the patch first; for non-critical systems, roll the patch out directly.

Affected Products:

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)

References:

  1. http://www.securityweek.com/iranian-copykittens-conduct-foreign-espionage
  2. https://www.rapid7.com/db/modules/exploit/windows/fileformat/office_word_hta
  3. https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
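For triage of inbound documents, the following added example (not part of the original advisory or of the Metasploit module) decodes the hex-encoded \objdata payload of every embedded object in an RTF file and reports whether the object is set to refresh itself when the file opens (\objautlink / \objupdate) and whether it carries the URL moniker CLSID or an HTTP(S) URL, which together are the signature of this exploit. The sample document it builds is constructed to carry only those indicators and is not a working exploit; the 192.0.2.10 address and "payload.hta" are placeholders.

```python
import re

# Little-endian encoding of the URL moniker CLSID
# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as it appears inside an OLE object
# stream; a link object carrying it resolves a remote URL when updated.
URL_MONIKER_CLSID_LE = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# Control words that make Word refresh the linked object when the file opens.
AUTO_UPDATE_WORDS = (b"\\objautlink", b"\\objupdate")

_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
_ASCII_URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
# Same thing in UTF-16LE, which is how monikers usually store the target.
_WIDE_URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def extract_objdata(rtf: bytes) -> list:
    """Decode the hex payload of every \\objdata group in the document."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue                 # not hex after all; skip the group
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Triage an RTF file for a CVE-2017-0199-style auto-updating OLE link."""
    auto_update = [w.decode() for w in AUTO_UPDATE_WORDS if w in rtf]
    url_moniker = False
    urls = []
    for blob in extract_objdata(rtf):
        if URL_MONIKER_CLSID_LE in blob:
            url_moniker = True
        urls += [u.decode("ascii") for u in _ASCII_URL_RE.findall(blob)]
        urls += [u.decode("utf-16-le") for u in _WIDE_URL_RE.findall(blob)]
    # An object that refreshes itself on open *and* points at a URL is the
    # exploit's signature; either half alone also occurs in benign documents.
    suspicious = bool(auto_update) and (url_moniker or bool(urls))
    return {
        "auto_update": auto_update,
        "url_moniker": url_moniker,
        "urls": urls,
        "verdict": "suspicious" if suspicious else "clean",
    }


def build_sample_rtf(url: str) -> bytes:
    """Constructed test input carrying only the indicators; not an exploit."""
    blob = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"OLE2Link" + b"\x00" * 8
            + URL_MONIKER_CLSID_LE + url.encode("utf-16-le") + b"\x00\x00")
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
            + blob.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_rtf("http://192.0.2.10/payload.hta")
    print(scan_rtf(data))
```

Run it against a mail-gateway quarantine or a folder of attachments; a "suspicious" verdict together with a URL ending in .hta is worth pulling the file for analysis and blocking the host at the proxy. The check is deliberately a heuristic: patched Office builds are the actual fix, and a link object that is not auto-updating is left as "clean" because static links to remote files are common in legitimate documents.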


0-Day Vulnerability for all Windows Versions and Antivirus

A newly published 0-day technique turns antivirus software into malware and allows an attacker to take full control of the victim's computer. The attack method is called DoubleAgent.

Windows has a feature called Microsoft Application Verifier, a runtime verification tool for native applications. It works by loading a "verifier provider" DLL into a target process at startup, based on a registry entry for that program under Image File Execution Options. The issue recently disclosed is that an attacker with administrative rights can register a custom verifier DLL for any application, including the antivirus engine itself, and thereby gain full control of the victim machine. Because the registry entry is honoured every time the process starts, the injected DLL is loaded again after every reboot, which gives the attacker persistence. Attackers can leverage this to turn an AV into malware by manipulating the AV's behaviour: taking over the machine, escalating privileges, modifying process behaviour, executing arbitrary code, and more.

All Windows versions are affected. At the time of writing this advisory, most antivirus vendors have not released a patch; Malwarebytes and AVG have. Trend Micro said it plans to push a patch in the coming weeks, while Symantec does not appear in the affected list. Since DoubleAgent has been published publicly and most vendors have not yet released a fix, the risk of such an attack is very high.

For more information, please refer to the following addresses:
https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/
https://github.com/Cybellum/DoubleAgent
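Until a vendor fix is in place, the persistence artefact described above can be hunted for directly. The following added example (not part of the original advisory or of the Cybellum tool) parses a regedit export of the Image File Execution Options keys and reports every program for which a VerifierDlls value names a DLL outside the stock Application Verifier provider set, rating it "high" when the GlobalFlag bit that enables the verifier (0x100) is also set. The sample export is constructed; "avengine.exe" and "agent.dll" are placeholder names, not a real product or implant, and the known-provider list is a partial one to extend for your environment.

```python
import re

# Bit in the IFEO "GlobalFlag" value that enables Application Verifier for the
# program (FLG_APPLICATION_VERIFIER). When it is set, ntdll loads the DLLs named
# in "VerifierDlls" into the process before any of the program's own code runs.
FLG_APPLICATION_VERIFIER = 0x100

# Provider DLLs that ship with Application Verifier itself (partial list; extend
# it for your environment). Any other name is a custom provider or an implant.
KNOWN_PROVIDERS = {"vrfcore.dll", "vfbasics.dll", "vfcompat.dll"}

IFEO_MARKER = "\\image file execution options\\"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export (decoded to str) into {key_path: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = _VALUE_RE.match(line)
        if vm is None or current is None:
            continue
        name, raw = vm.groups()
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes
        else:
            value = raw                                # hex(...) blobs: keep raw
        keys[current][name] = value
    return keys


def find_verifier_hijacks(reg_text: str) -> list:
    """List IFEO entries that would load a verifier provider DLL into a program."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if IFEO_MARKER not in key.lower():
            continue
        dlls = values.get("VerifierDlls")
        if not isinstance(dlls, str) or not dlls.split():
            continue
        flags = values.get("GlobalFlag", 0)
        active = isinstance(flags, int) and bool(flags & FLG_APPLICATION_VERIFIER)
        unknown = [d for d in dlls.split() if d.lower() not in KNOWN_PROVIDERS]
        if unknown and active:
            severity = "high"      # loads now, on every start of the program
        elif unknown:
            severity = "medium"    # staged: one GlobalFlag write from active
        else:
            severity = "info"      # stock Application Verifier, e.g. a dev box
        findings.append({
            "target": key.rsplit("\\", 1)[-1],
            "dlls": dlls.split(),
            "unknown_dlls": unknown,
            "active": active,
            "severity": severity,
        })
    return findings


# Constructed sample export. "avengine.exe" and "agent.dll" are placeholder
# names, not a real product or implant.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avengine.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="agent.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"VerifierDlls"="agent.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"Debugger"="C:\\tools\\windbg.exe"
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # regedit exports are UTF-16LE with a BOM; the utf-16 codec handles it.
        text = open(sys.argv[1], encoding="utf-16").read()
    else:
        text = SAMPLE_REG_EXPORT
    for f in find_verifier_hijacks(text):
        print(f"[{f['severity']}] {f['target']}: {f['dlls']} "
              f"(active={f['active']}, unknown={f['unknown_dlls']})")
```

Export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and the Wow6432Node copy on 64-bit hosts, which the same marker string matches) and feed the file to the script. A "medium" result is worth the same attention as a "high" one: the DLL is already registered and only the GlobalFlag bit is missing, so it is one registry write away from loading on the next start of the target, reboot included.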