An Analysis of Windows Zero-day Vulnerability ‘CVE-2014-4114’ aka “Sandworm”

Prior to the release of Microsoft’s monthly Patch Tuesday, iSight reported a new zero-day exploiting the Windows vulnerability covered in CVE-2014-4114. The vulnerability affects desktop and server versions of Windows from Vista and Server 2008 to current versions. It was believed to be associated with cyber attacks related to NATO by a Russian cyber espionage group.

Based on our analysis, the vulnerability exists in PACKAGER.DLL, which is a part of the Windows Object Linking and Embedding (OLE) property. By using a crafted PowerPoint document, an .INF file in an embedded OLE object can be copied from a remote SMB share folder and installed on the system. Attackers can exploit this logic defect to execute other malware, downloaded via the same means.

The severity of the vulnerability is highly critical because it is fairly simple to exploit. Since it is a logic defect, attackers do not need to create shellcode or use Return Oriented Programming (ROP), a method to bypass DEP protection. DEP prevents the execution of code (including malicious shellcode) from certain non-executable regions of computer memory. If attackers know the format, they can craft a PowerPoint exploit directly. Furthermore, since the exploit involves no heap spray, ROP, or shellcode, most heuristic detection methods would have difficulty detecting it.

The original logic includes two potentially risky behaviors that happen without the user’s knowledge or consent, and which should be carefully designed:

  1. Copy file from remote shared folder
  2. Install downloaded .INF file

We analyzed the PPSX sample (MD5 hash: 330e8d23ab82e8a0ca6d166755408eb1) to investigate how this happens. We unzipped the .PPSX file to see the content files of this PPT exploit, as seen below:

Figure 1. Folder structure of PPSX file

The following is the content of oleObject1.bin and oleObject2.bin. It indicates that these OLE objects reside in a remote shared folder.

Figures 2-3. Content of oleObject1.bin and oleObject2.bin

In slide1.xml, we can see that it refers to two Packager Shell Objects, “rId4” and “rId5.”

Figure 4. Content of slide1.xml (part 1)

In slide1.xml.rels, “rId4” and “rId5” are defined as the two OLE objects above.

Figure 5. Content of slide1.xml.rels

When slide1 is opened, the files “slide1.gif” and “slides.inf” are copied to the local system by packager.dll. slide1.xml also describes some actions, one with the value “-3” and another with “3”. These two actions are called when loading the two OLE objects. This routine is seen in the packager!CPackage::DoVerb() function.

Figure 6. Content of slide1.xml (part 2)

In the case of slide1.gif, if the parameter is “-3”, the function does nothing. However, if “slides.inf” is loaded and the parameter is “3”, it installs the .INF file. The screenshot below shows the call stack when InfDefaultInstall.exe is executed:

Figure 7. Call stack of INF installation

After that, the INF renames slide1.gif to slide1.gif.exe and adds a registry RunOnce value for it. This is done so that the Trojan is executed automatically at the next system boot.
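The walkthrough above shows that the embedded OLE objects in the package point at files on a remote share, one of them an .INF file. The following triage check is an added example, not code from the original post or from Trend Micro: it lists UNC paths found in `ppt/embeddings/*.bin` members of a PPSX/PPTX package and marks .INF targets. The function names, the share address (documentation range) and the test package are constructed for illustration.

```python
import io
import re
import zipfile

ASCII_STR = re.compile(rb"[\x20-\x7e]{6,}")           # printable ASCII runs
WIDE_STR = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # same text stored as UTF-16LE
UNC = re.compile(r'\\\\[\w.-]+\\[^\s"<>|]+')          # \\host\share\file

def printable_strings(data):
    """Yield printable strings from a binary blob, ASCII and UTF-16LE."""
    for m in ASCII_STR.finditer(data):
        yield m.group().decode("ascii")
    for m in WIDE_STR.finditer(data):
        yield m.group().decode("utf-16-le")

def find_remote_ole_refs(ppsx_bytes):
    """Return (member, unc_path, is_inf) for each embedded OLE object
    in the package that references a file on a UNC share."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as pkg:
        for name in sorted(pkg.namelist()):
            if not re.fullmatch(r"ppt/embeddings/[^/]+\.bin", name, re.I):
                continue
            for text in printable_strings(pkg.read(name)):
                m = UNC.search(text)
                if m:
                    path = m.group()
                    hits.append((name, path, path.lower().endswith(".inf")))
    return hits

def build_constructed_sample():
    """Constructed test package: string-only stand-ins, not valid OLE objects."""
    share = "\\\\198.51.100.7\\public\\"               # documentation-range address
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("ppt/slides/slide1.xml", "<sld/>")
        pkg.writestr("ppt/embeddings/oleObject1.bin",
                     b"\x02\x00" + (share + "slide1.gif").encode("ascii") + b"\x00")
        pkg.writestr("ppt/embeddings/oleObject2.bin",
                     b"\x02\x00" + (share + "slides.inf").encode("utf-16-le"))
        pkg.writestr("ppt/embeddings/oleObject3.bin", b"C:\\Users\\a\\notes.txt\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for member, path, is_inf in find_remote_ole_refs(build_constructed_sample()):
        print("HIGH" if is_inf else "WARN", member, "->", path)
```

A hit only says the document references a remote file from an embedded object; whether that file is installed depends on the verb handling described above, so treat results as a reason to quarantine and inspect the document.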

We detect the exploit as TROJ_MDLOAD.PGTY, which in turn leads to the download of INF_BLACKEN.A when successfully exploited. This malware, on the other hand, downloads and executes the backdoor, which we detect as BKDR_BLACKEN.A.

Because this vulnerability is not arduous to exploit, attackers may abuse it to deliver new malware payloads. Trend Micro secures users from this threat by detecting the exploit and malware payload via its Smart Protection Network. Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage this vulnerability via the following DPI rule:

  • 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)

Users are strongly advised to patch their systems once Microsoft releases its security update for this vulnerability. In addition, users and employees should not open PowerPoint files from unknown sources, as this may lead to a series of malware infections.

With additional analysis from Kai Yu

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 14 October 2014.