Microsoft Office zero day allows access outside sandbox
A new bug in Microsoft Office has been spotted being exploited in the wild. It can be used to bypass security solutions and sandboxes, according to findings released at the RSA Conference 2019. The bug exists in the OLE file format and the way it is handled in Microsoft Word: researchers at Mimecast noted that the OLE32.dll library incorrectly handles an integer overflow when locating sectors. The flaw lets attackers hide exploits inside Word documents in a way that most antivirus engines will not detect. In a recent spam campaign, the attached Word documents contained a hidden exploit for an older vulnerability in Microsoft Equation Editor, CVE-2017-11882. On systems without that patch, the exploit drops a new variant of Java JACKSBOT, a remote access backdoor that only infects targets with Java installed.
JACKSBOT is able to take complete control of the compromised system. It can collect keystrokes, steal passwords, and grab data from web forms. It can also take screenshots, record video from the webcam, and record sound. It does not stop there: it can transfer files and collect user information in order to steal certificates for VPNs and cryptocurrency wallets. What stood out to the researchers is that the attackers were not only using the Equation Editor exploit but had worked out a bypass that lets it go through undetected. Chaining a code-execution exploit with a second flaw that defeats detection is fairly unusual; we do not see many of these in data-format exploits.
An Object Linking and Embedding (OLE) Compound File acts as an underlying file system for the information and objects present in a Microsoft Word document. It contains streams of data that are treated like individual files embedded within the OLE file itself, and each stream has a name. Streams can also hold the document's macros and its metadata. According to the specification for the Compound File Binary File Format, the file header contains a table called the DIFAT, an array of 32-bit numbers made up of sector IDs plus a few reserved special values. This is where the problem exists.
To reach sector N, its file offset is computed as sector size * (sector ID + 1), where sector ID is DIFAT[N]. When a very large sector ID is present, the multiplication overflows and only the lowest 32 bits of the product are kept, so the result is a relatively small offset; in the case described, the calculated offset wraps to 0x200 = 512, the very first sector after the header. A parser that does not truncate the product instead sees an impossible offset far beyond the end of the file, which can make it crash or skip the sector entirely, together with any exploit hidden there. Word follows the wrapped offset and still reaches the content.
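To make the two arithmetic paths concrete, the following is an added example (not Mimecast's code or Microsoft's) that parses the header DIFAT of a Compound File and computes each entry's offset both with 32-bit truncation and without. The file is constructed inline, and the sector ID 0x00800000 is an assumption chosen so that 512 * (0x00800000 + 1) exceeds 2^32 and wraps to 0x200; the real sample's value is not given on this page.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SECTOR_SHIFT_OFFSET = 0x1E  # u16 "sector shift" field in the CFB header
DIFAT_OFFSET = 0x4C         # start of the 109-entry DIFAT array in the header
HEADER_DIFAT_ENTRIES = 109
FREESECT = 0xFFFFFFFF       # special value marking an unused DIFAT entry


def sector_offset_32(sector_id, sector_size):
    """Offset as a parser using 32-bit arithmetic computes it:
    the product is truncated, so a large sector ID wraps to a small offset."""
    return (sector_size * (sector_id + 1)) & 0xFFFFFFFF


def sector_offset_wide(sector_id, sector_size):
    """Offset computed without truncation (Python ints, or a 64-bit parser)."""
    return sector_size * (sector_id + 1)


def read_header_difat(blob):
    """Return (sector_size, list of non-free DIFAT entries) from a CFB header."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not a Compound File Binary header")
    (shift,) = struct.unpack_from("<H", blob, SECTOR_SHIFT_OFFSET)
    sector_size = 1 << shift
    entries = struct.unpack_from("<%dI" % HEADER_DIFAT_ENTRIES, blob, DIFAT_OFFSET)
    return sector_size, [e for e in entries if e != FREESECT]


def audit_difat(blob):
    """For every DIFAT entry report both offsets, whether they disagree
    (i.e. the 32-bit product overflowed) and whether the untruncated
    offset actually lies inside the file."""
    sector_size, sids = read_header_difat(blob)
    report = []
    for sid in sids:
        wrapped = sector_offset_32(sid, sector_size)
        wide = sector_offset_wide(sid, sector_size)
        report.append({
            "sector_id": sid,
            "offset_32": wrapped,
            "offset_wide": wide,
            "in_file": wide + sector_size <= len(blob),
            "overflow": wrapped != wide,
        })
    return report


def build_sample(sector_ids, sector_shift=9, total_sectors=4):
    """Constructed CFB-like file: a valid 512-byte header whose DIFAT holds
    the given sector IDs, followed by a few zero-filled sectors."""
    sector_size = 1 << sector_shift
    hdr = bytearray(sector_size)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<H", hdr, SECTOR_SHIFT_OFFSET, sector_shift)
    difat = list(sector_ids) + [FREESECT] * (HEADER_DIFAT_ENTRIES - len(sector_ids))
    struct.pack_into("<%dI" % HEADER_DIFAT_ENTRIES, hdr, DIFAT_OFFSET, *difat)
    return bytes(hdr) + bytes(sector_size * total_sectors)


if __name__ == "__main__":
    # Entry 0 is an ordinary sector ID; entry 1 is the assumed oversized ID.
    sample = build_sample([0, 0x00800000])
    for row in audit_difat(sample):
        print("sid=%#010x  offset32=%#x  wide=%#x  in_file=%s  overflow=%s" % (
            row["sector_id"], row["offset_32"], row["offset_wide"],
            row["in_file"], row["overflow"]))
```

Both entries resolve to offset 0x200 under 32-bit arithmetic, so a Word-style parser reads the same sector for each; the untruncated path puts the second entry roughly 4 GiB past the end of a 2.5 KiB file, which is what makes a stricter scanner fail or skip it. A scanner that wants to see what Word sees has to either mirror the truncation or treat any DIFAT entry whose two offsets disagree as suspicious.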
Despite evidence that the flaw is being exploited, the Microsoft Security Response Center stated that it will not be fixing the OLE handling with a security patch anytime soon, because the issue by itself does not result in memory corruption and so does not meet the bar for a security update. Microsoft acknowledged the behavior as unintended but not important enough to fix right now. Since the bypass only hides a payload that still needs an unpatched bug to run, it is up to security professionals to keep systems fully patched (in this campaign, the 2017 Equation Editor fix for CVE-2017-11882 is what breaks the chain) and to use the available threat intelligence to manage threats that their file scanners may not see.