漏洞平台

POC详情： 9e3e00f57bf6a0a88df471f5a0b3439ca3231f49

来源

https://github.com/NotAwful/CVE-2017-0199-Fix

关联漏洞

标题： Microsoft Office 安全漏洞 (CVE-2017-0199)
描述：Microsoft Office是美国微软（Microsoft）公司开发的一款办公软件套件产品。常用组件有Word、Excel、Access、Powerpoint、FrontPage等。多款Microsoft产品中存在远程代码执行漏洞。远程攻击者可借助特制的文本文件利用该漏洞执行任意代码。以下产品和版本受到影响：Microsoft Office 2007 SP3；Microsoft Office 2010 SP2；Microsoft Office 2013 SP1；Microsoft Office 20

描述

Quick and dirty fix to OLE2 executing code via .hta

介绍

# CVE-2017-0199 Fix
Remove CVE-2017-0199's ability to execute code by changing the default handler for .hta files. The default handler for files invoked through OLE2 (COM Objects) is stored separately from the local system's default application and can only be changed through the registry.

## Basic Logic Exploit
*This is one practical example of this exploit, and is explained as I understand it. Not all occurances may follow this pattern and my assessment may be incorrect. The fix presented in the next section however does work in the situations I have tested it in.*
1. RTF document hosted on web server has malicious hypertext application (HTA) payload 'cat'ed to the end of it.
2. Hosting server responds to GET requests for the file with a header stating the content is a HTA file.
3. Microsoft Word runs a OLE2 object to fetch the RTF document from the web server.
4. Microsoft Word is forced to validate the filetype as the extension .rtf does not match the content type of HTA.
5. Microsoft Word checks from the end of file for recognizable data structures and matches HTA data structures to HTA content type.
6. Microsoft Word auto-corrects the filetype and passes it to the COM handler for HTA files (mshta.exe).
7. Mshta.exe runs the malicious hypertext application code from the end of the file.

COM handlers are stored separately from system handlers in the registry to prevent errors in the filetype validation process.

## Basic Fix
1. In RegEdit.exe navigate to **HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon**
2. Open the advanced permissions for **DefaultIcon**
3. Change owner to **Administrators** (group)
4. Add your current user account to the list of security principals, assign it "Full Control"
5. Edit the **(Default)** key to be **C:\Windows\System32\notepad.exe,1**
6. In Advanced Permissions for **DefaultIcon** remove your user, and reassign **SYSTEM** as the owner
7. Repeat Steps 1 through 6 for **HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32**, changing the **(Default)** key value to **C:\Windows\System32\notepad.exe**

This removes CVE-2017-0199's ability to execute code by changing the default handler for **.hta** objects invoked through OLE2 to notepad. This will apply to all instances of OLE2 invoking .hta files. This will cause notepad to open and will throw errors, but code will not execute.

## ORIGINAL REGISTRY KEYS
```
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon\(Default)
	C:\Windows\SysWOW64\mshta.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32\(Default)
	C:\Windows\SysWOW64\mshta.exe
```
## EDITED REGISTRY KEYS
```
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon\(Default)
	C:\Windows\System32\notepad.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32\(Default)
	C:\Windows\System32\notepad.exe
```

### ENVIRONMENT
+ 1 Ubuntu 16.04.2 LTS Server with LAMP stack and SSH Server
+ 1 Windows 10 Client with Office 365 (2016)

### REFERENCES
+ Exploit Proof of Concept: https://rewtin.blogspot.ca/2017/04/cve-2017-0199-practical-exploitation-poc.html (Accessed 2017-04-17)
+ CVE-2017-0199 Analysis: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html (Accessed 2017-04-17)

### LESSONS
+ Do not edit HKCR directly. Edit the associated keys in either HKCU or HKLM.
+ You can return ownership of a registry key back to SYSTEM or others after taking it.
+ Don't screw with the registry. Leave it how you found it once you've made your changes.
+ Process Monitor has powerful right-click filtering to cut noise.
+ Process Monitor's find feature searches for a string in all fields.
+ pscp.exe (Putty) is a command-line SSH file transfer tool.
+ Linux is still a big pain.

### Closing Remark
I take no responsibility for any damages or problems cause by this mitigation or user confusion resulting from notepad and a bunch of errors. This is a dirty fix and I do not know if this will cause wider issues in a production environment. As always, evaluate mitigations with your specific environment and needs in mind.

I will add screenshots later to show before and after effects of this mitigation. Also this can be done as a script, but I am having difficulties with changing permissions to the registry key and so I'll handle that later.

文件快照


 [4.0K]  /data/pocs/9e3e00f57bf6a0a88df471f5a0b3439ca3231f49
└── [4.4K]  README.md

0 directories, 1 file

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。