Someone posted an analysis on pastebin; the original is at http://pastebin.com/64pBCgbw.
Some unnoticed facts about cve-2013-3906

1. Embedded in cve-2013-3906 exploit are Excel Russian files.
Means: fuzzing artifacts or intended decoy.

2. Embedded in cve-2013-3906 exploit Excel files are not required for triggering and exploitation of the vulnerability.
Means: exploit acquired for hacking campaigns to be used 'as is', rather than produced in-lab.

3. All known samples of cve-2013-3906 from all hacking campaigns have same useless XLS embeddings inside.
Means: one exploit seller, brainless tool usage.

4. First submission of cve-2013-3906 to VirusTotal was on 2013-07-07 (JoseMOlazagasti.docx, MY, NL, DK, other EU).
http://cryptam.com/docsearch.php?sha256=2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6
https://www.virustotal.com/ru/file/2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6/analysis/1373962220/
Means: @fireeye research is missing at least one hacking group/campaign.

5. First appearance of cve-2013-3906 in the wild (2013-07-07) was mistaken by @avast_antivirus for cve-2012-0158.
http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/
https://www.virustotal.com/ru/file/2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6/analysis/1373962220/
https://www.virustotal.com/ru/file/2c48b4b75db16a32f2ea872454c5cb0fe281302d2d6a18d5bdc98c64f31dd2d6/analysis/
Means: shame.

6. First submission of cve-2013-3906 internals (tiff, ActiveX) to VirusTotal was in September (TW, IN, IS). Not by previously attacked EU. Not reported until November.
https://www.virustotal.com/ru/file/f9f82073a52aec988a14f19ffce79ed716a88fe9bf70b55919d47bc0464276ba/analysis/#additional-info
https://www.virustotal.com/ru/file/2cfaf996f64ba5b370dd3a92e2e255474267bb4fe68933faa052625773d2da22/analysis/#additional-info
(see Additional info section)
Means: unqualified incident response or testing/analysis by 0day-interested parties.

7. In the beginning of October, a few named and very single samples of cve-2013-3906 were submitted to VirusTotal (mostly US).
2013-10-01 21:01:52 Illegality_Supply details.docx https://www.virustotal.com/ru/file/c8367b47ade998dff759ee149ffa72276c8b71ccb45d4203a93dd7edafe14cbe/analysis/
2013-10-07 18:27:25 Re-credit.docx_ https://www.virustotal.com/ru/file/b238d7d16fd0ccba6c15ea5670ed67c155469c36a3645b12d37f8e11ea153b9d/analysis/
2013-10-07 20:28:38 Swift Message $288,550 USD.docx https://www.virustotal.com/ru/file/5ad4c6d89a847535fac398c431c3e4e247e2d5313e493ac72cc6c88e8db7b725/analysis/
……
Means: incident response of a campaign against one-shot targets or 0day exploit testing.

Summary

The cve-2013-3906 exploit was produced most likely by a Russian developer around March 2013 (ref: EXIF) and sold to multiple parties, beginning from July 2013. The exploit was used in 3 (at least) distinct hacking campaigns: #1 in July 2013 and against Europe, #2 & #3 in October 2013 and against Middle East and Asia. The exploit remained unnoticed for 2 months, and was detected shortly after beginning of the 2nd/3rd campaigns (possibly due to their connection with known malware Citadel). Some parties involved in campaigns ordering and production may reside in Taiwan, India, Israel and the United States.

Previous research
http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx
http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html#more-3703
http://www.securelist.com/ru/blog/207768960/Novyy_staryy_0day_dlya_Microsoft_Office_CVE_2013_3906
http://pastebin.ca/2474735

@alisaesage
That is a resounding slap in the face.
If McAfee's Advanced Exploit Detection System had not reacted, followed by the detailed analysis and confirmation, the major vendors would most likely have kept ignoring it. Judging from their blog, AEDS does not appear to have been shipped in a product yet.
Taken to its conclusion, exploit detection will probably still have to go the dynamic taint analysis route. The core idea is simple: if data that was never supposed to be executed gets executed, that is certainly an overflow. Of course, dynamic taint analysis is not that easy to do either. First, it has to be built on virtual machines, sandboxing, binary instrumentation and similar techniques; beyond solving all the painful efficiency and rule problems, there is also the simulation of complex and varied IT environments. Finally, if one really wants to do this, I think it still has to be done on a private cloud.
To counter dynamic taint analysis, interpreters, JITs and VMs can be used; in any moderately complex program today, these are very common. :)
Back to the vulnerability itself. The root cause of CVE-2013-3906 is an integer overflow when Word processes the TIFF file format; it leads to a heap overflow that overwrites a function pointer and results in arbitrary code execution (see: Brief analysis of CVE-2013-3906). The exploit uses ActiveX for heap spraying in order to control the memory layout. Debugging, tracing and signature-based detection of CVE-2013-3906 are all easy. The root cause can be understood as the handling of a malformed file structure, so signature-based detection poses no great problem.
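The malformed-structure point above is one that a static check can catch before any decoder runs: dimension fields whose product no longer fits in 32 bits. The following is an added example, not code from the original post or from any vendor it mentions. It parses a TIFF header and its first IFD, then recomputes the pixel-buffer size with unbounded integers and compares it with the 32-bit wrapped value a naive decoder would allocate. It assumes, as a generic decoder pattern, that the buffer is sized from ImageWidth × ImageLength × SamplesPerPixel × bytes-per-sample; the page does not state which fields the actual CVE-2013-3906 code used, so that formula is an assumption. `build_tiff` constructs the sample inputs inline.

```python
import struct

# TIFF tags used in the size computation. Assumption: the decoder sizes its
# pixel buffer from these four fields (the page only says "an integer overflow
# in Word's TIFF processing", not which fields are involved).
TAG_IMAGE_WIDTH = 256
TAG_IMAGE_LENGTH = 257
TAG_BITS_PER_SAMPLE = 258
TAG_SAMPLES_PER_PIXEL = 277
TYPE_SHORT, TYPE_LONG = 3, 4
U32_MAX = 0xFFFFFFFF


def build_tiff(width, height, bits=8, samples=1):
    """Constructed sample: a minimal little-endian TIFF header plus one IFD.
    No pixel data is attached; only the metadata matters for this check."""
    entries = [
        (TAG_IMAGE_WIDTH, TYPE_LONG, 1, struct.pack("<I", width)),
        (TAG_IMAGE_LENGTH, TYPE_LONG, 1, struct.pack("<I", height)),
        # SHORT values are left-justified inside the 4-byte value field
        (TAG_BITS_PER_SAMPLE, TYPE_SHORT, 1, struct.pack("<H", bits) + b"\x00\x00"),
        (TAG_SAMPLES_PER_PIXEL, TYPE_SHORT, 1, struct.pack("<H", samples) + b"\x00\x00"),
    ]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, raw in entries:
        ifd += struct.pack("<HHI", tag, typ, count) + raw
    ifd += struct.pack("<I", 0)  # offset of next IFD: none
    return b"II" + struct.pack("<H", 42) + struct.pack("<I", 8) + ifd


def parse_first_ifd(data):
    """Parse the header and first IFD of a TIFF (either byte order).
    Returns {tag: value} for single-value SHORT/LONG entries; other entry
    types are skipped because the size check does not need them."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF header")
    end = "<" if data[:2] == b"II" else ">"
    if struct.unpack(end + "H", data[2:4])[0] != 42:
        raise ValueError("bad TIFF magic")
    ifd_off = struct.unpack(end + "I", data[4:8])[0]
    if ifd_off + 2 > len(data):
        raise ValueError("IFD offset outside file")
    count = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])[0]
    tags = {}
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        if off + 12 > len(data):
            raise ValueError("truncated IFD")
        tag, typ, n, raw = struct.unpack(end + "HHI4s", data[off:off + 12])
        if n != 1:
            continue
        if typ == TYPE_SHORT:
            tags[tag] = struct.unpack(end + "H", raw[:2])[0]
        elif typ == TYPE_LONG:
            tags[tag] = struct.unpack(end + "I", raw)[0]
    return tags


def check_pixel_buffer(tags):
    """Recompute the pixel-buffer size with unbounded integers and report
    whether a 32-bit decoder would have wrapped it. Returns (verdict, wrapped)."""
    width = tags.get(TAG_IMAGE_WIDTH)
    height = tags.get(TAG_IMAGE_LENGTH)
    if width is None or height is None:
        return ("missing-dimensions", None)
    bits = tags.get(TAG_BITS_PER_SAMPLE, 1)      # TIFF default: 1 bit per sample
    samples = tags.get(TAG_SAMPLES_PER_PIXEL, 1)  # TIFF default: 1 sample per pixel
    exact = width * height * samples * ((bits + 7) // 8)
    wrapped = exact & U32_MAX
    if exact > U32_MAX:
        return ("overflow", wrapped)
    return ("ok", wrapped)


def scan(data):
    """Convenience wrapper: parse, then check."""
    return check_pixel_buffer(parse_first_ifd(data))


if __name__ == "__main__":
    print(scan(build_tiff(640, 480)))          # ('ok', 307200)
    print(scan(build_tiff(0x10000, 0x10000)))  # ('overflow', 0)
```

The second sample shows why this class of bug is dangerous: 65536 × 65536 bytes wraps to exactly 0 in 32-bit arithmetic, so a decoder that trusts the wrapped value allocates almost nothing and then copies far more than it allocated. A file-format rule that fires on `exact > U32_MAX` has no false positives on legitimate images, which is the sense in which signature-based detection of a malformed structure is easy.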
Note that the exploit uses heap spraying, and this is where the problem lies. In that blog post of 2013-07-22, the result Avast! ended up reporting was:
AmazingRaceCyprus.docx 73041092efeb04c4a5e9b6a1a217754c RTF:CVE-2012-0158-BO [Expl]
JoseMOlazagasti.docx fef7fdfe74c071310956a753679c80e5 RTF:CVE-2012-0158-BO [Expl]
AboutUs.docx b498d5de87575d4b999e203e71616b69 RTF:CVE-2012-0158-BO [Expl]
CVE-2012-0158 is notorious. It is a classic stack overflow that needs very little work to arrange memory: a casual jmp esp is enough, and a more professional version adds a ROP chain and lightly encrypts the shellcode. On a mainstream configuration, 10 seconds to open the document is already the limit, but with CVE-2013-3906 the spray would not even have finished by then, would it? So when Avast! processed this sample, it was most likely an unattended black-box run; after spotting the problem they only analysed the shellcode and did not look much into the cause of the overflow, and so the 0-day was let through.
This probably also has something to do with CVE-2012-0158 itself. In the year or more since CVE-2012-0158 was reported, it has been the most widely used of the known vulnerabilities: easy to evade AV with, easy to generate, easy to ROP, and very hard to detect purely from the file structure. Defence depends largely on whether the patch has been applied, and updating does not mean switching from Office 2003 to Office 2010… After more than a year of all kinds of CVE-2012-0158 samples every day, some fatigue and laziness are inevitable. And then, there was no "and then".
Every major AV vendor should learn a lesson from this incident. Especially… never mind.
Finally, within the computing resources currently available, detecting exploits is simply too hard.