BadWinmail and Email Security on Outlook
CanSecWest

• Haifei Li ([email protected])
• Chong Xu ([email protected])

About Us - Haifei

• Security Researcher @ Intel Security (formerly McAfee)
• Previously: Microsoft, Fortinet
• Work on 2 questions (for good purposes): 1) how to find vulnerabilities? 2) how to exploit them?
• At McAfee my interests have extended to a 3rd: 3) how to detect them, using the answers to the 1st and 2nd?
  - Work on research-backed projects aimed at detecting the most stealthy (zero-day) exploits
• Presented at BlackHat Europe 2010, REcon 2012, Syscan360 2012, CanSecWest 2011/2014/2015, Black Hat USA 2015

About Us - Chong

• Ph.D. from Duke University
• Senior Director @ Intel Security
• Focus
  - Advanced (0-day) exploit and malware defense
  - APT detection
  - Threat intelligence
  - Innovation
  - Next-generation network/host solutions

Agenda

A Look Back at Outlook Security

The Journey of the BadWinmail Discovery

How Bad Is It?

The Fix

Outlook vs. Email Attachments

Conclusion

Outlook 101

• Outlook is a key application in the enterprise environment
  - Not just for exchanging emails
  - Meetings / personal information
  - Sharing files (shared folders), integrated with Lync (now called Skype for Business)
• Probably more commonly used than browsers
• It's the most direct way an attacker can reach into your enterprise: by sending emails
  - Behind the firewalls
  - Highly targeted victims
• Outlook security deserves attention

Outlook Bugs in Recent Years

• CVE-2014-2730, April 2014: DoS only, in parsing XML; not really exploitable. No MS patch info found.
• CVE-2013-3905, Nov 2013: information disclosure in handling X.509 certificates, e.g. allows port-scanning the internal network. Fixed in MS13-094.
• CVE-2013-3870, Sep 2013: double-free in handling nested S/MIME certificates; potentially allows RCE, but very unlikely to be exploitable, as explained in http://blogs.technet.com/b/srd/archive/2013/09/10/ms13-068-a-difficult-to-exploit-double-free-in-outlook.aspx. Fixed in MS13-068.
• CVE-2013-0095, March 2013: Outlook for Mac only; a crafted HTML email makes the WebKit engine render remote web content automatically, allowing an info-leak (e.g. whether or not the victim read the email). Fixed in MS13-026.

• CVE-2010-2728, Sep 2010: heap-based overflow in parsing the TNEF format; seems not easy to exploit. Fixed in MS10-064.
• CVE-2010-0266, July 2010: logic fault in verifying file types when a user opens email attachments; requires little user interaction and is easy to exploit (still very dangerous). Fixed in MS10-045.
• CVE-2010-0816, May 2010: integer overflow in handling POP3 responses; Outlook Express edition only. Fixed in MS10-030.

It's just an email client that has seen few vulnerabilities in recent years, how insecure can it be? But…

The Journey of the BadWinmail Discovery

Let's Talk About OLE First

• Embedding a document in another document
• Just by double-clicking on the embedded "checklist" document, readers open another document

What's OLE?

• OLE provides the majority of the interoperability functions in Office
• It's just a subset of COM (the slide pictures OLE as a circle inside COM)
• 2 types of OLE objects
  - In-process OLE (in-process COM), loaded via ole32!OleLoad()
  - Separate-process OLE (separate-process COM), loaded via ole32!OleRun()

• We explained the OLE internals (for in-process OLE) as well as the attack surface at Black Hat USA 2015: https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf. It has been referenced by many researchers as it helped their research against Office-based threats.
• Our Black Hat talk covered OLE in Word/PowerPoint/Excel/WordPad only, i.e., the Word/PowerPoint/Excel document formats and the RTF file format
• But OLE is used far more widely!

OLE in Outlook

• We may receive an email similar to the one shown on the slide
• It is an Excel spreadsheet "embedded" in the email body, not as an attachment as we usually see

OLE in MSG

• This email can be saved as ".msg"; the slide shows its binary contents
• If you have dealt with OLE in other Office formats before, you see an OLE object structure here!

• Microsoft's "[MS-OXMSG].pdf" tells us the secret
• There's even an example in the specification

• It seems like an OLE object stored in the MSG file format
• Using the knowledge from our BH presentation, we
  - Changed the CLSID of the "__substg1.0_3701000D" storage to the Flash OLE CLSID D27CDB6E-AE6D-11cf-96B8-444553540000
  - Manually injected a "Contents" stream containing the Flash exploit into the .msg file

• When the .msg was opened in Outlook, the exploit was triggered: the "Contents" stream is loaded by the Flash OLE object's IPersistStorage::Load() function, which triggers the exploit.

OLE in MSG
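The check a defender wants after reading the above is "which CLSID does the embedded object storage in this .msg carry, and what is in its Contents stream?". The following is an added example, not code from the talk or its authors: a minimal OLE structured storage (compound file) reader that walks the directory tree, reports every `__substg1.0_3701000D` storage (PidTagAttachDataObject, the embedded object of an MSG attachment) with its CLSID, flags the Flash CLSID named on the slide, and peeks at the first bytes of the object's `Contents` stream for a SWF header. The sample file is constructed inline and simplified: the object storage sits directly under the root instead of under an `__attach_version1.0_#00000000` storage as in a real .msg, the benign sample uses the Excel.Sheet.8 CLSID, and the SWF header heuristic is this example's own addition. The reader follows only regular FAT chains (the mini stream used for streams under 4096 bytes is not implemented).

```python
import struct
import uuid

# Sector markers and layouts from [MS-CFB]; the storage name is from [MS-OXMSG]
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
OLESS_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11cf-96B8-444553540000")        # Shockwave Flash OLE object
EXCEL_SHEET_CLSID = uuid.UUID("00020820-0000-0000-C000-000000000046")  # Excel.Sheet.8, used for the benign sample
ATTACH_DATA_OBJ = "__substg1.0_3701000D"  # PidTagAttachDataObject: the embedded OLE object of an MSG attachment
DIR_ENTRY = "<64sHBBIII16sIQQIQ"  # name, name len, type, color, left, right, child, CLSID, state, ctime, mtime, start, size


def _dir_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, clsid=None, start=0, size=0):
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack(DIR_ENTRY, raw.ljust(64, b"\x00"), len(raw), obj_type, 1, left, right, child,
                       clsid.bytes_le if clsid else bytes(16), 0, 0, 0, start, size)


def build_ole_storage(clsid, contents=b"FWS" + bytes(4093)):
    """Constructed compound file shaped like an MSG attachment object storage; not a real Outlook .msg.
    Simplification: the object storage sits directly under the root entry."""
    sector = 512
    n_sect = -(-len(contents) // sector)
    # sector 0 = FAT, sector 1 = directory, sectors 2.. = Contents (kept >= 4096 bytes so it stays out of the mini stream)
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_sect)) + [ENDOFCHAIN]
    fat += [FREESECT] * (sector // 4 - len(fat))
    directory = (_dir_entry("Root Entry", 5, child=1)
                 + _dir_entry(ATTACH_DATA_OBJ, 1, child=2, clsid=clsid)
                 + _dir_entry("Contents", 2, start=2, size=len(contents))).ljust(sector, b"\x00")
    header = struct.pack("<8s16sHHHHH6sIIIIIIIII", OLESS_MAGIC, bytes(16), 0x3E, 3, 0xFFFE, 9, 6, bytes(6),
                         0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))  # DIFAT: the single FAT sector is sector 0
    return header + struct.pack("<128I", *fat) + directory + contents.ljust(n_sect * sector, b"\x00")


def _sector(blob, n, size):
    return blob[(n + 1) * size:(n + 2) * size]


def parse_cfb(blob):
    """Parse the header, FAT and directory entries of a compound file."""
    if blob[:8] != OLESS_MAGIC:
        raise ValueError("not an OLE structured storage file")
    size = 1 << struct.unpack_from("<H", blob, 30)[0]
    n_fat, first_dir, _, cutoff = struct.unpack_from("<IIII", blob, 44)
    fat = []
    for s in struct.unpack_from("<109I", blob, 76)[:n_fat]:  # DIFAT sectors beyond the header (huge files) not followed
        fat += struct.unpack(f"<{size // 4}I", _sector(blob, s, size))
    entries, s = [], first_dir
    while s != ENDOFCHAIN:
        chunk = _sector(blob, s, size)
        for off in range(0, size, 128):
            e = struct.unpack_from(DIR_ENTRY, chunk, off)
            entries.append({"name": e[0][:max(e[1] - 2, 0)].decode("utf-16-le"), "type": e[2], "left": e[4],
                            "right": e[5], "child": e[6], "clsid": uuid.UUID(bytes_le=e[7]), "start": e[11], "size": e[12]})
        s = fat[s]
    return size, fat, cutoff, entries


def walk(entries, idx, path, out):
    """In-order walk of the directory red-black tree, collecting (path, entry) and descending into storages."""
    if idx == NOSTREAM or idx >= len(entries) or entries[idx]["type"] == 0:
        return
    e = entries[idx]
    walk(entries, e["left"], path, out)
    full = path + "/" + e["name"]
    out.append((full, e))
    if e["type"] == 1:
        walk(entries, e["child"], full, out)
    walk(entries, e["right"], path, out)


def read_stream(blob, size, fat, cutoff, entry):
    """Follow the regular FAT chain of a stream; small streams live in the mini stream, not handled here."""
    if entry["size"] < cutoff:
        raise ValueError("stream is in the mini stream")
    data, s = b"", entry["start"]
    while s != ENDOFCHAIN:
        data += _sector(blob, s, size)
        s = fat[s]
    return data[:entry["size"]]


def find_ole_objects(blob):
    """Report attachment object storages (or any storage with the Flash CLSID) with CLSID and Contents type."""
    size, fat, cutoff, entries = parse_cfb(blob)
    items = []
    walk(entries, entries[0]["child"], "", items)
    by_path, findings = dict(items), []
    for path, e in items:
        if e["type"] == 1 and (e["name"] == ATTACH_DATA_OBJ or e["clsid"] == FLASH_CLSID):
            contents = by_path.get(path + "/Contents")
            head = read_stream(blob, size, fat, cutoff, contents)[:3] if contents else b""
            findings.append({"path": path, "clsid": str(e["clsid"]).upper(), "flash_clsid": e["clsid"] == FLASH_CLSID,
                             "swf_header": head in (b"FWS", b"CWS", b"ZWS")})  # uncompressed / zlib / LZMA SWF
    return findings


if __name__ == "__main__":
    for sample in (build_ole_storage(FLASH_CLSID), build_ole_storage(EXCEL_SHEET_CLSID, bytes(4096))):
        print(find_ole_objects(sample))
```

On a real .msg the same walk applies to the whole file; the CLSID is the one property the attacker controls to choose which OLE server Outlook instantiates, so a CLSID allow-list (or at least a deny-list of Flash, Reader and similar CLSIDs) on this storage is the cheapest static check.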

Attack Scenario of OLE in MSG

• At this point, it's pretty clear that this is a really dangerous (and previously unknown) attack vector, or a novel "exploit delivery method"
• Attackers may attach the .msg file to an email and send it to the victim; as soon as the victim previews the .msg attachment, the "embedded" Flash exploit will run!
  - .msg is considered a "safe" file type by Outlook; Outlook even uses itself to preview .msg attachments

More OLE Objects Under Attack

• We know the Flash OLE object can be loaded
• It's reasonable to guess that more OLE objects can be loaded in Outlook
• Indeed, such as:
  - Adobe Flash (pwning via a Flash 0day)
  - Adobe Reader (pwning via a PDF 0day?)
  - etc.

OLE in TNEF

• Wait! Is that all?
• About the time I was going to send the report to Microsoft, I happened to read this "clue" webpage: https://support.microsoft.com/en-us/kb/241538
• It turns out TNEF (the winmail.dat) supports OLE too!
• After some investigation, I found the following

Winmail.dat

• Remember when someone sent you a strange attachment named "winmail.dat" and you had no idea how to open it?

OLE in TNEF

• TNEF is another Microsoft-invented email file format, described in "[MS-OXTNEF].pdf"
• It's a binary file format (like MSG), but it is parsed directly as soon as the user reads the email! (MSG can only be sent as an email attachment)
• The slide shows a sample .eml (which can be sent via email protocols) that contains OLE

• Here is what a TNEF file looks like (after decoding it from the .eml file); the slide shows a hex dump
• 0x223E9F78 is the Magic Number

• Looking at the whole data of the file, we find some "interesting" bytes in that "TNEF" winmail.dat
• D0 CF 11 E0 A1 B1 1A E1 => the Magic Number for "OLE Structured Storage" (OLESS)
• By identifying the "length" fields (marked in red on the slide), we were able to dump the OLESS stream

• The dumped OLESS can be opened/edited by many "structured storage" tools; here I used the open-source OpenMcdf
• Isn't it the same as in MSG?

• We can play the old trick we used to "hack" the MSG
  - Modify the CLSID to the Flash OLE CLSID
  - Add a "Contents" stream and put our exploit there
• After that
  - Re-pack the modified OLESS into winmail.dat
  - Remember to update the "length" fields
  - Encode (base64) that winmail.dat into an email file
  - Send that email via email protocols

And when Outlook receives that TNEF email

It Worked!

• As mentioned, the TNEF specification is well described in "[MS-OXTNEF].pdf"
• Our exercise was to modify an existing TNEF email sample, but one can also build the TNEF file from scratch
• In order for TNEF to render an attachment (a different concept from the "email attachment") as an OLE object, the attachment type must be set to 0x02 (AttachTypeOLE) rather than AttachTypeFile
• This can be used to detect TNEF emails that contain OLE objects

OLE in TNEF
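The detection idea above (an attachment whose type is AttachTypeOLE) is simple enough to implement at the mail gateway. The following is an added example, not code from the talk or its authors: it builds a synthetic TNEF stream (constructed here, not a captured winmail.dat) by the attribute layout the slides walk through, wraps it as a base64 `winmail.dat` MIME part, then decodes the part and parses every attribute (level, id, length, data, checksum), flagging attachments whose `attAttachRendData` type is 0x0002 or whose `attAttachData` begins with the OLESS magic. The attribute IDs and the 14-byte AttachRendData layout are taken from [MS-OXTNEF] as I know them; the OLESS-magic heuristic is this example's own second check, and the sender/recipient addresses are made up.

```python
import struct
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Values from [MS-OXTNEF]: attribute IDs are type (high word) + id (low word), little-endian on the wire
TNEF_SIGNATURE = 0x223E9F78
LVL_MESSAGE, LVL_ATTACHMENT = 0x01, 0x02
ATT_TNEF_VERSION = 0x00089006
ATT_ATTACH_REND_DATA = 0x00069002  # AttachRendData: AttachType(2) Position(4) Width(2) Height(2) Flags(4)
ATT_ATTACH_TITLE = 0x00018010
ATT_ATTACH_DATA = 0x0006800F
ATTACH_TYPE_FILE, ATTACH_TYPE_OLE = 0x0001, 0x0002
OLESS_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def tnef_checksum(data: bytes) -> int:
    """TNEF attribute checksum: sum of the data bytes modulo 65536."""
    return sum(data) & 0xFFFF


def tnef_attribute(level: int, att_id: int, data: bytes) -> bytes:
    return struct.pack("<BII", level, att_id, len(data)) + data + struct.pack("<H", tnef_checksum(data))


def build_tnef(attachments, key=0x1234) -> bytes:
    """Construct a minimal TNEF stream (synthetic sample, not a captured winmail.dat)."""
    out = struct.pack("<IH", TNEF_SIGNATURE, key)
    out += tnef_attribute(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
    for title, attach_type, payload in attachments:
        rend = struct.pack("<HIHHI", attach_type, 0, 0, 0, 0)
        out += tnef_attribute(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, rend)
        out += tnef_attribute(LVL_ATTACHMENT, ATT_ATTACH_TITLE, title.encode() + b"\x00")
        out += tnef_attribute(LVL_ATTACHMENT, ATT_ATTACH_DATA, payload)
    return out


def parse_tnef(blob: bytes):
    """Yield (level, att_id, data) per attribute; reject a bad signature, truncation and bad checksums."""
    if len(blob) < 6 or struct.unpack_from("<I", blob)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    pos = 6  # signature (4) + key (2)
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header")
        level, att_id, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        if pos + length + 2 > len(blob):
            raise ValueError("truncated attribute")
        data = blob[pos:pos + length]
        pos += length
        if struct.unpack_from("<H", blob, pos)[0] != tnef_checksum(data):
            raise ValueError("bad attribute checksum")
        pos += 2
        yield level, att_id, data


def find_ole_attachments(blob: bytes):
    """Return TNEF attachments that declare AttachType OLE or carry an OLE structured storage payload."""
    attachments = []
    for level, att_id, data in parse_tnef(blob):
        if level != LVL_ATTACHMENT:
            continue
        if att_id == ATT_ATTACH_REND_DATA:  # every attachment starts with attAttachRendData
            attach_type = struct.unpack_from("<H", data)[0]
            attachments.append({"title": None, "ole_type": attach_type == ATTACH_TYPE_OLE, "oless_magic": False})
        elif attachments and att_id == ATT_ATTACH_TITLE:
            attachments[-1]["title"] = data.rstrip(b"\x00").decode(errors="replace")
        elif attachments and att_id == ATT_ATTACH_DATA:
            attachments[-1]["oless_magic"] = data.startswith(OLESS_MAGIC)
    return [a for a in attachments if a["ole_type"] or a["oless_magic"]]


def build_eml(tnef_blob: bytes) -> bytes:
    """Wrap the TNEF stream as a base64 winmail.dat part (addresses are made up for the sample)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.invalid", "bob@example.invalid", "checklist"
    msg.set_content("Please review the attached checklist.")
    msg.add_attachment(tnef_blob, maintype="application", subtype="ms-tnef", filename="winmail.dat")
    return msg.as_bytes()


def scan_eml(raw: bytes):
    """Decode every TNEF part of a MIME message and report the OLE attachments inside it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/ms-tnef" or (part.get_filename() or "").lower() == "winmail.dat":
            findings.extend(find_ole_attachments(part.get_payload(decode=True)))
    return findings


if __name__ == "__main__":
    sample = build_tnef([("checklist.txt", ATTACH_TYPE_FILE, b"plain file attachment"),
                         ("Flash object", ATTACH_TYPE_OLE, OLESS_MAGIC + bytes(56))])
    for hit in scan_eml(build_eml(sample)):
        print("OLE attachment in TNEF:", hit)
```

The checksum and length validation matters as much as the OLE check: a gateway rule that only greps for the OLESS magic can be evaded by an attacker who knows the parser, while a parser that walks the attributes the way Outlook does sees the same attachment boundaries Outlook sees.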

How Bad Is It?

It's Really Bad

• Users get pwned as long as they just read the email
  - No matter whether you preview the email or open it in a new window in Outlook
• Flash is installed on most Windows machines
  - It's installed by default on every Windows 8, 8.1 and 10!
  - On Windows 7, the victim just needs to have installed the Flash ActiveX version (for IE)
  - Note: Flash is not the only object Outlook can load, as we discussed before
• Having a reliable Flash zero-day exploit is fairly easy for someone who wants to launch a targeted attack
  - Up to 50,000 USD (according to Zerodium)
  - Read the various industry posts/papers/presentations about how many Flash zero-days they analyzed and how many Flash CVEs they found

• There's no sandbox in Outlook! Yes, you read that right, for such an important app!
  - Getting code execution in Outlook = taking control of the computer
• Due to the nature of email-based attacks, it's an ideal way to launch highly targeted attacks
  - What is a real APT? This is
• It's wormable!
  - Once one computer is compromised via email, the worm may gather all the contacts and then send the same exploit by email to all of them to spread itself
  - Email worms don't usually happen in the Windows ecosystem nowadays

The Fix

The Disclosure Thing

• Disclosure timeline
  - The issue was reported to MSRC in late October 2015
  - The fix was released on December 8th, 2015 during Patch Tuesday (CVE-2015-6172, MS15-131)
• MSRC and the Office team patched it within 1.5 months, the fastest patching speed I've ever seen
  - 80+ email exchanges were made for this case, including 1 online meeting and 2 "face-to-face status updates"
  - Thanks to Jason Shirk (MSRC) for coming to Vancouver
• Per request, the paper and demo were released 1 week after the patch (on December 15th), allowing more people to install the patch
• The paper was released at: https://sites.google.com/site/zerodayresearch/BadWinmail.pdf

After the Fix

• I wrote a script monitoring the email samples we have, to see if there's an ITW BadWinmail attack
  - The usual "threat intelligence" thing
  - Glad there has been no alert so far
  - There were reports of some samples detected by AV; they are FPs
• I'd like to share my view on the patch

The "weird" Fix

• I spent time on this because I saw a "weird" thing: after the fix, my PoC still loads the Flash binary!
  - Isn't the best patch to block Outlook from loading the Flash binary at all?
• So I fired up my debugger and confirmed that CoCreateInstance(CLSID_Flash, ...) is indeed called:

  mso!Ordinal4312+0xa5b:
  64c7a954 ff15cc1ac464    call    dword ptr [mso!Ordinal10691+0x1acc (64c41acc)] ds:0023:64c41acc={ole32!CoCreateInstance (76039d0b)}
  0:000> db poi(esp) L10
  0012ac64  6e db 7c d2 6d ae cf 11-96 b8 44 45 53 54 00 00

  (The 16 bytes at poi(esp), the first argument on the stack at the call, are the little-endian encoding of the Flash CLSID D27CDB6E-AE6D-11cf-96B8-444553540000, i.e. the rclsid passed to CoCreateInstance.)

• So, what's going on? Our exploit is indeed not working!
• So I stepped through from CoCreateInstance and found that after CoCreateInstance (which loads the binary) and before IPersistStorage::Load() (which loads our Flash exploit), a check was added (in wwlib.dll)
• The new check blocks the OLE initialization (IPersistStorage::Load()) to prevent the exploit from being loaded

• The 0x00000040 bit is set here (see the disassembly on the slide)
• Confirming this is easy: when we reset the bit to 0 in memory, our exploit works again

• Some takeaways from our digging into the fix
  - This fix is "weird" because after the fix the Flash binary is supposed not to be loaded into the Outlook process at all
  - However, this fix is effective anyway
  - There's 1 bit in memory controlling the feature
  - We believe this is app-dependent, which means as long as the "container" is Outlook, OLE objects shouldn't be initialized
  - We currently don't know whether the bit comes from any Outlook customization setting (like the Registry)

Outlook vs. Email Attachments

Outlook vs. Attachment-based Threats

• Outlook is not just a normal app; in fact, it's a "threat entrance" for many organizations
  - Victims often get hacked starting from malicious attachments
  - Did you know that the BlackEnergy trojan that caused the Ukraine electric power outage started from a macro-embedded .xls attachment?
• Office documents are supposed to be opened in "Protected View" mode by default
  - It's a strong sandbox, according to MWR research
• So, in the BlackEnergy case, the victim had to 1) click "Enable Editing" to disable Protected View (PV), and 2) click "Enable Content" to enable the embedded macro

The Problem

• But we found that sometimes, in a domain-joined environment, Office attachments are opened without Protected View!
  - Outlook + Exchange Server, domain-joined: the typical environment for many organizations that use Microsoft solutions
• If the attachment is sent within the organization, no Protected View
  - e.g., [email protected] sends a .docx to [email protected]
• For external senders, we've seen all 3 possibilities:
  - Attachments from all external senders are opened in PV
  - If the external sender is a "known" address for the user, no PV; otherwise there is PV
  - Attachments from all external senders are opened without PV
• We'd like to thank Randy Zhong (@randy_zhong), Steeve Barbeau (@steevebarbeau), and Dennis Dwyer (@dunit50) for helping us test the behavior.

It's an Expected Behavior..

• Microsoft knows this already: the registry key "MarkInternalAsUnsafe", when set, forces users to open any Office file in Protected View mode (https://support.microsoft.com/en-us/kb/2714439)
• However, the flag is not set by default
  - Remember, when we talk about security issues, we need to think from the average user's perspective
  - According to our tests, no organization sets this flag for their employees

The Risks

• In simple words, Outlook doesn't protect against insider threats by default
  - For example, if one employee (could be anyone) gets hacked, the attacker could use his/her email account to send a malicious Office exploit to the CEO, which makes hacking the CEO's computer much easier
  - Did you know that Hacking Team used Flash exploits embedded in Office documents? That would work in this case
• Regarding external emails, we call on IT administrators to perform their own tests
  - As we have seen, different organizations behave differently, probably depending on the Exchange Server version or some configuration on the Exchange Server

Conclusion

• BadWinmail was an ideal attack technique for targeted/APT attacks, and it's wormable
• No Protected View for internal emails poses a real-world security concern
• Outlook is not as secure as you think (even after BadWinmail)
  - Exploitation: Outlook does not have a sandbox!
  - The attack surface is actually pretty wide: Outlook supports many formats, most of them binary, namely MSG/TNEF/RPMSG (fuzzing is needed!)
  - A lot of features most people don't know about yet, and features bring bugs; we didn't know Outlook supported OLE before this work
  - Outlook is highly integrated with the Office system, i.e., they share a lot of libraries, which means vulnerabilities in other Office apps may affect Outlook too

Major References

[1] Haifei Li and Bing Sun, "Attacking Interoperability: An OLE Edition" [Online] https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf
[2] Microsoft, "[MS-OXMSG]: Outlook Item (.msg) File Format" [Online] https://msdn.microsoft.com/en-us/library/cc463912(v=exchg.80).aspx
[3] Microsoft, "Description of Transport Neutral Encapsulation Format (TNEF) in Outlook 2000" [Online] https://support.microsoft.com/en-us/kb/241538
[4] Microsoft, "[MS-OXTNEF]: Transport Neutral Encapsulation Format (TNEF) Data Algorithm" [Online] https://msdn.microsoft.com/en-us/library/cc425498(v=exchg.80).aspx
[5] Haifei Li, "BadWinmail: The "Enterprise Killer" Attack Vector in Microsoft Outlook" [Online] https://sites.google.com/site/zerodayresearch/BadWinmail.pdf
[6] Robert Lipovsky and Anton Cherepanov, "BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry" [Online] http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry
[7] Microsoft, "Office document attachments open in Protected View in Outlook" [Online] https://support.microsoft.com/en-us/kb/2714439