BadWinmail and Email Security Outlook Final


  • 8/16/2019 BadWinmail and Email Security Outlook Final


    BadWinmail and Email Security on Outlook

    • Haifei Li ([email protected])

    • Chong Xu ([email protected])


    About Us - Haifei

    • Security Researcher @ Intel Security (formerly McAfee)

    • Previously: Microsoft, Fortinet

    • Work on 2 questions (for good purposes):
      1) how to find vulnerabilities?
      2) how to exploit them?

    • At McAfee my interests have been extended to a 3rd:
      3) how to detect the effect by answering the 1st & 2nd?
      Work on research-backed projects aimed at detecting the most stealthy (zero-day) exploits

    • Presented stuff some times (BlackHat Europe 2010, REcon 2012, Syscan360 2012, CanSecWest 2011/2014/2015, Black Hat USA 2015)


    About Us - Chong

    • Ph.D from Duke University

    • Senior Director @ Intel Security

    • Focus:
      • Advanced (0-day) exploit and malware defense
      • APT detection
      • Threat intelligence
      • Innovation
      • Next generation network/host solutions


    Agenda

    • A Look Back at Outlook Security
    • The Journey of the BadWinmail Discovery
    • How Bad Is It?
    • The Fix
    • Outlook vs. Email Attachments
    • Conclusion


    Outlook 101

    • Outlook is a key application in the enterprise environment
      • Not just for exchanging emails
      • Meetings / personal information
      • Sharing files (shared folders), integrated w/ Lync (now called Skype for Business)
      • Probably more commonly used than browsers

    • It’s the most direct way that an attacker can reach into your enterprise, by sending emails
      • Behind the firewalls
      • Highly targeted victims

    • Outlook security deserves attention


    Outlook Bugs in Recent Years

    • CVE-2014-2730, April 2014
      • DoS only, in parsing XML; not really exploitable
      • No MS patch info found

    • CVE-2013-3905, Nov 2013
      • Info-disclosure in handling X.509 certificates, e.g. allows port-scanning the internal network
      • Fixed in MS13-094

    • CVE-2013-3870, Sep 2013
      • Double-free in handling nested S/MIME certificates; potentially allows RCE, but most unlikely to exploit, as explained in http://blogs.technet.com/b/srd/archive/2013/09/10/ms13-068-a-difficult-to-exploit-double-free-in-outlook.aspx
      • Fixed in MS13-068

    • CVE-2013-0095, March 2013
      • Outlook for Mac only; a crafted HTML email will use the WebKit engine to render remote web content automatically; allows info-leak (whether the victim read the email or not)
      • Fixed in MS13-026



    Outlook Bugs in Recent Years

    • CVE-2010-2728, Sep 2010
      • Heap-based overflow in parsing the TNEF format; seems not easy to exploit
      • Fixed in MS10-064

    • CVE-2010-0266, July 2010
      • Logical fault in verifying file types when the user opens email attachments; requires little user interaction, but easy to exploit (still very dangerous)
      • Fixed in MS10-045

    • CVE-2010-0816, May 2010
      • Integer overflow in handling POP3 responses; only in the Outlook Express edition
      • Fixed in MS10-030

    • It’s just an email client that has seen few vulnerabilities in recent years; how insecure can it be? But…


    Agenda: The Journey of the BadWinmail Discovery


    Let’s Talk About OLE First

    • Embedding a document in another document

    • Just by double-clicking on the “checklist” document, readers open another document


    What’s OLE?

    • OLE provides the majority of the interoperability functions in Office

    • It’s just a subset of COM

    • 2 types of OLE objects
      • In-process OLE (in-process COM), loaded via ole32!OleLoad()
      • Separate-process OLE (separate-process COM), loaded via ole32!OleRun()

    (Diagram on the slide: OLE drawn as a subset of COM)


    What’s OLE?

    • We explained the OLE internals (for in-process OLE) as well as the attack surface at Black Hat USA 2015: https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf, which has been referenced by many researchers as it has helped their research against Office-based threats

    • Our Black Hat talk is about OLE on Word/PowerPoint/Excel/WordPad only, i.e., it’s for Word/PowerPoint/Excel documents and the RTF file format

    • But OLE has a wider existence!



    OLE in Outlook

    • We may receive an email similar to this (screenshot on the slide)

    • This is an Excel spreadsheet “embedded” in the email body, not as an attachment as we usually see


    OLE in MSG

    • This email can be saved as “.msg”, which has the binary as shown on the slide

    • If you have dealt with OLE in other Office formats before, you’ll see an OLE object structure here!


    OLE in MSG

    • Microsoft’s “[MS-OXMSG].pdf” tells us the secret

    • There’s even an example in the specification


    OLE in MSG

    • It seems like an OLE object stored in the MSG file format

    • Using the knowledge from our BH presentation, we
      • Changed the CLSID of the “_substg1.0_3701000D” storage to the Flash OLE CLSID D27CDB6E-AE6D-11cf-96B8-444553540000
      • Manually injected a “Contents” stream containing the Flash exploit into the .msg file


    OLE in MSG

    • When the .msg was opened in Outlook, the exploit was triggered, i.e., the “Contents” stream was loaded by the Flash OLE’s IPersistStorage::Load() function, which triggers the exploit


    Attack Scenario of OLE in MSG

    • At this point, it’s pretty certain that this is a really dangerous (and previously-unknown) attack vector, or a novel “exploit delivering method”

    • Attackers may attach the .msg file to an email and send it to the victim; as long as the victim previews the .msg attachment, the “embedded” Flash exploit will run!
      • .msg is considered a “safe” file type by Outlook; Outlook even uses itself to preview .msg attachments


    More OLE Objects Under Attack

    • We know the Flash OLE object could be loaded

    • It’s reasonable to guess more OLE objects could be loaded in Outlook

    • Indeed, such as:
      • Adobe Flash (pwning via a Flash 0day)
      • Adobe Reader (pwning via a PDF 0day?)
      • etc.


    OLE in TNEF

    • Wait! Is that all?

    • About the time I was going to send the report to Microsoft, I happened to read this “clue” webpage: https://support.microsoft.com/en-us/kb/241538

    • Turns out TNEF (the winmail.dat) supports OLE too!

    • After some investigation, I found



    Winmail.dat

    • Remember when someone sent you a strange attachment named “winmail.dat” and you had no idea how to open it?


    OLE in TNEF

    • TNEF is another Microsoft-invented email file format, described in “[MS-OXTNEF].pdf”

    • It’s a binary file format (like MSG), but it will be parsed directly as long as the user reads the email! (MSG could only be sent as an email attachment)

    • The following is a sample .eml (which could be sent via email protocols) that contains OLE


    OLE in TNEF

    • Here is what a TNEF file looks like (after decoding it from the .eml file)

    • 0x223E9F78 is the magic number


    OLE in TNEF

    • Looking at the whole data of the file, we find some “interesting” bytes in that “TNEF” winmail.dat

    • D0 CF 11 E0 A1 B1 1A E1 => the magic number for “OLE Structured Storage” (OLESS)

    • With the help of identifying the “length” fields (marked in red on the slide), we were able to dump the OLESS stream


    OLE in TNEF

    • The dumped OLESS could be opened/edited by many “structured storage” tools
      • Here I used the open-source OpenMcdf

    • Isn’t it the same as in MSG?


    OLE in TNEF

    • We can play the old trick, as when we “hacked” the MSG
      • Modify the CLSID to Flash OLE’s CLSID
      • Add a “Contents” stream, put our exploit there

    • After that
      • Re-pack the modified OLESS into winmail.dat
      • Remember to update the “length” fields
      • Encode (base64) that winmail.dat into an email file
      • Send that email via email protocols


    It Worked!

    • And when Outlook receives that TNEF email (screenshot on the slide)


    OLE in TNEF

    • As mentioned, the TNEF specification is actually well described in “[MS-OXTNEF].pdf”

    • Our exercise was to modify an existing TNEF email sample, but one can build the TNEF file on one’s own

    • In order to let TNEF render the attachment (it’s a different concept than the “email attachment”) as an OLE object, the “AttachTypeFile” should be set to 0x02 (AttachTypeOLE)

    • This could be used to detect TNEF emails that contain OLE objects
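The detection idea on this slide (and the two magic numbers from slides 22 and 23), worked through as an added example that is our own code, not the authors’ tooling: a small TNEF walker that verifies the 0x223E9F78 signature and each attribute’s checksum, then flags any attachment whose RendData type is 0x02 (OLE) or whose attachment data starts with the OLESS magic. The attribute ids, the RendData layout and the sample winmail.dat bytes are assumed from [MS-OXTNEF] and constructed here; they are not taken from the slides.

```python
import struct

# TNEF constants; the two magic values are on the slides, the attribute ids and
# the RendData layout are assumed from [MS-OXTNEF].
TNEF_SIGNATURE = 0x223E9F78                       # slide 22: TNEF magic number
OLESS_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # slide 23: OLE Structured Storage magic
LVL_MESSAGE, LVL_ATTACHMENT = 0x01, 0x02
ATT_TNEF_VERSION = 0x00089006      # attTnefVersion    (atpDword,  id 0x9006)
ATT_ATTACH_REND_DATA = 0x00069002  # attAttachRendData (atpByte,   id 0x9002)
ATT_ATTACH_TITLE = 0x00018010      # attAttachTitle    (atpString, id 0x8010)
ATT_ATTACH_DATA = 0x0006800F       # attAttachData     (atpByte,   id 0x800F)
ATYP_FILE, ATYP_OLE = 0x0001, 0x0002  # RendData.atyp values (slide 27: 0x02 = OLE)


def tnef_checksum(data: bytes) -> int:
    """Per-attribute checksum: 16-bit sum of the attribute's data bytes."""
    return sum(data) & 0xFFFF


def parse_tnef(blob: bytes):
    """Yield (level, attribute_id, data) per attribute, verifying signature and checksums."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream (bad signature)")
    pos = 6  # 4-byte signature + 2-byte LegacyKey
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header")
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        data = blob[pos:pos + length]
        pos += length
        if len(data) != length or pos + 2 > len(blob):
            raise ValueError(f"truncated attribute 0x{attr_id:08X}")
        (stored,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if stored != tnef_checksum(data):
            raise ValueError(f"bad checksum on attribute 0x{attr_id:08X}")
        yield level, attr_id, data


def find_ole_attachments(blob: bytes) -> list:
    """One record per attachment that is typed OLE or whose data begins with the OLESS magic."""
    findings, current = [], None
    for level, attr_id, data in parse_tnef(blob):
        if level != LVL_ATTACHMENT:
            continue
        if attr_id == ATT_ATTACH_REND_DATA:
            # RendData opens a new attachment: atyp(2) ulPosition(4) dxWidth(2) dyHeight(2) dwFlags(4)
            atyp = struct.unpack_from("<H", data, 0)[0] if len(data) >= 2 else 0
            current = {"atyp": atyp, "title": None, "oless": False}
            findings.append(current)
        elif current is None:
            continue
        elif attr_id == ATT_ATTACH_TITLE:
            current["title"] = data.rstrip(b"\x00").decode("latin-1")
        elif attr_id == ATT_ATTACH_DATA:
            current["oless"] = data.startswith(OLESS_MAGIC)
    return [f for f in findings if f["atyp"] == ATYP_OLE or f["oless"]]


def _attr(level: int, attr_id: int, data: bytes) -> bytes:
    return struct.pack("<BII", level, attr_id, len(data)) + data + struct.pack("<H", tnef_checksum(data))


def build_sample(atyp: int, payload: bytes, title: bytes) -> bytes:
    """Constructed minimal winmail.dat with one attachment (test input, not a real capture)."""
    rend = struct.pack("<HIHHI", atyp, 0, 0, 0, 0)
    return (struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
            + _attr(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, rend)
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_TITLE, title + b"\x00")
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, payload))


# Constructed samples: a plain file attachment, and an OLE-typed attachment carrying an OLESS blob.
BENIGN = build_sample(ATYP_FILE, b"quarterly numbers, plain text", b"report.txt")
SUSPICIOUS = build_sample(ATYP_OLE, OLESS_MAGIC + b"\x00" * 24, b"embedded.obj")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, find_ole_attachments(sample))
```

Because the OLESS check runs independently of the attachment type, an attachment declared as a plain file but carrying a compound document is flagged as well, which is the case a mail gateway filter would otherwise miss.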


    Agenda: How Bad Is It?


    It’s Really Bad

    • Users get pwned as long as they just read the email
      • No matter whether you preview the email or open a new window to read the email in Outlook

    • Flash is installed on most Windows systems
      • It’s installed by default on every Windows 8, 8.1, 10!
      • On Windows 7, the victim just needs to have installed the Flash ActiveX version (for IE)
      • Note: Flash is not the only object Outlook can load, as we have discussed before

    • Having a reliable Flash zero-day exploit is fairly easy for someone who wants to launch a targeted attack
      • Up to 50,000 USD (according to Zerodium)
      • Read various other industry posts/papers/presentations talking about how many Flash zero-days they analyzed and how many Flash CVEs they’ve found


    It’s Really Bad

    • There’s no sandbox on Outlook! Yes, you read it right, for such an important app!
      • Getting code execution in Outlook = taking control of the computer

    • Due to the nature of email-based attacks, it’s an ideal way to launch highly-targeted attacks
      • What is a real APT? This is

    • It’s wormable!
      • Once one computer is hacked via email, the worm may gather all the contacts and then send the same exploit through email to all the contacts to spread itself
      • It doesn’t usually happen in the Windows ecosystem nowadays


    Agenda: The Fix


    The Disclosure Thing

    • Disclosure Timeline
      • The issue was reported to MSRC in late October 2015
      • The fix was released on December 8th, 2015 during Patch Tuesday (CVE-2015-6172, MS15-131)
      • MSRC and the Office team patched it within 1.5 months, the fastest patching speed I’ve ever seen

    • 80+ email exchanges were made for this case, including 1 online meeting and 2 “face-to-face status updates”
      • Thanks to Jason Shirk (MSRC) for coming to Vancouver

    • Per request, the paper and demo were released 1 week after the patch (on December 15th), allowing more people to install the patch
      • The paper was released at: https://sites.google.com/site/zerodayresearch/BadWinmail.pdf



    After the Fix

    • I wrote a script monitoring the email samples we have to see if there’s an ITW BadWinmail attack
      • The usual “threat intelligence” thing
      • Glad no alert so far
      • There were reports of some samples detected by AV; they are FPs

    • I’d like to share my view on the patch


    The “weird” Fix

    • I spent time on this because I saw a “weird” thing
      • After the fix, my PoC still loads the Flash binary!
      • Isn’t the best patch blocking Outlook from loading the Flash binary at all?

    • So I fired up my debugger, and confirmed that CoCreateInstance(CLSID_Flash, ..) is indeed called

    mso!Ordinal4312+0xa5b:
    64c7a954 ff15cc1ac464    call    dword ptr [mso!Ordinal10691+0x1acc (64c41acc)] ds:0023:64c41acc={ole32!CoCreateInstance (76039d0b)}
    0:000> db poi(esp) L10
    0012ac64  6e db 7c d2 6d ae cf 11-96 b8 44 45 53 54 00 00


    The “weird” Fix

    • So, what’s going on? But our exploit is indeed not working!

    • So I did step-by-step debugging from CoCreateInstance, and found that
      • After the CoCreateInstance (which loads the binary) and before the IPersistStorage::Load() (which loads our Flash exploit), a check was added (in wwlib.dll)
      • The new check blocks the OLE initialization process (IPersistStorage::Load()) to prevent the exploit from being loaded



    The “weird” Fix

    • The 0x00000040 bit is set here (see the disassembly on the slide)

    • Confirming this is easy: when we reset the bit to 0 in memory, our exploit works again


    The “weird” Fix

    • Some takeaways from our digging into the fix
      • This fix is “weird” because after the fix, the Flash binary is supposed to not be loaded in the Outlook process at all
      • However, this fix is effective anyway
      • There’s 1 bit in memory controlling the feature
      • We believe this is app-dependent, which means as long as the “container” is Outlook, the OLE object shouldn’t be initialized
      • We currently don’t know if the bit comes from any Outlook customization settings (like from the Registry)


    Agenda: Outlook vs. Email Attachments


    Outlook vs. Attachment-based Threats

    • Outlook is not just a normal app; in fact, it’s a “threat entrance” for many organizations
      • Victims often get hacked starting from malicious attachments
      • Did you know the BlackEnergy trojan that caused the Ukraine electric power outage started from a macro-embedded .xls attachment? (http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry)

    • Office documents are supposed to be opened in “Protected View” mode by default
      • It’s a strong sandbox, according to this MWR research: https://labs.mwrinfosecurity.com/system/assets/1015/original/Understanding_The_Microsoft_Office_2013_Protected_View_Sandbox.pdf

    • So, in the BlackEnergy case, the victim did
      1) Click “Enable Editing” to disable the Protected View (PV)
      2) Click “Enable Content” to enable the embedded macro


    The Problem

    • But we found that sometimes, in a domain-joined environment, Office attachments will be opened w/o the Protected View!

    • Outlook + Exchange Server, domain-joined
      • Typical environment for many organizations using Microsoft solutions

    • If the attachment is sent within the organization, no Protected View
      • e.g., [email protected] sends a .docx to [email protected]

    • For external senders, we’ve seen all 3 possibilities:
      • Attachments from all external senders will be opened in PV
      • If the external sender is a “known” address for the user, no PV; otherwise there is PV
      • Attachments from all external senders will be opened w/o PV

    • We’d like to thank Randy Zhong (@randy_zhong), Steeve Barbeau (@steevebarbeau), and Dennis Dwyer (@dunit50) for helping us test the behavior


    It’s an Expected Behavior..

    • Microsoft knows this already
      • The registry key “MarkInternalAsUnsafe”, when set, forces users to open any Office files in Protected View mode (https://support.microsoft.com/en-us/kb/2714439)

    • However, the flag is not set by default..
      • Remember, when we talk about security issues, we need to think from the average user’s perspective
      • According to our tests, no organization sets this flag for their employees


    The Risks

    • In simple words, Outlook doesn’t protect against insider threats by default
      • For example, if one employee (could be anyone) gets hacked, the attacker could use his/her email account to send a malicious Office exploit to the CEO, which allows the threat actor to hack the CEO’s computer much more easily
      • Did you know Hacking Team used Flash exploits embedded in Office documents? That would work in this case

    • Regarding external emails, we’d like to call on IT administrators to perform their own tests
      • As we have seen, different organizations act differently
      • Probably depending on the Exchange Server version or some configuration on the Exchange Server


    Agenda: Conclusion


    Conclusion

    • BadWinmail was an ideal attacking technique for targeted/APT attacks, and it’s wormable

    • No Protected View for internal emails poses a real-world security concern

    • Outlook is not as secure as you think (even after BadWinmail)
      • Exploitation: Outlook does not have a sandbox!
      • The attack surface is actually pretty wide
        • Outlook supports many formats, most are binary formats, namely MSG/TNEF/RPMSG (fuzzing is needed!)
        • A lot of features most people don’t know about yet; features bring bugs
        • We didn’t know Outlook supported OLE before
      • Outlook is highly integrated with the Office system, i.e., they share a lot of libraries, which means vulnerabilities in other Office apps may affect Outlook too


    Major References

    [1] Haifei Li and Bing Sun, “Attacking Interoperability: An OLE Edition” [Online] https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf

    [2] Microsoft, “[MS-OXMSG]: Outlook Item (.msg) File Format” [Online] https://msdn.microsoft.com/en-us/library/cc463912(v=exchg.80).aspx

    [3] Microsoft, “Description of Transport Neutral Encapsulation Format (TNEF) in Outlook 2000” [Online] https://support.microsoft.com/en-us/kb/241538

    [4] Microsoft, “[MS-OXTNEF]: Transport Neutral Encapsulation Format (TNEF) Data Algorithm” [Online] https://msdn.microsoft.com/en-us/library/cc425498(v=exchg.80).aspx

    [5] Haifei Li, “BadWinmail: The "Enterprise Killer" Attack Vector in Microsoft Outlook” [Online] https://sites.google.com/site/zerodayresearch/BadWinmail.pdf

    [6] Robert Lipovsky and Anton Cherepanov, “BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry” [Online] http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry

    [7] Microsoft, “Office document attachments open in Protected View in Outlook” [Online] https://support.microsoft.com/en-us/kb/2714439


    Thank You!

    [email protected]

    [email protected]