Endpoint Protection

by Khushbu Jithra

The flood of recent Microsoft Office vulnerabilities has brought forth the need to understand the mechanics of the MS Office security architecture and the possible fault injection points. This article discusses Microsoft Office's OLE Structured Storage and the nature of recent dropper programs and other exploit agents, in an effort to scrutinize the workings of some of the recent MS Office exploits. The second part of this article then collates some forensic investigation avenues through different MS Office features. Parts of the article sample different MS Office vulnerabilities to discuss their nature and the method of exploitation.

1. Overview of recent MS Office vulnerabilities

MS Office vulnerabilities have aroused concerns, particularly for MS Office documents received through e-mail or downloaded from web sites. Some published vulnerabilities allow memory corruption or lead to buffer overflows, whereas others escalate privileges - all leading to compromising the victim's system. An approximate number of vulnerabilities in different MS Office documents against the vulnerability type, calculated at the time of this writing, are shown in the Figure 1 below.

Figure 1. MS Office vulnerability overview. msoff1-thumb.jpg

In the high frequency band of 'Remote Code Execution' vulnerabilities, all the vulnerabilities are of varying risk levels. However these vulnerabilities are the ones that pose the highest risk to systems. Denial of Service and Memory Corruption vulnerabilities, in comparison, pose a medium to high risk to systems.

Vulnerability distribution for different MS Office applications, and collectively for all applications, is shown below in Figure 2. The reader is given this overview of different vulnerabilities affecting MS Excel, MS Word and MS Powerpoint, respectively.

Figure 2. Vulnerability distribution across MS Office applications.

Each bar in Figure 2 represents individual application vulnerabilities, however the MS Office bar is not an aggregate of the three bars. Instead the MS Office bar represents the vulnerabilities which affect all MS Office applications collectively. The following sections will now provide a better understanding of some of these vulnerabilities.

2. OLE Structured Storage

One of the earliest MS Word vulnerabilities this year was exploited with the help of dropper programs embedded in the file structure of a MS Word file. Several vulnerabilities related to malformed images and media objects in MS Office similarly require the understanding of OLE Structured Storage, the MS Office file structure.

In the context of this article, OLE Structured Storage is defined as a systematic organization of components of any MS Office document. Each document has a root component which contains storage and stream components. The OLE Structured Storage is synonymous with the file system structure, such that 'storage' components are equivalent to directories and 'stream' components are equivalent to files, as shown below in Figure 3.

Figure 3. OLE Structured Storage.

A storage component may exist as a standalone component. Each storage component may have one or more sub-storage components and stream components. Also the root component may have stream components directly within it. MS Office 2000 and later versions support two file formats: OLE-binary based and the XML-based. Both are two forms of structured storage with the latter being a more browser-friendly option for storing documents. Figure 4 shows the mapping of the OLE Structured Storage to a sample Word document structure.

2.1 MS Office Documents and its components

Let's take a look at the structure of a Word document with an embedded Excel object, shown below in Figure 4.

Figure 4. Sample Word document storage format.

The 'MS Word' component is the root component containing several streams and one storage item. Different parts of the document such as the actual contents, any table inserted, the CompObj associated with the DLL files for the objects, the Summary Information for the content, any image inserted, and the Document Summary Information, all take the form of streams under the root component. The ObjectPool is the collective storage of all the sub-storage components. The figure samples the sub-storage Excel component. The Excel Sheet itself is a storage component within the ObjectPool and has its own streams of information – the Workbook, SummaryInformation, and DocumentSummaryInformation.

Different MS Office files are structured similarly. Different objects can be embedded into the document and are accessed and updated from their respective stream/storage components. Some COM and OLE vulnerabilities allow for an escalation of privileges and lack proper input filtration, leading to the compromise of systems running MS Office applications.

3. Sample mechanism of an attack

In a common attack scenario, the vulnerability is exploited via a simple insertion of a malformed or malicious object into the document structure. Some MS Excel and MS Word vulnerabilities are affected by such an attack.

Another instance of insertion of malicious objects is the Microsoft Word Malformed Object Pointer Remote Code Execution Vulnerability. This attack is illustrated below in Figure 5.

Figure 5. Exploitation - malformed object pointer vulnerability.

Steps to exploitation:

Step 1: The targeted victim opens the malicious MS Word document via an email attachment or a web page.
Step 2: The malicious storage component (dropper program) within the OLE Structured Storage gets executed as the Word file is opened.
Step 3: The Trojan is dropped on the victim's system.
Step 4: The trojan operates with a backdoor which allows the remote attacker to collect system information, access the command shell and take screen shots and store them to %System%\Capture.bmp.

In the above attack, if we were to break the vulnerability into different stages, the first vulnerable stage is when the attacker was able to draft or create a malicious Word document. The OLE Structured Storage fails to verify the content of the storage components and allows executables like Trojans to be inserted. The second stage is when the victim is lured into opening the malicious MS Word document via an email attachment or by downloading it from a Web page. The third stage is the malformed object pointer, which allows the malicious storage component to get executed as soon as the Word document is opened. Once the seed is planted, the Trojan is put into action. The fourth stage helps the embedded Trojan install a backdoor which can help the remote attacker to execute arbitrary code on the victim's system and eventually compromise it. To understand this further we can investigate the working of dropper programs in the next section of this article.

3.1 Dropper Programs

A dropper is a program that has been designed or modified to "install" standalone malware (such as Trojans, worms, backdoors) onto the target system. The malware code is usually contained in a dropper in such a way that it won't be detected by virus scanners.

A Trojan dropper typically extracts all its files to a temporary folder and executes all of them simultaneously. Dropper programs are seldom caught by any anti-virus programs or vulnerability scanners. This is due to the following reasons:

1. The dropper programs are not malicious themselves, but contain the code to drop the malicious content onto the victim's system .
2. In many cases, Trojan droppers contain innocuous multimedia files to hide any malicious activity.
3. Sometimes the dropper program injects code to overwrite the malicious MS Office document with a clean, fresh copy of the document such that there is no evidence left of the carrier document. Refer to Trojan.PPDropper.B for more information.
4. At times, Trojan droppers extract components directly to memory and activate them there, making it impossible for anti-virus software to detect dropped malware.

Several other MS Office vulnerabilities have been exploited due to improper input filtration, inadequate string parsing capabilities of the OLE Structured Storage functions, inadequate validation of a stream component variable (causing buffer overflows), memory corruption, and faulty rendering of the OLE Property Sets.

Discussing each vulnerability in detail is out of the scope of this article, but an observation can be made about the vulnerabilities overall. Almost all the vulnerabilities require the target to gauge the nature of the MS Office document before it is opened. This becomes increasingly difficult when anti-virus software is fooled by exploit agents like the dropper programs. Thus, the only solution is to correct the mechanism of the OLE Structured Storage itself.

While many vulnerabilities have been addressed in the Microsoft Security Bulletins, some quick workarounds for different vulnerabilities can also be implemented. These will be discussed in the next section.

4. Consolidated Workarounds

Nearly all workarounds start with warning users to avoid any unsolicited attachments from both known and unknown entities. However, more can be done to save systems from being compromised. There are workarounds provided by Microsoft on different occasions and for different MS Office vulnerabilities which can be used as common guidelines to deal with MS Office documents until updates or patches are released:

1. Open MS Office documents in 'Safe Mode' - Start Microsoft Office applications (e.g. Word, Excel, PowerPoint) in "safe mode" by holding down the control key when starting them. The user will be asked if he wants to start in safe mode and "safe mode" will appear in the title bar. If one receives an Office document via e-mail that he absolutely must read, save it and open it in the safe mode program rather than double-clicking the attachment in the e-mail program. For more details, refer to MS Office Online Assistance.
2. Block MS-TNEF (Transport Neutral Encapsulation Format) to help protect against attempts to exploit a vulnerability through SMTP email - Systems can be configured to block certain types of files sent through e-mail. Microsoft TNEF encoded e-mails, commonly known as Rich Text Formatted e-mail, can contain malicious OLE objects. These e-mails contain a file attachment that is usually named Winmail.dat to store the TNEF information. Blocking this file and blocking the application/ms-tnef MIME type could help protect both Exchange Servers and other affected programs from attempts to exploit this vulnerability.

As we all know, the MS Office architecture is very user-friendly and provides good backup and recovery options. It also provides excellent capabilities for reviewing documents in groups and inserting and embedding third-party application objects into MS Office applications. However, these same capabilities give us an interface to several forensic avenues which can turn out to be very useful during a forensic investigation. In the following section we'll conclude this article and then take a look at a preview of part two, which will discuss some of the ways a forensic investigator can look for document information and collect author evidence and view hidden information in MS Office documents.

5. Concluding part one

In the first part of this two-part series, we've taken a very cursory look at some of the security issues within Microsoft Office applications. Recent vulnerabilities and their subsequent exploitation has brought renewed interest in office document security within corporations, government and at home.

6. Preview of part two

Part two of this article will aid investigators with the 'analysis' phase of a forensic investigation. There are a number of features or tools available to help with the forensic process, and these will be discussed in some detail. We'll start with the popular track changes feature, making hidden markups visible in MS Office 2003 and 2002, and provide a script to aid in the deletion of a large number of comments from within a document. Then we'll look at issues when a document is sent through Office's send through e-mail feature with Exchange.

We'll also look at recovering unseen metadata in Office applications, Microsoft's 'SummaryInformation' features, and various ways of deleting personal data from with a document. Stay tuned.

7. References

7.1 Web references

1. http://msdn.microsoft.com/library/default.asp? url=/library/en-us/stg/stg/storage_vs__stream_for_a_property_set.asp
2. http://msdn2.microsoft.com/dede/library/microsoft.office .interop.word.oleformat_members.aspx
3. http://blogs.msdn.com/erikaehrli/archive/2005/11/30/dsofileproperties.aspx
4. http://windowssdk.msdn.microsoft.com/en-us/library/ms725799.aspx
5. http://en.wikipedia.org/wiki/Dropper
6. http://desaware.com/tech/persist.aspx
7. http://www.microsoft.com/technet/security/bulletin/MS06-027.mspx

7.2 Selected book references

1. Andrew Savikas, Word Hacks. O'Reilly, November 2004.
2. Chris Davis, Aaron Philipp, David Cowen, Hacking Exposed Computer Forensics. McGraw-Hill Professional, November 2004.

8. About the author

Khushbu Jithra, is an Information Developer and Security Researcher at NII Consulting, an Information Security Consulting firm based out of India. She writes at iScribe on her main interest - Information Security Documentation

9. Comments?

The comments section of this article is to be used for technical clarification and discussion only. Submitted comments must have technical merit in order to be approved.

10. Copyright

This article is © Copyright 2006, SecurityFocus. Reproduction without prior authorization is prohibited.

This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.