Vulnerabilities in Microsoft Access and MSJET40.DLL have been discussed in many blogs recently. Our friends at Panda blogged about a possible (new?) vulnerability in the MS Jet library on March 3rd, and McAfee blogged this past December about a different vulnerability reported on Bugtraq. Here at Symantec we have also reported some of these vulnerabilities to Microsoft, along with the many targeted attacks carried out with .mdb files since March 2006, but the response is almost always something like this:
"You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/925330"
This sentence translates into a very simple equation: .mdb = .exe. Microsoft does not acknowledge the bug as a critical remote code execution vulnerability because .mdb files are considered unsafe, and so Outlook is configured to block Access files when they are received as an attachment.
However, I doubt that all users are aware of that. I also doubt that this mitigation is good enough to justify leaving these vulnerabilities unpatched forever. It is unclear at the moment exactly how many vulnerabilities (public and non-public) MSJET40.DLL has. If many independent AV companies are blogging about this problem and raising the same points, there must be a reason. We found another good one today.
My colleague, Chen Yu, analyzed a very interesting sample of a targeted attack carried out with a special combination of a Word file (.doc) and an Access file (.mdb). The attacker first created a malicious Access file exploiting the unpatched CVE-2007-6026. Next, to bypass the Outlook restrictions mentioned before, the .mdb file was renamed with a different file extension (.asd, a video format). With this trick, as clearly shown in the following picture, Access files are no longer blocked by Outlook, because the protection triggers only on the file extension and not on the file format itself. In the picture I sent an email to my own account with two copies of the same Access file, but with different file extensions. The file with the .mdb extension was blocked, while the file with the .asd extension was still ready to be saved.
The attacker then needs only a trick to force the MS Jet library to open the file and trigger the vulnerability that will run the malicious shellcode. Some social engineering and a little help from Office applications do the rest in this specific attack. In fact, it is possible to call MSJET40.DLL directly from MS Word, without using Access at all. In this attack, the .doc file uses mail merge functionality to import an external data source file, and so it effectively forces MS Jet to load the malicious Access sample. The following screenshot shows a dump of the malicious Word file with the references to MS Jet and to the malicious Access file.
Social engineering is needed only to entice the victim to save both files in the same folder before opening the "safe" MS Word file, which immediately looks for the second file and opens it. It is worth noting that the attack does not work if the .doc file is opened directly from the email or without the malicious .mdb file; it is the combination of .doc and .mdb that makes the attack effective. However, enticing victims to save and open these files from the same folder is not such an unrealistic scenario (putting both files in the same .zip archive before sending the mail may be enough).
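The weak point described above is that the attachment block looks at the file extension, not at the file content. A defender can close that gap by identifying Access files from their header rather than their name, and by flagging Office documents that reference the Jet engine or an external data source. The following is an added example written for this post, not Symantec's or Microsoft's code: it relies on the real Jet database signature ("Standard Jet DB" at byte offset 4; Access 2007 files use "Standard ACE DB") and on the real Jet OLE DB provider name, while the attachment dictionary, the filenames and the connection-string fragment inside the constructed .doc blob are sample data built for the demonstration.

```python
import re
from pathlib import Path

# Jet/ACE database files start with 4 bytes of version info followed by this ASCII
# signature; it is present regardless of what the file is called on disk.
JET_SIGNATURE = b"Standard Jet DB"
ACE_SIGNATURE = b"Standard ACE DB"
SIGNATURE_OFFSET = 4

# Extensions under which a Jet database is expected; any other extension is a mismatch.
ACCESS_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde"}

# Strings that show a document points at the Jet engine or an external data source.
# "Microsoft.Jet.OLEDB" is the real OLE DB provider name; the Data Source pattern is an
# assumption about what a mail-merge connection string contains.
JET_REFERENCE_PATTERNS = [
    re.compile(rb"Microsoft\.Jet\.OLEDB(?:\.\d+\.\d+)?", re.IGNORECASE),
    re.compile(rb"MSJET40", re.IGNORECASE),
    re.compile(rb"Data Source=([^;\x00]+)", re.IGNORECASE),
]


def is_jet_database(data: bytes) -> bool:
    """True if the bytes carry the Jet/ACE signature, whatever the filename says."""
    window = data[SIGNATURE_OFFSET:SIGNATURE_OFFSET + len(JET_SIGNATURE)]
    return window in (JET_SIGNATURE, ACE_SIGNATURE)


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is a Jet database but the extension is not an Access one."""
    ext = Path(filename).suffix.lower()
    return is_jet_database(data) and ext not in ACCESS_EXTENSIONS


def jet_references(data: bytes) -> list:
    """Collect Jet engine / data-source references found in a document's bytes.

    The scan runs over the raw bytes and over a copy with NUL bytes removed, which is a
    crude way to also catch strings stored as UTF-16LE inside Office binaries.
    """
    hits = []
    for candidate in (data, data.replace(b"\x00", b"")):
        for pattern in JET_REFERENCE_PATTERNS:
            for match in pattern.finditer(candidate):
                text = match.group(0).decode("latin-1")
                if text not in hits:
                    hits.append(text)
    return hits


def triage_attachments(attachments: dict) -> list:
    """attachments maps filename -> bytes. Returns (filename, reason) findings."""
    findings = []
    database_files = set()
    for name, data in attachments.items():
        if is_jet_database(data):
            database_files.add(name)
            if extension_mismatch(name, data):
                findings.append((name, "Jet database content behind non-Access extension"))
    for name, data in attachments.items():
        if name in database_files:
            continue
        refs = jet_references(data)
        if refs:
            findings.append((name, "document references Jet engine / data source: " + "; ".join(refs)))
    return findings


# Constructed sample attachments (not real captures): a minimal Jet header under a video
# extension, a .doc-like blob carrying a Jet OLE DB connection string, and a benign text file.
SAMPLE_ATTACHMENTS = {
    "v_080310.asd": b"\x00\x01\x00\x00" + JET_SIGNATURE + b"\x00" * 100,
    "Nokia_7650_video_en.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 32
        + b"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=v_080310.asd;" + b"\x00" * 16,
    "notes.txt": b"Meeting notes for Monday\n",
}

if __name__ == "__main__":
    for filename, reason in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"{filename}: {reason}")
```

Run on the constructed set, the triage reports the renamed database and the document that points at it, and stays silent on the text file. The same two checks applied at a mail gateway would catch the .asd trick without relying on the extension list at all.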
The two files are detected as Trojan.Mdropper (.doc) and Trojan.Acdropper (.mdb), while the dropped executable is detected as Backdoor.Trojan. The files are sent with the filenames "Nokia_7650_video_en.doc" and "v_080310.asd."
At the moment, the MSJET40.DLL exploits most frequently used in the wild for targeted attacks target the following vulnerabilities:
• CVE-2005-0944, unpatched, reported by HexView in March 2005: http://www.hexview.com/docs/20050331-1.txt
• CVE-2007-6026, unpatched, reported by Frank Ruder in November 2007: http://seclists.org/bugtraq/2007/Nov/0235.html
Both vulnerabilities affect Access 2003 and prior versions, but they seem to be patched in the newer Office 2007.
At this time we can’t tell you to “download the patch.” However, the lesson from this story is to be always vigilant and suspicious when receiving file attachments of any type, even when the attachments are non-executable formats, such as Microsoft Office files.
Message Edited by Trevor Mack on 03-24-2008 03:30 PM
Message Edited by Trevor Mack on 03-26-2008 05:15 AM