The Hunt for File Format Vulnerabilities

We have been seeing several vulnerabilities of non executable file formats used in the wild recently. For example, we can mention the Trojan.Mdropper.AA family that exploits a bug in a Microsoft Excel file format, or the case of the MSJET vulnerability (still unpatched) that affects MS Access files. The hunt for new vulnerabilities in popular file formats is still a good research area in the security world, especially when we talk about malicious code writers.

A proof of concept of a new bug that affects Windows Explorer has been reported in the wild on the milw0rm Web site. The bug affects the code that parses Word documents in order to extract and display summary information (for example, document type, author, title, etc.). A malformed property record in the DocumentSummaryInformation stream of the Word document will cause Explorer to access an invalid pointer when parsing the file, causing the process to crash because of a memory access violation. In our tests we found that Microsoft Word XP, currently updated with SP3 and the latest patches, seems to be vulnerable to this bug, which causes Word to crash due to a "divide by zero" exception. Note that other versions of Word don’t seem to be affected.

After deeper investigation, we think it is fortunate that the bug seems to only cause a denial-of-service (DoS), which occurs when the corrupted document is either opened with Word or browsed from Windows Explorer. At this stage, it seems to be very unlikely that this bug can be used to run malicious code, and it’s simply crashing the applications. Anyway, it’s still an annoying issue and we hope that it will get fixed in the future.

We took a look at the problem in the crafted proof-of-concept .doc posted on milw0rm and we think that the problem lies in the DocumentSummaryInformation container of a Word document stream. This object contains information about the document, such as the title and the author, and Windows Explorer will display this information when needed. For example, when we select a document from Explorer with the status bar visible, this information will be displayed on the status bar. This means that Explorer parses the document, reads the DocumentSummaryInformation, and parses the information stored inside. Unfortunately, the function of OLE32.DLL, which is responsible for this, does not correctly validate the size of a property. As a result, this size is mistakenly added to a pointer, resulting in access to an invalid memory area.

In the above picture, we can see a dump of the DocumentSummaryInformation structure (beginning at offset 0x4400), which contains a header that specifies two sections. We can see in the first red box the first malformed data. In particular, the second part of the box contains an integer that is too big, which is not properly validated by OLE32.DLL. This allows the second malformed data, in the second red box, to be incorrectly validated (it represents the length of the next string) against the wrong value in the first red box, causing OLE32.DLL to compute a wrong pointer, which when used results in a memory access violation.

The document I analyzed contains other malformed fields that don’t seem to be related to the bug, so we suspect this document was the result of several experiments of fuzzing techniques. Fuzzing file formats and client applications to find new bugs is an activity that still keeps many security researchers busy, but also many malicious-minded hackers. For readers interested in vulnerabilities and targeted attacks, I suggest that you have a look at this Symantec paper. Attackers are always looking for new bugs, because often a simple crash can be transformed into a zero-day weapon used against companies and organizations.

The following chart has been created by analyzing the number of malicious Trojans exploiting file formats in the last year. Word (.doc) seems to still be the preferred attack vector, but recently we observed some other vectors emerging, such as .xls, .pdf, and also Ichitaro documents (.jtd), which are popular in Japan. Once again, our advice is to be extremely careful when opening any type of email attachment, even when they arrive with a file format considered “safe” and non-executable.

References:

More on fuzzing:
http://en.wikipedia.org/wiki/Fuzzing

More on vulnerabilities:
http://www.securityfocus.com/columnists/391