Last November, Microsoft released security bulletin MS10-087, which addresses a number of critical vulnerabilities in how Microsoft Office parses various office file formats. One of them is CVE-2010-3333, "RTF Stack Buffer Overflow Vulnerability," which could lead to remote code execution via specially crafted RTF data. A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious shellcode which downloads other malware.

The vulnerability can be triggered by utilizing a specially crafted RTF file with a size parameter that is bigger than the expected one. The vulnerability is present in Microsoft Word. It attempts to copy RTF data to the stack memory without validating the size, which will lead to overwriting the stack. 


Figure 1.10 

After executing the code in figure 1.10, the stack memory is overwritten by first part of the shellcode. The challenge for the exploit writer here is to make sure that the shellcode gets control and is executed. In this sample, one of the return addresses was overwritten by another address, which can be found in any known DLL loaded in the memory. That address contains a single piece of code, “Jmp ESP”, that  transfer the control to the stack memory containing our first shellcode.

Let's take a look at the first shellcode: 


Figure 1.20 

The code above uses a brute-force method to find the second shellcode entry-point by searching for the string "pingping" starting from hardcoded address 0x500000. To avoid causing exceptions while parsing these memory pages, it checks if the page is accessible by calling NtAccessCheckAndAuditAlarm() via Int 2Eh - passing EAX = 2h (NtAccessCheckAndAuditAlarm system call ordinal) and passing the page address in EDX. It returns STATUS_ACCESS_VIOLATION to EAX if the page is not accessible. 

The second shellcode starts by decrypting the rest of the codes and string using a XOR operation with constant keys. It retrieves the address of the needed APIs, downloads the malware from a remote location, and then executes it. In our sample, it attempts to download a file named svchost.exe and saves it as <system folder>\a.exe (detected as Trojan:Win32/Turkojan.C). 

Microsoft detects this exploit as Exploit:Win32/CVE-2010-3333.

We recommend customers that have not yet installed the security update MS10-087 to do so at their earliest convenience.

For reference, here’s a list of some SHA1s we’ve seen related to these targeted attacks:

  • 00d9af54c5465c28b8c7a917c9a1b1c797b284ab
  • 24ee459425020ea61a10080f867529ea241c51dc
  • 2e6abd663337c76379ae26b8aa6cf4db98137b64
  • 77637eccf9011d420cccc520bcb3ed0cf907dc00
  • CC47A73118C51B0D32FD88D48863AFB1AF7B2578

-- Rodel Finones