MS13-051 addresses a security vulnerability in Microsoft Office 2003 and Office for Mac. Newer versions of Microsoft Office for Windows are not affected by this vulnerability, but the newest version of Office for Mac (2011) is affected. We have seen this vulnerability exploited in targeted 0day attacks in the wild. In this blog we’ll cover the following aspects:

  • Technical Details
  • Attack Pattern
  • Advice for Detection

Technical Details

In the Office PNG file parsing code, there is a vulnerability where the length field of a chunk is not correctly checked. The PNG specification (http://www.w3.org/TR/PNG/#5Chunk-layout) says “Although encoders and decoders should treat the length as unsigned, its value shall not exceed 2^31-1 bytes.” However, in the malicious PNG files, we found the length field of a chunk equal to 0xFFFFFFFF. The PNG parsing code correctly treated this field as unsigned (as specified in the PNG spec), but did not catch the case where the value was 0xFFFFFFFF, which, when interpreted as an unsigned value, exceeds 2^31-1. Below is what the malicious chunk size looks like (highlighted in yellow):

Shellcode analysis shows that the exploit for this vulnerability was a classic stack-based buffer overflow, which wrote far past the end of a buffer on the stack, thereby overwriting control data on the program’s stack and eventually hijacking the program’s execution. Older versions of Office/Windows don’t have mitigations for these types of exploits, but newer versions of Office/Windows do. This is an example of how running current software can increase an organization’s security. We also verified that EMET 3.0 (and above) is able to stop the exploits observed so far, providing an additional mitigation against this specific attack.
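The chunk-length check described above can be applied to a PNG file before it reaches a parser. The following is an added example, not code from Microsoft or from the original post: the function names and the sample files are constructed for illustration, and the chunk type used in the malformed sample is arbitrary.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LENGTH = 2**31 - 1  # limit stated in the PNG specification


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build a well-formed chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def check_png_chunks(blob: bytes) -> list[str]:
    """Walk the chunk layout and return findings; an empty list means clean."""
    if not blob.startswith(PNG_SIGNATURE):
        return ["not a PNG: signature missing"]
    findings, offset = [], len(PNG_SIGNATURE)
    while offset < len(blob):
        if len(blob) - offset < 8:
            findings.append(f"offset {offset}: truncated chunk header")
            break
        (length,) = struct.unpack_from(">I", blob, offset)  # unsigned, big-endian
        ctype = blob[offset + 4:offset + 8]
        if length > MAX_CHUNK_LENGTH:
            findings.append(f"offset {offset}: {ctype!r} length 0x{length:08X} exceeds 2^31-1")
            break  # the length cannot be trusted, so stop walking
        end = offset + 8 + length + 4  # header + data + CRC
        if end > len(blob):
            findings.append(f"offset {offset}: {ctype!r} length {length} runs past end of file")
            break
        data = blob[offset + 8:offset + 8 + length]
        (crc,) = struct.unpack_from(">I", blob, offset + 8 + length)
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            findings.append(f"offset {offset}: {ctype!r} CRC mismatch")
        offset = end
        if ctype == b"IEND":
            break
    return findings


# Constructed samples; BAD_PNG carries an arbitrary chunk with length 0xFFFFFFFF.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
GOOD_PNG = PNG_SIGNATURE + IHDR + IDAT + make_chunk(b"IEND", b"")
BAD_PNG = PNG_SIGNATURE + IHDR + b"\xff\xff\xff\xff" + b"tEXt" + b"A" * 16

if __name__ == "__main__":
    for label, sample in (("good", GOOD_PNG), ("bad", BAD_PNG)):
        print(label, check_png_chunks(sample) or "no findings")
```

The second check (declared length running past the end of the file) also catches lengths that are within the specification's limit but still larger than the data actually present.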

Attack Pattern

The attacks we observed were extremely targeted in nature and were designed to avoid being investigated by security researchers. The malicious samples observed are Office documents (Office 2003 binary format) which do not include the malicious PNG file embedded directly in the document. Rather, the documents reference a malicious PNG file loaded from the Internet and hosted on a remote server.

Attackers also equipped their servers with scripts which avoid serving the PNG exploit multiple times, in an effort to keep this 0day more concealed. We believe that the limited attacks observed were geographically located mostly in Indonesia and Malaysia.

Advice for Detection

The common pattern for all these documents is the filename “space.gif” used by each malicious file to fetch the remote PNG file containing the exploit. In order to help security vendors and enterprises look for potential indicators and deliver effective protection, we are providing some of the URLs used to load the remote PNG exploit and hashes of the malicious Office binary format documents observed in these limited targeted attacks.

Thanks to Andrew Lyons and Neel Mehta of Google Inc for the report, and to Elia Florio and Cristian Craioveanu for helping with this case.

- Neil Sikka, MSRC Engineering
@neilsikka