RTF zero day in the wild
FireEye recently published an RTF zero day that has been used in the wild since July. This zero day was used to spread FinSpy/FinFisher malware, a “lawful intercept” product with RAT-like capabilities.
The disclosed vulnerability is a logical vulnerability, which means most EMET style anti-exploitation techniques (ASLR, DEP, CFG) are irrelevant. As are any other pre-execution security mechanisms due to the nature of the logical vulnerability.
The SentinelOne behavioral engine successfully detects and blocks this vulnerability before any malicious code is executed.
The vulnerability, CVE-2017-8759, impacts the .NET framework and allows a malicious attacker to inject arbitrary code during the parsing parts of the RTF document: SOAP WSDL definitions. The function, PrintClientProxy,
that parses URLs encoded in the document fails with improper input validation. When multiple addresses are provided in a SOAP response, everything after the first address is prefixed with two slash signs (//), marking the rest of the line as a comment, including that address in it. However, the two slash signs comment marker is only in effect until the line ends. Therefore in order to execute attacker controlled code – all needed is to include a line break (CR;LF) in the address, following any malicious code. This validation issue has been successfully used by attackers to exploit and infiltrate.
This vulnerability impacts several different versions of Microsoft Windows, such as Windows Server 2008, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows 7, Windows 8.1, and Windows 10. Microsoft has recently released a fix for this issue. You can find more information on the impacted versions and the fix at microsoft.com.
Take a look at this video to see SentinelOne in action with build 1.8.3705 detecting this sophisticated zero day.