Re: Evasion with OLE2 Fragmentation

[Jeffrey Walton <noloader () gmail com>]

> Its embarrassing that so many products fail to detect
> known threats that have the exact same byte stream...
Try the EICAR test string using an arbitrary location within the file
(rather than starting at offset 0). Only four scanner engines on
VirusTotal.com detected the string when an arbitrary location was
used. When I enquired, I was told the reason was that the virus was an
actual program. Prepending the 'program' with a no-op sled to keep the
'program' in an executable state did not help the situation.

[1] http://www.eicar.org/anti_virus_test_file.htm

On 5/15/09, H D Moore <sflist () digitaloffense net> wrote:
> Something to keep in mind when using Office doc exploits during penetration
> tests:
>  -
> http://www.breakingpointsystems.com/community/blog/evasion-with-ole2-fragmentation
>
> (links active within in the article itself)
>
> --
>
> At BreakingPoint, we provide comprehensive coverage of Microsoft Tuesday
> patches. This Tuesday was no different and we released StrikePacks 45799 and
> 45800 to cover MS09-017 (the PowerPoint vulnerabilities). In addition to
> writing exploits for these flaws, we also research application-specific
> evasion methods. In the case of file format flaws, we support evasion at
> every level, including techniques like IP fragmentation, alternate MIME
> encodings, HTTP compression, and data randomization within the files
> themselves. While working on Strike coverage for MS09-017, we discovered a
> simple way to bypass mainstream anti-virus and IPS signatures for malicious
> Office documents. This post talks about the method we used and some of our
> test results against popular anti-virus products.
>
> Microsoft Office documents have been abused by security researchers and
> malware writers for many years. In 1999, Melissa, one of the first email
> viruses, used Visual Basic macros to send itself to all addresses in the
> victim's address book. Since then, macro security has been greatly improved,
> and attackers have moved on to exploiting parsing flaws in the Office
> software itself. This month, Microsoft released patches to address 14
> vulnerabilities in the PowerPoint document parsers. Unlike traditional
> network attacks, file format flaws are notoriously difficult for IPS vendors
> to identify accurately. To remedy this, the anti-virus industry has added
> file format exploit detection into both desktop and network gateway scanning
> products.
>
> Office documents are some of the most convoluted file formats in wide-spread
> use. The basic structure of these files is based on the Compound Document
> Format (OLE2 Structured Storage). This format is essentially a block-based
> filesystem with specific files and directories for each type and version of
> Office document. The actual "file" entries within these documents are also
> proprietary and change based on the version and features of the Office
> software used to create them. In order to detect a file format exploit, the
> parsing software needs to understand OLE2, locate the correct entry
> containing the document contents, and parse through that content to locate
> the specific structure that triggers the exploit. This process is CPU
> intensive and requires the parsing software to have a deep understanding of
> the version-specific Office document data inside of the OLE2 container.
> Creating software to do this correctly is expensive and time consuming, so
> the easy solution is to ignore the document format entirely and just scan
> for exploit-specific signatures. This is what most anti-virus and IPS
> products do today.
>
> Just like most block-based filesystems, the OLE2 format is susceptible to
> fragmentation. When the Office software wants to write data, it tries to
> consume any available free blocks before allocating new ones. The OLE2
> format has two different block tables; one for small entries (normally set
> to be less than 4096 bytes), and another for larger contiguous segments.
> Although fragmentation can occur during normal editing of an Office
> document, it is rare for documents to be heavily fragmented.
>
> It turns out that there is an excellent OLE library for Ruby, written by a
> developer who goes by aquasync. This library makes it easy to create and
> modify Compound Document files. With a little bit of scripting, we were able
> to create a tool (available below) to force heavy fragmentation of Office
> documents. Out first test of this tool used a Melissa variant as the base
> document. Uploading the raw Melissa Word document to VirusTotal.com resulted
> in 39 out of 40 AV products recognizing the document as malicious. After
> running this file through the refragmenter script, the results were only 10
> out of 40. This is horrible coverage for a file that had the exact same OLE2
> contents as the original sample, albeit in a different block order. Any
> product able to parse OLE2 streams correctly should be able to identify this
> file just as accurately as the non-fragmented version. Once we modifed the
> script to use 64 byte writes instead of 512, we only see detection in 7 out
> of 40 products. Keep in mind that this malware was originally released in
> 1999!
>
> Melissa may not be the best choice for testing modern anti-virus
> capabilities. Instead, lets look at a live sample of the Microsoft Word
> exploit for CVE-2007-0515 (MS07-014). The original, unmodified version of
> this document is detected by 25 out of 40 anti-virus products. Using the
> refragmenter script with 64 byte writes, only 1 out of 40 products detected
> the file as malicious, and this detection was for a different vulnerability
> (MS06-060).
>
> IPS and IDS developers have a great excuse for poor Office document coverage
> - this type of analysis is difficult and processor intensive. However, this
> is precisely the area where anti-virus products are supposed to succeed. Its
> embarrassing that so many products fail to detect known threats that have
> the exact same byte stream, just reordered using a mechanism that occurs in
> real documents. In our testing, the only public tool that can accurately
> identify fragmented Office documents is Office Cat, written by Lurene
> Grenier of the Sourcefire VRT. This tool uses the Windows OLE API to parse
> each stream, regardless of fragmentation, and scans deep into the document
> format to detect individual exploits.
>
> All BreakingPoint Strikes that target Office document flaws have been
> updated to support the OLE::RefragmentData option, which performs an
> operation similar to the refragmenter Ruby script below.
>
> The refragmenter script can be downloaded from:
> http://www.breakingpointsystems.com/community/files/refragmenter.rb
>
> This script depends on the ruby-ole library, which can be found online at
> http://code.google.com/p/ruby-ole/
>
> For more information about Office document flaws and exploitation methods,
> we recommend Bruce Dang's Black Hat USA 2008 presentation Methods for
> Understanding Targeted Attacks with Office Documents
> (http://www.blackhat.com/html/bh-usa-08/bh-usa-08-archive.html).
>
> -HD

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------