So this video has been out for a few months now but it’s making the rounds so I thought I’d give my take on things:
First off – if you’ve been to my presentation on targeted attacks using Microsoft Office documents as the payload – this will all look very familiar to you, as you will have seen a demo nearly identical to this on XP / Vista, but using a PowerPoint file as the document of choice (and one that was used in a real attack, I might add).
Marc and Derek are demonstrating a very real scenario using vulnerabilities in Vista and Office 2007 that they discovered. In the video, Derek opens a Publisher file that was emailed to the user – who, b.t.w. (I’m told), was running a UAC-protected admin account. When the user double-clicks the attachment and acknowledges the warning dialog box about opening untrusted attachments, Publisher opens, then exits, and then the system is owned. What about UAC, you ask? Shouldn’t that have mitigated things? Under normal conditions it certainly would have reduced the damage potential of shellcode running in the context of Publisher. In this case, however, the payload (the shellcode) that was run by exploiting a vulnerability in Publisher 2007 in turn exploited a Vista local EoP vulnerability to gain local system privileges, which allowed the remote attacker to do things like disable the firewall (which resulted in the visible UI pop-up). So two exploits chained together to achieve maximum damage.
So what vulnerabilities were exploited? I’m not 100% sure but my money is on this Publisher 2007 vuln: http://www.microsoft.com/technet/security/Bulletin/MS07-037.mspx and this Vista vuln (for local EoP to system): http://www.microsoft.com/technet/security/Bulletin/MS07-021.mspx
Interesting things to note about the video:
1. Publisher exited with no Office / Windows Watson kicking in and prompting to submit a report – this should be considered highly suspicious and is something I talk about as an indicator in my presentations. In these types of attacks the application doesn’t *have* to exit quietly with no Watson dialog; whether it crashes visibly usually depends on the type of vulnerability being exploited and on the skill level of the attacker and their desire to be stealthy.
2. Derek didn’t *have* to disable the firewall, or even EoP to system for that matter (I’m sure they were going for the ‘shock and awe’ factor). There is plenty of malware that runs as a standard user and steals keystrokes like that, and it can come down via common HTTP downloader shellcode (the type found on metasploit.com etc.) that wouldn’t require the attacker to listen on a port or disable the firewall (meaning the Vista pop-up you saw about the firewall being disabled could easily be avoided to remain stealthy).
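As an added, defender-side example that is not part of the original post: the two behaviours called out above (the document handler exiting cleanly without a Watson report, and the firewall being switched off shortly afterwards), together with the "Publisher opens, exits, system owned" chain described earlier, can be turned into a simple correlation rule. The Python below runs that rule over a constructed process/firewall event log. The pipe-separated log format, the `BENIGN_CHILDREN` allowlist, the 30-second and 2-minute thresholds and the alerting rule are all assumptions made for this example, not a real Windows or Sysmon schema; `mspub.exe` is the Publisher image name.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Office 2007 document handlers to watch (mspub.exe is Publisher).
OFFICE_HANDLERS = {"mspub.exe", "powerpnt.exe", "winword.exe", "excel.exe"}
# Children Office spawns legitimately; a hypothetical allowlist to tune per estate.
BENIGN_CHILDREN = {"splwow64.exe"}
SHORT_LIFETIME = timedelta(seconds=30)      # opened, ran the payload, exited
CORRELATION_WINDOW = timedelta(minutes=2)   # firewall change shortly after exit

# Constructed sample telemetry (not a real Windows/Sysmon schema), one event per line:
#   timestamp|kind|pid|image|detail
# detail = parent pid for 'start', exit code for 'stop', new state for 'firewall'.
SAMPLE_LOG = """\
2007-08-01T10:00:00|start|1200|outlook.exe|800
2007-08-01T10:01:03|start|1344|mspub.exe|1200
2007-08-01T10:01:05|start|1360|cmd.exe|1344
2007-08-01T10:01:06|stop|1344|mspub.exe|0
2007-08-01T10:01:09|firewall|0|netsh.exe|state=off
2007-08-01T10:30:00|start|1500|mspub.exe|800
2007-08-01T10:31:00|start|1510|splwow64.exe|1500
2007-08-01T10:45:00|stop|1500|mspub.exe|0
"""


@dataclass
class Event:
    ts: datetime
    kind: str    # start | stop | firewall
    pid: int
    image: str
    detail: str


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Parse the constructed pipe-separated format into Event records, in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, image, detail = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, int(pid), image.lower(), detail))
    return sorted(events, key=lambda e: e.ts)


def detect(text):
    """Return one Finding per Office handler launch that shows the 'open, quiet exit,
    owned' pattern: a short clean exit, an unexpected child, or a firewall change
    right after. A single weak signal is ignored; a child spawn or two signals alert."""
    events = parse_log(text)
    findings = []
    for start in events:
        if start.kind != "start" or start.image not in OFFICE_HANDLERS:
            continue
        reasons = []
        # First stop for this pid after launch (PID reuse is ignored in this toy).
        stop = next((e for e in events
                     if e.kind == "stop" and e.pid == start.pid and e.ts >= start.ts), None)
        end_ts = stop.ts if stop else events[-1].ts
        # Signal 1: the handler exited quickly with exit code 0, i.e. no crash and
        # hence no Watson/WER dialog, even though a document was just opened.
        if stop and stop.ts - start.ts <= SHORT_LIFETIME and stop.detail == "0":
            reasons.append("quiet_short_lifetime")
        # Signal 2: a non-allowlisted child process was spawned by the handler.
        for e in events:
            if (e.kind == "start" and e.detail == str(start.pid)
                    and e.image not in BENIGN_CHILDREN and start.ts <= e.ts <= end_ts):
                reasons.append(f"child_process:{e.image}")
        # Signal 3: host firewall state changed while the handler ran or shortly after.
        if any(e.kind == "firewall" and start.ts <= e.ts <= end_ts + CORRELATION_WINDOW
               for e in events):
            reasons.append("firewall_change")
        if any(r.startswith("child_process") for r in reasons) or len(reasons) >= 2:
            findings.append(Finding(start.pid, start.image, reasons))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.image} pid={f.pid}: {', '.join(f.reasons)}")
```

On the constructed log the first Publisher launch (pid 1344) is flagged on all three signals, while the later, long-lived launch that only spawned the allowlisted print helper is not. The quiet-exit signal is deliberately not enough on its own, since plenty of users open a document and close it again within seconds; it is the combination with a child process or a firewall change that makes the sequence worth an analyst's time.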
It was good to see Marc at the end of the video mention the importance of staying on top of security updates not only for Microsoft software but other software as well.