Skip to content
This repository has been archived by the owner on Nov 10, 2017. It is now read-only.
/ CVE-2017-0199-Fix Public archive

Quick and dirty fix to OLE2 executing code via .hta

Notifications You must be signed in to change notification settings

NotAwful/CVE-2017-0199-Fix

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 

Repository files navigation

CVE-2017-0199 Fix

Remove CVE-2017-0199's ability to execute code by changing the default handler for .hta files. The default handler for files invoked through OLE2 (COM Objects) is stored separately from the local system's default application and can only be changed through the registry.

Basic Logic Exploit

This is one practical example of this exploit, and is explained as I understand it. Not all occurances may follow this pattern and my assessment may be incorrect. The fix presented in the next section however does work in the situations I have tested it in.

  1. RTF document hosted on web server has malicious hypertext application (HTA) payload 'cat'ed to the end of it.
  2. Hosting server responds to GET requests for the file with a header stating the content is a HTA file.
  3. Microsoft Word runs a OLE2 object to fetch the RTF document from the web server.
  4. Microsoft Word is forced to validate the filetype as the extension .rtf does not match the content type of HTA.
  5. Microsoft Word checks from the end of file for recognizable data structures and matches HTA data structures to HTA content type.
  6. Microsoft Word auto-corrects the filetype and passes it to the COM handler for HTA files (mshta.exe).
  7. Mshta.exe runs the malicious hypertext application code from the end of the file.

COM handlers are stored separately from system handlers in the registry to prevent errors in the filetype validation process.

Basic Fix

  1. In RegEdit.exe navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon
  2. Open the advanced permissions for DefaultIcon
  3. Change owner to Administrators (group)
  4. Add your current user account to the list of security principals, assign it "Full Control"
  5. Edit the (Default) key to be C:\Windows\System32\notepad.exe,1
  6. In Advanced Permissions for DefaultIcon remove your user, and reassign SYSTEM as the owner
  7. Repeat Steps 1 through 6 for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32, changing the (Default) key value to C:\Windows\System32\notepad.exe

This removes CVE-2017-0199's ability to execute code by changing the default handler for .hta objects invoked through OLE2 to notepad. This will apply to all instances of OLE2 invoking .hta files. This will cause notepad to open and will throw errors, but code will not execute.

ORIGINAL REGISTRY KEYS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon\(Default)
	C:\Windows\SysWOW64\mshta.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32\(Default)
	C:\Windows\SysWOW64\mshta.exe

EDITED REGISTRY KEYS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon\(Default)
	C:\Windows\System32\notepad.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32\(Default)
	C:\Windows\System32\notepad.exe

ENVIRONMENT

  • 1 Ubuntu 16.04.2 LTS Server with LAMP stack and SSH Server
  • 1 Windows 10 Client with Office 365 (2016)

REFERENCES

LESSONS

  • Do not edit HKCR directly. Edit the associated keys in either HKCU or HKLM.
  • You can return ownership of a registry key back to SYSTEM or others after taking it.
  • Don't screw with the registry. Leave it how you found it once you've made your changes.
  • Process Monitor has powerful right-click filtering to cut noise.
  • Process Monitor's find feature searches for a string in all fields.
  • pscp.exe (Putty) is a command-line SSH file transfer tool.
  • Linux is still a big pain.

Closing Remark

I take no responsibility for any damages or problems cause by this mitigation or user confusion resulting from notepad and a bunch of errors. This is a dirty fix and I do not know if this will cause wider issues in a production environment. As always, evaluate mitigations with your specific environment and needs in mind.

I will add screenshots later to show before and after effects of this mitigation. Also this can be done as a script, but I am having difficulties with changing permissions to the registry key and so I'll handle that later.

About

Quick and dirty fix to OLE2 executing code via .hta

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published