Remove CVE-2017-0199's ability to execute code by changing the default handler for .hta files. The default handler for files invoked through OLE2 (COM Objects) is stored separately from the local system's default application and can only be changed through the registry.
This is one practical example of this exploit, and is explained as I understand it. Not all occurances may follow this pattern and my assessment may be incorrect. The fix presented in the next section however does work in the situations I have tested it in.
- RTF document hosted on web server has malicious hypertext application (HTA) payload 'cat'ed to the end of it.
- Hosting server responds to GET requests for the file with a header stating the content is a HTA file.
- Microsoft Word runs a OLE2 object to fetch the RTF document from the web server.
- Microsoft Word is forced to validate the filetype as the extension .rtf does not match the content type of HTA.
- Microsoft Word checks from the end of file for recognizable data structures and matches HTA data structures to HTA content type.
- Microsoft Word auto-corrects the filetype and passes it to the COM handler for HTA files (mshta.exe).
- Mshta.exe runs the malicious hypertext application code from the end of the file.
COM handlers are stored separately from system handlers in the registry to prevent errors in the filetype validation process.
- In RegEdit.exe navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon
- Open the advanced permissions for DefaultIcon
- Change owner to Administrators (group)
- Add your current user account to the list of security principals, assign it "Full Control"
- Edit the (Default) key to be C:\Windows\System32\notepad.exe,1
- In Advanced Permissions for DefaultIcon remove your user, and reassign SYSTEM as the owner
- Repeat Steps 1 through 6 for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32, changing the (Default) key value to C:\Windows\System32\notepad.exe
This removes CVE-2017-0199's ability to execute code by changing the default handler for .hta objects invoked through OLE2 to notepad. This will apply to all instances of OLE2 invoking .hta files. This will cause notepad to open and will throw errors, but code will not execute.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon\(Default)
C:\Windows\SysWOW64\mshta.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32\(Default)
C:\Windows\SysWOW64\mshta.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon\(Default)
C:\Windows\System32\notepad.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32\(Default)
C:\Windows\System32\notepad.exe
- 1 Ubuntu 16.04.2 LTS Server with LAMP stack and SSH Server
- 1 Windows 10 Client with Office 365 (2016)
- Exploit Proof of Concept: https://rewtin.blogspot.ca/2017/04/cve-2017-0199-practical-exploitation-poc.html (Accessed 2017-04-17)
- CVE-2017-0199 Analysis: https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html (Accessed 2017-04-17)
- Do not edit HKCR directly. Edit the associated keys in either HKCU or HKLM.
- You can return ownership of a registry key back to SYSTEM or others after taking it.
- Don't screw with the registry. Leave it how you found it once you've made your changes.
- Process Monitor has powerful right-click filtering to cut noise.
- Process Monitor's find feature searches for a string in all fields.
- pscp.exe (Putty) is a command-line SSH file transfer tool.
- Linux is still a big pain.
I take no responsibility for any damages or problems cause by this mitigation or user confusion resulting from notepad and a bunch of errors. This is a dirty fix and I do not know if this will cause wider issues in a production environment. As always, evaluate mitigations with your specific environment and needs in mind.
I will add screenshots later to show before and after effects of this mitigation. Also this can be done as a script, but I am having difficulties with changing permissions to the registry key and so I'll handle that later.