Part of this month’s Patch Tuesday is an update for a zero-day information disclosure vulnerability (CVE-2017-0022), which we privately reported to Microsoft in September 2016. This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. CVE-2017-0022 likely replaced the similar CVE-2016-3298 and CVE-2016-3351 vulnerabilities from the same campaign, which were addressed by previous patches.
An attacker exploiting CVE-2017-0022 could use phishing attacks to lure potential targets to malicious websites. Successful exploitation of this vulnerability could allow a cybercriminal access to information on the files found in the user’s system. In particular, the attacker would be able to detect if the system is using specific security solutions—especially ones that analyze malware.
Analysis of CVE-2017-0022
The sample we analyzed was found in the wild, first with the AdGholas campaign in July 2016, and again with the Neutrino exploit kit in September 2016.
A typical malvertising campaign exploiting the CVE-2017-0022 vulnerability follows this flow:
Here is a breakdown of how CVE-2017-0022 detects the existence of certain files in a user’s system:
Microsoft.XMLDOM has a function defined as follows:
LoadXML( string )
The string can be in the following format:
<!DOCTYPE rootElement SYSTEM “URIreference”>
The URIreference can be a string which represents res protocol resources. The format is as follows:
The zero day vulnerability exists in the following version resource:
|Hardware-dependent icon resource.|
|Side-by-side assembly manifest.|
The mshtml module will instruct the above function to process the res protocol.
If the sFile does not exist, the LoadLibraryExW will fail and return errorCode 0x80070485. However, if the file is found to exist, the function will get the resource located in the sFile. This resource is not a valid DTD file, thus when the XMLParser::Run processes the resource as a DTD file, it will return the errorCode 0x80004005.
Using the different return values, the vulnerability can check if a specific sFile exists or not.
If CVE-2017-0022 is integrated into an exploit kit such as Neutrino, it analyzes the system for signs of security software and checks if the browser is using any sandbox solutions. In addition, it inspects the system for the presence of any packet capture software. A sample code can be found below:
Microsoft’s Patch Tuesday for March addressed this vulnerability via the MS17-022 security bulletin, which changed how MSXML handles objects in memory. Cybercriminals can often resort to exploiting non-critical vulnerabilities given that these kinds of bugs tend to be put on the backburner when it comes to updates unless given specific attention.
A sample code before patching can be seen below:
In contrast, here is the code after patching:
Before patching, if file exists, IsCrossDomainDownload is set as true, otherwise do not set IsCrossDomainDownload. After the vulnerability is patched, IsCrossDomainDownload will be true whether or not the file exists.
In xmlparser::run function, has the following code:
If IsCrossDomainDownlaod is true, it will set the errorCode to 0x80004005. After it is patched, the return errorCode will be 0x80004005 whether or not the file exists.
Trend Micro Solutions
In addition to Microsoft’s security update, users can take steps to ensure that their system’s exposure to threats are minimized. Keeping up-to-date with the latest patches plays a critical role in mitigating the risks for end-users and especially businesses.
- 1008173-Microsoft XML Core Service Information Disclosure Vulnerability (CVE-2017-0022)
TippingPoint customers are protected from attacks exploiting these vulnerabilities with these MainlineDV filters:
- 27047: HTTP: Microsoft Internet Explorer parseError Information Disclosure Vulnerability
- 27061: HTTP: Microsoft Internet Explorer ActiveX parseError.errorCode Invocation
Deep Discovery Inspector protects customers from this threat via this DDI Rule:
- Rule 2358 – CVE-2017-0022 – Microsoft XML Information Disclosure – HTTP (Response)
With additional insights from Joseph C. Chen
Trend Micro would also like to thank @kafeine for his contribution to this article.