RTF Abuse - SecTor ATI_RTF (slide transcript)
Slide 1
RTF Abuse: Exploitation, Evasion and Counter Measures
Devon Greene
Slide 2: \*\author
Member of Ixia’s Application and Threat Intelligence (ATI) Team
Focus on Malware Analysis, Exploit Development and Product Development.
<3 CTFTime.org & Vulnhub Challenges
Opinions are my own, not Ixia’s
@DasMe_Devon
Slide 3: Inspiration Slide
How I Met RTF
Working on a strike.
Created 6 new evasion profiles … in Ruby (Not better than Python)
Slide 4: \*\blueTeamPoints - Blue Team Key Points
Identify malicious RTF documents
Enhance detection capabilities
System hardening techniques
Slide 5: \*\redTeamPoints - Red Team Key Points
Obfuscation Techniques
Vulnerability Discovery Approaches
Exploitation Techniques
Slide 6
To Understand RTF… You Must RTFM!
Slide 7: \*\Features
Interesting Features:
  Ability to Query DBs / Flat Files
  Hyperlinks
  Object Linking and Embedding
  Document Variables
  Functions and Parameters (limited)
Features You Expect:
  Embedded Fonts
  Pictures
  Hex / Unicode Support
  Much moar!
Slide 8: \*\markupComparison
Hyper Text Markup Language (HTML)
Rich Text Format (RTF)
Slide 9: \*\featureDemo1 - Let’s Play
Build an RTF doc from scratch
Use an RTF doc to perform a DB query
Quick look at built-in functions
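An added example for the first demo item, building an RTF document from scratch. This is my code, not the demo code from the talk: it shows the group and control-word syntax, the three characters that must be escaped, and the `\uc1` / `\uN?` convention for anything outside 7-bit ASCII, which is the same escape machinery the later obfuscation slides lean on. The font name, the `\ansicpg1252` code page and the `\fs24` size are arbitrary choices of mine.

```python
# Build a minimal RTF document from plain text. Added example, not code from the talk.


def _u_escape(unit: int) -> str:
    """\\uN with N as a signed 16-bit decimal (>= 0x8000 wraps negative), plus the '?' fallback."""
    if unit >= 0x8000:
        unit -= 0x10000
    return f"\\u{unit}?"


def rtf_escape(text: str) -> str:
    """Encode Python text as RTF body text.

    RTF is a 7-bit format: '\\', '{' and '}' are syntax and must be escaped,
    a newline becomes \\par, a tab becomes \\tab, and anything outside printable
    ASCII is written as \\uN? ('?' is the single fallback char announced by \\uc1).
    """
    out = []
    for ch in text:
        code = ord(ch)
        if ch in "\\{}":
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\par\n")      # the newline after \par is ignored by readers; it is for humans
        elif ch == "\r":
            continue                   # CR dropped; the LF that follows produces the \par
        elif ch == "\t":
            out.append("\\tab ")
        elif 0x20 <= code < 0x7F:
            out.append(ch)
        elif code < 0x10000:
            out.append(_u_escape(code))
        else:
            # Outside the BMP: RTF carries a UTF-16 surrogate pair as two \u escapes.
            code -= 0x10000
            out.append(_u_escape(0xD800 + (code >> 10)))
            out.append(_u_escape(0xDC00 + (code & 0x3FF)))
    return "".join(out)


def build_rtf(text: str, font: str = "Calibri") -> bytes:
    """Wrap escaped text in a conventional minimal header:
    {\\rtf1 magic, ANSI charset and code page, default font, \\uc1, a one-entry font table."""
    header = (
        "{\\rtf1\\ansi\\ansicpg1252\\deff0\\uc1"
        "{\\fonttbl{\\f0\\fnil " + font + ";}}"
        "\\f0\\fs24 "
    )
    return (header + rtf_escape(text) + "}").encode("ascii")


if __name__ == "__main__":
    print(build_rtf("Hello {RTF}\n\tNon-ASCII: é € 😀").decode("ascii"))
```

The output is pure ASCII by construction, which is why readers can treat `\'xx` and `\uN` as the only paths to non-ASCII bytes and why detection tooling has to decode both.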
Slide 10: Exploitation
Slide 11: \*\Exploitation - Attack Paths: Death From Above!
N-Day Vulnerabilities (Automagic)
Embedded Font Vulnerabilities
Insecure Library Loading Vulns
Packager Objects (CVE-Free)
Slide 12: \*\cveFish
CVE-2016-7193
Slide 13: \*\fontemb
Historically Powerful
DuQu Malware leveraged 0-Day TTF Exploit (CVE-2011-3402)
Font engine lives in the Windows Kernel
Downside: bloats the file quite a bit.
Slide 14: \*\insecureLibraryLoading
How It Works…
Slide 15: \*\insecureLibraryLoading
Slide 16: \*\noMacros
Slide 17: \*\noMacros - Interesting Packager Quirks
Forging Images:
  Embed file in Word document
  Save as RTF
  Copy/Paste \pict object
Place any file you want in a user’s %temp% directory. Seriously… any file.
Email Providers Don’t Care
Slide 18: \*\exploitDemo1 - Embedded Objects
Few Fun Techniques:
  Take advantage of %temp%
  Take advantage of local env
  Compatible with other doc types
Slide 19: \*\exploitDemo2 - Embedded Font File
Noted earlier, bypasses Packager Checks.
Warning: VM gonna go BOOM!
Note: this is a packaged font file, not an \embfont tag.
Slide 20: Vulnerability Discovery
Slide 21: \*\fuzzing
Mutation Based
Generation Based: Researcher defines how the input should be formed.
Slide 22: \*\fuzzingTips
Search for “MUST”
Slide 23: \*\fuzzingDemo
Built a thorough data model of the RTF specification.
Distributed fuzzing amongst 6 machines
1 cycle was approximately 2,189,235 fuzzing iterations
500+ crashes // 6 unique
Slide 24: \*\foodForThought - Other Targets
Open Office
Corel Word Perfect
Text Wrangler
Cloud-based document services
MS Office on other Platforms
Slide 25: Obfuscation Techniques
Slide 26: \*\evasions
Jan.01 – Jun.30 Generation Based
725 .doc exts
100 .rtf exts
< 10 .docx exts
300 other exts

Extension   MS Word 2010   MS Word 2016
DOC         Y              Y
DOCHTML     Y              N
DOT         Y              Y
DOTHTML     Y              N
WBK         Y              Y
WIZ         Y              Y
Slide 27: \*\evasions
Magic File Tampering:
  MS Word respects {\rt as a minimum magic file header.
  MS Wordpad requires {\rtf#
Mixed Case:
  Utilized anywhere #PCDATA is defined.
  Useful in bypassing static signatures
Slide 28: \*\evasions - Encoding Contrast
URL Encoding:
  A = %41
Double URL Encoding:
  A = %2541
Unicode Escaping:
  A = 0x41
  A = \u0041
Hex Escaping:
  A = 0x41
  A = \’41
Slide 29: \*\evasions
Slide 30: \*\evasions
Bin Substitution:
  Syntax: \bin# <ASCII>
  Works in MS Office Only
  Does not work in MS Wordpad
Whitespace:
  Simple and Effective
  Chunk up your payloads and other shady stuff
  \r \n \t \s
Slide 31: \*\evasions \*\random - Fictitious Control Words
Syntax: {\*\HELLO WORLD}
Detection Slayer
Double Edged Sword: Some AV heuristic checks will catch this.
Slide 32: \*\evasions
Slide 33: \*\evasionDemo1 - Bypassing RTFScan.exe
By applying evasion techniques, can we throw off RTFScan.exe’s analysis capabilities?
Slide 34: \*\evasionDemo2 - Bypassing AVs?
By applying evasion techniques, can we make a bad guy’s malicious document harder to detect?
Slide 35: Counter Measures
Slide 36: \*\ruleWritingTips7 - Focus On
File Extensions (e.g. .doc)
Malformed file headers (e.g. {\rtvpn)
Embedded objects (e.g. \objdata)
Unknown RTF tags (e.g. \*\HaiMom)
Special Cases:
  Non-required params (e.g. \objclass)
  Encoding Techniques (e.g. \u0041)
  Mixed Cases (e.g. \objclass name)
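An added example that puts this rule-writing advice together with the evasion slides (magic header tampering, mixed case, hex and Unicode escaping, bin substitution, whitespace chunking, fictitious control words). It is my code, not the talk’s tooling or any of the scanners it names: a small tokenizer normalises an RTF byte stream, so a rule sees `Package` even when the `\objclass` text was spelled with `\'xx` and `\uN` escapes, sees the hex inside `\objdata` without its CR/LF/tab chunking, sees the raw bytes hidden behind `\binN`, and can report mixed-case and unknown `\*\` control words. One spec detail the code relies on: the parameter of `\uN` is a signed decimal, so `\u65?` decodes to A. The sample document, the `KNOWN_STARRED` allowlist (a starter set to extend from the specification) and the latin-1 mapping of `\'xx` bytes (a real reader applies the `\ansicpgN` code page) are my assumptions.

```python
# Normalise an RTF byte stream and report rule-writing indicators. Added example, not the talk's tooling.
import re
from typing import Dict, List, Tuple

# Constructed sample that stacks evasions named in the deck: {\rt header, mixed-case control
# words, \'xx and \uN escapes inside \objclass, CR/LF/tab chunking inside \objdata,
# \bin raw data, and a fictitious \*\HaiMom destination.
SAMPLE = (
    b"{\\rt\\AnSi\\deff0{\\*\\generator MsftEdit 5.41.21.2510;}"
    b"{\\*\\HaiMom nothing to see here}"
    b"{\\ObJeCt\\objemb{\\*\\objclass Pack\\'61g\\u101?}"
    b"{\\*\\OBJDATA 0105\r\n0000\r\n0200\t0000}}"
    b"\\bin5 HELLO}"
)

TOKEN = re.compile(
    r"\\'(?P<hex>[0-9A-Fa-f]{2})"                  # \'41 hex escape
    r"|\\(?P<word>[A-Za-z]+)(?P<param>-?\d+)? ?"   # control word, optional parameter, optional space delimiter
    r"|\\(?P<sym>[^A-Za-z])"                       # control symbol: \* \{ \} \\ ...
    r"|(?P<open>\{)|(?P<close>\})"
    r"|(?P<text>[^\\{}]+)"
)
INSPECT = {"generator", "objclass", "objdata"}      # destinations whose text the report quotes
KNOWN_STARRED = {"generator", "objclass", "objdata", "fldinst", "panose", "rsidtbl", "listtable",
                 "listoverridetable", "datastore", "themedata", "colorschememapping", "latentstyles"}
Token = Tuple[str, str, object]                      # (kind, value, numeric parameter or None)


def tokenize(raw: bytes) -> List[Token]:
    """Lex RTF into tokens, resolving the escapes a plain signature would have to guess at."""
    s = raw.decode("latin-1")   # assumption: \'xx bytes map through latin-1 (a reader uses \ansicpgN)
    toks: List[Token] = []
    pos, uc, skip = 0, 1, 0     # \ucN = fallback chars after each \uN (default 1); skip = fallbacks to drop
    while pos < len(s):
        m = TOKEN.match(s, pos)
        if m is None:
            raise ValueError(f"unparseable input at offset {pos}")
        pos = m.end()
        if m.group("hex") is not None:
            if skip:
                skip -= 1
                continue
            toks.append(("text", chr(int(m.group("hex"), 16)), None))
        elif m.group("word") is not None:
            word, name = m.group("word"), m.group("word").lower()
            param = int(m.group("param")) if m.group("param") is not None else None
            if name == "uc" and param is not None:
                uc = param
            if name == "u" and param is not None:
                toks.append(("text", chr(param & 0xFFFF), None))   # \uN: signed 16-bit decimal code unit
                skip = uc
                continue
            toks.append(("ctrl", word, param))                      # raw spelling kept to report mixed case
            if name == "bin" and param:
                toks.append(("text", s[pos:pos + param], None))     # \binN: N raw bytes a hex regex never sees
                pos += param
        elif m.group("sym") is not None:
            sym = m.group("sym")
            toks.append(("text", sym, None) if sym in "\\{}" else ("sym", sym, None))
        elif m.group("open") is not None:
            toks.append(("open", "{", None))
        elif m.group("close") is not None:
            toks.append(("close", "}", None))
        else:
            text = m.group("text").replace("\r", "").replace("\n", "")   # CR and LF are ignored by readers
            drop = min(skip, len(text))
            text, skip = text[drop:], skip - drop
            if text:
                toks.append(("text", text, None))
    return toks


def destinations(toks: List[Token]) -> Dict[str, str]:
    """Collect the normalised text inside each inspected destination group."""
    found: Dict[str, List[str]] = {}
    stack: List[str] = []       # one entry per open group: its destination name, or "" until known
    for kind, value, _ in toks:
        if kind == "open":
            stack.append("")
        elif kind == "close" and stack:
            stack.pop()
        elif kind == "ctrl" and stack and stack[-1] == "":
            stack[-1] = value.lower()   # first control word of a group names it (a leading \* is a symbol)
        elif kind == "text":
            owner = next((d for d in reversed(stack) if d), "")
            if owner in INSPECT:
                found.setdefault(owner, []).append(value)
    return {name: "".join(parts) for name, parts in found.items()}


def analyse(raw: bytes) -> Dict[str, object]:
    """Indicators from the slide: header, mixed case, unknown \\*\\ tags, objects, generator, \\bin."""
    toks = tokenize(raw)
    dest = destinations(toks)
    words = [value for kind, value, _ in toks if kind == "ctrl"]
    starred = {toks[i + 1][1].lower() for i in range(len(toks) - 1)
               if toks[i][0] == "sym" and toks[i][1] == "*" and toks[i + 1][0] == "ctrl"}
    objdata_hex = re.sub(r"\s+", "", dest.get("objdata", ""))
    objclass = dest.get("objclass", "").strip()
    return {
        "well_formed_header": raw.startswith(b"{\\rtf1"),
        "mixed_case_words": sorted({w for w in words if w != w.lower()}),
        "fictitious_destinations": sorted(starred - KNOWN_STARRED),
        "generator": dest.get("generator", "").strip().rstrip(";"),
        "objclass": objclass,
        "packager_object": objclass.lower() == "package",
        "objdata_bytes": len(objdata_hex) // 2,
        "uses_bin": any(w.lower() == "bin" for w in words),
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE).items():
        print(f"{key:24} {val}")
```

Running it on the sample flags every trick at once: the header is not `{\rtf1`, four control words are mixed case, `HaiMom` is not a known `\*\` destination, the object class normalises to `Package`, the `\objdata` hex reassembles to 8 bytes despite the line breaks, and `\bin` is in use. A clean `{\rtf1\ansi ...}` document reports none of these, which is the property a rule built on this normalisation needs.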
Slide 37: \*\ruleWritingTips1 - Focus On
This… obvious... Tag…
Generator tag: \*\generator MsftEdit
Obvious is Obvious
Slide 38: \*\systemHardening3 - 3 Tips (DIY)
Set Office Killbit on the packager clsid
Update Executable Extensions
Change .rtf association back to Wordpad
Slide 39: \*\analysisTools4 - RTF Analysis Tools
Didier Stevens’ rtfdump
Decalage’s rtfobj
PhishMe psparser.py
RTFScan.exe
Fool Proof?
Slide 40: \*\conclusionBlue - Recap
Update your magic file header for RTF
Scrutinize \*\generator tags
Focus on required parameters first
Look out for .WIZ and .WBK!
Disable Packager Objects
Punch On!
Slide 41: \*\conclusionRed - Recap
Take advantage of obfuscation techniques!
Trade warning signs by using packager objects.
Save as other doc-types when necessary!
Fuzz the hell out of RTF!
Ninja Alert
Slide 42: Questions?