MS09-002, XML/DOC and initial infection vector
Last Updated: 2009-02-19 21:02:13 UTC
by Bojan Zdrnja (Version: 1)
The MS09-002 exploit that we posted a diary about two days ago (http://isc.sans.org/diary.html?storyid=5884) was initially introduced to the target as a Word document. This confused a lot of people as the vulnerability is really in Internet Explorer (it has nothing to do with Microsoft Word), but the attackers used an interesting trick which probably helped a lot as the infection vector.
The attackers created a Word document which was an XML file. Microsoft Office supports XML documents for quite some time already and you can normally save any document as XML. These are fully featured Word documents which means that they can have references to various objects. And this is exactly what the attacker used – what makes it easier is the fact that you can change the extension to .DOC and Word will happily render it. The screenshot below shows a part of the exploit used with MS09-002 (I have deliberately removed part of the URL):
The XML document creates a reference to an object with class ID of AE24FDAE-03C6-11D1-8B76-0080C744F389. This object is a reference to mshtml.dll which features Internet Explorer’s HTML rendering engine. In other words, it will make Word connect to the target web page and render it inside the document, without requiring absolutely any user interaction! As you can guess, since it uses Internet Explorer’s engine, the exploit will get executed unless the machine has been patched against the MS09-002 vulnerability. The w:data tag in this sample just contains the BASE64 encoded URL to the exploit.
While researching this I found two more interesting things:
First, this way of rendering HTML web pages work in fully patched Microsoft Word 2007. This is pretty nasty considering that people can make your web browser render any content on any web page just by opening a Word document. This technique, though, appears to be well known since May 2008 though.
Second, the XML document contains the timestamp of when it was created. While this field can be obviously very easily spoofed, the date it contains is 6th of February 2009, which is before Microsoft released the patch. This could mean that the exploit was known to the attacker before and that there was no reverse engineering of the patch involved as I initially thought.
So, to wrap this up – make sure that your client machines are fully patched but also pay attention to e-mails you receive. Remember that this was sent as a .DOC file, but contained plain text (XML) tags. It makes one wonder how many AV programs fail to properly render this (there are signatures for this specific file).
Thanks to Ivan Macalintal from Trend Micro.