
BadWinmail and Email Security on Outlook

Haifei Li (haifei.li@intel.com)
Chong Xu (chong.c.xu@intel.com)

About Us - Haifei

Security Researcher @ Intel Security (formerly McAfee)
Previously: Microsoft, Fortinet
Work on 2 questions (for good purposes):
1) how to find vulnerabilities?
2) how to exploit them?
At McAfee my interests have been extended to the 3rd:
3) how to detect the effect by answering the 1st & 2nd?
Work on research-backed projects aimed at detecting the most stealthy (zero-day) exploits
Presented a few times (BlackHat Europe 2010, REcon 2012, Syscan360 2012, CanSecWest 2011/2014/2015, Black Hat USA 2015)

About Us - Chong
Ph.D from Duke University
Senior Director @ Intel Security
Focus
Advanced (0-day) exploit and malware defense
APT detection
Threat intelligence
Innovation
Next generation network/host solutions

Agenda

A Look Back at Outlook Security

The Journey of the BadWinmail Discovery

How Bad Is It?

The Fix

Outlook vs. Email Attachments

Conclusion

Outlook 101

Outlook is a key application in the enterprise environment
Not just exchanging emails
Meetings / personal information
Sharing files (shared folder), integrated w/ Lync (now called Skype for Business)
Probably more commonly used than browsers
It's the most direct way that an attacker can reach into your enterprise, by sending emails
Behind the firewalls
Highly targeted victim
Outlook security deserves attention

Outlook Bugs in Recent Years

CVE-2014-2730, April 2014
DoS only in parsing XML; not really exploitable
No MS patch info found

CVE-2013-3905, Sep 2013
Double-free in handling nested S/MIME certificates; potentially allows RCE, but most unlikely to exploit, as explained in http://blogs.technet.com/b/srd/archive/2013/09/10/ms13-068-a-difficult-to-exploit-double-free-in-outlook.aspx
Fixed in MS13-068

CVE-2013-0095, Nov 2013
Info-disclosure in handling X.509 certificates, e.g. allows a port-scan of the internal network
Fixed in MS13-094

CVE-2013-3870, March 2013
Outlook for Mac only; a crafted HTML email will use the WebKit engine to render remote web content automatically; allows an info-leak (whether the victim read the email or not)
Fixed in MS13-026

Outlook Bugs in Recent Years

CVE-2010-2728, Sep 2010
Heap-based overflow in parsing the TNEF format; seems not easy to exploit
Fixed in MS10-064

CVE-2010-0266, July 2010
Logical fault in verifying file types when the user opens email attachments; requires little user interaction and is easy to exploit (still very dangerous)
Fixed in MS10-045

CVE-2010-0816, May 2010
Integer overflow in handling a POP3 response; only in the Outlook Express edition
Fixed in MS10-030

It's just an email client that has seen few vulnerabilities in recent years, how insecure can it be? But...

The Journey of the BadWinmail Discovery

Let's Talk About OLE First

Embedding a document in another document
Just by double-clicking on the checklist document, readers open another document

What's OLE?

OLE provides the majority of interoperability functions in Office
It's just a subset of COM (OLE within COM)
2 types of OLE objects:
In-process OLE (in-process COM), loaded via ole32!OleLoad()
Separate-process OLE (separate-process COM), loaded via ole32!OleRun()

What's OLE?

We have explained the OLE (for in-process OLE) internals as well as the attack surface at Black Hat USA 2015:
https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf, which has been referenced by many researchers as it has helped their research against Office-based threats
Our BlackHat talk is about OLE on Word/PowerPoint/Excel/WordPad only, i.e., it's for Word/PowerPoint/Excel documents and RTF file formats
But OLE has wider existence!

OLE in Outlook

We may receive an email similar to this
This is an Excel Spreadsheet embedded in the email body, not as an attachment as we usually see

OLE in MSG

This email can be saved as .msg, which has the binary as shown
If you have dealt with OLE in other Office formats before, you see an OLE object structure here!

OLE in MSG

Microsoft's [MS-OXMSG].pdf tells us the secret
There's even an example in the specification

OLE in MSG

It seems like an OLE object stored in the MSG file format
Using the knowledge from our BH presentation, we:
Changed the CLSID of the _substg1.0_3701000D Storage to the Flash OLE CLSID D27CDB6E-AE6D-11cf-96B8-444553540000
Manually injected a Contents stream containing the Flash exploit into the .msg file

OLE in MSG

When the .msg was opened in Outlook, the exploit was triggered, i.e., the Contents stream is loaded by the Flash OLE's IPersistStorage::Load() function, which triggers the exploit.

Attack Scenario of OLE in MSG

At this point, it's pretty sure that this is a really dangerous (and previously-unknown) attack vector, or a novel exploit delivery method.
Attackers may attach the .msg file in an email and send it to the victim; as long as the victim previews the .msg attachment, the embedded Flash exploit will run!
.msg attachments are considered a safe file type by Outlook; Outlook even uses itself to preview .msg attachments

More OLE Objects Under Attack

We know the Flash OLE object could be loaded
It's reasonable to guess more OLE objects could be loaded in Outlook
Indeed, such as:
Adobe Flash (pwning via Flash 0day)
Adobe Reader (pwning via PDF 0day?)
etc.

OLE in TNEF

Wait! Is that all?
About the time I was going to send the report to Microsoft, I happened to read this clue webpage:
https://support.microsoft.com/en-us/kb/241538
Turns out TNEF (the winmail.dat) supports OLE too!
After some investigation, I found...

Winmail.dat

Remember when someone sent you a strange attachment named winmail.dat and you had no idea how to open it?

OLE in TNEF

TNEF is another Microsoft-invented email file format, described in [MS-OXTNEF].pdf
It's a binary file format (like MSG), but it will be parsed directly as long as the user reads the email! (MSG could only be sent as an email attachment)
Following is a sample .eml (which could be sent via email protocols) that contains OLE.

OLE in TNEF

Here is what a TNEF file looks like (after decoding from the .eml file)
0x223E9F78 is the Magic Number

OLE in TNEF

Looking at the whole data of the file, we find some interesting bytes in that TNEF winmail.dat
D0 CF 11 E0 A1 B1 1A E1 => the Magic Number for an OLE Structured Storage (OLESS)
With the help of identifying the length fields marked in red, we were able to dump the OLESS stream

OLE in TNEF

The dumped OLESS could be opened/edited by many structured storage tools
Here I used the open-sourced OpenMcdf
Isn't it the same as in MSG?

OLE in TNEF

We can play the old trick as how we hacked the MSG:
Modify the CLSID to the Flash OLE's CLSID
Add a Contents stream, put our exploit there
After that:
Re-pack the modified OLESS into winmail.dat
Remember to update the length fields
Encode (base64) that winmail.dat into an email file
Send that email via email protocols
It Worked!

And when Outlook receives that TNEF email...

OLE in TNEF

As mentioned, the TNEF specification is actually well described in [MS-OXTNEF].pdf
Our exercise was to modify an existing TNEF email sample; but one can build the TNEF file on their own
In order to let TNEF render the attachment (it's another concept than the email attachment) as an OLE object, the AttachTypeFile should be set to 0x02 (AttachTypeOLE)
This could be used to detect TNEF emails that contain OLE objects
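The detection idea on this slide, written out as an added example (this is not code from the talk or the paper; it is a stand-alone checker written for this page). It walks the TNEF attribute stream using the layout from [MS-OXTNEF] (signature 0x223E9F78, then 1-byte level / 4-byte id / 4-byte length / data / 2-byte checksum per attribute), verifies the length fields and checksums that the slides say must be patched when an OLESS blob is re-packed, and flags an attachment on either signal: the AttachTypeFile field of attAttachRendData equal to 0x0002 (AttachTypeOLE), or the OLESS magic D0 CF 11 E0 A1 B1 1A E1 at the start of attAttachData. The `scan_eml` helper covers the earlier slide's point that the winmail.dat arrives base64-encoded inside an .eml: it decodes every `application/ms-tnef` part and runs the same check. The attribute id constants (attTnefVersion 0x00089006, attAttachRendData 0x00069002, attAttachData 0x0006800F) are the ones from the TNEF specification; the sample TNEF and .eml are constructed in the block and are not real messages.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

# Constants from [MS-OXTNEF]. A TNEF attribute id packs the data type in the
# high 16 bits and the attribute number in the low 16 bits.
TNEF_SIGNATURE = 0x223E9F78          # the magic number shown in the slides
LVL_MESSAGE, LVL_ATTACHMENT = 0x01, 0x02
ATT_TNEF_VERSION = 0x00089006        # atpDword, attTnefVersion
ATT_ATTACH_REND_DATA = 0x00069002    # atpByte, attAttachRendData (opens each attachment)
ATT_ATTACH_DATA = 0x0006800F         # atpByte, attAttachData (the attachment bytes)
ATTACH_TYPE_OLE = 0x0002             # AttachTypeOLE in RendData's AttachTypeFile field
OLESS_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE Structured Storage header


def tnef_attributes(blob):
    """Yield (level, attr_id, data) for every attribute in a TNEF stream.

    Each attribute is: 1-byte level, 4-byte id, 4-byte length, data,
    2-byte checksum (16-bit sum of the data bytes). A length that runs past
    the stream or a checksum that does not match is reported, not skipped.
    """
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream: bad signature")
    pos = 6                       # 4-byte signature + 2-byte attachment key
    while pos < len(blob):
        if pos + 9 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % pos)
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        if pos + length + 2 > len(blob):
            raise ValueError("attribute 0x%08X runs past the end of the stream" % attr_id)
        data = blob[pos:pos + length]
        pos += length
        (checksum,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if checksum != sum(data) & 0xFFFF:
            raise ValueError("checksum mismatch on attribute 0x%08X" % attr_id)
        yield level, attr_id, data


def find_ole_attachments(blob):
    """Return [(attachment_index, reason), ...] for attachments carried as OLE.

    Both signals are checked independently, because a crafted file may set
    the OLE attachment type without an OLESS payload or the other way round.
    """
    findings, index = [], -1
    for level, attr_id, data in tnef_attributes(blob):
        if level != LVL_ATTACHMENT:
            continue
        if attr_id == ATT_ATTACH_REND_DATA and len(data) >= 2:
            index += 1            # attAttachRendData is the first attribute of each attachment
            if struct.unpack_from("<H", data, 0)[0] == ATTACH_TYPE_OLE:
                findings.append((index, "AttachTypeFile == AttachTypeOLE"))
        elif attr_id == ATT_ATTACH_DATA and data.startswith(OLESS_MAGIC):
            findings.append((index, "OLESS magic at start of attAttachData"))
    return findings


def scan_eml(raw):
    """Decode each winmail.dat (application/ms-tnef) part of a message and check it."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/ms-tnef" or name == "winmail.dat":
            findings.extend(find_ole_attachments(part.get_payload(decode=True)))
    return findings


# --- constructed sample data (not taken from any real message) -------------

def _attr(level, attr_id, data):
    return (struct.pack("<BII", level, attr_id, len(data)) + data
            + struct.pack("<H", sum(data) & 0xFFFF))


def build_sample_tnef(attach_type, payload):
    """Minimal winmail.dat: a version attribute plus one attachment."""
    # RendData: AttachTypeFile, Position, Width, Height, Flags (14 bytes)
    rend = struct.pack("<HIHHI", attach_type, 0, 0, 0, 0)
    return (struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
            + _attr(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, rend)
            + _attr(LVL_ATTACHMENT, ATT_ATTACH_DATA, payload))


def build_sample_eml(tnef_blob):
    """Wrap the TNEF blob as a base64 winmail.dat part, the way Outlook sends it."""
    msg = EmailMessage()
    msg["From"] = "a@example.com"
    msg["To"] = "b@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed test message")
    msg.add_attachment(tnef_blob, maintype="application", subtype="ms-tnef",
                       filename="winmail.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    ole = build_sample_tnef(ATTACH_TYPE_OLE, OLESS_MAGIC + b"\x00" * 24)
    print(scan_eml(build_sample_eml(ole)))      # two findings for attachment 0
    print(find_ole_attachments(build_sample_tnef(0x0001, b"plain file data")))  # []
```

On a mail gateway the same `scan_eml` can be run over each inbound message; a finding is a reason to quarantine or strip the winmail.dat part, and a ValueError (bad length or checksum) is itself suspicious, since Outlook-generated TNEF is internally consistent.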

How Bad Is It?

It's Really Bad

Users get pwned as long as they just read the email
No matter whether you preview the email or open a new window to read the email in Outlook
Flash is installed on most Windows
It's installed by default on every Windows 8, 8.1, 10!
On Windows 7, the victim just needs to have installed the Flash ActiveX version (for IE)
Note: Flash is not the only object Outlook can load, as we have discussed before
Having a reliable Flash zero-day exploit is fairly easy for someone who wants to launch a targeted attack
Up to 50,000 USD (according to Zerodium)
Read various other industry posts/papers/presentations talking about how many Flash zero-days they analyzed and how many Flash CVEs they've found

It's Really Bad

There's no sandbox on Outlook!
Yes, you read it right, for such an important app!
Getting code execution in Outlook = taking control of the computer
Due to the nature of email-based attacks, it's an ideal way to launch highly-targeted attacks
What is a real APT? This is
It's wormable!
Having hacked one computer via email, the worm may gather all the contacts and then send the same exploit through email to all the contacts to spread itself
It doesn't usually happen in the Windows ecosystem nowadays

The Fix

The Disclosure Thing

Disclosure Timeline
The issue was reported to MSRC in late October 2015
Fix was released on December 8th, 2015 during Patch Tuesday (CVE-2015-6172, MS15-131)
MSRC and the Office team patched it within 1.5 months, the fastest patching speed I've ever seen.
80+ email exchanges were made for this case, including 1 online meeting
2 face-to-face status updates
Thanks to Jason Shirk (MSRC) for coming to Vancouver
Per request, paper and demo were released 1 week after the patch (on December 15th), allowing more people to install the patch
The paper was released at:
https://sites.google.com/site/zerodayresearch/BadWinmail.pdf

After the Fix

I wrote a script monitoring the email samples we have to see if there's an ITW BadWinmail attack
The usual threat intelligence thing
Glad no alert so far
There were reports of some samples detected by AV; they are FPs
I'd like to share my view on the patch

The Weird Fix

I spent time on this because I saw a weird thing
After the fix, my PoC still loads the Flash binary!
Isn't the best patch blocking Outlook from loading the Flash binary at all?
So I fired up my debugger, and confirmed that CoCreateInstance(CLSID_Flash, ...) is indeed called:
mso!Ordinal4312+0xa5b:
64c7a954 ff15cc1ac464 call dword ptr [mso!Ordinal10691+0x1acc (64c41acc)] ds:0023:64c41acc={ole32!CoCreateInstance (76039d0b)}
0:000> db poi(esp) L10
0012ac64 6e db 7c d2 6d ae cf 11-96 b8 44 45 53 54 00 00

The Weird Fix

So, what's going on?
But, our exploit is indeed not working!
So I debugged step by step from the CoCreateInstance, and found that:
After the CoCreateInstance (which loads the binary) and before the IPersistStorage::Load() (which loads our Flash exploit), a check was added (in wwlib.dll)
The new check blocks the OLE initialization process (IPersistStorage::Load()) to prevent the exploit from being loaded

The Weird Fix

The 0x00000040 bit is set here
Confirming this is easy - when we reset the bit to 0 in memory, our exploit works again

The Weird Fix

Some takeaways from our digging into the fix:
This fix is weird because, after the fix, the Flash binary is supposed to not be loaded in the Outlook process at all
However, this fix is effective anyway
There's 1 bit in memory controlling the feature
We believe this is app-dependent, which means as long as the container is Outlook, OLE objects shouldn't be initialized
We currently don't know if the bit comes from any Outlook customization settings (like from the Registry)

Outlook vs. Email Attachments

Outlook vs. Attachment-based Threats

Outlook is not just a normal app; in fact, it's a threat entrance for many organizations
Victims often get hacked starting from malicious attachments
Do you know the BlackEnergy trojan that caused the Ukraine electric power outage started from a macro-embedded .xls attachment?
Office documents are supposed to be opened in Protected View mode by default
It's a strong sandbox, according to this MWR research
So, in the BlackEnergy case, the victim did:
1) Click "Enable Editing" to disable the Protected View (PV)
2) Click "Enable Content" to enable the embedded Macro

The Problem

But we found that sometimes, in a domain-joined environment, Office attachments will be opened w/o the Protected View!
If the attachment is sent within the organization, no Protected View
Outlook + Exchange Server, domain-joined
Typical environment for many organizations using Microsoft solutions
e.g., adam@example.com sends a .docx to bill@example.com
For external senders, we've seen all 3 possibilities:
Attachments from all external senders will be opened in PV
If the external sender is a known address for the user, no PV; otherwise there is PV
Attachments from all external senders will be opened w/o PV
We'd like to thank Randy Zhong (@randy_zhong), Steeve Barbeau (@steevebarbeau), and Dennis Dwyer (@dunit50) for helping us on testing the behavior.

It's an Expected Behavior..

Microsoft knows this already
The registry key, MarkInternalAsUnsafe, when set, forces users to open any Office files in Protected View mode (https://support.microsoft.com/en-us/kb/2714439)
However, the flag is not set by default..
Remember, when we talk about security issues, we need to think from the average user's perspective
According to our tests, no organization sets this flag for their employees
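An added audit script for the setting discussed on this slide (written for this page, not part of the talk): it reads MarkInternalAsUnsafe for each Outlook version present in the current user's hive and reports whether internal-sender attachments are forced into Protected View. The registry path `HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Outlook\Security` is the per-user location given in KB 2714439 as I recall it, not a value taken from the slides, so confirm it against the KB before relying on the result; the version list 14.0/15.0/16.0 is an assumption covering Outlook 2010 through 2016. The `assess` function is separated from the registry read so the classification can be exercised on any platform.

```python
import sys

VALUE_NAME = "MarkInternalAsUnsafe"
# Registry version numbers for Outlook 2010, 2013 and 2016 (assumed list; extend as needed).
OFFICE_VERSIONS = ("14.0", "15.0", "16.0")
# Per-user key under HKEY_CURRENT_USER as described in KB 2714439 (path reproduced from
# memory of the KB, not from the slides; verify it against the KB for your Office build).
SECURITY_KEY = r"Software\Microsoft\Office\{ver}\Outlook\Security"


def assess(readings):
    """Classify each installed Outlook version.

    readings maps a version string to the DWORD value, or None when the value
    is absent. Absent is the default, i.e. the exposed state the slides describe.
    """
    report = {}
    for ver, value in readings.items():
        if value == 1:
            report[ver] = "enforced: internal-sender attachments open in Protected View"
        elif value is None:
            report[ver] = "NOT SET (default): internal-sender attachments bypass Protected View"
        else:
            report[ver] = "value %r is not 1: treat as not enforced" % (value,)
    return report


def read_registry():
    """Read the value for every Office version whose Outlook key exists (Windows only)."""
    import winreg
    readings = {}
    for ver in OFFICE_VERSIONS:
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, SECURITY_KEY.format(ver=ver))
        except FileNotFoundError:
            continue                      # this Office version is not installed for the user
        with key:
            try:
                readings[ver], _ = winreg.QueryValueEx(key, VALUE_NAME)
            except FileNotFoundError:
                readings[ver] = None      # key exists but the value was never created
    return readings


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows workstation whose Outlook profile you are auditing")
    for ver, verdict in sorted(assess(read_registry()).items()):
        print("Office %s: %s" % (ver, verdict))
```

Run it under the user's own account, since the key lives in HKEY_CURRENT_USER; a fleet-wide check would push the same logic through the endpoint management tool and alert on any "NOT SET" result.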

The Risks

In simple words, Outlook doesn't protect against inside threats by default
For example, if one employee (could be anyone) gets hacked, the attacker could use his/her email account to send a malicious Office exploit to the CEO, which allows the threat actor to hack the CEO's computer much more easily
Did you know the Hacking Team used Flash exploits embedded in Office documents? That would work in this case
Regarding external emails, we'd like to call on IT administrators to perform their own tests
As we have seen, different organizations act differently
Probably depending on the Exchange Server versions or some configurations on the Exchange Server


Conclusion

BadWinmail was an ideal attacking technique for targeted/APT attacks, and it's wormable
No Protected View for internal emails poses a real-world security concern
Outlook is not as secure as you think (even after BadWinmail)
Exploitation - Outlook does not have a sandbox!
The attack surface is actually pretty wide
Outlook supports many formats, most are binary formats, namely MSG/TNEF/RPMSG (fuzzing is needed!)
A lot of features most people don't know yet; features bring bugs
We didn't know Outlook supported OLE before
Outlook is highly integrated with the Office system, i.e., they share a lot of libraries, which means vulnerabilities in other Office apps may affect Outlook too

Major References

[1] Haifei Li and Bing Sun, Attacking Interoperability: An OLE Edition [Online]
https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf
[2] Microsoft, [MS-OXMSG]: Outlook Item (.msg) File Format [Online]
https://msdn.microsoft.com/en-us/library/cc463912(v=exchg.80).aspx
[3] Microsoft, Description of Transport Neutral Encapsulation Format (TNEF) in Outlook 2000 [Online]
https://support.microsoft.com/en-us/kb/241538
[4] Microsoft, [MS-OXTNEF]: Transport Neutral Encapsulation Format (TNEF) Data Algorithm [Online]
https://msdn.microsoft.com/en-us/library/cc425498(v=exchg.80).aspx
[5] Haifei Li, BadWinmail: The "Enterprise Killer" Attack Vector in Microsoft Outlook [Online]
https://sites.google.com/site/zerodayresearch/BadWinmail.pdf
[6] Robert Lipovsky and Anton Cherepanov, BlackEnergy trojan strikes again: Attacks Ukrainian electric power industry [Online]
http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electric-power-industry
[7] Microsoft, Office document attachments open in Protected View in Outlook [Online]
https://support.microsoft.com/en-us/kb/2714439

Thank You!

haifei.li@intel.com
chong.c.xu@intel.com
