Haifei Li (haifei.li@intel.com)
Chong Xu (chong.c.xu@intel.com)
About Us - Haifei
Security Researcher @ Intel Security (formerly McAfee)
Previously: Microsoft, Fortinet
Work on 2 questions (for good purposes):
1) how to find vulnerabilities?
2) how to exploit them?
At McAfee my interests have been extended to the 3rd:
About Us - Chong
Ph.D from Duke University
Senior Director @ Intel Security
Focus
Advanced (0-day) exploit and malware defense
APT detection
Threat intelligence
Innovation
Next generation network/host solutions
Agenda
The Fix
Conclusion
Outlook 101
Outlook
the firewalls
Highly targeted victim
Outlook
Outlook vulnerabilities over the years:
May, 2010: CVE-2010-0816
July, 2010: CVE-2010-0266
Sep, 2010
March, 2013: CVE-2013-0095
Sep, 2013: CVE-2013-3870
Nov, 2013: CVE-2013-3905
2014
CVE-2013-0095 (Outlook for Mac only): a crafted HTML email makes the WebKit engine
render remote web content automatically, allowing an info leak (e.g. whether
the victim has read the email or not).
Fixed in MS13-026.
What's OLE?
OLE (Object Linking and Embedding) is built on COM.
For background, see "Attacking Interoperability: An OLE Edition" (Black Hat USA 2015) [1]:
https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf
OLE in Outlook
OLE in MSG
If you have dealt with OLE in other Office formats before, you will recognize
an OLE object structure here!
Wait! Is that all?
About TNEF (Winmail.dat): https://support.microsoft.com/en-us/kb/241538 [3]
OLE in TNEF
We can play the old trick we used to hack the MSG.
It worked!
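The slides do not reproduce the TNEF byte layout, so the following is an added example written for this page, not code from the talk or from Microsoft. It walks a winmail.dat stream using the layout in [MS-OXTNEF] [4] (signature, 16-bit attach key, then attributes of the form level | id | length | data | 16-bit checksum, with attAttachRendData opening each attachment), verifies every checksum, and reports attachments whose RENDDATA.atyp is atypOle, i.e. the attachment kind Outlook treats as an embedded OLE object rather than a plain file. The sample stream is constructed inline (the "fake-ole" payload is not a real OLE object); the attribute ids, the atyp values and the RENDDATA field order are assumed from tnef.h / [MS-OXTNEF] and should be checked against the spec; `parse_tnef`, `find_ole_attachments` and `build_sample` are names chosen here.

```python
"""Minimal TNEF (winmail.dat) walker that flags OLE-typed attachments.
Added example for this page; layout assumed from [MS-OXTNEF]:
  signature(4) | attach key(2) | attributes...
  attribute = level(1) | id(4, type in high word) | length(4) | data | checksum(2)
  checksum  = sum of data bytes mod 65536
"""
import struct

TNEF_SIGNATURE = 0x223E9F78
LVL_MESSAGE, LVL_ATTACHMENT = 1, 2

# Attribute ids (assumed from tnef.h; type word in the high 16 bits)
ATT_MESSAGE_CLASS = 0x00078008
ATT_ATTACH_REND_DATA = 0x00069002  # RENDDATA: atyp, ulPosition, dxWidth, dyHeight, dwFlags
ATT_ATTACH_TITLE = 0x00018010      # NUL-terminated file name
ATT_ATTACH_DATA = 0x0006800F       # raw attachment bytes

# RENDDATA.atyp values (assumed from tnef.h)
ATYP_NULL, ATYP_FILE, ATYP_OLE, ATYP_PICTURE = 0, 1, 2, 3


def tnef_checksum(data):
    """16-bit additive checksum used on every TNEF attribute."""
    return sum(data) & 0xFFFF


def encode_attribute(level, att_id, data):
    """Serialize one attribute record (used only to build the sample)."""
    return (struct.pack("<BII", level, att_id, len(data)) + data
            + struct.pack("<H", tnef_checksum(data)))


def parse_tnef(blob):
    """Yield (level, att_id, data) for each attribute; raise ValueError on corruption."""
    if len(blob) < 6:
        raise ValueError("too short for a TNEF header")
    sig, _attach_key = struct.unpack_from("<IH", blob, 0)
    if sig != TNEF_SIGNATURE:
        raise ValueError("bad TNEF signature 0x%08x" % sig)
    off = 6
    while off < len(blob):
        if off + 9 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % off)
        level, att_id, length = struct.unpack_from("<BII", blob, off)
        off += 9
        if level not in (LVL_MESSAGE, LVL_ATTACHMENT):
            raise ValueError("bad attribute level %d" % level)
        if off + length + 2 > len(blob):
            raise ValueError("attribute 0x%08x runs past end of stream" % att_id)
        data = blob[off:off + length]
        off += length
        (csum,) = struct.unpack_from("<H", blob, off)
        off += 2
        if csum != tnef_checksum(data):
            raise ValueError("checksum mismatch on attribute 0x%08x" % att_id)
        yield level, att_id, data


def find_ole_attachments(blob):
    """Return titles of attachments whose RENDDATA.atyp == atypOle.

    Each attAttachRendData starts a new attachment; the attachment-level
    attributes that follow (title, data, ...) belong to it until the next one.
    Only the leading 2-byte atyp field of RENDDATA is inspected.
    """
    found, current = [], None
    for level, att_id, data in parse_tnef(blob):
        if att_id == ATT_ATTACH_REND_DATA:
            if current is not None and current["atyp"] == ATYP_OLE:
                found.append(current["title"])
            atyp = struct.unpack_from("<H", data, 0)[0] if len(data) >= 2 else ATYP_NULL
            current = {"atyp": atyp, "title": "<untitled>"}
        elif level == LVL_ATTACHMENT and att_id == ATT_ATTACH_TITLE and current is not None:
            current["title"] = data.rstrip(b"\x00").decode("latin-1")
    if current is not None and current["atyp"] == ATYP_OLE:
        found.append(current["title"])
    return found


def build_sample(atyp, title=b"object.bin", payload=b"\xd0\xcf\x11\xe0fake-ole"):
    """Constructed sample winmail.dat with one attachment (payload is not a real OLE object)."""
    rend = struct.pack("<HIHHI", atyp, 0, 0, 0, 0)  # atyp, ulPosition, dxWidth, dyHeight, dwFlags
    return (struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
            + encode_attribute(LVL_MESSAGE, ATT_MESSAGE_CLASS, b"IPM.Note\x00")
            + encode_attribute(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, rend)
            + encode_attribute(LVL_ATTACHMENT, ATT_ATTACH_TITLE, title + b"\x00")
            + encode_attribute(LVL_ATTACHMENT, ATT_ATTACH_DATA, payload))


if __name__ == "__main__":
    print(find_ole_attachments(build_sample(ATYP_OLE)))   # ['object.bin']
    print(find_ole_attachments(build_sample(ATYP_FILE)))  # []
```

A mail gateway rule built on this would quarantine or strip any winmail.dat whose attachment carries atypOle; a corrupted attribute (bad checksum, length past end of stream) is rejected rather than skipped, so a parser differential cannot hide the object from the filter.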
No sandbox on Outlook!
It's wormable!
Once one computer is hacked via email, the worm can gather all the contacts and
send the same exploit by email to every contact to spread itself.
This doesn't usually happen in the Windows ecosystem nowadays.
Timeline
The Problem
We'd like to thank Randy Zhong (@randy_zhong), Steeve Barbeau (@steevebarbeau), and
Dennis Dwyer (@dunit50) for helping us test the behavior.
The Risks
In simple words, Outlook doesn't protect against inside threats by default.
Conclusion
Major References
[1] Haifei Li and Bing Sun, Attacking Interoperability: An OLE Edition [Online]
https://sites.google.com/site/zerodayresearch/Attacking_Interoperability_OLE_BHUSA2015.pdf
[2] Microsoft, [MS-OXMSG]: Outlook Item (.msg) File Format [Online]
https://msdn.microsoft.com/en-us/library/cc463912(v=exchg.80).aspx
[3] Microsoft, Description of Transport Neutral Encapsulation Format (TNEF) in Outlook 2000, [Online]
https://support.microsoft.com/en-us/kb/241538
[4] Microsoft, [MS-OXTNEF]: Transport Neutral Encapsulation Format (TNEF) Data Algorithm, [Online]
https://msdn.microsoft.com/en-us/library/cc425498(v=exchg.80).aspx
[5] Haifei Li, BadWinmail: The "Enterprise Killer" Attack Vector in Microsoft Outlook [Online]
https://sites.google.com/site/zerodayresearch/BadWinmail.pdf
[6] Robert Lipovsky and Anton Cherepanov, BlackEnergy trojan strikes again: Attacks Ukrainian
electric power industry [Online]
http://www.welivesecurity.com/2016/01/04/blackenergy-trojan-strikes-again-attacks-ukrainian-electricpower-industry
[7] Microsoft, Office document attachments open in Protected View in Outlook [Online]
https://support.microsoft.com/en-us/kb/2714439
Thank You!
haifei.li@intel.com
chong.c.xu@intel.com