Wednesday, November 5, 2014

CVE-2014-6352 When defenses fall - eliminating the use of .inf files and bypassing Antiviruses!




Regarding CVE-2014-6352 and CVE-2014-4114 as we know .inf files were used in malware samples found in the wild to execute the executable payloads. One of the workaround from Microsoft was to Block the launching of executables via Setup information files (https://technet.microsoft.com/en-us/library/security/ms14-060.aspx)

But  CVE-2014-6352 requires .inf files to execute the payload is a myth which we are going to bust in this blog.

We took a public sample with embedded executable and .inf. When we unzipped it there were 2 ole objects there

OleObject1.bin - which is embedded executable
OleObject2.bin - which is exbedded .inf file

We created another ole object with putty.exe as executable payload. Renamed it as OleObject2.bin

Replaced it in exploit sample and created .ppsx file. When we executed the POC ppxs BOOM our payload got executed proving that using .inf files in not necessary in this particular exploit.

With this method we bypassed 3 things:

1) One of the workaround from MS to prevent the exploit
2) Antivirus signatures
3) Size limit of the executable

Below is the AV scan report of the POC we created. And its a bad news that none of the major AV detects the exploit.