RTF zero day in the wild

FireEye recently published an RTF zero day that has been used in the wild since July. This zero day was used to spread FinSpy/FinFisher malware, a “lawful intercept” product with RAT-like capabilities.

The disclosed vulnerability is a logical vulnerability, which means most EMET style anti-exploitation techniques (ASLR, DEP, CFG) are irrelevant. As are any other pre-execution security mechanisms due to the nature of the logical vulnerability.

The SentinelOne behavioral engine successfully detects and blocks this vulnerability before any malicious code is executed.

The vulnerability, CVE-2017-8759, impacts the .NET framework and allows a malicious attacker to inject arbitrary code during the parsing parts of the RTF document: SOAP WSDL definitions. The function, PrintClientProxy, that parses URLs encoded in the document fails with improper input validation. When multiple addresses are provided in a SOAP response, everything after the first address is prefixed with two slash signs (//), marking the rest of the line as a comment, including that address in it. However, the two slash signs comment marker is only in effect until the line ends. Therefore in order to execute attacker controlled code – all needed is to include a line break (CR;LF) in the address, following any malicious code. This validation issue has been successfully used by attackers to exploit and infiltrate.

Take a look at this video to see SentinelOne in action with build 1.8.3705 detecting this sophisticated zero day.