[HN Gopher] Technical Analysis of an Office RCE Exploit
___________________________________________________________________

Technical Analysis of an Office RCE Exploit

Author : arkadiyt
Score  : 41 points
Date   : 2022-01-08 19:06 UTC (3 hours ago)

web link (billdemirkapi.me)

| pixl97 wrote:
| >Since the original "hidusi[.]com" domain was down, we needed to
| host our version of side.html. Hosting a file is easy, but how do
| we make the Word document use our domain instead
|
| What's interesting here is the author just didn't host their own
| internal DNS infrastructure. Editing the file is simple in its
| own way, but I guess coming from an operations side I'd have
| set up a DNS and HTTP server to handle it.
  | kjaftaedi wrote:
  | Every system has a hosts file that you can edit for exactly
  | this purpose.
  |
  | No need to set up DNS at all.
  |
  | Your system will resolve whatever hostnames you want to
  | whatever IP addresses you want. You just add the entries to a
  | text file.
  |
  | It will always override whatever results come from DNS.
  |
  | The author definitely went the long way with this approach.
    | BillDemirkapi wrote:
    | Author here. Yes, simply editing my hosts file would have been
    | much easier. The reason I went the longer approach of setting
    | up the payload on a remote web server was because there is
    | the concept of security zones in Internet Explorer. Visiting
    | localhost in Internet Explorer gets treated with a different
    | level of trust compared to randomwebsite.com. For example, if
    | you go to your security settings in Internet Explorer, there
    | is an "Internet" zone but also a "Local intranet" zone. If
    | you compare the two, you'll see they have different security
    | settings. By hosting the payload on an external domain, we
    | ensure that we are simulating an identical environment that
    | existed for the attack (and are not subject to a different
    | level of trust).
      | EvanAnderson wrote:
      | Editing the HOSTS file has nothing to do with where the
      | resource is hosted. It just allows you to control name
      | resolution without doing it in DNS. Internet Explorer
      | security zones work the same way irrespective of whether a
      | local HOSTS file for DNS resolves the name.
        | BillDemirkapi wrote:
        | Yes, but at the time I already had an existing domain
        | with a web server I could use. You are correct that I
        | could have set up a separate site for hidusi[.]com and
        | then pointed the domain directly at my web server's IP, but
        | since I already had a domain/web server configured, it
        | was much easier just to swap the domain in the document.
  | flatiron wrote:
  | Was it https? Makes it a bit trickier if it is, as you would
  | have to self-sign the cert. Guy is using IDA Pro. I assume they
  | know how DNS works.
  | pixl97 wrote:
  | That is if you're using a single host network. If your
  | simulations go beyond a single VM, it can be useful.
  |
  | In general when performing malware analysis you want a
  | logging DNS cache to keep track of any lookup the software
  | makes.
| pplanel wrote:
| Very nice write-up, thanks.
___________________________________________________________________
(page generated 2022-01-08 23:00 UTC)
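The logging DNS cache pixl97 mentions above, reduced to a small UDP responder, as an added example that is not from the thread or the article: it logs every name the sample looks up, answers only the article's hidusi[.]com with a constructed lab IP (10.0.0.5, assumed to be where the analyst serves side.html), and returns NXDOMAIN for everything else so the sample cannot reach anything real.

```python
import logging
import socket
import struct

# Constructed lab values: IP serving the analyst's copy of side.html, and the
# domain from the article that should resolve to it instead of the real host.
LAB_HTTP_IP = "10.0.0.5"
REDIRECTED = frozenset({"hidusi.com"})

def build_query(name, txid=b"\x12\x34"):
    """Encode a standard A/IN query for name (usable as a client and in tests)."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    header = txid + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(data, offset=12):
    """Decode the question name; return (name, offset just past the terminating 0)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_response(query):
    """Answer A queries for redirected names with LAB_HTTP_IP; everything else NXDOMAIN."""
    txid, (name, end) = query[:2], parse_qname(query)
    qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    if name.lower() in REDIRECTED and qtype == 1:
        header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # response, RA, NOERROR
        # One A record: name pointer to offset 12 (0xc00c), class IN, TTL 60, 4-byte rdata.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(LAB_HTTP_IP)
        return name, header + question + rr
    return name, txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question  # NXDOMAIN

def answered_ip(response):
    """IPv4 address from a one-answer response, or None when the reply is NXDOMAIN."""
    return socket.inet_ntoa(response[-4:]) if struct.unpack("!H", response[6:8])[0] else None

def serve(bind="0.0.0.0", port=53):
    """Run the responder; every name the sample looks up is logged with the client IP."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        query, peer = sock.recvfrom(512)
        name, response = build_response(query)
        logging.info("%s looked up %s", peer[0], name)
        sock.sendto(response, peer)
```

Run serve() with privileges to bind port 53 on the sandbox resolver and point the analysis VM's DNS at it; build_query and answered_ip are there so the packet logic can be exercised without opening a socket.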