[HN Gopher] Technical Analysis of an Office RCE Exploit
___________________________________________________________________
Technical Analysis of an Office RCE Exploit
Author : arkadiyt
Score : 41 points
Date : 2022-01-08 19:06 UTC (3 hours ago)
(HTM) web link (billdemirkapi.me)
(TXT) w3m dump (billdemirkapi.me)
| pixl97 wrote:
| >Since the original "hidusi[.]com" domain was down, we needed to
| host our version of side.html. Hosting a file is easy, but how do
| we make the Word document use our domain instead
|
| What's interesting here is the author just didn't host their own
| internal DNS infrastructure. Editing the file is simple in its
| own way, but I guess coming from an operations side I'd have
| set up a DNS and HTTP server to handle it.
| kjaftaedi wrote:
| Every system has a hosts file that you can edit for exactly
| this purpose.
|
| No need to set up DNS at all.
|
| Your system will resolve whatever hostnames you want to
| whatever IP addresses you want. You just add the entries to a
| text file.
|
| It will always override whatever results come from DNS.
|
| The author definitely went the long way with this approach.
| BillDemirkapi wrote:
| Author here. Yes simply editing my hosts file would have been
| much easier. The reason I went the longer approach of setting
| up the payload on a remote web server was because there is
| the concept of security zones in Internet Explorer. Visiting
| localhost in Internet Explorer gets treated with a different
| level of trust compared to randomwebsite.com. For example, if
| you go to your security settings in Internet Explorer, there
| is an "Internet" zone but also a "Local intranet" zone. If
| you compare the two, you'll see they have different security
| settings. By hosting the payload on an external domain, we
| ensure that we are simulating an identical environment that
| existed for the attack (and are not subject to a different
| level of trust).
| EvanAnderson wrote:
| Editing the HOSTS file has nothing to do with where the
| resource is hosted. It just allows you to control name
| resolution without doing it in DNS. Internet Explorer
| security zones work the same way irrespective of whether a
| local HOSTS file for DNS resolves the name.
| BillDemirkapi wrote:
| Yes, but at the time I already had an existing domain
| with a web server I could use. You are correct that I
| could have set up a separate site for hidusi[.]com and
| then pointed the domain directly at my web server's IP, but
| since I already had a domain/web server configured, it
| was much easier just to swap the domain in the document.
| flatiron wrote:
| Was it HTTPS? Makes it a bit trickier if it is, as you would
| have to self-sign the cert. Guy is using IDA Pro. I assume they
| know how DNS works.
| pixl97 wrote:
| That is if you're using a single host network. If your
| simulations go beyond a single VM it can be useful.
|
| In general when performing malware analysis you want a
| logging DNS cache to keep track of any lookup the software
| makes.
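An added example, not from the thread or the linked article, of the lab resolver pixl97 describes: a tiny UDP DNS sinkhole that answers a static name-to-IP map (the same job as the hosts file kjaftaedi mentions, but network-wide) and records every name the sample looks up. The mapping entry and the 10.0.0.5 address are constructed placeholders for the analyst's own web server, and it assumes it may bind port 53 on the lab network.

```python
import socket
import struct

# Constructed lab mapping: names the sinkhole answers, and the address of the
# analyst's own web server (placeholder value, not an address from the thread).
LAB_HOSTS = {"hidusi.com": "10.0.0.5"}
QUERY_LOG = []  # every (name, qtype) the sample asks for: the log the thread wants

def parse_query(msg):
    """Return (txid, qname, qtype, raw question section) from a DNS query."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("unexpected label pointer")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, ".".join(labels).lower(), qtype, msg[12:pos + 5]

def build_response(msg):
    """Log the query; answer an A record for mapped names, NXDOMAIN otherwise."""
    txid, qname, qtype, question = parse_query(msg)
    QUERY_LOG.append((qname, qtype))
    ip = LAB_HOSTS.get(qname)
    if qtype == 1 and ip is not None:  # flags 0x8580: QR, AA, RD, RA, RCODE=0
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
        return struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0) + question + answer
    return struct.pack("!HHHHHH", txid, 0x8583, 1, 0, 0, 0) + question  # RCODE=3

def build_query(name, txid=0x1234):
    """Encode a plain A query for `name` (client side, for local testing)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def answered_ip(response):
    """Address in the single A answer built above, or None for NXDOMAIN."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount == 1 else None

def serve(bind=("0.0.0.0", 53)):
    """Answer UDP queries from analysis VMs whose DNS setting points at this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            msg, peer = sock.recvfrom(512)
            try:
                sock.sendto(build_response(msg), peer)
                print(peer[0], "asked for", QUERY_LOG[-1])
            except (ValueError, IndexError, struct.error):
                print(peer[0], "sent a malformed query")
```

Call serve() on the lab gateway and point the analysis VM's DNS setting at it; unmapped names get NXDOMAIN rather than reaching the real internet, and QUERY_LOG shows every lookup the document triggered.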
| pplanel wrote:
| Very nice write up, thanks.
___________________________________________________________________
(page generated 2022-01-08 23:00 UTC)