
The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain

Executive Summary

On July 11, 2023, Microsoft released a patch fixing multiple actively exploited RCE vulnerabilities and disclosed a phishing campaign conducted by the threat actor identified as Storm-0978, which targeted entities in Europe and North America. This campaign used a zero-day vulnerability tracked as CVE-2023-36884, a remote code execution vulnerability in Windows Search files that is exploited via crafted Office Open eXtensible Markup Language (OOXML) documents carrying geopolitical lures related to the Ukraine World Congress (UWC). While a workaround was suggested to mitigate this vulnerability, on August 8, 2023, Microsoft released an Office Defense in Depth update that breaks the exploitation chain leading to RCE through Windows Search (*.search-ms) files.

Hardening of operating systems and several exploit mitigation features have resulted in a steady decline in the exploitation and weaponizing of memory corruption vulnerabilities. Abusing features of Microsoft Office has been at the forefront among the top techniques adversaries use to execute targeted attacks, fundamentally because its rich feature set exposes a larger attack surface, it is widely adopted, and it is easy to exploit, which together make it a lucrative attack vector. We have seen many such instances in the past, such as CVE-2022-30190 and CVE-2021-40444, where Office documents were used either as a carrier for other file format exploits or to link to malicious external resources or objects, which in turn exploit vulnerabilities by invoking the respective object renderers. Office documents have also historically been used to chain multiple vulnerabilities together to achieve Remote Code Execution (RCE). Previously, we blogged about CVE-2022-37985, an information disclosure vulnerability in the Windows Graphics Component that can be exploited through Office documents and which, when chained with other vulnerabilities that provide an arbitrary write primitive, has the potential to achieve code execution.

In this blog, we will take a deeper look at the malicious OOXML, and embedded Rich Text Format (RTF) document exploit used in targeted attacks against government entities and visualize the attack sequence and chain of exploits. We will also attempt to reconstruct the document lures programmatically using the same technique with sample code and further highlight the Trellix IPS and product coverage against the exploits used in this attack.

Introduction

In this attack campaign, threat actors used multiple OOXML documents with the following names and hashes:

Overview_of_UWCs_UkraineInNATO_campaign.docx [2400b169ee2c38ac146c67408debc9b4fa4fca5f]

Letter_NATO_Summit_Vilnius_2023_ENG (1).docx [3de83c6298a7dc6312c352d4984be8e1cb698476]

Figure 1 – document lures used in the campaign

While quickly scanning the OOXML lures through our in-house Office file analysis engine, we noticed an RTF document embedded inside. Analyzing the RTF through the same scanning engine surfaced multiple suspicious indicators, as shown below. This triggered our investigation into the technique used to embed the RTF into OOXML and into whether we could apply the same method to reconstruct the lures that lead to the chain of infection.

Figure 2 - Detection for document lures

The document structure of both exploits used in this campaign is similar to the one used in the Follina attack (CVE-2022-30190). However, in the Follina exploit, Object Linking was used to link the OOXML document to an externally hosted HTML file, as detailed in our previous blog. In the OOXML exploiting CVE-2023-36884, an Alternate Format Chunk (AltChunk / aFChunk) embeds an RTF file within the OOXML. Use of the AltChunk class is indicated by the w:altChunk element tag in the document.xml file when the container document is unzipped, as shown below:

Figure 3 – document.xml using altChunk to embed malicious RTF

Use of “Alternative Chunk” in CVE-2023-36884

Traditionally, Office exploits used Object Linking and Embedding (OLE) to embed external content into the container application. This exploit instead uses altChunk (short for Alternative Chunk), an OpenXML standard feature that provides a way to merge two documents into a single larger document. The AltChunk element instructs the container application to import the content stored in the alternative part of the document (in this case, an RTF document).

The altChunk element specifies the location in the OOXML document at which the content of the specified file is inserted into the target document. The content type to be inserted and the location of the file are specified by the Type and Target attributes of the relationship whose Id matches the r:id used above in document.xml; that relationship lives in document.xml.rels within the /word/_rels directory, as shown in the exploit below.

Figure 4 – Relationship Target referring embedded RTF

As per the specification, the relationship Type should be “…/relationships/aFChunk”, as shown above, and the TargetMode should be specified as “Internal”. The TargetMode attribute is missing here, but Office seems to ignore its absence and still processes the document. Multiple content types can be imported with this method, including application/rtf, application/html, application/text, application/xml, etc., which effectively allows OOXML documents to be used as a carrier for other file format exploits.

Analysis of embedded RTF (afChunk.rtf)

Taking a deeper look at the embedded RTF document, it has precisely two embedded objects, which download additional malware payloads through redirection chains. One of the embedded OLE objects inside the RTF is a linked object, indicated by an “objautlink” RTF control word followed by “objupdate”, which forces the object / link to update before displaying the contents of the linked object.

Figure 5 – Embedded object 1 in RTF

Additionally, the embedded object contains a Universal Naming Convention (UNC) path to the external IP, initiating a connection to the externally hosted SMB server to download another file, file001.url (SHA-1 70560aff35f1904f822e49d3316303877819eef8). This is again a Word document embedding HTML content with an iframe source, which is rendered upon launching the original document.

Figure 6 – View of OLE object using OLE2LINK technique of linking RTF doc

The other OLE object is also a linked object, with an objclass of “xmlfile” and an oleclsid of “StdOleLink”. This effectively means the StdOleLink OLE object is used to link the RTF to an externally hosted XML file. This was one of the widely adopted techniques and was also used in the massively exploited CVE-2017-0199. The linking feature can still be used in a similar fashion to exploit logic flaws in other renderer components. Once the RTF is launched, a connection is initiated to the external IP to retrieve start.xml, which is then rendered by SAX XML Reader 6.0 (msxml6.dll). This retrieved XML file in turn has an embedded iframe source pointing to another file, RFile.asp, in the same path. Part of the infection chain can be visualized below.

Figure 7 – Embedded object 2 in RTF

Figure 8 – View of OLE object using OLE2LINK technique of linking RTF doc

Figure 9 – RTF document initiating connection to retrieve start.xml

Figure 10 - Contents of start.xml containing iframe

As seen in the RFile.asp code below, it starts with a timeout of 30000 seconds and then loads another iframe contained within it, which retrieves a .htm file from the same attacker-controlled server, 104.234.239.26. That file is dynamically generated based on the IP address of the victim and the unique id in the path of the HTTP request.

Figure 11 – Contents of the RFile.asp

The infection chain thus turns out to be a series of iframe redirects: it resumes with the fetching of the .htm file and subsequently the search-ms files, and eventually ends up downloading the final payload. The entire infection chain can be visualized with the following infographic:

Figure 12 – Visualization of CVE-2023-36884 infection chain (source: https://twitter.com/r00tbsd/status/1679042071477338114)

Can we reconstruct the exploit using URL Moniker and “AltChunk”?

The C# sample code below uses the DocumentFormat.OpenXml package and demonstrates how we can reconstruct an OOXML document with an embedded RTF using the “altChunk” class, as used by attackers in this campaign. This code embeds Document1.rtf into Document2.docx and creates another file with the name CVE-2023-36884.docx.

To altChunk the RTF document into the OOXML, the code first initializes a unique altChunkId as a relationship id. It then creates a new AlternativeFormatImportPart with that altChunkId by calling the OpenXML API AddAlternativeFormatImportPart with AlternativeFormatImportPartType set to Rtf, adding the part to the main document (CVE-2023-36884.docx). As mentioned in the previous sections, AlternativeFormatImportPartType is an enum that specifies the content type to be imported.

Figure 13: AlternativeFormatImportPartType used to import multiple content types

Subsequently, after creating the new AltChunk, the contents of Document1.rtf are inserted at the end of the main document (CVE-2023-36884.docx). We believe the same technique must have been used by the authors to build the exploit.

Figure 14: Document1.rtf

Figure 15: Document2.docx

Figure 16: Code to insert RTF into DOCX using AltChunk

Figure 17: Reconstructed POC exploit with connection to start.xml initiating the infection chain
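As an added illustration of the structure described in the altChunk and RTF sections above (this is our own example, not the blog's C# code or Trellix's scanning engine), the Python below builds a constructed minimal OOXML package wired the same way (w:altChunk in document.xml, an aFChunk relationship with no TargetMode, an RTF part) and then walks it the way an analysis engine would: resolve the r:id through document.xml.rels, check the relationship Type, flag the missing TargetMode, and look for the RTF control words called out above. The relationship id rId99, the part name afchunk.rtf and the RTF fragment are constructed test data; the fragment carries only control words and no object data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# RTF markers the analysis above singles out in afchunk.rtf (linked, auto-updating OLE objects)
RTF_INDICATORS = ("objautlink", "objupdate", "StdOleLink", "xmlfile")

def build_sample_docx() -> bytes:
    """Constructed test package wired like the lure: document.xml -> altChunk -> aFChunk rel -> RTF part."""
    document_xml = (f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>'
                    '<w:altChunk r:id="rId99"/></w:body></w:document>')
    # TargetMode="Internal" is deliberately omitted, as in the observed sample
    rels_xml = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId99" '
                f'Type="{R_NS}/aFChunk" Target="afchunk.rtf"/></Relationships>')
    # constructed RTF carrying only the control words of interest, no object data
    rtf = r"{\rtf1{\object\objautlink\objupdate{\*\objclass xmlfile}{\*\oleclsid StdOleLink}}}"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        z.writestr("word/afchunk.rtf", rtf)
    return buf.getvalue()

def analyze_altchunks(docx_bytes: bytes) -> list:
    """One finding per w:altChunk: resolve r:id via document.xml.rels, check Type/TargetMode, scan the part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        rel_by_id = {r.get("Id"): r for r in rels.iter(f"{{{PKG_NS}}}Relationship")}
        for chunk in doc.iter(f"{{{W_NS}}}altChunk"):
            rid = chunk.get(f"{{{R_NS}}}id")
            rel = rel_by_id.get(rid)
            if rel is None:  # an altChunk that resolves to nothing is itself worth flagging
                findings.append({"rid": rid, "error": "unresolved relationship id"})
                continue
            target = rel.get("Target", "")
            # relative targets resolve next to document.xml; a leading "/" is package-absolute
            part = target.lstrip("/") if target.startswith("/") else "word/" + target
            data = z.read(part).decode("latin-1") if part in z.namelist() else ""
            findings.append({
                "rid": rid, "target": target,
                "is_afchunk": rel.get("Type", "").endswith("/aFChunk"),
                "target_mode_missing": rel.get("TargetMode") is None,
                "rtf_indicators": [w for w in RTF_INDICATORS if w in data],
            })
    return findings
```

Object data inside an RTF is usually hex-encoded, so a UNC path like the one in embedded object 1 would need the object stream decoded before a string match; this example stops at the control-word level.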

Trellix IPS protection and Product Coverage against this attack

Trellix NSP has been one of the most advanced IPS in the security industry, consistently engaged in protecting customers from advanced attacks. Cutting-edge IPS features such as Microsoft Office Deep File Inspection and Multi Attack ID Correlation protect customers against a variety of file format attacks and help correlate multiple low or medium severity alerts in the attack cycle, increasing the overall confidence level. Trellix IPS has released the following detections for protection against this attack.

IPS Attack ID – Attack Name

0x452d8200 – HTTP: Microsoft Office Remote Code Execution Vulnerability (CVE-2023-36884)

0x452da500 – HTTP: Microsoft Office Post Exploitation Activity I (CVE-2023-36884)

0x452d8300 – HTTP: Microsoft Office Post Exploitation Activity (CVE-2023-36884)


Trellix Product Coverage

Product – Detection Details

ENS-AV
  PUP-ILJ
  RTFObfustream.a
  Generic Trojan.mq
  HTML/Agent.s
  HTML/CVE2023-36884.a

ENS-EP
  CVE-2023-36884_Office_and_Windows_HTML_Remote_Code_Execution_Vulnerability.md

HX-IOC
  SUSPICIOUS LAUNCH OF MSDT.EXE BY OFFICE APPS A (METHODOLOGY)

HX-AV/MG
  Trojan.GenericKD.67946770
  Exploit.CVE-2017-0199.02.Gen
  Trojan.GenericFCA.Agent.98791
  Trojan.GenericFCA.Agent.98790

Network (NX)
  Trojan.Generic.DNS

NX IPS
  FE_Office and Windows HTML CVE-2023-36884 Remote Code Execution Vulnerability

MVX
  FE_Exploit_RTF_CVE20170199_1
  FEC_Exploit_RTF_CVE20170199_1_FEBeta (703874)
  FEC_Exploit_RTF_Generic_1_FEBeta (703875)
  FEC_Exploit_RTF_Generic_2_FEBeta (703876)
  FEC_Trojan_HTML_Generic_64_FEBeta (703877)
  Suspicious Network Activity (10405)
  Trojan.Generic.MVX (43183)

HELIX
  WINDOWS METHODOLOGY [Office Suspicious Child Process] (1.1.2497)
  WINDOWS METHODOLOGY [Impacket Secretsdump] (1.1.3336)
  IMPACKET OBFUSCATION [WmiExec Commands] (1.1.3942)

Conclusion

Microsoft Office continues to be the top target for attackers, especially when it comes to abusing features and exploiting design and logic flaws. As native memory corruption flaws gradually decline, along with the inherent challenges in weaponizing them, this feature-rich application, with its wider attack surface, offers an attacker the path of least resistance. In one of our previous blogs, we predicted this exploitation trend, and CVE-2023-36884 is yet another validation of it. We believe this trend will continue, with vulnerabilities in application features and their easy exploitation remaining a challenge for organizations. Consequently, endpoint and network security solutions will have to continuously evolve to address those challenges. By applying secure application design and development, we can certainly break the exploitation chain and remain protected against these attacks.

Indicators of Compromise (IOCs)

Hashes of malicious files

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.
