cve-2017-8759 sig added

tylabs · Sep 14, 2017 · cde64d3 · cde64d3
1 parent cf3a872
commit cde64d3
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 26 deletions.
diff --git a/libqs.c b/libqs.c
@@ -2,7 +2,7 @@
  * @tylabs
  * QuickSand.io - Document malware forensics tool
  *
- * File libqs.c   May 24 2017
+ * File libqs.c   Sep 12 2017
  * Original source code available from https://github.com/tylabs/quicksand_lite
  * 
  * Decode and look in streams of Office Documents, RTF, MIME MSO.
@@ -1776,7 +1776,7 @@ void report_error(
     else
     {
 
-            fprintf(stderr, "%s(%d): warning: %s\n", file_name, line_number, message);
+            //fprintf(stderr, "%s(%d): warning: %s\n", file_name, line_number, message);
     }
 }
 

diff --git a/libqs.h b/libqs.h
@@ -2,7 +2,7 @@
  * @tylabs
  * QuickSand.io - Document malware forensics tool
  *
- * File libqs.h   May 24 2017
+ * File libqs.h   Sep 12 2017
  * Original source code available from https://github.com/tylabs/quicksand_lite
  * 
  * Decode and look in streams of Office Documents, RTF, MIME MSO.
@@ -23,7 +23,7 @@
 
 //#include <stdio.h>
 
-char *QUICKSAND_VERSION = "01.01.003";
+char *QUICKSAND_VERSION = "01.01.004";
 
 
 #define QUICKSAND_MAX_ITEM 512

diff --git a/quicksand_exploits.yara b/quicksand_exploits.yara
@@ -774,31 +774,54 @@ rule warning_vb_fileio {
 }
 
 
-    rule warning_ole2link_embedded {
+rule warning_ole2link_embedded {
     meta:
-        is_exploit = false
-        is_warning = true
-        is_feature = true
+        is_exploit = true
+        is_warning = false
+        is_feature = false
         rank = 1
-        revision = "1"
-        date = "April 11 2017"
-        author = "@tylabs"
-	release = "lite"
-        copyright = "QuickSand.io (c) Copyright 2017. All rights reserved."
+        revision = "3"
+        date = "September 12 2017"
+        author = "David Cannings"
+        copyright = "source https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.md"
         tlp = "white"
-        sigtype = "cryptam_exploit"
-        desc = "Office OLE2Link unsafe remote content"
+        sigtype = "cryptam_warning"
+        desc = "Office OLE2Link unsafe content such as remote risky content"
     strings:
-        $s4 = "00000300-0000-0000-c000-000000000046" nocase
-        $s5 = "0000030000000000c000000000000046"
-        //$s6 = {0000030000000000c000000000000046}
-        $s7 = "OLE2Link" ascii wide
-        $s8 = "0030000-0000-0000-c000-000000000046" nocase
-        $s9 = "0003000000000000c000000000000046"
-        //$s10 = {0003000000000000c000000000000046}
-        
-    condition:
-        1 of them
+        // Parsers will open files without the full 'rtf'
+        $header_rtf = "{\\rt" nocase
+        $header_office = { D0 CF 11 E0 }
+        $header_xml = "<?xml version=" nocase wide ascii
+
+        // Marks of embedded data (reduce FPs)
+        // RTF format
+        $embedded_object   = "\\object" nocase
+        $embedded_objdata  = "\\objdata" nocase
+        $embedded_ocx      = "\\objocx" nocase
+        $embedded_objclass = "\\objclass" nocase
+        $embedded_oleclass = "\\oleclsid" nocase
+    
+        // XML Office documents
+        $embedded_axocx      = "<ax:ocx"  nocase wide ascii
+        $embedded_axclassid  = "ax:classid"  nocase wide ascii
+
+        // OLE format
+        $embedded_root_entry = "Root Entry" wide
+        $embedded_comp_obj   = "Comp Obj" wide
+        $embedded_obj_info   = "Obj Info" wide
+        $embedded_ole10      = "Ole10Native" wide
+
+        $data0 = "00000300-0000-0000-C000-000000000046" nocase wide ascii
+        $data1 = { 0003000000000000C000000000000046 }
+        $data2 = "OLE2Link" nocase wide ascii
+        $data3 = "4f4c45324c696e6b" nocase wide ascii
+        $data4 = "StdOleLink" nocase wide ascii
+        $data5 = "5374644f6c654c696e6b" nocase wide ascii
+
+      condition:
+        // Mandatory header plus sign of embedding, then any of the others
+        1 of ($header*) and 1 of ($embedded*) 
+            and (1 of ($data*))
     }
 
 rule warning_EPS_xor_exec {
@@ -846,4 +869,32 @@ rule warning_vbs_embed {
 		$s4 = "Ole10Native" wide
 	condition:
             3 of them
-}
+}
+
+rule exploit_cve_2017_8759 {
+    meta:
+        is_exploit = true
+        is_warning = false
+        is_feature = false
+        rank = 10
+        revision = "1"
+        date = "September 12 2017"
+        author = "@tylabs"
+	release = "lite"
+        copyright = "QuickSand.io (c) Copyright 2017. All rights reserved."
+        tlp = "green"
+        sigtype = "cryptam_exploit"
+        desc = "OLE WSDL Parser Code Injection in PrintClientProxy CVE-2017-8759"
+
+    strings:
+        $c5 = "wsdl=" ascii wide nocase
+        $c7 = "wsdl=http" ascii wide nocase
+	$c1 = "ECABB0C7-7F19-11D2-978E-0000F8757E2A"
+	$c2 = "SoapMoniker"
+	$c3 = "c7b0abec-197f-d211-978e-0000f8757e2a"
+	$c4 = "c7b0abec197fd211978e0000f8757e2a"
+	$c6 = {c7b0abec197fd211978e0000f8757e2a}
+        
+    condition:
+        warning_ole2link_embedded and 1 of ($c*)
+}