Sunday, May 4, 2014

Cryptam Document Analysis + OpenXML embedded in RTF

Recently there have been a number of reports of RTF exploits using a new trick: embedding an OpenXML (docx) exploit inside the RTF to build a single document that carries several recently patched exploits, with low AV detection. In particular, the file tweeted on March 29 by @botherder got our attention and has since been covered by McAfee and Blue Coat.

MD5: af17892aa82b48282d956adeb5e70e65
Original filename: aircanada_eticket_820910108.doc
Cryptam report.
VirusTotal: 29/51



Superficially, the RTF component uses CVE-2010-3333, but the file also carries an Open XML (docx) package exploiting CVE-2012-1856 and an embedded TIFF exploiting CVE-2013-3906. AV detection that names only the most obvious, and oldest, of these (CVE-2010-3333) can be misleading: being patched against that CVE does not mean you are protected against this file.


RTF content with embedded OpenXML (zip header):

OpenXML embedded content and CVE-2012-1856 ActiveX files:

CVE-2012-1856 classid referenced in the activeXNN.xml files:

RTF start of the CVE-2013-3906 TIFF, referenced as a JPEG:

We quietly added support for OpenXML (docx etc.) embedded in RTF to Cryptam a couple of weeks ago, but are only now getting the word out. Our testing has shown that most of the embedded OpenXML files were likely assembled by hand, as their magic numbers tend to match a generic Zip archive rather than a properly generated OpenXML package. Both the Cryptam web suite and the command line version now automatically extract and scan embedded OpenXML files. Because the built-in zip support could not cope with corrupt zip metadata, we now use an external zip command for the extraction.
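As an added illustration (example code written for this post, not Cryptam's own code), here is a small Python triage script that does what the analysis above describes: it carves a ZIP out of the hex-encoded \objdata of an RTF, checks whether that ZIP looks like a properly generated OpenXML package or a generic hand-built Zip, pulls the classids referenced from the word/activeX/activeXNN.xml parts, and flags a \pict group whose declared \jpegblip type does not match the TIFF magic of its data. The Office-style local header prefix it tests for (flag bits 0x0006) is a heuristic assumed here rather than something stated in the post, the sample RTF and the classid {11111111-...} are constructed placeholders, and the corrupt-zip path simply reports the problem instead of shelling out to an external unzip.

```python
import io
import re
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Heuristic assumed by this example (not a claim from the post): Office-written
# OOXML packages usually open with version-needed 0x0014 and flag bits 0x0006,
# while generic zip tools (and hand-built samples) emit flag bits 0x0000/0x0008.
OFFICE_LOCAL_HEADER_PREFIX = b"PK\x03\x04\x14\x00\x06\x00"
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
CONTROL_WORD_RE = re.compile(rb"\\[A-Za-z]+-?\d* ?|\\[^A-Za-z]")  # \par, \picw100, \', \*
HEX_CHARS = frozenset(b"0123456789abcdefABCDEF")


def rtf_hex_destinations(rtf, control_word):
    """(group_text, decoded_bytes) for each \\objdata or \\pict group; nested
    sub-groups are skipped and interleaved control words ignored, as Word does."""
    results = []
    for m in re.finditer(rb"\\" + control_word + rb"\b", rtf):
        kept, depth, i = bytearray(), 0, m.end()
        while i < len(rtf):
            ch = rtf[i]
            if ch == 0x7B:                       # '{' opens a nested group
                depth += 1
            elif ch == 0x7D:                     # '}' closes a group
                if depth == 0:
                    break                        # end of this destination
                depth -= 1
            elif depth == 0:
                kept.append(ch)
            i += 1
        body = bytes(kept)
        hexdigits = bytes(c for c in CONTROL_WORD_RE.sub(b"", body) if c in HEX_CHARS)
        hexdigits = hexdigits[: len(hexdigits) & ~1]   # drop a dangling nibble
        results.append((body, bytes.fromhex(hexdigits.decode("ascii"))))
    return results


def analyze_zip(zip_bytes):
    """Does the carved ZIP look Office-made, is it OpenXML, which classids does it load?"""
    report = {"office_magic": zip_bytes.startswith(OFFICE_LOCAL_HEADER_PREFIX),
              "corrupt": False, "is_openxml": False, "entries": [], "activex_clsids": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
        report["entries"] = zf.namelist()
    except zipfile.BadZipFile:
        report["corrupt"] = True        # damaged central directory: stdlib gives up,
        return report                   # which is where an external unzip steps in
    report["is_openxml"] = "[Content_Types].xml" in report["entries"]
    for name in report["entries"]:      # CVE-2012-1856 is triggered from these parts
        if re.fullmatch(r"word/activeX/activeX\d+\.xml", name):
            for m in re.finditer(rb'classid="\{?([0-9A-Fa-f-]{36})\}?"', zf.read(name)):
                report["activex_clsids"].append((name, m.group(1).decode().upper()))
    return report


def embedded_openxml(rtf):
    """Carve a ZIP out of every \\objdata blob (an OLE wrapper usually precedes it)."""
    reports = []
    for _body, data in rtf_hex_destinations(rtf, b"objdata"):
        idx = data.find(ZIP_LOCAL_HEADER)
        if idx >= 0:
            reports.append(analyze_zip(data[idx:]))
    return reports


def mislabeled_pictures(rtf):
    """(declared, actual) for \\pict groups whose blip type disagrees with the magic,
    e.g. a TIFF (the CVE-2013-3906 carrier) declared as \\jpegblip."""
    findings = []
    for body, data in rtf_hex_destinations(rtf, b"pict"):
        declared = "jpeg" if b"\\jpegblip" in body else "png" if b"\\pngblip" in body else None
        actual = ("tiff" if data.startswith(TIFF_MAGICS) else "jpeg" if data.startswith(b"\xff\xd8\xff")
                  else "png" if data.startswith(b"\x89PNG") else "unknown")
        if declared and actual != declared:
            findings.append((declared, actual))
    return findings


def build_sample_package():
    """Constructed docx-like ZIP (not the real sample) with a placeholder classid."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/activeX/activeX1.xml",
                    '<ax:ocx ax:classid="{11111111-2222-3333-4444-555555555555}"/>')
    return buf.getvalue()


def build_sample_rtf():
    """Constructed RTF: package behind OLE-style bytes with a \\par injected into the
    hex, plus a TIFF declared as a JPEG."""
    objhex = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + build_sample_package()).hex().encode()
    objhex = objhex[:40] + b"\\par " + objhex[40:]
    tiffhex = (b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8).hex().encode()
    return (b"{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objdata " + objhex + b"}}\n"
            b"{\\pict\\jpegblip\\picw100\\pich100 " + tiffhex + b"}\n}")
```

Running embedded_openxml(build_sample_rtf()) reports one carved package with is_openxml True, office_magic False (the ZIP written by Python's zipfile carries flag bits 0x0000, exactly the "looks like a regular Zip" signature the post describes for hand-built samples) and the placeholder classid from activeX1.xml; mislabeled_pictures on the same input returns [("jpeg", "tiff")]. The hex decoder deliberately ignores control words and nested groups inside the destination, because a \par or a {\*\blipuid ...} dropped into the hex stream is a cheap way to break naive extractors while Word still renders the object.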

Use Cryptam free on our website.