Wednesday, September 13, 2017

Signature Dev using QuickSand.io for RTF zero day CVE-2017-8759

After reading the FireEye blog on CVE-2017-8759, we decided to quickly write a signature for the new (though not yet widely used, and now patched) zero-day. We decided to use QuickSand.io, naturally.

First we searched for the FireEye reported hash fe5c4d6bb78e170abf5cf3741868ea4c in QuickSand.io.

The first hex block looks interesting:

Clicking the sha256 link brings up the hex view: it's an OLE document embedded in the RTF. We can see a WSDL link, and the highlighted hex turns out to be part of the class ID, rendered as c7b0abec-197f-d211-978e-0000f8757e2a. The first three fields of a GUID are stored little-endian, so reversing the byte order of each of those three blocks gives the SoapMoniker class ID ECABB0C7-7F19-11D2-978E-0000F8757E2A.

This handy list reveals the SoapMoniker class:



After some testing, we pushed out a CVE-2017-8759 signature to QuickSand.io and the free open source version.
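As an added example (not QuickSand.io's code, nor the signature we shipped), the following Python shows the two steps described above: turning the on-disk CLSID bytes from the hex view into the canonical GUID form, and then checking the \objdata payload of an RTF for a watch-listed CLSID the way a simple detection rule would. The RTF sample and the "SoapMoniker" watchlist entry are constructed for the demo; only the CLSID value itself comes from the post.

```python
"""Added example: decode COM class IDs from raw OLE bytes and look for a
watch-listed CLSID inside the \\objdata payload of an RTF file.
The RTF sample below is constructed, not a real malicious document."""
import re
import uuid

# Only the CLSID named in the post; the dict key is just a label.
WATCHLIST = {
    "SoapMoniker": "ECABB0C7-7F19-11D2-978E-0000F8757E2A",
}


def clsid_from_bytes(raw: bytes) -> str:
    """Render 16 on-disk CLSID bytes as the canonical GUID string.
    The first three fields (4+2+2 bytes) are stored little-endian, which is
    why they look byte-reversed in a hex dump; the last 8 bytes are not."""
    if len(raw) != 16:
        raise ValueError("a CLSID is exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw)).upper()


def clsid_to_bytes(clsid: str) -> bytes:
    """Inverse: the byte pattern a given CLSID has inside an OLE stream."""
    return uuid.UUID(clsid).bytes_le


# Matches a \objdata control word followed by its run of hex digits; Word
# wraps the hex across lines, so whitespace is allowed inside the run.
_OBJDATA = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def objdata_blobs(rtf: bytes):
    """Yield the decoded binary of every \\objdata group in the RTF."""
    for m in _OBJDATA.finditer(rtf):
        hexrun = re.sub(rb"\s+", b"", m.group(1))
        if len(hexrun) % 2:
            hexrun = hexrun[:-1]  # tolerate a truncated trailing nibble
        yield bytes.fromhex(hexrun.decode("ascii"))


def find_watchlisted_clsids(rtf: bytes):
    """Return sorted (label, clsid) pairs whose on-disk byte pattern appears
    in any embedded object payload of the RTF."""
    hits = set()
    for blob in objdata_blobs(rtf):
        for label, clsid in WATCHLIST.items():
            if clsid_to_bytes(clsid) in blob:
                hits.add((label, clsid))
    return sorted(hits)


# Constructed sample: a minimal RTF whose object payload carries the
# SoapMoniker CLSID bytes in on-disk (little-endian field) order,
# surrounded by filler bytes.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000\n"
    b"c7b0abec197fd211978e0000f8757e2a\n"
    b"00000000}}}"
)

if __name__ == "__main__":
    # Step 1: the bytes seen in the hex view, rendered as a GUID.
    print(clsid_from_bytes(bytes.fromhex("c7b0abec197fd211978e0000f8757e2a")))
    # Step 2: the same bytes found inside an RTF object payload.
    print(find_watchlisted_clsids(SAMPLE_RTF))
```

The check searches the decoded \objdata bytes rather than the RTF text, so the hex wrapping and casing Word uses do not matter; a production rule would also want to cover the other places an OLE object can appear in an RTF, which this example does not attempt.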
