GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → NotAwful → Cve 2017 0199 Fix

NotAwful / Cve 2017 0199 Fix

Quick and dirty fix to OLE2 executing code via .hta

Labels

windowsguideregistry

Projects that are alternatives of or similar to Cve 2017 0199 Fix

Ethereum Development With Go Book
📖 A little book on Ethereum Development with Go (golang)
Stars: ✭ 754 (+5285.71%)
Mutual labels:  guide
React Native Full Example
第一个完整的react-native项目。包括服务端和移动端两部分。服务端使用express+bootstrap进行搭建,主要功能有登录、退出、模块选择、查看、修改、删除、分页等后台管理的基本功能;移动端主要用到组件View、Text、Image、ScrollView、ListView等常用的组件,也使用了第三方的地图服务(高德地图),作为初学者。是一个很好的学习案例。
Stars: ✭ 809 (+5678.57%)
Mutual labels:  registry
Initior
A command line application that let's you initialize your new projects the right way, replaces npm and yarn's init 🎆
Stars: ✭ 17 (+21.43%)
Mutual labels:  registry
Nvim Lua Guide
A guide to using Lua in Neovim
Stars: ✭ 750 (+5257.14%)
Mutual labels:  guide
Mac Setup
Installing Development environment on macOS
Stars: ✭ 6,510 (+46400%)
Mutual labels:  guide
High School Guide To Machine Learning
Being a high schooler myself and having studied Machine Learning and Artificial Intelligence for a year now, I believe that there fails to exist a learning path in this field for High School students. This is my attempt at creating one.
Stars: ✭ 831 (+5835.71%)
Mutual labels:  guide
Anylayer
Android稳定高效的浮层创建管理框架
Stars: ✭ 745 (+5221.43%)
Mutual labels:  guide
Xcode Complete Guide
Productivity guide for Xcode.
Stars: ✭ 19 (+35.71%)
Mutual labels:  guide
Lerna Yarn Workspaces Example
How to build TypeScript mono-repo project with yarn and lerna
Stars: ✭ 787 (+5521.43%)
Mutual labels:  guide
Skpm
💎📦 A utility to build and publish Sketch plugins
Stars: ✭ 890 (+6257.14%)
Mutual labels:  registry
Machine Learning Curriculum
💻 Make machines learn so that you don't have to struggle to program them; The ultimate list
Stars: ✭ 761 (+5335.71%)
Mutual labels:  guide
Hidden
Windows driver with usermode interface which can hide objects of file-system and registry, protect processes and etc
Stars: ✭ 768 (+5385.71%)
Mutual labels:  registry
Sessiongopher
SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
Stars: ✭ 833 (+5850%)
Mutual labels:  registry
Docker Registry Ui
The simplest and most complete UI for your private registry
Stars: ✭ 756 (+5300%)
Mutual labels:  registry
Gitpr
Quick reference guide on fork and pull request workflow
Stars: ✭ 902 (+6342.86%)
Mutual labels:  guide
Awesome Berlin
🇩🇪 A guide aiming to help newcomers to have a successful start in Berlin!
Stars: ✭ 753 (+5278.57%)
Mutual labels:  guide
Win Lock Screen
🔒 Enable / Disable the Lock Screen for Windows 8, 8.1 & 10.
Stars: ✭ 6 (-57.14%)
Mutual labels:  registry
Envtool
Utility to check and search along environment variables. Or where Python/Cmake/Man-pages/pkg-modules/VCPKG-packages are located.
Stars: ✭ 10 (-28.57%)
Mutual labels:  registry
Machinelearningstocks
Using python and scikit-learn to make stock predictions
Stars: ✭ 897 (+6307.14%)
Mutual labels:  guide
Horde
Horde is a distributed Supervisor and Registry backed by DeltaCrdt
Stars: ✭ 834 (+5857.14%)
Mutual labels:  registry
View All Similar Projects ➔

CVE-2017-0199 Fix

Remove CVE-2017-0199's ability to execute code by changing the default handler for .hta files. The default handler for files invoked through OLE2 (COM Objects) is stored separately from the local system's default application and can only be changed through the registry.

Basic Logic Exploit

This is one practical example of this exploit, and is explained as I understand it. Not all occurances may follow this pattern and my assessment may be incorrect. The fix presented in the next section however does work in the situations I have tested it in.

  1. RTF document hosted on web server has malicious hypertext application (HTA) payload 'cat'ed to the end of it.
  2. Hosting server responds to GET requests for the file with a header stating the content is a HTA file.
  3. Microsoft Word runs a OLE2 object to fetch the RTF document from the web server.
  4. Microsoft Word is forced to validate the filetype as the extension .rtf does not match the content type of HTA.
  5. Microsoft Word checks from the end of file for recognizable data structures and matches HTA data structures to HTA content type.
  6. Microsoft Word auto-corrects the filetype and passes it to the COM handler for HTA files (mshta.exe).
  7. Mshta.exe runs the malicious hypertext application code from the end of the file.

COM handlers are stored separately from system handlers in the registry to prevent errors in the filetype validation process.

Basic Fix

  1. In RegEdit.exe navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon
  2. Open the advanced permissions for DefaultIcon
  3. Change owner to Administrators (group)
  4. Add your current user account to the list of security principals, assign it "Full Control"
  5. Edit the (Default) key to be C:\Windows\System32\notepad.exe,1
  6. In Advanced Permissions for DefaultIcon remove your user, and reassign SYSTEM as the owner
  7. Repeat Steps 1 through 6 for HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32, changing the (Default) key value to C:\Windows\System32\notepad.exe

This removes CVE-2017-0199's ability to execute code by changing the default handler for .hta objects invoked through OLE2 to notepad. This will apply to all instances of OLE2 invoking .hta files. This will cause notepad to open and will throw errors, but code will not execute.

ORIGINAL REGISTRY KEYS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon\(Default)
	C:\Windows\SysWOW64\mshta.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32\(Default)
	C:\Windows\SysWOW64\mshta.exe

EDITED REGISTRY KEYS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\DefaultIcon\(Default)
	C:\Windows\System32\notepad.exe,1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}\LocalServer32\(Default)
	C:\Windows\System32\notepad.exe

ENVIRONMENT

  • 1 Ubuntu 16.04.2 LTS Server with LAMP stack and SSH Server
  • 1 Windows 10 Client with Office 365 (2016)

REFERENCES

LESSONS

  • Do not edit HKCR directly. Edit the associated keys in either HKCU or HKLM.
  • You can return ownership of a registry key back to SYSTEM or others after taking it.
  • Don't screw with the registry. Leave it how you found it once you've made your changes.
  • Process Monitor has powerful right-click filtering to cut noise.
  • Process Monitor's find feature searches for a string in all fields.
  • pscp.exe (Putty) is a command-line SSH file transfer tool.
  • Linux is still a big pain.

Closing Remark

I take no responsibility for any damages or problems cause by this mitigation or user confusion resulting from notepad and a bunch of errors. This is a dirty fix and I do not know if this will cause wider issues in a production environment. As always, evaluate mitigations with your specific environment and needs in mind.

I will add screenshots later to show before and after effects of this mitigation. Also this can be done as a script, but I am having difficulties with changing permissions to the registry key and so I'll handle that later.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].