GT ECE 4112 - Windows XP File-Based Exploits

Section 0: Setup
Section 1: Macro Attacks
Section 2: Other File Attacks

ECE 4112 Internetwork Security
Lab X: Windows XP File-Based Exploits

Group Number: _____________
Member Names: ______________________ _______________________
Date Assigned:
Date Due:
Last Edited:
Lab Authored By: Chris Dalbec & Chris Woodard, Spring 2007

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

Goal: This lab will introduce several types of file-based exploits and methods to defend against them.

Summary: Files used will include MS Office files and other Windows file types. Students will also create macro viruses and then attempt to defend their system from them.

Equipment List: Windows XP virtual machine with Office installed, from the NAS.

Background and Theory: Macros

Background: What are macros? A macro is defined as a simple program statement that expands to execute more than one command. Once Windows came along, the term macro became the commonplace name for the programming language included in Microsoft Office documents and a few others. This macro programming language is also known as Visual Basic for Applications (VBA). VBA can gain access to almost any program installed and running on your computer. This makes it easy for, say, Word to communicate with Excel documents. This luxury isn't without sacrifice. VBA, because of its easy access to your operating system, can be used maliciously. In fact, it was one of the most common attacks made against computers.

The VBA editor can be accessed inside any file that takes advantage of VBA; below is what the editor generally looks like.

Please read the entire lab along with the appendices before you begin.

Malformed Pointer

What causes the vulnerability? When a user opens a specially crafted Word document using a malformed object pointer, it may corrupt system memory in such a way that an attacker could execute arbitrary code.

What might an attacker use the vulnerability to do? An attacker who successfully exploited this vulnerability could take complete control of the affected system.

How could an attacker exploit the vulnerability? In a Web-based attack scenario, an attacker would have to host a Web site that contains an Office file that is used to attempt to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user as an attachment and persuading the user to open the attachment.

From http://www.microsoft.com/technet/security/Bulletin/MS06-027.mspx

Trident or MSHTML

Trident (also known as MSHTML) is the name of the layout engine for the Microsoft Windows version of Internet Explorer. It was first introduced with the release of Internet Explorer version 4 in October 1997, has been steadily upgraded and remains in use today. For version 7 of Internet Explorer, Microsoft made significant changes to the Trident layout engine to improve compliance with web standards and add support for new technologies. Despite these changes, Trident remains significantly less compliant than the competing layout engines Gecko, Presto and WebCore.

Trident was designed as a software component to allow software developers to easily add web browsing functionality to their own applications. It presents a COM interface for accessing and editing web pages in any COM-supported environment, like C++ and .NET. For instance, a web browser control can be added to a C++ program and Trident can then be used to access the page currently displayed in the web browser and retrieve element values. Events from the web browser control can also be captured. Trident functionality becomes available by connecting the file mshtml.dll to the software project.

From http://en.wikipedia.org/wiki/MSHTML

Vector Markup Language

Vector Markup Language (VML) is an XML language used to produce vector graphics. VML was submitted as a proposed standard to the W3C in 1998 by Microsoft, Macromedia, and others. VML was rejected as a web standard because Adobe, Sun, and others submitted a competing proposal known as PGML. The two standards were joined and improved upon to create SVG.

The vulnerability is a stack-based buffer overflow. An overly long fill parameter inside a rect tag on a Web page triggers the overflow. The vulnerable component is the VML rendering library Vgx.dll (according to the vendor, "Microsoft Vector Graphics Rendering (VML)"). An attacker successfully exploiting this vulnerability can run code of his or her choice on the affected machine. The arbitrary code executes with the privileges of the logged-on user.

From http://en.wikipedia.org/wiki/Vector_Markup_Language and http://blogs.securiteam.com/index.php/archives/640

Windows Metafile

WMF is a graphics file format on Microsoft Windows systems, originally designed in the early 1990s and not commonly used after the rise of the World Wide Web and the widely used graphics formats such as GIF and JPEG. It is a vector graphics format which also allows the inclusion of raster graphics. Essentially, a WMF file stores a list of function calls that have to be issued to the Windows graphics layer GDI in order to restore the image. Since some GDI functions accept pointers to callback functions for error handling, a WMF file may include executable code. It is somewhat similar in purpose and design to the PostScript format used in the Unix world.

The vulnerability, located in gdi32.dll, arises from the way in which Windows operating systems handle Windows Metafile (WMF) vector images, and permits arbitrary code to be executed on affected computers without the knowledge or permission of their users. The vulnerability therefore facilitates the propagation of various types of malware, typically through drive-by downloads.

According to Secunia, "The vulnerability is caused due to an error in the handling of Windows Metafile files ('.wmf') containing specially crafted SETABORTPROC 'Escape' records. Such records allow arbitrary user-defined function to be executed when the
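Because a WMF file is just a list of GDI calls, the SETABORTPROC Escape records Secunia describes can be spotted by walking the record table before the file is ever rendered. The scanner below is an added example written for this lab, not code from the lab authors or from any vendor; it parses the WMF header and record stream using the record type and Escape codes from the MS-WMF specification and flags any META_ESCAPE record whose function is SETABORTPROC. The two sample files at the bottom are constructed inline so it runs offline.

```python
import struct

# WMF record types and Escape function codes from the MS-WMF specification
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B
META_ESCAPE = 0x0626          # record that forwards an Escape call to GDI
QUERYESCSUPPORT = 0x0008      # harmless Escape, used here as a control case
SETABORTPROC = 0x0009         # Escape that registers a callback: the WMF vector
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header precedes the standard one

def wmf_records(data):
    """Yield (function, params) for each record; stop on META_EOF or a bad size."""
    if len(data) < 4:
        return
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    off += 18                                   # standard 18-byte WMF header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2                   # RecordSize is counted in 16-bit words
        if size < 6 or off + size > len(data):  # truncated or lying length field
            break
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size

def scan_wmf(data):
    """Count records and flag META_ESCAPE records whose Escape function is SETABORTPROC."""
    report = {"records": 0, "escapes": [], "setabortproc": 0}
    for func, params in wmf_records(data):
        report["records"] += 1
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            report["escapes"].append(esc_func)
            if esc_func == SETABORTPROC:
                report["setabortproc"] += 1
    return report

# --- constructed sample files for the scanner (not real-world samples) ---
def record(func, params=b""):
    params += b"\x00" * (len(params) % 2)       # pad to a whole number of words
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_wmf(records):
    body = b"".join(records) + record(META_EOF)
    max_rec = max(len(r) for r in records + [record(META_EOF)]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body

BENIGN_WMF = build_wmf([record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
                        record(META_ESCAPE, struct.pack("<HH", QUERYESCSUPPORT, 2) + b"\x0c\x00")])
SUSPICIOUS_WMF = build_wmf([record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
                            record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"X" * 8)])
```

A non-zero "setabortproc" count is a strong reason to quarantine the file on a pre-patch system, since a legitimate image has no use for an abort procedure.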