Understanding Microsoft Word OLE Exploit Primitives
Until November 2013 (CVE-2013-3906), exploit primitives for Object Linking and Embedding (OLE) objects were not discussed publicly. This changed at BlackHat USA 2015, when Haifei Bing presented “Attacking Interoperability: An OLE Edition”. This talk examined the internals of OLE embedding. Over the past few months, several malware campaigns targeting high-profile organisations were discovered to be exploiting separate flaws within OLE objects. These attacks leveraged similar exploitation tactics to those seen in the original CVE-2013-3906 malware sample.
Again, OLE exploitation is not new, but in the past, research about OLE has only focused on analysing malware for incident response and forensic purposes. This research attempts to document the necessary information for exploiting similar issues.
This paper is a written form of a presentation given at ToorCon San Diego in October 2015. It details the exploitation tactics used for exploiting the CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free vulnerability discovered by Yong Chuan, Koh of MWR Labs.
Published date: 30 October 2015
Written by: Dominic Wang