RTF数组溢出漏洞挖掘技术研究

doi:10.11959/j.issn.1000-436x.2017104

通信学报 ›› 2017, Vol. 38 ›› Issue (5): 96-107.doi: 10.11959/j.issn.1000-436x.2017104

RTF数组溢出漏洞挖掘技术研究

乐德广^1,^2,³,龚声蓉¹,吴少刚²,徐锋³,刘文生⁴

¹ 常熟理工学院计算机科学与工程学院，江苏常熟 215500
² 苏州大学计算机科学与技术学院，江苏苏州 215006
³ 中科梦兰电子科技有限公司，江苏常熟 215500
⁴ 泉州市公安局公共信息网络安全监察支队，福建泉州 362000

修回日期:2017-04-05 出版日期:2017-05-01 发布日期:2017-05-28
作者简介:乐德广（1975-），男，福建三明人，博士，常熟理工学院副教授，主要研究方向为信息安全与下一代互联网技术等。|龚声蓉（1966-），男，湖北天门人，博士，常熟理工学院教授、博士生导师，主要研究方向为图像处理与信息安全等。|吴少刚（1973-），男，安徽宿松人，博士，中科梦兰电子科技有限公司研究员，主要研究方向为计算机系统结构、并行与分布式计算等。|徐锋（1981-），男，江苏常熟人，中科梦兰电子科技有限公司高级工程师，主要研究方向为计算机体系结构及自主安全。|刘文生（1969-），男，福建泉州人，泉州公安局高级工程师，主要研究方向为网络安全。
基金资助:
国家自然科学基金资助项目(61202440);国家自然科学基金资助项目(61402057);江苏省产学研前瞻性联合研究基金资助项目(BY2016050-01);江苏省科技计划基金资助项目(BK20160411)

Research on RTF array overflow vulnerability detection

De-guang LE^1,^2,³,Sheng-rong GONG¹,Shao-gang WU²,Feng XU³,Wen-sheng LIU⁴

¹ School of Computer Science ＆Engineering,Changshu Institute of Technology,Changshu 215500,China
² School of Computer Science and Technology,Soochow University,Suzhou 215006,China
³ Lemote Electronic Technology Co.,Ltd.,Changshu 215500,China
⁴ Public Information Network Safety Supervision Division,Quanzhou Municipal Public Security Bureau,Quanzhou,362000,China

Revised:2017-04-05 Online:2017-05-01 Published:2017-05-28
Supported by:
The National Natural Science Foundation of China(61202440);The National Natural Science Foundation of China(61402057);The Production and Research Prospective Joint Research Project of Jiangsu Province(BY2016050-01);The Jiangsu Provincial Natural Science Foundation of China(BK20160411)

摘要/Abstract

摘要：

在虚函数执行中，由于错误操作C++对象的虚函数表而引起数组溢出漏洞。通过攻击虚函数造成系统崩溃，甚至导致攻击者可直接控制程序执行，严重威胁用户安全。为尽早发现并修复此类安全漏洞，对该安全漏洞的挖掘技术进行深入研究，结合MS Word解析RTF文件和虚函数调用之间的联系，发现MS Word在解析异常的RTF文件时存在数组溢出漏洞，并进一步提出基于文件结构解析的Fuzzing测试方法来挖掘RTF数组溢出漏洞。在此基础上，设计了RTF数组溢出漏洞挖掘工具（RAVD，RTF array vulnerability detector）。通过RAVD对RTF文件进行测试，能够正确挖掘出数组溢出漏洞。实际的模糊测试表明，设计的工具相比传统的漏洞挖掘工具具有更高的挖掘效率。

关键词: RTF文件, 漏洞挖掘, Fuzzing测试, 数组溢出

Abstract:

When the virtual function was executed,it could cause array overflow vulnerability due to error operation of the virtual function table of C++ object.By attacking the virtual function,it could cause the system crash,or even the attacker to control the execution of program directly was allowed,which threatened user’s security seriously.In order to find and fix this potential security vulnerability as soon as possible,the technology for detecting such security vulnerability was studied.Based on the analysis of the virtual function call during the MS Word parsing RTF files,the array overflow vulnerability generated by MS Word parsing abnormal RTF files,and a new RTF array overflow vulnerability detection method based on the file structure analytical Fuzzing was proposed.Besides,an RTF array overflow vulnerability detection tool (RAVD,RTF array vulnerability detector) was designed.The test results show RAVD can detect RTF array overflow vulnerabilities correctly.Moreover,the Fuzzing results show RAVD has higher efficiency in comparison with traditional file Fuzzing tools.

Key words: RTF document, vulnerability detection, Fuzzing test, array overflow

中图分类号:

TP393

乐德广,龚声蓉,吴少刚,徐锋,刘文生. RTF数组溢出漏洞挖掘技术研究[J]. 通信学报, 2017, 38(5): 96-107.

De-guang LE,Sheng-rong GONG,Shao-gang WU,Feng XU,Wen-sheng LIU. Research on RTF array overflow vulnerability detection[J]. Journal on Communications, 2017, 38(5): 96-107.

图/表 15

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

表1

表2

图12

表3

参考文献 24

[1]	CABALLERO J，LIN Z . Type inference on executables[J]. ACM Computing Surveys, 2016,48(4): 65.
[2]	HUANG S K , HUANG M H , HUANG P Y ,et al. Software crash analysis for automatic exploit generation on binary programs[J]. IEEE Transactions on Reliability, 2014,63(1): 270-289.
[3]	刘奇旭, 温涛, 闻观行 ,等. Flash 跨站脚本漏洞挖掘技术研究[J]. 计算机研究与发展, 2014,51(7): 1624-1632.
	LIU Q X , WEN T , WEN G X ,et al. Detection of XSS vulnerabilities in online flash[J]. Journal of Computer Research and Development, 2014,51(7): 1624-1632.
[4]	MASSACCI F , NGUYEN V H . An empirical methodology to evaluate vulnerability discovery models[J]. IEEE Transactions on Software Engineering, 2014,40(12): 1147-1162.
[5]	乐德广, 章亮, 郑力新 ,等. 面向RTF文件的Word漏洞分析[J]. 华侨大学学报（自然科学版）, 2015,36(1): 17-22.
	LE D G , ZHANG L , ZHENG L X ,et al. Research on Word vulnerability analysis for the RTF file[J]. Journal of Huaqiao University (Natural Science), 2015,36(1): 17-22.
[6]	乐德广, 章亮, 龚声蓉 ,等. 面向RTF的OLE对象漏洞分析研究[J]. 网络与信息安全学报, 2016,2(1): 34-45.
	LE D G , ZHANG L , GONG S R ,et al. Research on OLE object vulnerability analysis for RTF file[J]. Chinese Journal of Network and Information Security, 2016,2(1): 34-45.
[7]	王清 . 0day 安全软件漏洞分析技术[M]. 北京市:电子工业出版社. 2011: 345-346.
	WANG Q . 0day security:software vulnerability analysis techniques[M]. Beijing:Publishing House of Electronics Industry. 2011: 345-346.
[8]	DEWEY D , GIFFIN J T . Static detection of C++ vtable escape vulnerabilities in binary code[C]// 19th Annual Network and Distributed System Security Symposium (NDSS). 2012: 1-14.
[9]	JANG D , TATLOCK Z , LERNER S . SAFEDISPATCH:securing C++ virtual calls from memory corruption attacks[C]// 21th Annual Network and Distributed System Security Symposium (NDSS). 2014: 1-15.
[10]	PRAKASH A , HU X , YIN H . VfGuard:strict protection for virtual function calls in COTS C++ binaries[C]// 22th Annual Network and Distributed System Security Symposium (NDSS). 2015: 1-15.
[11]	BOUNOV D , KLCL R G , LERNER S . Protecting C++ dynamic dispatch through VTable interleaving[C]// 23th Annual Network and Distributed System Security Symposium (NDSS). 2016: 1-15.
[12]	李舟军, 张俊贤, 廖湘科 ,等. 软件安全漏洞检测技术[J]. 计算机学报, 2015,38(4): 717-732.
	LI Z J , ZHANG J X , LIAO X K ,et al. Survey of software vulnerability detection techniques[J]. Chinese Journal of Computers, 2015,38(4): 717-732.
[13]	COWAN C , PU C , MAIER D ,et al. StackGuard:automatic adaptive detection and prevention of buffer-overflow attacks[C]// 7th Conference on USENIX Security Symposium (USENIX). 1998: 5-15.
[14]	STOJANOVSKI N , GUSEV M , GLIGOROSKI D ,et al. Bypassing data execution prevention on microsoft Windows XP SP2[C]// The Second International Conference on Availability,Reliability and Security. 2007: 1222-1226.
[15]	KHARBUTLI M , JIANG X W , SOLIHIN Y ,et al. Comprehensively and efficiently protecting the heap[J]. ACM Sigops Operating Systems Review, 2006,40(5): 207-218
[16]	ZHANG C , CARR S A , LI T X ,et al. VTrust:regaining trust on virtual calls[C]// 23th Annual Network and Distributed System Security Symposium (NDSS). 2016: 1-15.
[17]	RTF 1.9.1.Rich text format (RTF) specification[S]. Microsoft Corporation, 2008.
[18]	VOSTOKOV D . Windows debugging:practical foundations[M]. Monkstown: Opentask PublisherPress, 2009: 79-81.
[19]	LI J X , XU X , LIAO L J ,et al. Concolic execute Fuzzing based on control-flow analysis[C]// 11th International Conference on Computational Intelligence and Security (CIS). 2015: 385-389.
[20]	MS-DOC 6.1.Word (.doc) binary file format[S]. Microsoft Corporation, 2017.
[21]	OUYANG Y J , ZENG S , CAO Y ,et al. A region-sensitive Fuzzing test based on multi-objective programming[J]. Lecture Notes on Software Engineering, 2016,4(2): 116-122.
[22]	HU C J , Li Z J , MA J X ,et al. File parsing vulnerability detection with symbolic execution[C]// 6th IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE), 2012: 135-142.
[23]	COHN R , RUSSELL J . OllyDbg[M]. VSD Publisher, 2012: 24-26.
[24]	KENNEDY D , O'GORMAN J , KEARNS D ,et al. Metasploit:the penetration tester's guide[M]. San Francisco: No Starch PressPress, 2011: 56-58.

RTF关键字段	FileFuzz	MiniFuzz	RAVD
\listoverridecount	√	×	√
\lfolevel	×	×	√
\listid	×	×	×
\listoverride	×	×	×
\listsimple	×	×	×
\levelnfc	×	×	×
\levelnfc	×	×	×
\listhybrid	√	√	√
\leveljc	×	×	×
\levelnfcn	√	√	√
\levelold	√	×	√
\levelnumbers	×	×	×

CVE ID	触发漏洞字段	触发漏洞模块	检测结果
CVE-2006-2492	\smarttags	mso.dll	√
CVE-2008-1091	\do	mso.dll	×
CVE-2008-4028	\dppolyline	mso.dll	×
CVE-2010-0134	\ls	rtfsr.dll	×
CVE-2010-1902	\do	mso.dll	×
CVE-2012-2528	\listid	winword.exe	×
CVE-2012-2539	\listoverridecount	wwlib.dll	×
CVE-2010-3333	\pFragments	mso.dll	×
CVE-2012-0158	\object	mscomctl.ocx	×
CVE-2012-1856	\object	mscomctl.ocx	×
CVE-2013-3906	\pict	ogl.dll	√
CVE-2014-1761	\listoverridecount	wwlib.dll	√
CVE-2014-1761	\lfolevel	wwlib.dll	√
CVE-2015-1641	\smarttags	msvcr71.dll	√
CVE-2015-1770	\object	osf.dll	×
CVE-2015-2424	\object	mscomctl.ocx	×
CVE-2015-2369	\object	rapi.dll	×
CVE-2016-0010	\pict	winword.exe	×

RTF数组溢出漏洞挖掘技术研究

Research on RTF array overflow vulnerability detection

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 15

参考文献 24

相关文章 8

Metrics

推荐阅读 0

测试用例数量	FileFuzz	MiniFuzz	RAVD
100	0	0	2
300	2	0	6
500	7	3	16
1 000	13	12	42

[1]	孙鸿宇,何远,王基策,董颖,朱立鹏,王鹤,张玉清. 人工智能技术在安全漏洞领域的应用[J]. 通信学报, 2018, 39(8): 1-17.
[2]	王志强,刘奇旭,张玉清. Android平台NFC应用漏洞挖掘技术研究[J]. 通信学报, 2014, 35(Z2): 117-123.
[3]	陈曦,田有亮,马卓,马建峰. 商业银行移动支付安全研究[J]. 通信学报, 2014, 35(Z2): 131-139.
[4]	王志强，刘奇旭，张玉清. Android平台NFC应用漏洞挖掘技术研究[J]. 通信学报, 2014, 35(Z2): 16-123.
[5]	陈曦，田有亮，马卓，马建峰. 商业银行移动支付安全研究[J]. 通信学报, 2014, 35(Z2): 18-139.
[6]	李伟明，于俊清，艾少波. PyFuzzer：自动化高效内存模糊测试方法[J]. 通信学报, 2013, 34(Z2): 13-68.
[7]	李伟明,于俊清,艾少波. PyFuzzer：自动化高效内存模糊测试方法[J]. 通信学报, 2013, 34(Z2): 64-68.
[8]	张友春,魏强,刘增良,周颖. 信息系统漏洞挖掘技术体系研究[J]. 通信学报, 2011, 32(2): 42-47.