RTF数组溢出漏洞挖掘技术研究

doi:10.11959/j.issn.1000-436x.2017104

Abstract

Abstract:

When the virtual function was executed,it could cause array overflow vulnerability due to error operation of the virtual function table of C++ object.By attacking the virtual function,it could cause the system crash,or even the attacker to control the execution of program directly was allowed,which threatened user’s security seriously.In order to find and fix this potential security vulnerability as soon as possible,the technology for detecting such security vulnerability was studied.Based on the analysis of the virtual function call during the MS Word parsing RTF files,the array overflow vulnerability generated by MS Word parsing abnormal RTF files,and a new RTF array overflow vulnerability detection method based on the file structure analytical Fuzzing was proposed.Besides,an RTF array overflow vulnerability detection tool (RAVD,RTF array vulnerability detector) was designed.The test results show RAVD can detect RTF array overflow vulnerabilities correctly.Moreover,the Fuzzing results show RAVD has higher efficiency in comparison with traditional file Fuzzing tools.

Key words: RTF document, vulnerability detection, Fuzzing test, array overflow

CLC Number:

TP393

De-guang LE,Sheng-rong GONG,Shao-gang WU,Feng XU,Wen-sheng LIU. Research on RTF array overflow vulnerability detection[J]. Journal on Communications, 2017, 38(5): 96-107.

Figures/Tables 15

References 24

[1]	CABALLERO J，LIN Z . Type inference on executables[J]. ACM Computing Surveys, 2016,48(4): 65.
[2]	HUANG S K , HUANG M H , HUANG P Y ,et al. Software crash analysis for automatic exploit generation on binary programs[J]. IEEE Transactions on Reliability, 2014,63(1): 270-289.
[3]	刘奇旭, 温涛, 闻观行 ,等. Flash 跨站脚本漏洞挖掘技术研究[J]. 计算机研究与发展, 2014,51(7): 1624-1632.
	LIU Q X , WEN T , WEN G X ,et al. Detection of XSS vulnerabilities in online flash[J]. Journal of Computer Research and Development, 2014,51(7): 1624-1632.
[4]	MASSACCI F , NGUYEN V H . An empirical methodology to evaluate vulnerability discovery models[J]. IEEE Transactions on Software Engineering, 2014,40(12): 1147-1162.
[5]	乐德广, 章亮, 郑力新 ,等. 面向RTF文件的Word漏洞分析[J]. 华侨大学学报（自然科学版）, 2015,36(1): 17-22.
	LE D G , ZHANG L , ZHENG L X ,et al. Research on Word vulnerability analysis for the RTF file[J]. Journal of Huaqiao University (Natural Science), 2015,36(1): 17-22.
[6]	乐德广, 章亮, 龚声蓉 ,等. 面向RTF的OLE对象漏洞分析研究[J]. 网络与信息安全学报, 2016,2(1): 34-45.
	LE D G , ZHANG L , GONG S R ,et al. Research on OLE object vulnerability analysis for RTF file[J]. Chinese Journal of Network and Information Security, 2016,2(1): 34-45.
[7]	王清 . 0day 安全软件漏洞分析技术[M]. 北京市:电子工业出版社. 2011: 345-346.
	WANG Q . 0day security:software vulnerability analysis techniques[M]. Beijing:Publishing House of Electronics Industry. 2011: 345-346.
[8]	DEWEY D , GIFFIN J T . Static detection of C++ vtable escape vulnerabilities in binary code[C]// 19th Annual Network and Distributed System Security Symposium (NDSS). 2012: 1-14.
[9]	JANG D , TATLOCK Z , LERNER S . SAFEDISPATCH:securing C++ virtual calls from memory corruption attacks[C]// 21th Annual Network and Distributed System Security Symposium (NDSS). 2014: 1-15.
[10]	PRAKASH A , HU X , YIN H . VfGuard:strict protection for virtual function calls in COTS C++ binaries[C]// 22th Annual Network and Distributed System Security Symposium (NDSS). 2015: 1-15.
[11]	BOUNOV D , KLCL R G , LERNER S . Protecting C++ dynamic dispatch through VTable interleaving[C]// 23th Annual Network and Distributed System Security Symposium (NDSS). 2016: 1-15.
[12]	李舟军, 张俊贤, 廖湘科 ,等. 软件安全漏洞检测技术[J]. 计算机学报, 2015,38(4): 717-732.
	LI Z J , ZHANG J X , LIAO X K ,et al. Survey of software vulnerability detection techniques[J]. Chinese Journal of Computers, 2015,38(4): 717-732.
[13]	COWAN C , PU C , MAIER D ,et al. StackGuard:automatic adaptive detection and prevention of buffer-overflow attacks[C]// 7th Conference on USENIX Security Symposium (USENIX). 1998: 5-15.
[14]	STOJANOVSKI N , GUSEV M , GLIGOROSKI D ,et al. Bypassing data execution prevention on microsoft Windows XP SP2[C]// The Second International Conference on Availability,Reliability and Security. 2007: 1222-1226.
[15]	KHARBUTLI M , JIANG X W , SOLIHIN Y ,et al. Comprehensively and efficiently protecting the heap[J]. ACM Sigops Operating Systems Review, 2006,40(5): 207-218
[16]	ZHANG C , CARR S A , LI T X ,et al. VTrust:regaining trust on virtual calls[C]// 23th Annual Network and Distributed System Security Symposium (NDSS). 2016: 1-15.
[17]	RTF 1.9.1.Rich text format (RTF) specification[S]. Microsoft Corporation, 2008.
[18]	VOSTOKOV D . Windows debugging:practical foundations[M]. Monkstown: Opentask PublisherPress, 2009: 79-81.
[19]	LI J X , XU X , LIAO L J ,et al. Concolic execute Fuzzing based on control-flow analysis[C]// 11th International Conference on Computational Intelligence and Security (CIS). 2015: 385-389.
[20]	MS-DOC 6.1.Word (.doc) binary file format[S]. Microsoft Corporation, 2017.
[21]	OUYANG Y J , ZENG S , CAO Y ,et al. A region-sensitive Fuzzing test based on multi-objective programming[J]. Lecture Notes on Software Engineering, 2016,4(2): 116-122.
[22]	HU C J , Li Z J , MA J X ,et al. File parsing vulnerability detection with symbolic execution[C]// 6th IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE), 2012: 135-142.
[23]	COHN R , RUSSELL J . OllyDbg[M]. VSD Publisher, 2012: 24-26.
[24]	KENNEDY D , O'GORMAN J , KEARNS D ,et al. Metasploit:the penetration tester's guide[M]. San Francisco: No Starch PressPress, 2011: 56-58.

Metrics

Recommended 0

No Suggested Reading articles found!

RTF关键字段	FileFuzz	MiniFuzz	RAVD
\listoverridecount	√	×	√
\lfolevel	×	×	√
\listid	×	×	×
\listoverride	×	×	×
\listsimple	×	×	×
\levelnfc	×	×	×
\levelnfc	×	×	×
\listhybrid	√	√	√
\leveljc	×	×	×
\levelnfcn	√	√	√
\levelold	√	×	√
\levelnumbers	×	×	×

CVE ID	触发漏洞字段	触发漏洞模块	检测结果
CVE-2006-2492	\smarttags	mso.dll	√
CVE-2008-1091	\do	mso.dll	×
CVE-2008-4028	\dppolyline	mso.dll	×
CVE-2010-0134	\ls	rtfsr.dll	×
CVE-2010-1902	\do	mso.dll	×
CVE-2012-2528	\listid	winword.exe	×
CVE-2012-2539	\listoverridecount	wwlib.dll	×
CVE-2010-3333	\pFragments	mso.dll	×
CVE-2012-0158	\object	mscomctl.ocx	×
CVE-2012-1856	\object	mscomctl.ocx	×
CVE-2013-3906	\pict	ogl.dll	√
CVE-2014-1761	\listoverridecount	wwlib.dll	√
CVE-2014-1761	\lfolevel	wwlib.dll	√
CVE-2015-1641	\smarttags	msvcr71.dll	√
CVE-2015-1770	\object	osf.dll	×
CVE-2015-2424	\object	mscomctl.ocx	×
CVE-2015-2369	\object	rapi.dll	×
CVE-2016-0010	\pict	winword.exe	×

Research on RTF array overflow vulnerability detection

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 15

References 24

Related Articles 3

Metrics

Recommended 0

测试用例数量	FileFuzz	MiniFuzz	RAVD
100	0	0	2
300	2	0	6
500	7	3	16
1 000	13	12	42

[1]	Jiawei QIN, Hua ZHANG, Hanbing YAN, Nengqiang HE, Tengfei TU. Research on context-aware Android application vulnerability detection [J]. Journal on Communications, 2021, 42(11): 13-27.
[2]	Zun-ying QIN,Guo-dong LI,Wei LI,Xu-chang HUANG. Design and implementation of OSPF vulnerability analysis and detection system [J]. Journal on Communications, 2013, 34(Z2): 58-63.
[3]	. Design and implementation of OSPF vulnerability analysis and detection system [J]. Journal on Communications, 2013, 34(Z2): 12-63.