Threat Research
Zero-Day HWP Exploit
FireEye recently identified several malicious documents in the wild that exploit a previously unknown vulnerability (CVE-2015-6585) in the Hangul Word Processor (HWP). HWP, published by the South Korean company Hancom, is a Korean word processing application. It is widely used in South Korea, primarily by government and public institutions, and some HWP programs, such as HWP Viewer, are also frequently used by private organizations. The payloads and infrastructure in the attack are linked to suspected North Korean threat actors. Hancom patched CVE-2015-6585 with a security update on September 7, 2015.
Exploit Details
HWP 2014 introduced support for the KS (Korean Industrial Standards) standardized HWP file format (HWPX). Although HWPX-formatted documents use the .hwpx extension by default, they may also use the .hwp extension of older HWP files. The new format, OWPML (Open Word-Processor Markup Language), uses XML files within a zip archive. The structural differences between HWP and HWPX documents are similar to those between Microsoft Word .doc and .docx files.
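Because an HWPX document can carry the legacy .hwp extension, a gateway or sandbox that routes files by extension alone can hand a zip-based HWPX to the wrong parser or miss it entirely. The following triage helper is an added example, not code from FireEye or Hancom: it classifies a file by its container magic (legacy HWP 5 documents are OLE compound files, like .doc; HWPX is a zip of XML files, like .docx) and flags an extension/container mismatch. The sample archive it builds is constructed, and its entry names are illustrative rather than the real OWPML layout.

```python
import io
import zipfile

# Magic bytes of the two container types this page contrasts.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (legacy HWP 5)
ZIP_MAGIC = b"PK\x03\x04"                        # zip local file header (HWPX)


def classify_container(data: bytes) -> str:
    """Return 'hwp-ole', 'hwpx-zip', 'zip-other' or 'unknown' from the bytes alone."""
    if data.startswith(OLE_MAGIC):
        return "hwp-ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        # The page states HWPX is XML files inside a zip archive; a zip with
        # no XML entries is not treated as HWPX.
        if any(n.lower().endswith(".xml") for n in names):
            return "hwpx-zip"
        return "zip-other"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Combine extension and container type; flag a zip-based HWPX named .hwp."""
    container = classify_container(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mismatch = ext == "hwp" and container == "hwpx-zip"
    return {"container": container, "extension": ext, "extension_mismatch": mismatch}


def build_sample_hwpx() -> bytes:
    """Constructed sample: a minimal zip with an XML entry (names are illustrative)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/hwp+zip")  # placeholder value
        zf.writestr("Contents/section0.xml", "<?xml version='1.0'?><root/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("report.hwp", build_sample_hwpx()))
```

A file flagged by `extension_mismatch` is not itself malicious; the point is to route it to the HWPX (zip/XML) parser and to the detection logic for the para text record, instead of trusting the extension.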
Para text is a data record type that stores the content of each paragraph of the body text. When parsing a para text tag within an .hwpx file, a logic error in hwpapp.dll results in a type confusion. When paired with an appropriate heap spray, this vulnerability can lead to code execution.