Shulou(Shulou.com)05/31 Report--

This article shows you how to carry out Office 0day vulnerability CVE-2018-0802 analysis, the content is concise and easy to understand, absolutely can make your eyes bright, through the detailed introduction of this article, I hope you can get something.

A new security patch was released at Microsoft in January 2018, which fixes the first office 0day vulnerability (CVE-2018-0802). The technical principle of this vulnerability is similar to the 17-year-old vulnerability (CVE-2017-11882) because the office formula editor component EQNEDT32.EXE does not check the length of font names, allowing attackers to execute arbitrary code by constructing malformed font names.

Introduction of loopholes

Threat type: arbitrary code execution

Threat level: high

Vulnerability name: CVE-2018-0802

Affected system and application version:

Microsoft Office 2007 Service Pack3

Microsoft Office 2010 Service Pack2 (32-bit editions)

Microsoft Office 2010 Service Pack2 (64-bit editions)

Microsoft Office 2013 Service Pack1 (32-bit editions)

Microsoft Office 2013 Service Pack1 (64-bit editions)

Microsoft Office 2016 (32-bitedition)

Microsoft Office 2016 (64-bitedition)

Download address of the patch:

Https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802

Loophole analysis

CVE-2018-0802 is a patch for CVE-2017-11882 that bypasses the vulnerability and the type is stack overflow. The root cause is that Microsoft did not fix another stack overflow when copying font FaceName in the patch of CVE-2017-11882. This vulnerability will only cause crash in unpatched versions, but it can be perfectly exploited in patched versions. Let's analyze the CVE-2018-0802 vulnerability through poc samples.

Figure 1 vulnerability program version information

As with CVE-2017-11882, the trigger data for this vulnerability is in the "Equation Native" stream of the extracted OLE object.

Fig. 2 data constructed by samples

Equation Native data structure

According to the information made public on the Internet, the data of the whole "EquationNative" is composed of:

EquationNative StreamData = EQNOLEFILEHDR + MTEFData

In the exploit document, the structure is as follows:

Figure 3 EQNLEFILEHDR header structure data

Figure 4 MTEFData structure

Figure 5 MTEFData data

When initializing a LOGFONT structure, the program does not check the length of the font name entered by the user, and copy overflow occurs directly. Vulnerability function:

Figure 6 functions triggered by vulnerabilities

The pointer to the LOGFONT structure is passed in by the sub_421774 function that calls sub_421E39, and the structure exists on the function stack of sub_421774, so it can cause the stack to overflow, overwrite the return address, and hijack the execution flow.

Figure 7 overflow function

In the process of analysis, a suspected recursion is found in the sub_421774 function. Sub_421774 first calls the vulnerability function sub_421E39 to initialize a LOGFONT structure, then calls the relevant API, passes in the structure, and obtains a font name from the system to save to Name. Then, it compares the obtained Name with the lpLogFont provided by the user, and if it is inconsistent, it calls the sub_4115A7 function, which indirectly calls the vulnerability function of CVE-2017-11882. If the patch CVE-2017-11882 is not installed, it will crash here, and then continue to call or not call itself according to the conditions specified by A3, which is the third parameter of the sub_421E39 function. The third parameter passed in when calling itself is 0, and the passed lpLogFont is the Name obtained from the system, so the second overflow will not occur and the recursion will not continue, so the function can return normally.

Figure 8 function call flow

Vulnerability exploitation

Through the analysis, we found that the overflow occurred in the sub_421774 function because the overflow occurred when initializing the lfFaceName field of the LOGFONT structure. Through figure 2 in the vulnerability analysis, we can see that the structure exists at the distance from the function stack to the return address (0xAC+0x4), while the offset of the lfFaceName field in the LOGFONT structure is 0x1c, as shown in the figure below, so the data that needs to be populated (0xAC+0x4-0x1c) needs to be filled in to overwrite the return address.

Fig. 9 LOGFONT structure

By looking at the protection properties of the program, it is found that ALSR protection is turned on, but data execution protection is not enabled. It is worth mentioning that the source buffer pointer of the font name is passed in as the first parameter of the overflow function, and the function uses the stdcall call protocol, that is, when the function returns, the address of the source buffer of the font name will be saved at the top of the stack, at this time we can jump to the memory of the source buffer of the font name as long as we can execute a ret instruction. At this point, we just need to bypass ALSR to find a ret instruction with a reliable address. It is necessary to say that ALSR is not completely address randomization, ALSR will only take 0x10000 as a unit, random, assuming that we return the address is 0xc014e2, then if we find a ret instruction in the memory address from 0xc00000 to 0xc0ffff, and can only cover the low address of the return address 2 bytes, because it is the string copy, so the range is narrowed down to 0xc00000 to 0xc000ff.

Find the address of 0xc00025 by searching

According to the previous conclusion, there is a space of (0xAC+0x4-0x1c = 0x94) size before overwriting the return value, and the size of shellcode must be less than or equal to 0x94, which is sufficient, shellcode layout:

Figure 9 shellcode layout

The function returns twice, returns to the source buffer of the font name to execute the code, the meta-buffer for our constructed shellcode, the shellcode is executed, and the vulnerability is triggered

Figure 10 scenario after the vulnerability is triggered

Treatment plan:

Update the patch in a timely manner

Download address of the patch:

Https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802

2. Disable this module through the registry, which can be alleviated by modifying the registry and disabling the following COM controls, where XX.X is the version number

Enter in the run:

Reg add "HKLM\ SOFTWARE\ Microsoft\ Office\ XX.X\ Common\ COMCompatibility\ {0002CE02-000000-0000-C000-0000000046}" / v "Compatibility Flags" / t REG_DWORD / d 0x400

Reg add "HKLM\ SOFTWARE\ Wow6432Node\ Microsoft\ Office\ XX.X\ Common\ COMCompatibility\ {0002CE02-000000-0000-C000-0000000046}" / v "Compatibility Flags" / t REG_DWORD / d 0x400

The above content is how to analyze Office 0day vulnerabilities in CVE-2018-0802. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.