What is the detailed analysis of Office vulnerabilities?

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail how an Office vulnerability is analysed. The content is of practical value, so the editor shares it here for reference; I hope you will have a clearer understanding of the relevant knowledge after reading it.

In November 2017 Microsoft released a Windows patch that fixed, among others, CVE-2017-11882. In 2018 it continued to release patches fixing a number of vulnerabilities, including CVE-2018-0802. CVE-2018-0802 once again exploits a stack overflow in the EQNEDT32.EXE formula editor, and it bypasses the CVE-2017-11882 patch. There is also a POC that combines the two vulnerabilities. Let's take a look at this vulnerability.

Vulnerability analysis

Analysis environment: Windows 7

Office version: Office 2007 SP3 with the CVE-2017-11882 patch applied

Let's first take a look at the properties of EQNEDT32.exe after the patch.

Looking at the POC's RTF file, we can see that it still uses the objupdate control word to make the OLE object update and load automatically.

Then we extract the OLE object with rtfobj.py.

We can look at the structure of the 28-byte EQNOLEFILEHDR at the front. Then comes the MTEF data, which corresponds to the highlighted region below. The first byte, 03, is the MTEF version number; the second byte, 01, indicates that it was generated on the Windows platform; the third byte, 01, indicates that it was generated by the formula editor; these are followed by the product's major and minor version numbers.

After that comes the formula data stream, a series of records. The record tag byte 08 denotes a Font record, which we look up in the MTEF documentation.

Let's take a closer look at this Font record: its fields are tface, style and name, respectively. It seems that this time it is again the font name that went wrong, just as it was in CVE-2017-11882.

Next, let's use dynamic debugging to pin down the vulnerable location.

Set windbg as the default debugger and register it as the post-mortem debugger for EQNEDT32.EXE, so that windbg is attached to EQNEDT32.EXE automatically when it starts.

By triggering a crash and walking the stack backtrace, we locate the vulnerable function. Its address is 012D1774 and the module base is 0x12B0000. Addresses seen during dynamic debugging may differ from run to run because the module has ASLR enabled.

Through dynamic analysis we find that the vulnerability lies in sub_1201E39, within the crashing function.

The overflow point is in the copy routine. We can see that this key function is mainly used to initialize a LOGFONT structure.

There is an obvious stack overflow in this copy: it copies bytes until a 0x00 byte is encountered, which in this sample means 0x94 bytes, while only 0x1c bytes were allocated on the stack, so the stack overflows.
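As an added example (not code from the article), a small Python check that walks the 28-byte EQNOLEFILEHDR, the MTEF header and the leading Font record(s) described above, and flags a face name longer than the 0x1c-byte stack buffer the analysis measured. The record layout and the thresholds follow the article; the parser is deliberately simplified (it only examines Font records at the start of the record stream, which is where the sample places its overlong name), and the sample objects are constructed here.

```python
import struct

EQNOLEFILEHDR_LEN = 0x1C   # 28-byte header in front of the MTEF data (from the article)
FONT_RECORD_TAG = 0x08     # MTEF record tag for a Font record
# The article measured a 0x1C-byte stack buffer for the face-name copy, so any
# name longer than that already overflows it. Threshold taken from that analysis.
SAFE_FONT_NAME_MAX = 0x1C


def parse_equation_stream(data: bytes) -> dict:
    """Parse EQNOLEFILEHDR + MTEF header, then the Font records at the start of
    the stream. Simplified (assumption): any other record type ends the walk."""
    if len(data) < EQNOLEFILEHDR_LEN + 5:
        raise ValueError("too short for EQNOLEFILEHDR + MTEF header")
    cb_hdr = struct.unpack_from("<H", data, 0)[0]   # first field is the header size
    if cb_hdr != EQNOLEFILEHDR_LEN:
        raise ValueError(f"unexpected EQNOLEFILEHDR size {cb_hdr:#x}")
    pos = EQNOLEFILEHDR_LEN
    # MTEF header: version, platform, product, product major, product minor
    mtef_version, platform, product, major, minor = data[pos:pos + 5]
    pos += 5
    fonts = []
    while pos < len(data) and data[pos] == FONT_RECORD_TAG:
        tface, style = data[pos + 1], data[pos + 2]
        end = data.find(b"\x00", pos + 3)     # the copy runs until a 0x00 byte
        if end == -1:                         # unterminated: copy would run to the end
            end = len(data)
        fonts.append({"tface": tface, "style": style, "name_len": end - (pos + 3)})
        pos = end + 1
    return {"mtef_version": mtef_version, "platform": platform, "product": product,
            "product_version": (major, minor), "fonts": fonts}


def is_suspicious(parsed: dict) -> bool:
    """True if any Font record name exceeds the stack buffer the copy writes into."""
    return any(f["name_len"] > SAFE_FONT_NAME_MAX for f in parsed["fonts"])


def make_sample(font_name: bytes) -> bytes:
    """Constructed object: EQNOLEFILEHDR, MTEF v3 header, one Font record."""
    hdr = struct.pack("<H", EQNOLEFILEHDR_LEN) + b"\x00" * (EQNOLEFILEHDR_LEN - 2)
    mtef_hdr = bytes([0x03, 0x01, 0x01, 0x03, 0x0A])   # v3, Windows, Equation Editor, 3.10
    return hdr + mtef_hdr + bytes([FONT_RECORD_TAG, 0x01, 0x00]) + font_name + b"\x00"


BENIGN = make_sample(b"Times New Roman")
OVERLONG = make_sample(b"A" * 0x94)   # mirrors the 0x94-byte copy observed in the article
```

Run it over the object extracted with rtfobj.py to get the same verdict as the manual inspection above.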

This time the goal is simply to overwrite the return address. Let's look at how the return address is overwritten and how ASLR is bypassed. We can see that the return address before the overwrite is 012014e2, which is the instruction immediately following the call to the crashing function.

Let's take a look at the return address after the overwrite: it becomes 01200025.

The address 0x01200025 holds a retn instruction, and it is this overwrite that bypasses ASLR. In a 32-bit process only the upper two bytes of the module's base address are randomized at each load, while the lower two bytes stay the same; overwriting only the low two bytes of the return address (14e2 becomes 0025) therefore lands on the same instruction whatever the base, and it is this property that defeats ASLR.

Let's look at why this particular ret instruction was chosen: executing it returns into the first parameter of the crashing function.

That parameter is lpLogfont, i.e. the FontName that the sample controls.

Since DEP is not enabled, code can be executed on the stack. Let's take a look at this shellcode.

Another point is that this exploit does not run on unpatched systems: the length needed for CVE-2017-11882 to overwrite the return address is much smaller than in this sample, so running this sample on an unpatched system triggers CVE-2017-11882 and crashes. There is also a POC circulating online that combines the two vulnerabilities: when exploitation via CVE-2017-11882 fails, it falls back to CVE-2018-0802.

Both vulnerabilities target the EQNEDT32.EXE formula editor, and attacks combining them with CVE-2017-11882 can do great harm. It is recommended to apply the patch or disable the EQNEDT32.EXE module as soon as possible.

Remediation recommendations

Patch download address: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802

Or disable this module directly through the registry (replace XX.X with the installed Office version number, e.g. 12.0 for Office 2007):

reg add "HKLM\SOFTWARE\Microsoft\Office\XX.X\Common\COMCompatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\XX.X\Common\COMCompatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

That concludes this detailed analysis of an Office vulnerability. I hope the above content has been of some help and that you have learned something from it. If you think the article is good, please share it so that more people can see it.
