2025-03-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
How to analyze the Microsoft Office memory corruption vulnerability CVE-2017-11882? This article walks through the analysis and the corresponding fix in detail, in the hope of giving readers facing this problem a simple and practical method.
In November 2017, Microsoft fixed a serious remote code execution vulnerability in Office, numbered CVE-2017-11882, as part of a routine patch release. The vulnerability is a buffer overflow located in the EQNEDT32.EXE component. When a victim opens a malicious Office document, malicious code can be executed without any further interaction.
It is reported that this component was developed by Design Science Inc. and later acquired by Microsoft. The component was compiled and embedded into Office in 2001 and was never modified afterwards, so the flaw has existed for 17 years. It affects all Office versions currently in common use.
360CERT confirmed through analysis that this vulnerability carries a risk of remote command execution, and recommends that users apply the corresponding patch as soon as possible.
0x01 Vulnerability overview
EQNEDT32.EXE is used to insert and edit equations in a document. Every formula inserted into the document is an OLE object, and the component is built on the OLE technical specification. It first shipped with Microsoft Office 2000 and Microsoft Office 2003. Since the Microsoft Office 2007 suite, the way equations are displayed and edited has changed, and although EQNEDT32.EXE is obsolete, it was not removed from the Office suite, in order to preserve compatibility with older documents.
EQNEDT32.EXE implements a set of standard OLE COM interfaces:
IOleObject
IDataObject
IOleInPlaceObject
IOleInPlaceActiveObject
IPersistStorage
The problem lies in IPersistStorage::Load. Because of its age, the component was built without vulnerability mitigations such as ASLR, which makes it easier to exploit.
0x02 Vulnerability analysis
The PoC for this vulnerability found on VirusTotal was labelled CVE-2017-11882 by several detection engines (initially, only Microsoft detected it).
As mentioned above, analysis of the malicious sample shows that the problem lies in the function sub_41160F in EQNEDT32.EXE. As shown in the figure, the strcpy call does not check the length of the string being copied, which results in an overflow.
By debugging, one can infer that under normal circumstances the first parameter, held in the eax register, should be the font name.
Extracting the OLE object from the sample with rtfobj shows that the font name is cmd.exe.
After the padding of AAA... comes 0x430C12, the address in EQNEDT32.EXE where WinExec is called.
The return address is overwritten with 0x430C12 so that the command is executed.
The final execution result is shown in the figure.
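The defect described above is the classic pattern of an unbounded strcpy into a fixed-size stack buffer. The following C program is an added example written for this article, not code from EQNEDT32.EXE or from 360CERT: it places the unchecked copy pattern beside a hardened version that refuses any font name that would not fit, and runs both a benign name and a constructed 200-byte "AAA..." name like the one in the sample through the check. The buffer size FONT_NAME_BUF, the function names and the sample inputs are all assumptions made for this example; the article does not state the real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer the font name is copied into.
 * Hypothetical value chosen for this example; the article does not
 * state the real buffer size used in EQNEDT32.EXE. */
#define FONT_NAME_BUF 36

/* Pattern the article describes: strcpy() into a fixed-size stack buffer
 * with no length check. A font name longer than the buffer overwrites
 * whatever follows it on the stack, including the saved return address.
 * Shown for contrast only; this program never calls it with an
 * oversize name, since doing so is undefined behaviour. */
static void copy_font_name_unchecked(const char *font_name)
{
    char buf[FONT_NAME_BUF];
    strcpy(buf, font_name);          /* no bound: overflows if the name is too long */
    (void)buf;
}

/* Hardened form: measure first, reject anything that does not fit
 * (including the terminating NUL), then copy exactly that many bytes.
 * Returns 0 on success and -1 if the name is too long. Refusing is
 * preferred over silent truncation, which would hide malformed input. */
int copy_font_name_checked(const char *font_name, char *out, size_t out_len)
{
    size_t n = strlen(font_name);
    if (n >= out_len)
        return -1;                   /* would overflow: refuse the record */
    memcpy(out, font_name, n + 1);   /* n + 1 includes the NUL terminator */
    return 0;
}

/* Defender-side check for a font-name field taken from an OLE-extracted
 * equation object (as the article obtained with rtfobj): returns 1 when
 * the field would overflow the fixed buffer, 0 otherwise. The field is
 * treated as a plain NUL-terminated string; the surrounding record
 * layout is deliberately not modelled here. */
int font_name_overflows(const char *font_name)
{
    return strlen(font_name) >= FONT_NAME_BUF ? 1 : 0;
}

/* Constructed sample inputs (not taken from the real sample). */
static const char benign_name[] = "Times New Roman";

/* Builds a 199-character "AAA..." name mimicking the padding the article
 * describes, and returns the result of the checked copy (-1 expected). */
int malicious_copy_result(void)
{
    char out[FONT_NAME_BUF];
    char malicious_name[200];
    memset(malicious_name, 'A', sizeof(malicious_name) - 1);
    malicious_name[sizeof(malicious_name) - 1] = '\0';
    return copy_font_name_checked(malicious_name, out, sizeof out);
}

/* Returns the result of the checked copy for the benign name (0 expected). */
int benign_copy_result(void)
{
    char out[FONT_NAME_BUF];
    return copy_font_name_checked(benign_name, out, sizeof out);
}

int main(void)
{
    copy_font_name_unchecked(benign_name);   /* safe: 15 chars fit in 36 */
    printf("benign name: checked copy returned %d, overflow flag %d\n",
           benign_copy_result(), font_name_overflows(benign_name));
    printf("malicious name: checked copy returned %d\n", malicious_copy_result());
    return 0;
}
```

The point of the hardened version is that the length is established and compared against the destination before a single byte is written; a bounded copy such as strncpy alone would still need that comparison to detect, rather than just truncate, a hostile record.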
0x03 Affected versions
Office 365
Microsoft Office 2000
Microsoft Office 2003
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 2
Microsoft Office 2013 Service Pack 1
Microsoft Office 2016
0x04 Repair recommendation
360CERT recommends that users install the patch promptly to improve system security.
Mitigation: the problem can be alleviated by disabling the module through the registry, where XX.X is the Office version number:
reg add "HKLM\SOFTWARE\Microsoft\Office\XX.X\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\XX.X\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
This is the answer to the question of how to analyze the Microsoft Office memory corruption vulnerability CVE-2017-11882. I hope the above content has been of some help to you. If you still have questions, you can follow the industry information channel for more related knowledge.
© 2024 shulou.com SLNews company. All rights reserved.