CVE-2017-11882 technical analysis

Introduction 

This post explains how to analyse an office RTF document to identify CVE-2017-11882 vulnerability.

Microsoft Equation Editor is a Microsoft Office component, contains a stack buffer overflow vulnerability that enables remote code execution on a vulnerable system. The component was compiled on November 9, 2000, over 17 years ago. Without any further recompilation, it was used in all currently upported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe, meaning it runs as it’s own process and can accept commands from other processes.

Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) should protect against such attacks. However, because of the manner in which eqnedt32.exe was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to eqnedt32.exe, unless applied system-wide.  This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute an embedded attacker command

Tools 
Hash: 080b3a6dc6ddf645f6c156e1561eb0b8

Analysis
Search the file in virustotal (https://www.virustotal.com/) with virustotal-search.py to get an initial idea of  file whether it was detected by any anti-virus vendors. 
 Run rtfdump.py to see the available options, the necessary options to analyze this file have been highlighted. rtfdump.py shows the streams associated with the file
Observe the associated streams with this file and also the vulnerable stream object which invokes Microsoft equation editor EQNEDT32.exe 

View the vulnerable stream with -s option
Observe the stream content is in hexadecimal
Use -H option to decode and render it in ASCII format

Use grep to look for interesting strings or walk through entire stream to look at vulnerable equation editor component
Observe the invocation to get an hta file and execute it. Here the rtf1.txt is file is downloaded using wget to analyse it further. The malicious object can also be dumped using -d option
View the malicious object using cat 
The rtf1.txt is downloaded using wget. The script shows that further it starts powershell in hidden mode to fetch an executable and execute it 

The executable is fetched again using wget and can be analysed offline ( static or dynamic malware analysis). Below is  the has of 888_cr.exe

Hash: e8d4e87d7f31eb396cff677b616e9db6





Comments

Post a Comment

Popular posts from this blog

Memory Analysis of WannaCry Ransomware

Memory dump analysis of Donny's System

Malicious document analysis Part - 1