Introduction
This post explains how to analyse an office RTF document to identify CVE-2017-11882 vulnerability.
Microsoft Equation Editor is a Microsoft Office component, contains a stack buffer overflow vulnerability that enables remote code execution on a vulnerable system. The component was compiled on November 9, 2000, over 17 years ago. Without any further recompilation, it was used in all currently upported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe, meaning it runs as it’s own process and can accept commands from other processes.
Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) should protect against such attacks. However, because of the manner in which eqnedt32.exe was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to eqnedt32.exe, unless applied system-wide. This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute an embedded attacker command
Tools
Use -H option to decode and render it in ASCII format
This post explains how to analyse an office RTF document to identify CVE-2017-11882 vulnerability.
Microsoft Equation Editor is a Microsoft Office component, contains a stack buffer overflow vulnerability that enables remote code execution on a vulnerable system. The component was compiled on November 9, 2000, over 17 years ago. Without any further recompilation, it was used in all currently upported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe, meaning it runs as it’s own process and can accept commands from other processes.
Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) should protect against such attacks. However, because of the manner in which eqnedt32.exe was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to eqnedt32.exe, unless applied system-wide. This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute an embedded attacker command
Tools
- RTFDUMP https://blog.didierstevens.com/2016/08/02/rtfdump-update-and-videos/
- REMNux https://remnux.org/
Hash: 080b3a6dc6ddf645f6c156e1561eb0b8
Analysis
Search the file in virustotal (https://www.virustotal.com/) with virustotal-search.py to get an initial idea of file whether it was detected by any anti-virus vendors.
Run rtfdump.py to see the available options, the necessary options to analyze this file have been highlighted. rtfdump.py shows the streams associated with the file
Observe the associated streams with this file and also the vulnerable stream object which invokes Microsoft equation editor EQNEDT32.exe
View the vulnerable stream with -s option
Observe the stream content is in hexadecimal
Use grep to look for interesting strings or walk through entire stream to look at vulnerable equation editor component
Observe the invocation to get an hta file and execute it. Here the rtf1.txt is file is downloaded using wget to analyse it further. The malicious object can also be dumped using -d option
View the malicious object using cat
The rtf1.txt is downloaded using wget. The script shows that further it starts powershell in hidden mode to fetch an executable and execute it 
The executable is fetched again using wget and can be analysed offline ( static or dynamic malware analysis). Below is the has of 888_cr.exe
Hash: e8d4e87d7f31eb396cff677b616e9db6
The executable is fetched again using wget and can be analysed offline ( static or dynamic malware analysis). Below is the has of 888_cr.exe
Hash: e8d4e87d7f31eb396cff677b616e9db6
Comments
Post a Comment