Skip to main content

CVE-2017-11882 technical analysis

Introduction 

This post explains how to analyse an office RTF document to identify CVE-2017-11882 vulnerability.

Microsoft Equation Editor is a Microsoft Office component, contains a stack buffer overflow vulnerability that enables remote code execution on a vulnerable system. The component was compiled on November 9, 2000, over 17 years ago. Without any further recompilation, it was used in all currently upported versions of Microsoft Office. Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe, meaning it runs as it’s own process and can accept commands from other processes.

Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) should protect against such attacks. However, because of the manner in which eqnedt32.exe was linked, it will not use these features, subsequently allowing code execution. Being an out-of-process COM server, protections specific to Microsoft Office such as EMET and Windows Defender Exploit Guard are not applicable to eqnedt32.exe, unless applied system-wide.  This provides the attacker with an avenue to lure targets into opening specially crafted documents, resulting in the ability to execute an embedded attacker command

Tools 
Hash: 080b3a6dc6ddf645f6c156e1561eb0b8

Analysis
Search the file in virustotal (https://www.virustotal.com/) with virustotal-search.py to get an initial idea of  file whether it was detected by any anti-virus vendors. 
 Run rtfdump.py to see the available options, the necessary options to analyze this file have been highlighted. rtfdump.py shows the streams associated with the file
Observe the associated streams with this file and also the vulnerable stream object which invokes Microsoft equation editor EQNEDT32.exe 

View the vulnerable stream with -s option
Observe the stream content is in hexadecimal
Use -H option to decode and render it in ASCII format

Use grep to look for interesting strings or walk through entire stream to look at vulnerable equation editor component
Observe the invocation to get an hta file and execute it. Here the rtf1.txt is file is downloaded using wget to analyse it further. The malicious object can also be dumped using -d option
View the malicious object using cat 
The rtf1.txt is downloaded using wget. The script shows that further it starts powershell in hidden mode to fetch an executable and execute it 

The executable is fetched again using wget and can be analysed offline ( static or dynamic malware analysis). Below is  the has of 888_cr.exe

Hash: e8d4e87d7f31eb396cff677b616e9db6





Comments

Post a Comment

Popular posts from this blog

Memory Analysis of WannaCry Ransomware

Introduction 
This post explains the memory dump analysis of WannaCry infected system using volatility (An open source memory forensics framework) and other open source tools. It doesn't cover the analysis of initial infection vector, propagation and recovery of infected system. The objective is to leverage memory forensic analysis to uncover and extract Indicators of Compromise (IoC) 


WannaCry 
WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting the Microsoft Windows operating system. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages.The attack has been described by Europol as unprecedented in scale. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Discalimer
You are dealing with real malware samples Don’t expose them to internal networks or internet Analyze them in a controlled environme…

Memory dump analysis of Donny's System

Introduction 

This post solves the mystery of Donny's System  and outlines how to utilize memory forensics methodology to uncover artifacts from memory dumps

Tools: Volatility, Yara  & Windows Powershell

Analysis

Six-step investigative methodology by SANS

Identify rogue processes Analyze process DLLs and handles  Review network artifacts Look for evidence of code injection Check for signs of rootkitDump suspicious processes and drivers  Run volatility imageinfo plugin  to identify profile  PS C:\volatility> .\vol.exe -f .\unknown.vmem imageinfo
Run Volatility pslist plugin to see active running processes
PS C:\volatility> .\vol.exe -f .\unknown.vmem --profile=WinXPSP3x86 pslist
Just to remind that all process creation and termination timings are specified in UTC. Ensure to change them to system timezone while correlating the events with other sources of evidence
game.exe clearly looks suspicious as it ran and exit in a short span of time. The most interesting part was explor…

Malicious document analysis Part - 1

Introduction 
A basic and quick approach to analyse phishing documents to identify indicators of maliciousness. FYI this post doesn't cover complete & in depth analysis of malicious documents

Tools 
Didier Stevens Suite sudo pip install oletools Yara - A pattern matching Swiss knife Analysis  All document samples are pulled from Hybrid Analysis - a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology. 
Hash 1: e07c84f98332b07ae40a22f15c32cbf794586e26576a7539def667881e15beae

Download above mentioned sample and check the integrity
Check the file properties using native Linux file command which gives quick idea about sample
Download Didier Stevens Suite and check for yara rules.
Run various rules against the sample document to identify any sort of maliciousness
The below rule can identify an executable file embedded in OLE objects
 Run above yara rule against the downloaded document
Observe the below mald…