
Ant1n0/equaltion_editor_exploit

CVE-2017-11882 Study

Student Names: Peiran Sun, Yufeng Ge

Date: 2022.2.20

Intro:

Today we are going to talk about a vulnerability that has affected everyone who uses Microsoft Office for almost two decades.

When opening a Microsoft Office file, have you ever noticed this annoying warning?

I always wondered: how can a file that displays only text and pictures, and maybe sometimes video, harm your computer?

After thorough research on this topic, it turns out that the Microsoft Office suite involves much more than text and pictures. Today we are going to talk about one of the most well-known vulnerabilities researchers have found inside Microsoft Office, called the Microsoft Office Memory Corruption Vulnerability.

Description of CVE-2017-11882:

CVE reference link

Vulnerability reference link

First, let us discuss a little about how this vulnerability works.

This vulnerability is a stack buffer overflow inside the Equation Editor component shipped with Office. Attackers exploit it by crafting an Office file that triggers the error. Once that file is opened, a script of limited length can be executed with the privileges of the current user.

That script can then download and execute any remote payload on the affected host without further restriction. Common choices of payload are information-stealing software and ransomware.
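To make the class of defect concrete, here is an added example in C (not code from this study and not the Equation Editor's own code): a toy parser for a made-up length-prefixed font-name record, first with the unchecked copy into a fixed stack buffer that produces a stack buffer overflow, then with the bound check the hardened version needs. The record layout, the buffer size and the sample records are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy record layout, constructed for this example (not the real Equation
 * Editor file format): a one-byte length followed by that many bytes of
 * font-name text, with records laid back to back. */
#define NAME_BUF 16   /* size of the fixed stack buffer the parser copies into */

/* Vulnerable pattern. The length byte comes from the file, and nothing
 * compares it against the size of the stack buffer, so a record longer
 * than NAME_BUF bytes writes past 'name' into the rest of the stack frame.
 * This is the class of defect the write-up describes. Shown for contrast
 * only; it is never called below. */
int load_name_unchecked(const uint8_t *rec, size_t rec_len)
{
    char name[NAME_BUF];
    size_t n = rec[0];
    size_t i;
    if (rec_len < 1 + n)
        return -1;                    /* checks the input, not the destination */
    for (i = 0; i < n; i++)
        name[i] = (char)rec[1 + i];   /* overflows once n reaches NAME_BUF */
    name[n] = '\0';
    return (int)n;
}

/* Hardened version: the caller supplies the destination and its size, and
 * the length is checked against the destination before anything is copied.
 * Returns the name length, -1 for a truncated record, -2 for a name that
 * would not fit. */
static int load_name_checked(const uint8_t *rec, size_t rec_len,
                             char *out, size_t out_len)
{
    size_t n;
    if (rec_len < 1 || out_len == 0)
        return -1;
    n = rec[0];
    if (rec_len < 1 + n)
        return -1;                    /* record claims more bytes than exist */
    if (n >= out_len)
        return -2;                    /* also leaves room for the terminator */
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Walk a blob of concatenated records with the hardened loader. Returns the
 * number of records accepted, or the negative status of the first record
 * rejected; parsing stops there instead of continuing from a bad offset. */
static int scan_records(const uint8_t *blob, size_t blob_len)
{
    char name[NAME_BUF];
    int accepted = 0;
    size_t off = 0;
    while (off < blob_len) {
        int rc = load_name_checked(blob + off, blob_len - off, name, sizeof name);
        if (rc < 0)
            return rc;
        off += 1 + (size_t)rc;
        accepted++;
    }
    return accepted;
}

/* Constructed sample inputs. */
static const uint8_t kBenignBlob[] = {
    5, 'T', 'i', 'm', 'e', 's',
    6, 'S', 'y', 'm', 'b', 'o', 'l',
};
/* A benign record followed by one whose length byte (40) exceeds the 16-byte
 * buffer. The hex escape is a separate literal so it does not swallow the
 * following 'A' characters. */
static const char kOversizedBlob[] =
    "\x05" "Times"
    "\x28" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
/* A record whose length byte promises more bytes than the blob holds. */
static const uint8_t kTruncatedBlob[] = { 9, 'A', 'r', 'i', 'a', 'l' };

int main(void)
{
    printf("benign:    %d\n", scan_records(kBenignBlob, sizeof kBenignBlob));
    printf("oversized: %d\n", scan_records((const uint8_t *)kOversizedBlob,
                                           sizeof kOversizedBlob - 1));
    printf("truncated: %d\n", scan_records(kTruncatedBlob, sizeof kTruncatedBlob));
    return 0;
}
```

The difference between the two loaders is a single comparison against the destination size; that missing comparison, in a component compiled without stack cookies or ASLR, is what turns a file-parsing bug into code execution.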

CVE reference

Historical background:

Main reference

History reference

Equation editor reference

History reference 2

So what is wrong with Office, and how do attackers exploit it?

To understand this, we need a little historical background.

In 2000, Microsoft wanted to add mathematical equation functionality to its Office suite.

As a major corporation, Microsoft accomplished this by licensing a mature product from a third party.

They purchased a license for a math equation editor and embedded that editor in every subsequent Office suite. Reference

At the same time, this hard-to-find vulnerability was embedded along with it.

Over the following years, many new protection mechanisms were added to Windows. The Office suite also got a new math editor in 2007. Reference

However, to accommodate users with older software versions, Microsoft decided to include the old editor alongside the new one, so that old files could still be processed by the new software.

As for the buffer overflow bug, it was supposed to be no big deal. On a modern operating system, a small buffer overflow is quickly detected, and the anti-malware utilities will promptly kill the process.

And all modern software uses address space layout randomization (ASLR), meaning the stack memory locations are scrambled and allocated by the compiler, so a malicious script cannot find the overflowed buffer even if one exists.

With all the protection, what could go wrong?

The answer is Microsoft.

For some reason, Microsoft never recompiled the math equation component, so the majority of the software-side security measures never applied to it. Some sources suggest that Microsoft lost the source code for this component, but since nothing had gone wrong yet, nobody paid any attention to it.

Then we know what happened next. In 2017, this vulnerability saw the light of day and soon became one of the most popular Windows vulnerabilities used by attackers. Reference

CVE-2017-11882 Exploit In The Wild:

Microsoft quickly released a patch to fix this vulnerability. However, early versions of the Office suite were license-based, and many users simply did not like the idea of updating their software.

For this reason, this vulnerability was quickly exploited by hacker groups all over the world. In 2020, the FBI rated it among the top 10 vulnerabilities routinely exploited by hacker groups. (Reference)

Based on the information from CVE Stalker, we can see that the release of the patch did not prevent this exploit from running wild in recent years. (CVE stalker)

Web analytics also found that, due to the recent conflict in Ukraine, this exploit was also used by both civilian hackers and military attackers. (Reference)

Image reference, very interesting

How attackers use this Vulnerability:

Main Reference

Coding reference

Infection cycle reference

So how do hackers exploit this vulnerability?

Recall from the course that a stack overflow may let an attacker execute arbitrary malicious code, and we have one inside the Office Equation Editor process. For the reasons Peiran discussed, that process is not well protected.

Furthermore, the Office suite supports a file format known as Rich Text Format (RTF). It was designed to allow richer media inside Office documents: pictures, charts, even some videos. Math equations can also be expressed using this format.

Hence, to demonstrate the exploit concept, we only need to open an RTF file targeting this vulnerability.
Here is a sample RTF file (Sample).

It targets the math equation module of the Office suite. Once opened, it launches the Windows calculator to demonstrate a successful exploit.

From the general look of this file, you can see that it targets a buffer overflow.

This is a link to the proof of concept video of the above exploit.

However, even though many protection methods are bypassed, a file like this will still be detected by the anti-virus software on the local machine. Moreover, a file that looks this geeky and dangerous may not lure the victim into clicking on it.

Hence, here is a more common infection chain for this exploit. Reference

https://www.trendmicro.com/content/dam/trendmicro/global/en/migrated/security-intelligence-migration-spreadsheet/trendlabs-security-intelligence/2017/12/CVE-2017-11882-loki-1.jpg

It all starts with a normal email with an office document attached.

The targeted victims are those who need to edit the file, for example to confirm a receipt. To do so, they have to willingly disable Microsoft's Protected View.

Office supports a technology known as Object Linking and Embedding (OLE). It is a way to link an RTF object into your document. The link can also be specified by a URL, meaning the linked object can be stored in a remote location.

Unfortunately, this also means the malicious document can be hosted at a remote location to avoid detection.
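Since the exploit arrives as an RTF file carrying an OLE object, one defensive check is to inspect which OLE control words a document contains before anyone opens it. The following added example (not part of this study or of any referenced project) is a small C scanner over RTF text that counts \object destinations, reads the \objclass value, flags classes naming the Equation Editor (Equation.3 is the ProgID registered by Equation Editor 3.0; that identifier is assumed here, it is not stated in this write-up) and flags \objlink / \objautlink objects, the kind fetched from outside the file as in the infection chain described above. The three sample documents are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What the scanner reports for one document. */
typedef struct {
    int objects;          /* \object destinations found */
    int equation_objects; /* objects whose \objclass names the Equation Editor */
    int linked_objects;   /* \objlink or \objautlink: content fetched from outside the file */
    char first_class[64]; /* first \objclass value seen, for logging */
} rtf_findings;

/* True when c cannot continue an RTF control word (control words are letters only). */
static int ends_control_word(char c)
{
    return !isalpha((unsigned char)c);
}

/* Count occurrences of a control word such as "\\objlink", ignoring matches
 * that are only the prefix of a longer word. */
static int count_control_word(const char *rtf, const char *word)
{
    int count = 0;
    size_t wlen = strlen(word);
    const char *p = rtf;
    while ((p = strstr(p, word)) != NULL) {
        if (ends_control_word(p[wlen]))
            count++;
        p += wlen;
    }
    return count;
}

/* Copy the argument that follows "\objclass" into out, stopping at the next
 * backslash, brace or control character. Returns the copied length. */
static size_t read_class_name(const char *p, char *out, size_t out_len)
{
    size_t n = 0;
    while (*p == ' ')
        p++;
    while (*p && *p != '\\' && *p != '{' && *p != '}' &&
           !iscntrl((unsigned char)*p) && n + 1 < out_len)
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

static rtf_findings scan_rtf(const char *rtf)
{
    rtf_findings f;
    const char *p = rtf;
    memset(&f, 0, sizeof f);
    f.objects = count_control_word(rtf, "\\object");
    f.linked_objects = count_control_word(rtf, "\\objlink") +
                       count_control_word(rtf, "\\objautlink");
    while ((p = strstr(p, "\\objclass")) != NULL) {
        char cls[64];
        p += strlen("\\objclass");
        if (read_class_name(p, cls, sizeof cls) == 0)
            continue;
        if (f.first_class[0] == '\0')
            snprintf(f.first_class, sizeof f.first_class, "%s", cls);
        /* "Equation.3" is the Equation Editor 3.0 ProgID (assumed here); the
         * prefix match also catches other classes that start with "Equation". */
        if (strncmp(cls, "Equation", 8) == 0)
            f.equation_objects++;
    }
    return f;
}

/* Rank the findings: 0 no OLE objects, 1 an object of some other class,
 * 2 an object linked from outside the file, 3 an Equation Editor object. */
static int rtf_risk(const char *rtf)
{
    rtf_findings f = scan_rtf(rtf);
    if (f.equation_objects > 0) return 3;
    if (f.linked_objects > 0) return 2;
    if (f.objects > 0) return 1;
    return 0;
}

/* Constructed sample documents; the \objdata hex is a placeholder stub. */
static const char kBenignRtf[] =
    "{\\rtf1\\ansi{\\fonttbl{\\f0 Calibri;}}\\f0 Quarterly receipt, please confirm.\\par}";
static const char kEquationRtf[] =
    "{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    "{\\*\\objdata 01050000}}\\par}";
static const char kLinkedRtf[] =
    "{\\rtf1\\ansi{\\object\\objautlink{\\*\\objclass Word.Document.8}"
    "{\\*\\objdata 01050000}}\\par}";

int main(void)
{
    const char *docs[] = { kBenignRtf, kEquationRtf, kLinkedRtf };
    size_t i;
    for (i = 0; i < 3; i++) {
        rtf_findings f = scan_rtf(docs[i]);
        printf("doc %zu: objects=%d equation=%d linked=%d class=%s risk=%d\n", i,
               f.objects, f.equation_objects, f.linked_objects,
               f.first_class[0] ? f.first_class : "-", rtf_risk(docs[i]));
    }
    return 0;
}
```

This is a plain string scan, which is enough to show what to look for but not enough for production use: malicious RTF routinely obfuscates control words (splitting, nesting, padding), so a real scanner needs a proper RTF tokenizer such as the rtfobj tool in oletools.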

In this image, you can see the infected document requesting another external Word document from a foreign website. The requested payload is the malicious RTF.

Then an anomalous GET request was discovered by the web researcher soon after the file request, meaning the malicious RTF had downloaded and tried to execute a script.

The signature of the downloaded script was soon identified as the commercial information-stealing malware known as Loki.

Aftermath

CVE-2018-0798

CVE-2018-0802

Additional reference

Two weeks after the public disclosure of this vulnerability, Microsoft released a security update including a patch for the memory overflow. That patch was applied manually to the compiled program via reverse engineering. However, a patch does not change the fact that this module was compiled almost two decades ago and lacks every modern security mechanism.

Not surprisingly, this module was exploited a few more times after the initial patch, as documented by CVE-2018-0798, CVE-2018-0802 and this article.
