CVE-2018-0802: Debugging analysis of secondary overflow vulnerability in font name field of Microsoft office formula editor

1. Preface

  • CVE-2018-0802 is another overflow vulnerability discovered in the font name field after CVE-2017-11882, and is also known as the "second generation nightmare formula". Coincidentally, the two vulnerabilities stem from the same function, sub_421774, and both are stack overflows. It is said that the domestic security vendor 360 was the first to intercept the world's first attack exploiting this vulnerability and immediately published the specific details, giving security vendors valuable time to keep the attack from spreading further. The specific details of this vulnerability, as well as patches for each Office version, are available in Microsoft's routine security update of January 2018.

Note: since this vulnerability was analyzed following the author's own process, some places may not be written in detail and may be hard to follow. If anything is unclear, you can leave a message.

  • Office software versions affected by CVE-2018-0802: [figure: affected version list]

2. Debugging environment

  • Virtual machine: VMware 15 Pro + Windows 7 Ultimate ( ASLR && DEP turned off )
  • Vulnerable software: Office 2016 64-bit (extraction code: fc1b) + EQNEDT32.EXE (version 2000.11.9.0)
  • Equation editor plug-in: EQUATION (without CVE-2017-11882 patch, extraction code: behx) + EQUATION (with CVE-2017-11882 patch, extraction code: ck8o)
  • Vulnerability sample and Python generation script (packaged): CVE-2018-0802.zip (extraction code: 7x0x)
  • Hexadecimal editor: C32Asm (hex file analysis tool, extraction code: 4sj8)
  • Disassembly tool: x64dbg + IDA 7.2 (extraction code: zksm)
  • CVE-2017-11882 patch address: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
  • CVE-2018-0802 patch address: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802

Note: CVE-2018-0802 is triggered on top of the CVE-2017-11882 patch. In other words, both the CVE-2017-11882 vulnerability and its patch must be present for CVE-2018-0802 to trigger. For this reason, it is recommended to study and analyze CVE-2017-11882 first before analyzing CVE-2018-0802.

3. Debugging and analyzing the cause of the vulnerability

  • First, build an environment based on CVE-2017-11882 and apply its patch, to ensure that CVE-2018-0802 can be triggered.
  • Use the cve-2018-0802_poc.py script to generate the test.doc sample file.
  • Double-clicking the test.doc sample successfully pops up the calculator, indicating that the vulnerability does exist and is triggered before the document finishes loading. Let's study why the calculator pops up when the document is opened...
  • First set x64dbg to attach debugging mode, so that the debugger opens automatically when Office loads the EQNEDT32.EXE module. This is also one of the most convenient ways to debug child processes.
  • Then reopen the test.doc document. After the debugger attaches successfully, set breakpoints around the WinExec function, because popping up the calculator is done by this function.
  • Since CVE-2017-11882 has been analyzed before, based on the previously set breakpoints it can be concluded that WinExec is hit after the sub_421774 function is called. Next, the return address of this function is analyzed to determine whether the problem lies in sub_421774: conditional logging breakpoints are placed at the start and end of sub_421774 to record its return address.
  • After setting the breakpoints, reopen the test.doc document and obtain the log shown below. Analysis shows that the EQNEDT32.EXE module calls sub_421774 many times during operation, and that a problem occurred on the last call (circled in red): the return address pushed on the stack at start was 0x004214E2, but at end the return address had changed to 0x00420025, indicating that it was maliciously overwritten. From this it is determined that sub_421774 contains a memory overflow bug. Let's debug the function to find out what causes it.
  • Set a conditional breakpoint at start according to the log, esp == 18F308 && [esp] == 4214E2, to make debugging easier.
  • After reopening the document, it breaks at sub_421774 under the condition esp == 18F308 && [esp] == 4214E2. Debugging then showed that the vulnerability appears in the sub_421E39 function, because the return address is overwritten after this function executes; the rep string-copy instruction in sub_421E39 is the root cause. Since the local variable is 0xAC bytes in size, as long as the copied length exceeds 0xAC a stack overflow occurs.
  • Check the state of the stack after the rep instruction executes: the return address of sub_421774 in its stack frame has been overwritten with 0x00420025. Moreover, the copied data is the font name string, whose address is passed in as a parameter, as seen in the memory window.
  • Comparing against the data in the sample: the data is embedded in the RTF file's \objectgroup and belongs to the Equation Editor object (OLE).
  • Then, at the end of sub_421774, the ret instruction performs the return.
  • After sub_421774 returns, the program's EIP is successfully hijacked and execution runs to the 0x00420025 location.
  • Finally, arbitrary code execution is achieved (the security restriction bypass and the shellcode are analyzed later).

4. CVE-2017-11882 patch + CVE-2018-0802 combined analysis

  • Since CVE-2018-0802 is triggered on top of the CVE-2017-11882 patch, let's study why. To switch between the patched and unpatched versions, just replace the EQNEDT32.EXE file directly, and don't forget to make a backup.
  • First restore to the pre-patch version, i.e. the one in which CVE-2017-11882 can be triggered, then open the CVE-2018-0802 sample and see what happens. Because of the earlier conditional breakpoint, it breaks when sub_421774 runs.
  • After sub_421E39 runs, because the copied data (the font name, lpLogFont) is larger than the 0xAC-byte local variable, the stack overflows and the return address is overwritten with 0x00420025. So far, nothing unusual.
  • Then run to the sub_4115A7 function and press F7 to step into it. Note that the parameter passed in is the font name field.
  • Run to sub_41160F and step into it with F7 again. The parameters passed in still include the font name field.
  • The address 0x00411658 is the trigger point of CVE-2017-11882. The rep instruction copies the font name field into a local variable of the current function. Since the local variable is only 0x28 bytes in size, this causes a stack overflow again.
  • Then run to the sub_44C430 function and step into it with F7.
  • An exception occurs when the instruction mov dl, byte ptr ds:[ecx] executes, because the function's second parameter has been overwritten by the font name field, causing a read from an unknown address.
  • The exception sends the program directly to address 0x7DE915EE, causing it to exit without ever reaching the overwritten return address.
  • Run flow chart: [figure: execution flow, unpatched]
  • Comparing with the behaviour after the patch is applied: CVE-2018-0802 is triggered after sub_421E39 runs, and the return address is overwritten with 0x00420025.
  • Then enter the sub_41160F function and trigger CVE-2017-11882.
  • Since the patch is applied, the length of the font name field is now checked. If the length of the font name field exceeds 0x21, the copy length is limited to 0x20.
  • In this case, the mov dl, byte ptr ds:[ecx] in sub_44C430 does not raise an exception, because ecx is no longer maliciously overwritten by the font name field. This is the fundamental reason why CVE-2018-0802 can only be triggered after the CVE-2017-11882 patch is applied.
  • Execution can then reach the end of sub_421774 successfully and jump to address 0x00420025.
  • Run flow chart: [figure: execution flow, patched]

Note: when constructing a double POC for CVE-2018-0802 and CVE-2017-11882 within the same object, care is needed to avoid exceptions.

5. Security restriction bypass analysis

  • If ASLR was not originally enabled on the system, it needs to be turned on. This experimental system is Windows 7, so ASLR is enabled with EMET (Microsoft's Enhanced Mitigation Experience Toolkit); the same tool can also turn ASLR off.
  • If DEP is also enabled, it needs to be turned off, because this sample cannot bypass DEP.
  • Then use Immunity Debugger's !mona modules command to check the enabled protections; it shows that ASLR is enabled after the CVE-2017-11882 patch is applied.
  • Let's see how the sample bypasses ASLR. After opening the test.doc sample, run directly to the return point of sub_421774. At this point, the return address on the stack has already been overwritten.
  • There are two main points to know about ASLR: the first is randomization of the image base address, the second is randomization of the stack address (another is randomization of the TEB/PEB). For 32-bit programs, image base (module base) randomization only affects the upper half of the address; for example, in 0x00240035 only the 0x0024 part is randomized, while 0x0035 stays unchanged. Stack address randomization, by contrast, randomizes the entire address.
  • Combined with the sample analysis, the return address overwrite only covers the lower half of the address, 0x0025, so as to retain the upper half and thereby bypass ASLR.
  • Then press F8 to run; the program returns directly to 0x00240025, which is a ret instruction (to choose a ret instruction, just search for it directly in the module).
  • Then continue single-stepping with F8; it returns to address 0x001DF084, which is the data in the overflowed font name field. This step completes the transition from memory data to program instructions.
  • The instruction sub esp, edx subtracts 0x200 from esp. The purpose is to have the shellcode use uninitialized stack space, avoid corrupting the stack in use, and let the program run smoothly.
  • After the above operations, use F7 to step into the call shown in the figure; the target address is 0x0051EC82, where the shellcode is stored.
  • The implementation of the shellcode is very simple: the thread environment block (TEB) is used to dynamically resolve the WinExec API. The function address is stored in eax and the parameter in ebx, and the call is made with a jmp instruction.
  • The shellcode in the sample: [figure: shellcode disassembly]
  • Finally, it runs to the address of WinExec and performs the operation of opening the calculator.

6. CVE-2018-0802 patch analysis

  • Go to the Microsoft official website and download the corresponding patch for each Office version. The version used in this experiment is 2016 (64-bit); install the patch after the download completes.
  • Use IDA to locate the CVE-2018-0802 vulnerability directly, that is sub_421E39, and then analyze the patch. But nothing seems to have changed.
  • And the calculator can still pop up after running the sample.
  • Installing the update again also reports that this system already has the update installed.
  • Well, I don't know why, but in view of the above situation, it is recommended to turn on the system's DEP protection to mitigate the harm of CVE-2018-0802...
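The !mona modules check earlier and the closing DEP recommendation both come down to whether EQNEDT32.EXE opts in to ASLR and DEP in its PE header. The script below is an added example, not code from the original post: it reads the DllCharacteristics field of a PE image using the documented header layout (no pefile dependency) and reports the opt-in flags; the two headers it parses by default are constructed inline and are not real EQNEDT32.EXE files.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
DYNAMIC_BASE = 0x0040      # image opts in to ASLR
NX_COMPAT = 0x0100         # image opts in to DEP
HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR (PE32+ only)
GUARD_CF = 0x4000          # Control Flow Guard


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given its raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # Optional header follows the 4-byte signature and 20-byte COFF header;
    # DllCharacteristics is at optional-header offset 70 for PE32 and PE32+.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", pe, opt + 70)[0]


def mitigation_report(pe: bytes) -> dict:
    """Map the opt-in flags to the mitigations a debugger like mona would list."""
    flags = dll_characteristics(pe)
    return {
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "cfg": bool(flags & GUARD_CF),
    }


def _fake_pe32(dll_chars: int) -> bytes:
    """Construct a minimal PE32 header (not a real EQNEDT32.EXE) with the given flags."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: NT headers follow the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)  # i386, 224-byte opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: no opt-in flags (like an old EQNEDT32.EXE build) versus ASLR+DEP
NO_MITIGATIONS = _fake_pe32(0)
ASLR_AND_DEP = _fake_pe32(DYNAMIC_BASE | NX_COMPAT)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else ASLR_AND_DEP
    print(mitigation_report(data))
```

Pass the path of a real binary as the first argument to check it instead of the constructed headers.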

This concludes the vulnerability analysis of CVE-2018-0802. If there are any errors, please point them out.


Origin blog.csdn.net/qq_38924942/article/details/95928709