1. Preface
CVE-2018-0802 is another overflow vulnerability in the font name field, discovered after CVE-2017-11882 and also known as the "second-generation nightmare formula". Coincidentally, the two vulnerabilities are caused by the same function, sub_421774, and both are stack overflows. It is said that the domestic security vendor 360 was the first to intercept the world's first attack exploiting this vulnerability and immediately announced its specific details, giving security vendors valuable time to stop the attack from spreading further.
The specific details of this vulnerability, as well as patches for each Office version, are available in Microsoft's routine security updates for January 2018.
Note: Since the vulnerability was analyzed following the author's own process, some places may not be described in detail and may be hard to follow. If anything is unclear, you can leave a message.
Affected Office software versions for CVE-2018-0802:
2. Debugging environment
- Virtual machine: VMware 15 Pro + Windows 7 Ultimate ( ASLR && DEP turned off )
- Vulnerable software: Office 2016 64-bit (extraction code: fc1b) + EQNEDT32.EXE (version 2000.11.9.0)
- Equation editor plug-in: EQUATION (without CVE-2017-11882 patch, extraction code: behx) + EQUATION (with CVE-2017-11882 patch, extraction code: ck8o)
- Vulnerability sample and Python production script packaging: CVE-2018-0802.zip (extraction code: 7x0x)
- Hexadecimal editor: C32Asm (hex file analysis tool, extraction code: 4sj8)
- Disassembly tool: x64dbg + IDA 7.2 (extraction code: zksm)
- CVE-2017-11882 patch address: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
- CVE-2018-0802 patch address: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802
Note: CVE-2018-0802 is triggered on top of the CVE-2017-11882 patch. In other words, both the existence of the CVE-2017-11882 vulnerability and its patch are required to trigger CVE-2018-0802. For this reason, it is recommended to study and analyze CVE-2017-11882 first before analyzing CVE-2018-0802.
3. Debugging and analyzing the cause of the vulnerability
- First, build an environment based on CVE-2017-11882 and apply its patch to ensure that CVE-2018-0802 can be triggered.
- Use the cve-2018-0802_poc.py script to generate the test.doc sample file.
- Double-clicking the test.doc sample successfully pops up the calculator, indicating that the vulnerability exists and is triggered before the document finishes loading. Let's study why the calculator pops up when the document is opened...
- First set x64dbg as the attach debugger, so that the debugger is opened automatically when Office loads the EQNEDT32.EXE module. This is also one of the most convenient ways to debug child processes.
- Then reopen the test.doc document. After the debugger attaches successfully, set breakpoints on WinExec and the functions around it, because the operation of popping up the calculator is completed by this function.
- Since CVE-2017-11882 has been analyzed before, it can be concluded from the previously set breakpoints that after sub_421774 is called, execution breaks at WinExec. Next, the return address of this function is analyzed to determine whether the problem lies in sub_421774. Set conditional logging breakpoints at the start and end of sub_421774.
- After setting the breakpoints, reopen the test.doc document and get the log shown below. Analysis shows that the EQNEDT32.EXE module calls sub_421774 multiple times during operation. Note that the last call to sub_421774 (in the red circle) had a problem: the return address pushed on the stack at start was 0x004214E2, but the return address popped at end had changed to 0x00420025, indicating that the return address was maliciously overwritten. From this it is determined that memory in the sub_421774 function is being overwritten. Let's start debugging the function to find out what causes it.
- Set a conditional breakpoint according to the log, esp == 18F308 && [esp] == 4214E2, and break at start to facilitate debugging.
- After reopening the document, execution breaks at sub_421774 when the condition esp == 18F308 && [esp] == 4214E2 is met. Further debugging shows that the vulnerability lies in sub_421E39, because the return address is overwritten after this function executes; the rep string-copy instruction in sub_421E39 is the root cause. Since the local variable is 0xAC bytes, any copy longer than 0xAC causes a stack overflow.
- Check the state of the stack after the rep instruction executes: the return address of sub_421774 in the stack has been overwritten with 0x00420025. Moreover, the copied data is the font name string, whose address is passed in through a parameter, as shown in the memory window below:
- The corresponding data in the sample is shown in the figure below. The data is embedded in the \object group of the RTF file and belongs to the Equation Editor object (OLE).
- Then sub_421774 performs the ret at the end of its execution.
- After sub_421774 returns, EIP is successfully hijacked and execution runs to the 0x00420025 location.
- Finally, arbitrary code execution is achieved (the security restriction bypass and the shellcode will be analyzed later).
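The return-address comparison that the two logging breakpoints above make by hand can be automated. The following is an added example, not code from the original post: it pairs each start record with the end record at the same esp and reports any call of sub_421774 whose saved return address changed while the function ran. The log lines are constructed in an assumed layout (adjust the regex for a real x64dbg log), using the values from the analysis above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the kind of log the start/end logging breakpoints on
# sub_421774 would produce. The line layout is an assumption; the esp and
# return-address values are the ones from the analysis above.
SAMPLE_LOG = """\
start esp=0018F308 ret=004214E2
end   esp=0018F308 ret=004214E2
start esp=0018F308 ret=004214E2
end   esp=0018F308 ret=004214E2
start esp=0018F308 ret=004214E2
end   esp=0018F308 ret=00420025
"""

LINE_RE = re.compile(r"^(start|end)\s+esp=([0-9A-Fa-f]+)\s+ret=([0-9A-Fa-f]+)$")


def find_return_address_overwrites(log: str) -> List[Tuple[int, int, int, int]]:
    """Pair every 'start' record with the next 'end' record at the same esp and
    return (call_index, esp, ret_at_start, ret_at_end) for each call whose saved
    return address was modified between function entry and exit."""
    pending: Dict[int, Tuple[int, int]] = {}  # esp -> (call_index, ret_at_start)
    mismatches: List[Tuple[int, int, int, int]] = []
    call_index = 0
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not one of our breakpoint records
        kind, esp, ret = m.group(1), int(m.group(2), 16), int(m.group(3), 16)
        if kind == "start":
            call_index += 1
            pending[esp] = (call_index, ret)
            continue
        entry = pending.pop(esp, None)
        if entry is None:
            continue  # 'end' without a matching 'start' (function never returned)
        idx, ret_at_start = entry
        if ret_at_start != ret:
            mismatches.append((idx, esp, ret_at_start, ret))
    return mismatches


if __name__ == "__main__":
    for idx, esp, before, after in find_return_address_overwrites(SAMPLE_LOG):
        print("call %d at esp=%08X: return address %08X -> %08X" % (idx, esp, before, after))
```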
4. CVE-2017-11882 patch + CVE-2018-0802 combined analysis
- Since CVE-2018-0802 is triggered on top of the CVE-2017-11882 patch, let's study why. To switch between patched and unpatched, just replace the EQNEDT32.EXE file directly, and don't forget to make a backup.
- First restore the pre-patch version, that is, the version in which CVE-2017-11882 can be triggered, then open the CVE-2018-0802 sample and see what happens. Because of the conditional breakpoint set earlier, execution breaks after reaching sub_421774.
- After sub_421E39 runs, because the copied font name (lpLogFont) data is larger than the 0xAC local variable, the stack overflows and the return address is overwritten with 0x00420025. So far, there is no problem.
- Then run to the sub_4115A7 function and press F7 to step into it. Note that the parameter passed in is the font name field.
- Run to sub_41160F and press F7 to step in again. The parameters passed in still include the font name field.
- As shown in the figure below, address 0x00411658 is the trigger point of CVE-2017-11882. The rep instruction copies the font name field into the local variable of the current function; since the local variable is only 0x28 bytes, this causes a stack overflow again.
- Then run to the sub_44C430 function and press F7 to step into it.
- An exception occurs when the statement shown in the figure runs, because the second parameter passed into the function has been overwritten by the font name field, so mov dl,byte ptr ds:[ecx] reads data from an unknown address and triggers an exception.
- The exception makes the program run directly to address 0x7DE915EE and exit, never reaching the return address.
- Run flow chart:
- For comparison, with the CVE-2017-11882 patch applied: CVE-2018-0802 is triggered after sub_421E39 runs, and the return address is overwritten with 0x00420025.
- Then enter sub_41160F and trigger CVE-2017-11882.
- Since the patch is applied, the length of the font name field is now checked: if it exceeds 0x21, the copy length is limited to 0x20. In this case the mov dl,byte ptr ds:[ecx] in sub_44C430 does not trigger an exception, because ecx is no longer maliciously overwritten by the font name field. This is the fundamental reason why CVE-2018-0802 can only be triggered after the CVE-2017-11882 patch is applied.
- Then execution successfully runs to the end of sub_421774 and jumps to the address 0x00420025.
- Run flow chart:
Note: When constructing a double POC for CVE-2018-0802 and CVE-2017-11882 in the same object, you need to take care to avoid exceptions.
5. Security restriction bypass analysis
- If ASLR was not originally turned on in the system, it needs to be turned on. The experimental system is Windows 7, so ASLR has to be enabled with EMET (Microsoft's Enhanced Mitigation Experience Toolkit); the same tool can also turn ASLR off.
- If DEP is turned on at the same time, it needs to be turned off, because this sample cannot bypass DEP.
- Then use the !mona modules command in Immunity Debugger to check the enabled protections; it shows that ASLR is enabled after the CVE-2017-11882 patch is applied.
- Let's see how the sample bypasses ASLR. After opening the test.doc sample, run directly to the return point of the sub_421774 function. At this time the return address on the stack has already been overwritten.
- There are two main points in the basics of ASLR: the first is randomization of the image base address, the second is randomization of the stack address (there is also randomization of the TEB/PEB). For a 32-bit program, randomization of the image base address (module base address) only affects the first half of the address: in 0x00240035, for example, only the 0x0024 part is randomized while 0x0035 remains unchanged. Stack address randomization, by contrast, randomizes the whole address.
- Combined with the sample analysis, the overwritten return address only covers the second half of the address, 0x0025, so that the first half is preserved and ASLR is bypassed.
- Then press F8 to run; the program returns directly to 0x00240025, which is a ret instruction (to choose a ret instruction, just search for the instruction directly in the module).
- Continue single-stepping with F8 and it returns to the address 0x001DF084, which is the data in the overflowed font name field. This step completes the conversion of memory data into program instructions.
- The instruction sub esp,edx subtracts 0x200 from esp. The purpose is to let the shellcode use uninitialized stack space, avoid damaging the stack, and allow the program to keep running smoothly.
- After completing the above operations, press F7 to step into the call shown in the figure below; its address is 0x0051EC82, where the shellcode is stored.
The implementation of the shellcode is very simple: the Thread Environment Block is used to dynamically resolve the WinExec API. The function address is stored in eax, the parameters are stored in ebx, and the call is made with a jmp instruction.
- The shellcode in the sample looks like this:
- Finally, it runs to the address of WinExec and performs the operation of opening the calculator.
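What !mona modules reports as ASLR and DEP support for a module is the DllCharacteristics field of the image's PE optional header. The following is an added example, not code from the original post: it reads that field from a PE file and reports the two opt-in flags. It builds a constructed minimal PE32 header (not the real EQNEDT32.EXE) so that it runs offline; point it at a real file path to check an installed EQNEDT32.EXE.

```python
import struct
from typing import Dict

# IMAGE_DLLCHARACTERISTICS_* flags from the PE specification
DYNAMIC_BASE = 0x0040  # image opts in to ASLR (the ASLR column of !mona modules)
NX_COMPAT = 0x0100     # image opts in to DEP


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE image given its raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both formats
    return struct.unpack_from("<H", pe, opt + 70)[0]


def mitigation_report(pe: bytes) -> Dict[str, bool]:
    """Summarize whether the image opts in to ASLR and DEP."""
    flags = dll_characteristics(pe)
    return {"aslr": bool(flags & DYNAMIC_BASE), "dep": bool(flags & NX_COMPAT)}


def build_fake_pe(dllchar: int) -> bytes:
    """Constructed minimal PE32 header (not a real executable) for offline testing."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(0)
    print(mitigation_report(data))
```

On Windows 7 a module without the DYNAMIC_BASE flag is loaded at its preferred base unless ASLR is forced system-wide, which is why the EMET setting above matters for an unpatched EQNEDT32.EXE.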
6. CVE-2018-0802 patch analysis
Go to the Microsoft official website and download the corresponding patch for each Office version. The version used in this experiment is 2016 (64-bit); install the patch after the download completes.
- Use IDA to locate the CVE-2018-0802 vulnerability directly, that is, sub_421E39, and then analyze the patch. But nothing seems to have changed.
- And the calculator can still pop up after running it.
- Installing the update again also shows that this system already has the update installed.
- Well, I don't know why, but given the above situation, it is recommended to turn on the system's DEP protection to mitigate the harm of CVE-2018-0802...
This concludes the vulnerability analysis of CVE-2018-0802. If there are any errors, please point them out.