How a Microsoft Office File Exploits a Vulnerability

A nasty vulnerability that utilizes a Microsoft Office file to execute malicious commands and hurt your system and your company is causing a lot of dammage. In order for this vulnerability to be exploited, a user is required to open a file that was specially crafted to include an affected version of Microsoft Office or Microsoft WordPad software.

The malicious file can enter your organization via email, direct download from the web or the cloud, removable media or in any way. As this is an unknown vulnerability, it cannot be detected by any of the traditional security solutions placed in most organizations.

The vulnerability is widely used by several APTs (Advanced Persistent Threat Group):

· APT34 – Iranian nation-state group which targets Middle-East companies.

· Cobalt Hacking Group – A well known hacking group targeting many sectors around the world.

· APT10 – (aka StonePanda, Red-Apollo,CloudHopper) Chinese nation-state group targeting IT and Financial sector companies around the world.

During 2018, a campaign targeting financial sector in Mississippi was detected using this vulnerability. The estimated loss to local banks was over 500 million dollars.

So, how does this attack works?

General attack flow:

The vulnerability enters the organization via email or another way that will include a WordPad file containing the malicious code. When the user opens the file the malware executes and starts its malicious journey through your system.

Technical Information:

An attacker can leverage a buffer overflow vulnerability in the old version of the Equation Editor (File version is 2000.11.9.0) to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial of service conditions.

The Equation Editor component was compiled on Nov 9th, 2000 and was patched by Microsoft on November 14, 2017 as part of the monthly security update process.
The Microsoft Equation Editor is an out-of-process COM server that is hosted by eqnedt32.exe, which means it runs as a separate process and can accept commands from other processes.
Memory Security features as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) should protect against such type of attacks but because of the manner in which eqnedt32.exe is linked, they will not. Being an out-of-process COM server, protections specific to Microsoft Office such as Windows Defender Exploit Guard are not applicable to eqnedt32.exe.
The vulnerability lets an attacker load malicious code directly into the memory of the process without using any intermediate file.
The vulnerability can be exploited by many different vectors (OLE objects, Fileless code execution etc).
There are several available POCs and exploitation kits (Python scripts, Metasploit modules and more). A python script used alongside msfvenom (Metasploit malware creation tool) enables creation of malicious MS-Office files to exploit the vulnerability as described in –https://github.com/rxwx/CVE-2017-11882

Example:

1. Creating a file with rtf / doc extension

2. Pasting the POC code into the file.

3. Opening the file with MS-Office or Wordpad executes Calc.exe

POC code:

CVE-2017-11882

MS-Office Vulnerable Versions:

Microsoft office 2007-sp3

Microsoft office 2010-sp2

Microsoft office 2013-sp1

Microsoft office 2016

So, how can you protect yourself?