[CVE-2017-11882]: Analysis of Microsoft Office Memory Corruption Vulnerability

Severe vulnerability in MicrosoftS Office Suites, enabling remote code execution due to memory handling flaws.

Severe vulnerability in MicrosoftS Office Suites, enabling remote code execution due to memory handling flaws.

Monday, 27 May, 2024

Vulnerability
Vulnerability
Vulnerability

CVE-2017-11882 is a critical vulnerability that impacts the Microsoft Equation Editor (EQNEDT32.EXE) component in Microsoft Office. Exploiting this flaw allows attackers to execute arbitrary code remotely on the affected system. The vulnerability arises from a memory corruption issue and Detected in November 2017, CVE-2017-11882 has been actively exploited in numerous malware campaigns, posing a serious security risk to Microsoft Office users worldwide.

File Details:

Hash    : 7738f4f6d42724e34b3aaadc6f5bdddda46910969686a19a472c00b73183e6de
Magic   : Rich Text Format data, version 1
Filename: 23ca36b7cde550140f219bf20ed8a4ff.rtf
FileType: Rich Text Format 
Size    : 65.22 KB (66784 bytes)
Vulnerability Score: V3.0: 7.8 High: 2.0: 9.3 High

Technical Analysis of RTF Sample:

Malware authors often leverage RTF (Rich Text Format) files as an initial vector for malware propagation due to their broad compatibility and ability to exploit vulnerabilities in document viewers and software applications. These files can execute malicious commands or payloads, posing a significant threat to users' systems. Moreover, RTF files can be disguised to appear legitimate, increasing the likelihood of unsuspecting users opening them. 

Additionally, attackers may employ obfuscation techniques to evade detection by antivirus programs, further enhancing their success rates. Overall, the flexibility and potential for exploiting vulnerabilities make RTF files a preferred choice for malware dissemination among threat actors.

How does it work?

CVE-2017-11882 works through exploiting a memory corruption vulnerability within the Microsoft Equation Editor, present in Microsoft Office software. Malicious actors create documents containing specially crafted code, often embedded objects or scripts. Upon opening such a document using an impacted version of Microsoft Office, the malicious code triggers execution, potentially enabling the attacker to compromise the victim's system. Consequences may include malware installation, data theft, or other malicious actions.

Static Malware Analysis:

Static malware analysis involves examining malicious files without executing them. This process includes identifying file types, extracting contents, reviewing code for malicious commands, and identifying indicators of compromise. By analyzing file properties, behavior, and researching known threats, security analysts can understand the nature of the malware and mitigate potential risks.

Header of the RTF File:

Footer of the RTF File:

In this case, the footer context appears as a hexadecimal value, with additional spaces added. This technique is commonly employed by malware authors to obscure malicious code within the file.

Extraction of embedded strings:

Magic bytes: d0cf11e0

Dynamic Malware Analysis:

To conduct dynamic analysis effectively, the sample must be executed. Simultaneously, process monitoring or exploration tools should be opened alongside network capturing tools. This allows for real-time observation and recording of the sample's behavior, facilitating detailed analysis.

After executing the .rtf file, the true content of the file is revealed. However, this alone is insufficient for thorough analysis. To delve deeper, navigate to "Save As," save the file with various Word versions, and then extract it to uncover any embedded files.

Extracted Components of Word Document:

Embedded Word Document:

Captured HTTP Packet:

Sandbox Results:

Conclusion:

Despite originating in 2017, this vulnerability remains active in the wild. The persistence of this vulnerability in the wild can be attributed to several factors, including its widespread impact, the ease of exploitation, and the ongoing use of vulnerable software versions by organizations and individuals. Additionally, attackers may continue to exploit known vulnerabilities because they can yield successful compromises and provide avenues for various malicious activities, such as data theft, system compromise, and network infiltration. 

Happy Hunting !!