
History: Dec 25, 2018 - 12:00 a.m.

Analysis of a malicious document exploiting CVE-2017-11882 and CVE-2018-0802 in combination - Vulnerability Warning - the black bar safety net
![](/Article/UploadPic/2018-12/20181225205545726.png)
We recently intercepted an attack sample: a document with a .doc extension whose actual format is RTF. Analysis of the document's composition shows that it exploits CVE-2017-11882 and CVE-2018-0802, uses an embedded Excel object to trigger the vulnerabilities, and drops a PE file that collects sensitive information from the target user.

I. Basic overview
In the test environment (Windows 7 x64 with Office 2010), opening the document while monitoring processes shows that the winword.exe process first runs excel.exe, which then runs EQNEDT32.exe, which in turn runs cmd.exe, which finally runs the A.X process; EQNEDT32.exe runs twice. Seeing EQNEDT32.exe in the chain, one would expect this to be a CVE-2017-11882 or CVE-2018-0802 sample.
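The process chain above (winword.exe to excel.exe to EQNEDT32.exe to cmd.exe to A.X) is exactly what endpoint telemetry lets a defender key on. The following is an added example, not code from the original article: it runs three detection rules over a small set of constructed process-creation records in a CSV shape (the column names, PIDs and paths are assumptions, not real telemetry) and reconstructs the parent chain for each alert.

```python
import csv
import io
from typing import Dict, List

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
TEMP_MARKERS = ("%tmp%", "%temp%", "\\temp\\")

# Constructed process-creation records (not real telemetry). Fields: time, pid,
# ppid, image, cmdline. The chain mirrors what the article observed:
# winword -> excel -> EQNEDT32 -> cmd -> A.X, with EQNEDT32 launched twice.
SAMPLE_LOG = """\
time,pid,ppid,image,cmdline
10:00:00,1000,800,explorer.exe,explorer.exe
10:00:01,1200,1000,winword.exe,WINWORD.EXE sample.doc
10:00:03,1300,1200,excel.exe,EXCEL.EXE /embedding
10:00:04,1400,1300,EQNEDT32.EXE,EQNEDT32.EXE -Embedding
10:00:05,1500,1400,cmd.exe,cmd.exe /c %tmp%\\A.X
10:00:06,1600,1500,A.X,C:\\Users\\user\\AppData\\Local\\Temp\\A.X
10:00:07,1700,1300,EQNEDT32.EXE,EQNEDT32.EXE -Embedding
10:00:09,1800,1000,notepad.exe,notepad.exe
"""


def load_events(text: str) -> List[Dict[str, str]]:
    """Parse the CSV records into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def ancestry(event: Dict[str, str], by_pid: Dict[str, Dict[str, str]]) -> List[str]:
    """Walk ppid links back to the root and return the image names root-first."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur["image"])
        cur = by_pid.get(cur["ppid"])
    return chain[::-1]


def _alert(rule: str, event: Dict[str, str], chain: str) -> Dict[str, str]:
    return {"rule": rule, "pid": event["pid"], "image": event["image"], "chain": chain}


def detect_equation_editor_abuse(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply three rules that together cover the chain described in the article."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"].lower() if parent else ""
        lineage = ancestry(e, by_pid)
        chain = " -> ".join(lineage)
        # Rule 1: an Office application launching the Equation Editor.
        if image == EQUATION_EDITOR and parent_image in OFFICE_PROCESSES:
            alerts.append(_alert("office-spawns-equation-editor", e, chain))
        # Rule 2: the Equation Editor has no legitimate reason to spawn children.
        if parent_image == EQUATION_EDITOR:
            alerts.append(_alert("equation-editor-spawns-child", e, chain))
        # Rule 3: anything below the Equation Editor that runs out of a temp directory.
        under_eqnedt = any(i.lower() == EQUATION_EDITOR for i in lineage[:-1])
        if under_eqnedt and any(m in e["cmdline"].lower() for m in TEMP_MARKERS):
            alerts.append(_alert("temp-executable-under-equation-editor", e, chain))
    return alerts


if __name__ == "__main__":
    for a in detect_equation_editor_abuse(load_events(SAMPLE_LOG)):
        print(a["rule"], a["pid"], a["chain"])
```

In Sysmon or EDR telemetry EQNEDT32.exe is frequently started by the DCOM launcher (a svchost.exe instance) rather than directly by the Office process, so the second and third rules, which key on what the Equation Editor itself spawns, travel better across environments than the first.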
When opened, the document displays as an empty document, as shown below.
![](/Article/UploadPic/2018-12/20181225205545737.png)
At a glance it looks empty, but a closer look reveals a small black dot icon in the top left corner, as shown below.
![](/Article/UploadPic/2018-12/20181225205545312.png)
Double-clicking it brings up the pop-up window shown below, which reads "Windows cannot open this file: A.X". Clearly the "small black dot" is an embedded external object.
![](/Article/UploadPic/2018-12/20181225205545780.png)
Right-click the object and select "Packager Shell Object" to view the object's "Properties", as shown below.
![](/Article/UploadPic/2018-12/20181225205545220.png)
The object's properties are shown below:
![](/Article/UploadPic/2018-12/20181225205545229.png)
From this we can conclude that the sample embeds a PE file as a Package object inside the RTF; when the document is opened the object is dropped to the %temp% directory by default, and CVE-2017-11882 or CVE-2018-0802 is then used to execute it.

II. RTF analysis
1. Document structure analysis
![](/Article/UploadPic/2018-12/20181225205545186.png)
Analyzing the document with rtfobj finds two embedded objects: a Package object and an Excel.Sheet.8 object, as shown in the figure. The Package object's original path is "C:\\Users\\n3o\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\A.X", from which we can see that the document author's operating system user name is n3o.
Here A.X is the dropped malicious PE file.
The other object is an embedded Excel worksheet. After extracting it, renaming it with an .xls suffix and opening it in Excel, we find that it contains two objects, AAAA and bbbb, both of which are "Equation.3" objects, as shown below.
![](/Article/UploadPic/2018-12/20181225205545928.png)
The structure of the extracted Excel worksheet object is shown below.
![](/Article/UploadPic/2018-12/20181225205545742.png)
The worksheet contains two Microsoft Equation 3.0 objects, MBD0002E630 and MBD0002E631, with CLSID "0002ce02-0000-0000-c000-000000000046"; their modification time is 2018/5/21 17:52.
![](/Article/UploadPic/2018-12/20181225205545793.png)
In addition, the Ole10Native streams of the two "Microsoft Equation 3.0" objects are 59 bytes and 160 bytes in size and contain the command "cmd.exe /c %tmp%\A.X", which is used to run the A.X process. The two objects are presumably used to exploit CVE-2017-11882 and CVE-2018-0802 in combination.
With this, the basic analysis of the sample is clear; the overall flow is shown in the figure below.
![](/Article/UploadPic/2018-12/20181225205545654.png)
2. Static analysis of the document
Opening the file in WinHex, the first Package object can be found at file offset 0x2A8A. The value 0x00137158 there is the size of the object, 1274200 in decimal, which is the size of the dropped A.X. It is followed by the PE file itself. In WinHex we can see that the author modified the PE header 0x4D5A by inserting 0x090d between the hex digits, so that it becomes [0x090d]4[0x090d]d[0x090d]5[0x090d]a[0x090d], which still decodes to 0x4d5a. This is presumably done to evade certain anti-virus engines: the 0x4d5a9000 pattern no longer appears literally in the file, where it would be an obvious sign of an embedded PE. Specifically, as shown below:
![](/Article/UploadPic/2018-12/20181225205545840.png)
The other object, at offset 0x299061, is the Excel.Sheet.8 object. Its size is 0x00005C00, 23552 in decimal, consistent with the size of the Excel file extracted by rtfobj. The author also modified the compound document header, inserting 0x0909 so that the d0cf11 at the start of the compound document becomes d[0x0909]0[0x0909]... This is presumably also a form of anti-virus evasion.
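The filler bytes described in this section work only against scanners that look for "4d5a" or "d0cf11" as literal hex text; the RTF reader itself ignores non-hex characters inside \objdata, so the correct analysis step is to discard them before decoding. The following is an added example, not code from the article and not rtfobj: it builds a small constructed RTF (the embedded "PE" and "compound document" are stub byte strings, not the real A.X or worksheet) with the same 0x09/0x0d interleaving, strips the filler, parses the OLE 1.0 object header to recover the declared object size the article reads at offset 0x2A8A, classifies each object by magic bytes, and flags the Equation 3.0 CLSID and the cmd.exe /c command string.

```python
import re
import struct
import uuid
from typing import Dict, List

# Equation Editor 3.0 CLSID in the little-endian byte layout used inside OLE files.
EQUATION_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046").bytes_le
FILE_MAGIC = {
    b"MZ": "PE executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE compound document",
}
CMD_PATTERN = re.compile(rb"cmd\.exe\s*/c\s*[^\x00]{1,200}", re.IGNORECASE)


def _ole1_container(class_name: bytes, data: bytes) -> bytes:
    """Wrap native data in the OLE 1.0 embedded-object header used by RTF \\objdata:
    version, format id, length-prefixed class/topic/item names, data size, data."""
    name = class_name + b"\x00"
    return (
        struct.pack("<III", 0x00000501, 0x00000002, len(name)) + name
        + struct.pack("<I", 0)  # empty topic name
        + struct.pack("<I", 0)  # empty item name
        + struct.pack("<I", len(data)) + data
    )


def _obfuscate_hex(raw: bytes, sep: str = "\t\r") -> str:
    """Insert 0x09 0x0d around every hex digit, as the sample does to its headers."""
    return sep + sep.join(raw.hex()) + sep


# Constructed inputs (not the analyzed document): a 64-byte MZ stub standing in for
# the dropped PE, and a fake compound document carrying the Equation CLSID and the
# command string the article reports.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
FAKE_OLE = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
            + EQUATION_CLSID + b"\x00" * 8 + b"cmd.exe /c %tmp%\\A.X\x00")
SAMPLE_RTF = (
    "{\\rtf1\\ansi"
    + "{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
    + _obfuscate_hex(_ole1_container(b"Package", FAKE_PE)) + "}}"
    + "{\\object\\objemb{\\*\\objclass Excel.Sheet.8}{\\*\\objdata "
    + _obfuscate_hex(_ole1_container(b"Excel.Sheet.8", FAKE_OLE)) + "}}"
    + "}"
)


def extract_objdata(rtf: str) -> List[bytes]:
    """Decode every \\objdata hex stream after discarding all non-hex characters
    (whitespace, the 0x09/0x0d filler, anything else the reader would skip)."""
    blobs = []
    for match in re.finditer(r"\\objdata\b([^}]*)", rtf):
        digits = re.sub(r"[^0-9A-Fa-f]", "", match.group(1))
        if len(digits) % 2:
            digits = digits[:-1]
        blobs.append(bytes.fromhex(digits))
    return blobs


def parse_ole1(blob: bytes) -> Dict:
    """Parse the OLE 1.0 ObjectHeader + EmbeddedObject layout and return the class
    name, the declared native data size (the value WinHex shows before the PE) and the data."""
    version, fmt_id, name_len = struct.unpack_from("<III", blob, 0)
    off = 12
    class_name = blob[off:off + name_len].rstrip(b"\x00").decode("latin-1")
    off += name_len
    for _ in range(2):  # topic name and item name, both length-prefixed
        length = struct.unpack_from("<I", blob, off)[0]
        off += 4 + length
    data_len = struct.unpack_from("<I", blob, off)[0]
    off += 4
    return {"class": class_name, "declared_size": data_len, "data": blob[off:off + data_len]}


def analyze_rtf(rtf: str) -> List[Dict]:
    """Classify each embedded object by magic bytes and list the indicators found."""
    report = []
    for blob in extract_objdata(rtf):
        obj = parse_ole1(blob)
        data = obj["data"]
        kind = next((label for magic, label in FILE_MAGIC.items()
                     if data.startswith(magic)), "unknown")
        indicators = []
        if EQUATION_CLSID in data:
            indicators.append("Equation 3.0 CLSID")
        cmd = CMD_PATTERN.search(data)
        if cmd:
            indicators.append("command: " + cmd.group(0).decode("latin-1"))
        report.append({"class": obj["class"], "type": kind,
                       "declared_size": obj["declared_size"],
                       "actual_size": len(data), "indicators": indicators})
    return report


if __name__ == "__main__":
    for entry in analyze_rtf(SAMPLE_RTF):
        print(entry)
```

A mismatch between declared_size and actual_size is itself worth reporting: truncated or padded object data is another common trick for confusing extractors that trust the header length.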