Executive Summary

Summary
Title: Microsoft Office Equation Editor stack buffer overflow

Information
Name: VU#421280
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2017-11-15
Last vendor modification: 2017-11-20
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Subscore: NA
Temporal Score: NA
Exploitability Subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Base Score: 9.3
CVSS Impact Score: 10
CVSS Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Detail

Vulnerability Note VU#421280

Microsoft Office Equation Editor stack buffer overflow

Original Release date: 15 Nov 2017 | Last revised: 20 Nov 2017

Overview

Microsoft Equation Editor contains a stack buffer overflow, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Microsoft Equation Editor is a component that comes with Microsoft Office. It is an out-of-process COM server that is hosted by eqnedt32.exe. The Microsoft Equation Editor contains a stack buffer overflow vulnerability.

Memory corruption vulnerabilities in modern software are often mitigated by exploit protections, such as DEP and ASLR. More modern memory corruption protections include features like CFG. Even in a modern, fully-patched Microsoft Office 2016 system, the Microsoft Equation Editor lacks any exploit protections, however. This lack of exploit protections allows an attacker to achieve code execution more easily than if protections were in place. For example, because eqnedt32.exe was linked without the /DYNAMICBASE flag, it will not be loaded at a randomized location by default.
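The paragraph above says eqnedt32.exe was linked without /DYNAMICBASE, so it is never randomized. Whether an image opted in to ASLR, DEP and CFG is recorded in the DllCharacteristics field of its PE optional header, and the check below, added here as an example and not code from the CERT note, reads that field directly. The bit values are the documented IMAGE_DLLCHARACTERISTICS_* constants; the header produced by build_minimal_pe is a constructed test input, not a real binary. Run the script with the path to an executable (for instance a copy of eqnedt32.exe) to see which mitigations it lacks.

```python
import struct
import sys

# DllCharacteristics bits from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
DYNAMIC_BASE = 0x0040   # linked with /DYNAMICBASE: image may be relocated by ASLR
NX_COMPAT    = 0x0100   # linked with /NXCOMPAT: image opts in to DEP
GUARD_CF     = 0x4000   # linked with /GUARD:CF: Control Flow Guard metadata present


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image from its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    # The PE signature (4 bytes) and COFF file header (20 bytes) precede the optional header.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                              # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+.
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigation_report(data: bytes) -> dict:
    """Map each link-time mitigation to whether the image opted in to it."""
    flags = dll_characteristics(data)
    return {
        "dynamic_base": bool(flags & DYNAMIC_BASE),
        "nx_compat": bool(flags & NX_COMPAT),
        "guard_cf": bool(flags & GUARD_CF),
    }


def build_minimal_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed, non-loadable PE header carrying the given DllCharacteristics (test input only)."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    machine = 0x8664 if pe32plus else 0x14C                       # AMD64 / i386
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # optional header magic
    struct.pack_into("<H", opt, 68, 2)                            # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, flags)                        # DllCharacteristics
    return dos + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_minimal_pe(0)  # no path: constructed sample
    for name, present in mitigation_report(data).items():
        print(f"{name:13s} {'yes' if present else 'MISSING'}")
```

An image that reports dynamic_base as MISSING is loaded at its preferred base unless the system forces relocation (mandatory ASLR), which is exactly the situation the note describes for eqnedt32.exe and why the system-wide and per-process ASLR settings discussed later matter.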

Because Equation Editor is an out-of-process COM server, this also means that protections specific to any Microsoft Office application may not have an effect on this vulnerability. For example, if the exploit document is an RTF document, the document will open in Microsoft Word. However, the COM server eqnedt32.exe is invoked by the Windows DCOM Server Process Launcher service, as opposed to Word itself. For this reason, EMET or Windows Defender Exploit Guard protections specific to the Microsoft Office programs themselves will not protect users. For this same reason, none of the Windows Defender Exploit Guard Attack Surface Reduction (ASR) protections will help either.

Windows 7 users who have EMET configured for ASLR to be "always on" at a system-wide level are protected against known exploitation techniques for this vulnerability. Starting with Windows 8.0, system-wide ASLR receives entropy for non-DYNAMICBASE code only if bottom-up ASLR is enabled on a system-wide level as well. Neither EMET nor Windows Defender Exploit Guard configures system-wide bottom-up ASLR though. Because of this, Windows 8.0 through Windows 10 systems must enable specific protections for this vulnerability.

Impact

By convincing a user to open a specially-crafted Office document, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the logged-on user.

Solution

Apply an update

This issue is addressed in CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability.

Disable Microsoft Equation Editor in Office

The vulnerable Equation Editor component can be disabled in Microsoft Office by importing the following registry values:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400
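To confirm the mitigation above actually landed on a machine (or across a fleet of exported registry files), the following Python, added here as an example rather than code from the CERT note, parses a .reg export and reports, for each COM Compatibility key naming the Equation Editor CLSID from the snippet above, whether the 0x400 bit of "Compatibility Flags" is set. Only the [key] and "name"=dword: forms used in the snippet are parsed; SAMPLE_EXPORT is a constructed export in which the 64-bit key is set correctly and the Wow6432Node key was left at zero.

```python
import re

# CLSID of the Equation Editor COM class and the Compatibility Flags value the .reg import above sets.
EQNEDT_CLSID = "{0002CE02-0000-0000-C000-000000000046}"
COMPAT_DISABLE = 0x00000400


def parse_reg(text: str) -> dict:
    """Parse the .reg subset used here: [key] headers and "name"=dword:XXXXXXXX values.
    Returns {key_path: {value_name: int}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9A-Fa-f]{1,8})', line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def equation_editor_status(reg_text: str) -> dict:
    """For every COM Compatibility key naming the Equation Editor CLSID, report whether
    the disable bit (0x400) of "Compatibility Flags" is set. A missing value counts as 0."""
    status = {}
    for path, values in parse_reg(reg_text).items():
        if "\\COM Compatibility\\" in path and path.upper().endswith(EQNEDT_CLSID):
            status[path] = bool(values.get("Compatibility Flags", 0) & COMPAT_DISABLE)
    return status


# Constructed sample export: the 64-bit key has the disable bit set, the Wow6432Node key does not.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for path, disabled in equation_editor_status(SAMPLE_EXPORT).items():
        print(("disabled      " if disabled else "STILL ENABLED ") + path)
```

Both keys must report disabled: on 64-bit Windows the Wow6432Node path is the one 32-bit Office reads, so a fix applied only to the native path leaves the component active for a 32-bit installation.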

Add EMET or Windows Defender Exploit Guard protections to eqnedt32.exe

Exploitation of the vulnerable Equation Editor can be prevented by applying exploit mitigations to the eqnedt32.exe executable. In particular, enabling ASLR for eqnedt32.exe should be sufficient to block the code-reuse attack outlined in the Embedi documentation.

Enable system-wide ASLR in Windows

Windows with properly-enabled system-wide ASLR (see VU#817544 for more details affecting Windows 8 and newer systems) will block known exploits for this vulnerability.

Vendor Information

Vendor: Microsoft Corporation
Status: Affected
Date Notified: -
Date Updated: 15 Nov 2017

CVSS Metrics

Group          Score  Vector
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       5.5    E:U/RL:OF/RC:C
Environmental  5.5    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • https://www.kb.cert.org/vuls/id/817544
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
  • https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about
  • https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
  • https://msdn.microsoft.com/en-us/library/bb430720.aspx?f=255&MSPPError=-2147217396
  • https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
  • https://msdn.microsoft.com/en-us/library/windows/desktop/ms683835(v=vs.85).aspx
  • https://www.microsoft.com/en-us/download/details.aspx?id=54264
  • https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
  • https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction

Credit

This issue was reported by Microsoft, who in turn credit Denis Selianin of Embedi with discovery.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2017-11882
  • Date Public: 14 Nov 2017
  • Date First Published: 15 Nov 2017
  • Date Last Updated: 20 Nov 2017
  • Document Revision: 24

Original Source

Url : http://www.kb.cert.org/vuls/id/421280

CWE : Common Weakness Enumeration

CWE-119 (100%): Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Type: Application    Count: 4

Snort® IPS/IDS

Date Description
2020-09-02 Microsoft Office Equation Editor stack buffer overflow attempt
RuleID : 54621 - Revision : 1 - Type : FILE-OFFICE
2020-09-02 Microsoft Office Equation Editor stack buffer overflow attempt
RuleID : 54620 - Revision : 1 - Type : FILE-OFFICE
2020-03-13 Malicious HTML application download attempt
RuleID : 53090 - Revision : 1 - Type : MALWARE-TOOLS
2019-08-13 Microsoft Office Equation Editor RTF embedded OLE evasion attempt
RuleID : 50685 - Revision : 1 - Type : FILE-OFFICE
2019-08-13 Microsoft Office Equation Editor RTF embedded OLE evasion attempt
RuleID : 50684 - Revision : 1 - Type : FILE-OFFICE
2019-05-14 Microsoft Office Equation Editor object stack buffer overflow attempt
RuleID : 49776 - Revision : 1 - Type : FILE-OFFICE
2019-05-14 Microsoft Office Equation Editor object stack buffer overflow attempt
RuleID : 49775 - Revision : 1 - Type : FILE-OFFICE
2018-02-22 Microsoft Office Equation Editor Package objclass RTF evasion attempt
RuleID : 45512 - Revision : 2 - Type : FILE-OFFICE
2018-02-22 Microsoft Office Equation Editor Package objclass RTF evasion attempt
RuleID : 45511 - Revision : 2 - Type : FILE-OFFICE
2018-02-20 Microsoft Office None type objclass RTF evasion attempt
RuleID : 45467 - Revision : 2 - Type : FILE-OFFICE
2018-02-20 Microsoft Office None type objclass RTF evasion attempt
RuleID : 45466 - Revision : 2 - Type : FILE-OFFICE
2018-01-11 Microsoft Office Equation Editor object stack buffer overflow attempt
RuleID : 45135 - Revision : 2 - Type : FILE-OFFICE
2018-01-11 Microsoft Office Equation Editor object stack buffer overflow attempt
RuleID : 45134 - Revision : 2 - Type : FILE-OFFICE
2018-01-11 Microsoft Office Equation Editor object stack buffer overflow attempt
RuleID : 45133 - Revision : 2 - Type : FILE-OFFICE
2018-01-11 Microsoft Office Equation Editor object stack buffer overflow attempt
RuleID : 45132 - Revision : 3 - Type : FILE-OFFICE
2017-12-29 Microsoft Office Equation Editor object with automatic execution embedded in ...
RuleID : 44990 - Revision : 4 - Type : FILE-OFFICE
2017-12-29 Microsoft Office Equation Editor object with automatic execution embedded in ...
RuleID : 44989 - Revision : 4 - Type : FILE-OFFICE

Nessus® Vulnerability Scanner

Date Description
2017-11-14 Name : The Microsoft Office Products are affected by multiple vulnerabilities.
File : smb_nt_ms17_nov_office.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2017-12-05 17:23:22
  • Multiple Updates
2017-11-20 21:21:39
  • Multiple Updates
2017-11-16 21:20:25
  • Multiple Updates
2017-11-16 17:20:56
  • Multiple Updates
2017-11-16 00:23:16
  • Multiple Updates
2017-11-15 21:23:58
  • First insertion