CVE-2017-11882 - 3 ways to perform technical analysis, 1 easy way to protect

cybercdh
16K views · 7 years ago
Here I show you technical analysis of a fascinating exploit CVE-2017-11882 which takes advantage of a buffer overflow vulnerability in Microsoft Office Equation Editor (EQNEDT32.exe).

I demonstrate how to quickly analyse this exploit from a behavioural point of view, show you how to run rtfdump.py to extract the malicious object, and also how to attach a debugger to the victim process so you can see for yourself the buffer being overflowed.
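As an added illustration of the "extract the malicious object" step (this is not code from the video and not rtfdump.py itself), the following Python script does in miniature what rtfdump.py does for these lures: it locates the \objdata hex stream in an RTF, decodes it, parses the OLE 1.0 ObjectHeader (OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize) and flags any object whose class name is Equation.3, the class the Equation Editor registers. The RTF sample is constructed inside the script; build_sample_rtf, extract_objdata, parse_ole1_object and triage_rtf are names chosen for this example.

```python
# Added example (not from the video, not rtfdump.py): minimal \objdata extraction and
# OLE 1.0 header triage for RTF lures. The sample document is constructed below.
import re
import struct

# Class name the Equation Editor registers for embedded OLE objects.
EQUATION_EDITOR_CLASS = b"Equation.3"

# Constructed sample: an RTF with one embedded OLE object whose \objdata payload is an
# OLE 1.0 container carrying an Equation.3 object with 32 bytes of filler native data.
def build_sample_rtf(native_data: bytes = b"\x41" * 32) -> bytes:
    classname = EQUATION_EDITOR_CLASS + b"\x00"
    header = (
        struct.pack("<I", 0x00000501)                      # OLEVersion (01 05 00 00)
        + struct.pack("<I", 2)                             # FormatID 2 = embedded object
        + struct.pack("<I", len(classname)) + classname    # ClassName (length-prefixed, NUL-terminated)
        + struct.pack("<I", 0)                             # TopicName (empty)
        + struct.pack("<I", 0)                             # ItemName (empty)
        + struct.pack("<I", len(native_data)) + native_data  # NativeDataSize + NativeData
    )
    hexdata = header.hex().encode()
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + hexdata + b"}}}")

# The hex stream runs from the control word to the closing brace; it may be split across
# lines, so whitespace is allowed inside it and stripped before decoding.
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

def extract_objdata(rtf: bytes) -> list:
    """Return the hex-decoded bytes of every \\objdata payload in the RTF."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexchars = re.sub(rb"\s+", b"", m.group(1))
        if len(hexchars) % 2:            # odd nibble count: truncated stream, drop the dangling nibble
            hexchars = hexchars[:-1]
        blobs.append(bytes.fromhex(hexchars.decode()))
    return blobs

def _read_lp_string(buf: bytes, off: int):
    """Read an OLE 1.0 LengthPrefixedAnsiString; returns (value without NUL, new offset)."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00"), off + n

def parse_ole1_object(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader at the start of an \\objdata blob."""
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    classname, off = _read_lp_string(blob, off)
    _topic, off = _read_lp_string(blob, off)
    _item, off = _read_lp_string(blob, off)
    info = {"ole_version": ole_version, "format_id": format_id, "classname": classname,
            "native_size": None, "native_data": b"", "truncated": False}
    if format_id != 2:                   # only embedded objects (FormatID 2) carry NativeData
        return info
    (native_size,) = struct.unpack_from("<I", blob, off)
    off += 4
    native = blob[off:off + native_size]
    info.update(native_size=native_size, native_data=native,
                truncated=len(native) < native_size)   # declared size larger than what is present
    return info

def triage_rtf(rtf: bytes) -> list:
    """Extract every embedded object and mark Equation Editor objects for closer analysis."""
    results = []
    for blob in extract_objdata(rtf):
        info = parse_ole1_object(blob)
        info["equation_editor"] = info["classname"] == EQUATION_EDITOR_CLASS
        results.append(info)
    return results

if __name__ == "__main__":
    for obj in triage_rtf(build_sample_rtf()):
        print(f"class={obj['classname'].decode(errors='replace')} "
              f"native_size={obj['native_size']} equation_editor={obj['equation_editor']}")
```

Running the script prints one line per embedded object; an Equation.3 class name is the cue to hand the native data to the debugger step. Real lure documents often break up the hex stream with extra control words or junk that rtfdump.py tolerates and this regex does not, so treat this as a teaching version of the extraction, not a replacement for the tool.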

Malicious Doc File:
insurance-2017-2018.doc
MD5: 080b3a6dc6ddf645f6c156e1561eb0b8

Tools Used:
Process Monitor: https://docs.microsoft.com/en-us/sysi...
Burp Suite : https://portswigger.net/burp
REMNux: https://remnux.org/
RTFdump: https://blog.didierstevens.com/2016/0...
gflags.exe: https://docs.microsoft.com/en-us/wind...
x64dbg: x64dbg.com

Recommended Reading:
https://embedi.com/blog/skeleton-clos...
https://researchcenter.paloaltonetwor...

Patching:
You should definitely update your Office environment. In the interim you can apply the following registry updates to prevent the EQNEDT32.exe process from launching:

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400

More here from Microsoft:
https://support.microsoft.com/en-us/h...

If you liked the video, press Like, if you loved it, please subscribe. Also, please follow me on Twitter: cybercdh

Thanks for watching!
Published 7 years ago, on 1396/10/08.
16,061 views