Thursday, January 11, 2018

The Bug That Killed Equation Editor - How We Found, Exploited And Micropatched It (CVE-2018-0802)

One of the Seven Stories Behind an Epic Bug Collision

by Mitja Kolsek, the 0patch Team

[Update 1/16/2018: The "killed" Equation Editor can be brought back to life with instructions provided in our subsequent blog post, and protected from known vulnerabilities with our free micropatches.]

Last November, Microsoft manually patched a remotely exploitable security bug in Equation Editor reported by Embedi. While waiting for Embedi to release their proof-of-concept, we tried to create one ourselves based on then-public information. And indeed, just one day before Embedi published their PoC, we created a Word file that crashed Equation Editor using an excessively long font name.

Then we applied Microsoft's update for this issue.

And then our Word file still crashed Equation Editor.

What?

Naturally, we first assumed that we didn't properly apply the update, but it turned out the update blocked Embedi's PoC while ours was still working. This started a short episode in which we created an exploit for a new vulnerability, wrote a micropatch for it, manually patched EQNEDT32.EXE to fix it, and reported this all to Microsoft. (Who then ruined it all by obliterating Equation Editor from Office.)

Apparently Microsoft got seven (!) reports for this issue, which is quite a bug collision. CheckPoint and Qihoo 360 posted their own analyses online.


The Vulnerability

Our PoC used a similar attack vector as Embedi's PoC (namely, the font name), but it turned out that although Microsoft's original patch truncated our font name to 256 bytes (which fixed Embedi's buffer overflow), the truncated font name was still too long for a subsequent strcpy that copied it to a 32-byte buffer on the stack.

Specifically, a long font name was able to overflow the 32-byte lfFaceName buffer in a LOGFONTA structure allocated on the stack by function sub_421774 and passed as a pointer to function sub_421E39 (which is exactly the same issue Qihoo 360 found). So we had 224 bytes to turn a well-formed Windows process into a weird machine that reliably launches the calculator. And so we did.


The Exploit

When I say "we", it was really my colleague Luka Treiber who did all the work here. Not only did he create the initial PoC from scarce details, but he also turned it into a calc-spawning Word document. And mind you, his job was much harder than Embedi's: they did not have to deal with ASLR, while the updated Equation Editor had ASLR enabled, so simply returning to a fixed address was off the table. We're not going to release more details at this point, as the main purpose of the exploit was to demonstrate to Microsoft that the bug was exploitable, and to serve as a test case for our micropatch.


The Micropatch

Our micropatch is trivial, and logically identical to those Microsoft has manually inserted in several places in the previous iteration of Equation Editor patching. Here is its source code.


; Post-CVE-2017-11882 patch for Equation Editor EQNEDT32.EXE 2017.8.14.0 
MODULE_PATH "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"
PATCH_ID 312
PATCH_FORMAT_VER 2
VULN_ID 3276
PLATFORM win32

patchlet_start
 PATCHLET_ID 1
 PATCHLET_TYPE 2
 PATCHLET_OFFSET 0x00021E5B

 code_start

  cmp     ecx, 21h ; is font name length >= 32?
  jb      skip
  mov     ecx, 20h ; if so, cut it down to 32
  call PIT_ExploitBlocked ; and alert the user of the exploit
  skip:

 code_end

patchlet_end

patchlet_start
 PATCHLET_ID 2
 PATCHLET_TYPE 2
 PATCHLET_OFFSET 0x00021E67

 code_start

  xor eax, eax
  stosb ; zero-terminate the string

 code_end

patchlet_end
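The copy described in the vulnerability section and the check the micropatch adds, as an added C example (not 0patch's or Microsoft's code): a simplified stand-in for the LOGFONTA face-name copy, with the unbounded strcpy pattern next to a bounded copy that mirrors the micropatch's cap-then-terminate logic. The struct, function names and the sample font name are constructed for this illustration.

```c
#include <string.h>
#define LF_FACESIZE 32  /* Windows constant: LOGFONTA.lfFaceName holds 32 chars */

/* Simplified stand-in for the Windows LOGFONTA structure (assumption: only
 * the face-name field matters here; the real struct has more fields). */
typedef struct {
    long lfHeight;
    char lfFaceName[LF_FACESIZE];
} LogFontA;

/* The pattern the page describes: an unbounded strcpy into the 32-byte field
 * of a stack-allocated structure. Shown for contrast; nothing below calls it. */
void copy_face_name_unbounded(LogFontA *lf, const char *name)
{
    strcpy(lf->lfFaceName, name);
}

/* Bounded copy mirroring the micropatch's logic: cap the length, then
 * zero-terminate. Returns 1 when truncation happened, the condition under
 * which the patchlet calls PIT_ExploitBlocked. The terminator is kept inside
 * the 32-byte field (31 characters + NUL). */
int copy_face_name_bounded(LogFontA *lf, const char *name)
{
    size_t len = strlen(name);
    int truncated = 0;
    if (len > LF_FACESIZE - 1) {
        len = LF_FACESIZE - 1;
        truncated = 1;
    }
    memcpy(lf->lfFaceName, name, len);
    lf->lfFaceName[len] = '\0';
    return truncated;
}

/* Constructed sample input: a font name of n 'A's (n <= 255, the length
 * Microsoft's first truncation still let through). */
const char *sample_font_name(size_t n)
{
    static char buf[256];
    if (n > 255) n = 255;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int name_was_truncated(const char *name)
{
    LogFontA lf = {0};
    return copy_face_name_bounded(&lf, name);
}
```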


This micropatch has already been distributed to all 0patch Agents around the globe and is protecting Office users who haven't removed the Equation Editor yet.

The following video shows how our exploit works against a fully patched (as of January 8, 2018) Microsoft Word, and how our micropatch instantly and elegantly fixes the vulnerability.




What We Sent To Microsoft

Ordinarily, security researchers send the vendor only a proof-of-concept and the accompanying write-up to explain the vulnerability. But in the era of 0patch, we can do more than that: we sent Microsoft the PoC (RTF file) and the write-up (TXT file), but also our micropatch for this issue in the form of source code (0PP file) as well as a compiled micropatch blob (REG file) that they could test in their own lab. It was our hope that they would try it and see how elegantly micropatching works, and consider using it in the future. (We know a couple of billion users that would really appreciate that.)

Finally, since Equation Editor was apparently being patched manually these days, we also manually patched EQNEDT32.EXE and sent it to Microsoft so they could simply use our patched EQNEDT32.EXE, or copy-paste our patched code into their own version.



Our package for Microsoft



Timeline

November 24, 2017: Sent our package to Microsoft
November 25, 2017: Received Microsoft's receipt confirmation and case ID
November 27, 2017: Received Microsoft's notification that the product team was on the case
December 11, 2017: Received Microsoft's notification that they have successfully reproduced the issue
December 15, 2017: Microsoft confirmed that they "received a lot of reports regarding the issue"
January 3, 2018: Microsoft confirmed that this issue would be addressed in the January Patch Tuesday
January 9, 2018: Microsoft's update published, removing Equation Editor from Office
January 9, 2018: Our micropatch published, immediately distributed and applied to all 0patch Agents to protect users during their "security update gap" until they apply Microsoft's update (which sometimes means several months)


Our Call To Security Researchers

Fellow security researchers, we know you want the vulnerabilities you find to get fixed as quickly as possible (why else would you report them to vendors?). So consider sharing your PoC privately with us after you've reported the bug to the vendor - we'll make a micropatch and issue it at the same time as the vendor issues their update, to protect users who can't quickly - or at all, for whatever reason - apply the official update.

This applies even more if you have a vulnerability that likely won't get an official patch at all - whether the vendor no longer exists or simply refuses to patch. Let's keep perfectly working products usable longer by closing security holes in them. If you want to, you can even create a micropatch yourself with 0patch Agent for Developers (installer and manual at the bottom of https://0patch.com/).


Cheers!

@mkolsek
@0patch
