Thanks to Graham Chantry of SophosLabs for his help with this article.
Remember Microsoft’s Equation Editor?
It was written way back in 2000, before Bill Gates’s famous 2002 “trustworthy computing” email.
That email was a message to everyone at Microsoft to start writing software with security in mind up front, rather than merely as an afterthought.
In other words, the Equation Editor predated both DEP, short for Data Execution Prevention, and ASLR, short for Address Space Layout Randomisation.
These two techniques alone have made bugs such as buffer overflows much harder to exploit.
DEP means that blobs of data can no longer be directly executed as if they were programs, so hackers have to try to deflect the flow of execution into software that the operating system has already loaded.
That means the crooks have to predict in advance where Windows will load its system code for making network connections, opening files, editing the registry, and so on.
But ASLR tells Windows to pick different memory locations for its system functions every time you boot up, so the crooks can’t predict, or even reliably guess, where to go to after a buffer overflow.
Unfortunately, even though Microsoft Office had its security posture beefed up back in 2010, the Equation Editor, also known as EQNEDT32.EXE, did not.
In other words, the otherwise-secure Office apps (including, as it happened, the stripped-down WordPad document editor) could be tricked into launching an insecure sub-process…
…simply by sticking a mathematical equation into a document and saying, “This bit needs the equation editor.”
One rotten apple, as they say, spoils the barrel.
Fortunately, it took 17 years for anyone to figure out this loophole, until late in 2017 when exploits based on abusing EQNEDT32.EXE first showed up.
Microsoft promptly squashed the bug, dubbed CVE-2017-11882 (and offered instructions on how to turn off the equation editor for those who were hesitant to apply the November 2017 Patch Tuesday updates), and that should have been that.
Except that it wasn’t.
Nearly a year after the patch came out, SophosLabs researcher Gabor Szappanos lamented that CVE-2017-11882 had become the most popular document-based attack tool on the underweb.
Tools such as the NebulaOne exploit builder made it easy even for non-technical cybercrooks to churn out malware that was activated by the buggy EQNEDT32.EXE program.
Unlike Office macro macros, which are embedded document programs that you have to approve before they’ll run, booby-trapped equations can exploit the CVE-2017-11882 bug without any warning dialogs popping up.
Sadly, the equation editor bug still seems to be widely unpatched, to the point that Microsoft itself has warned of “increased activity in the past few weeks”:
The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks. Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.
— Microsoft Threat Intelligence (@MsftSecIntel) June 7, 2019
We’ve seen a similar uptick, too, with SophosLabs receiving emails like this one that tries to trick you into opening a booby-trapped attachment:
In the sample above – remember, though, that subject lines, email content and filenames change all the time – the attachment is a RAR archive that contains a .doc file.
Ironically, the RAR file has been given the name of a different archive format, .gz (short for Gzip), and the .doc file is actually in Rich Text Format (longhand for RTF), but the combination is nevertheless effective.
The booby-trapped file is blocked by Sophos products as Troj/RTFExp-EP, where RTFExp is shorthand for Rich Text Format exploit.)
Archive extraction tools will typically offer to open any file that has an archive-related extension, even if it’s mis-named, and figure out which unarchiving algorithm to use when you click on it.
Likewise, Office and WordPad will happily open .doc files on the basis of their name, and automatically recognise them as RTF files if needed.
Simply put, RTF files don’t need a .RTF extension, and RAR files don’t have to be called .RAR – the programs that handle them take care of the how once you have decided on the what.
Becuase CVE-2017-11882 can be exploited to trick EQNEDT32.EXE into doing almost anything, the details of what happens next can be altered by the crooks as easily as they can change the email subject or the attachment name.
In the example above, the booby-trapped attachment used EQNEDT32.EXE to try to download and execute a Windows program, which was given a name consisting of random string of digits followed by .EXE.
The site used to host the downloaded malware seems to be an improperly configured home user’s website in Poland. (Both the site and the download were blocked by Sophos products.)
What to do?
- Don’t skip patches. Whether by accident or design, it’s easy to miss out on a patch along the way and never go back to check that you really are up-to-date. Don’t make life easy for the crooks by leaving a door open that you could have closed 18 months ago!
- Use a on-access (real-time) anti-virus. Lots computers come with built-in security software these days, but one-size-fits-all cybersecurity should be treated as a basic layer that you use to tide you over until you can apply defence in depth.
- Filter your email. Don’t just look for known malware – take your safety one step further. If you rarely or never use RAR files, for example, or if you prefer PDFs to RTFs, block the file types you don’t need and you will end up with less to worry about.
- Keep track of your websites. Don’t enable online services or create online accounts just because they come free with your internet access contract. Crooks will happily take over forgotten or neglected accounts, leaving you to take the blame for helping them to attack the next guy.
Leave a Reply