FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gthirugnanasa
Article Id 191238
Description


Microsoft Equation Editor: 

Microsoft Equation Editor (EQNEDT32.EXE) is a legacy Microsoft Office component used to display mathematical equations in Office documents. It was created in 2000 and, in retrospect, was vulnerable throughout its lifespan, until Microsoft removed it from all Office versions in January 2018 and replaced it with a new equation editor.


CVE-2017-11882: 

Microsoft Equation Editor contains a stack buffer overflow vulnerability caused by improper handling of objects in memory; it allows arbitrary code execution in the context of the current user. A document that exploits this vulnerability is able to download and execute a further malicious file.


Affected versions: 

Multiple Microsoft Office versions are affected, up to Word 2016.


Pre-Execution:

FortiEDR detects a suspicious script execution and blocks the Equation Editor process from running.


Post-Execution:

To observe how FortiEDR handles the shellcode execution, the script execution can be allowed either by setting an exception on the legacy Equation Editor or by setting the Prevention policy to Simulation mode.


When the malicious RTF document is opened, CVE-2017-11882 is exploited to download a malicious payload through the Internet Explorer process. This post-exploitation activity is detected and blocked by FortiEDR.



Threat Hunting:

The threat hunting query given below can be used to find suspicious Word documents that launch the Equation Editor process (EQNEDT32.EXE).




The threat hunting query below helps to identify Equation Editor processes that spawn the iexplore process to download malicious payloads.



The malicious payload can be found by checking the files created by the winword.exe process.
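The three hunts above (Office host spawning Equation Editor, Equation Editor spawning iexplore, and executable files written by winword.exe) can be expressed as a single pass over process-creation and file-creation telemetry. The following is an added example in Python, not a FortiEDR query; the event dictionaries, their field names (pid, ppid, image, cmdline, path) and the sample telemetry are constructed for this illustration.

```python
import ntpath

EQUATION_EDITOR = "eqnedt32.exe"
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOADERS = {"iexplore.exe"}
SUSPICIOUS_EXT = {".exe", ".dll", ".scr", ".vbs", ".js", ".ps1"}


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def hunt(proc_events, file_events):
    """Return (rule, pid, detail) findings for the three hunts in the article:
    Office -> Equation Editor, Equation Editor -> iexplore, executables written by Office."""
    by_pid = {e["pid"]: e for e in proc_events}  # assumes pids are unique in the window
    findings = []
    for e in proc_events:
        parent = by_pid.get(e["ppid"])
        if parent is None:  # parent not in telemetry window; nothing to correlate
            continue
        child, par = image_name(e["image"]), image_name(parent["image"])
        if par in OFFICE_HOSTS and child == EQUATION_EDITOR:
            findings.append(("office_spawns_equation_editor", e["pid"], par))
        if par == EQUATION_EDITOR and child in DOWNLOADERS:
            findings.append(("equation_editor_spawns_browser", e["pid"], e["cmdline"]))
    for f in file_events:
        writer = by_pid.get(f["pid"])
        ext = ntpath.splitext(f["path"])[1].lower()
        if writer and image_name(writer["image"]) in OFFICE_HOSTS and ext in SUSPICIOUS_EXT:
            findings.append(("office_writes_executable", f["pid"], f["path"]))
    return findings


# Constructed sample telemetry (not real data): one infected Word session plus a benign browser.
PROC_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "cmdline": 'WINWORD.EXE "invoice.rtf"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "cmdline": "EQNEDT32.EXE -Embedding"},
    {"pid": 400, "ppid": 300, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "cmdline": "iexplore.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe", "cmdline": "iexplore.exe"},  # user-launched, benign
]
FILE_EVENTS = [
    {"pid": 200, "path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"pid": 200, "path": r"C:\Users\alice\AppData\Local\Temp\~$invoice.rtf"},  # normal Word lock file
]

if __name__ == "__main__":
    for finding in hunt(PROC_EVENTS, FILE_EVENTS):
        print(finding)
```

The user-launched iexplore.exe (pid 500) and Word's own lock file produce no findings, so the rules key on the parent/child relationship rather than on the image names alone.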



IOC:


c88d0f7d623b2a2c066dd6b15597d1f4c44d89e7a8e660e28c3494f441826ea5





The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts monitors, reviews and analyzes every alert, proactively hunts threats, and takes actions on behalf of customers to ensure they are protected according to their risk profile. 



