@rxwx
Last active Feb 21, 2020
Notes on new Equation Editor Exploit, CVE-2018-0802 variant

New Equation Editor Exploit Variant

On 19/03/18, a large number of RTF samples started triggering one of my "suspicious" RTF rules. Looking at the samples, they all appeared to have around 2-4 detections, which seemed curious. This was confirmed by Mitja Kolsek to be a new variant of CVE-2018-0802, which is already covered by 0patch and was patched by Microsoft in January 2018. However, the technique is not unique to CVE-2018-0802 and can also be seen used to exploit CVE-2017-11882.

This was also seen by Shiao Qu. There is a blog post (in Chinese) explaining some of the technical details of how the obfuscation technique works.

Yara rule

rule curious_equation {
    meta:
        hash = "148292d1f03cf91c127f11e6d30a002ebf1aa8b3c971ec5036038392abd79d25"
    strings:
        $exp_clsid = "0002CE020000000000C000000000000046" ascii nocase
        $exp_objupdate = "objupdate" ascii nocase
        $exp_ole_native = "4F006C006500310030004E00610074006900760065" ascii nocase
        $exp_jmp_eax = /FFFFFFFFFFFFFFFFFFFFFFFFFFFF([0-9a-fA-F]{140})FFE0/ ascii nocase
        $excl_progid = "Equation.3" ascii nocase
        $excl_objclass = "objclass" ascii nocase
    condition:
        uint32be(0) == 0x7B5C7274 and all of ($exp_*) and not any of ($excl_*)
}
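The same detection logic as a plain-Python checker, added here as an example and not part of the gist: it reproduces each string and the condition of the rule above so it can be tested without a YARA install. Both RTF inputs are constructed marker-only fragments (the Equation.3 CLSID as hex, \objupdate, the UTF-16LE "Ole10Native" stream name as hex, and an FF-padded run ending in FFE0); they are not real samples.

```python
import re

# Constructed test input (not a real sample): an RTF fragment carrying every
# marker the rule looks for and no \objclass / Equation.3 declaration.
CURIOUS_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objdata "
    b"0002CE020000000000C000000000000046"              # Equation.3 CLSID as hex
    b"4F006C006500310030004E00610074006900760065"      # "Ole10Native" UTF-16LE as hex
    + b"FF" * 14 + b"00" * 70 + b"FFE0" + b"}}}"       # FF padding, 70 bytes, jmp eax
)
# Same fragment declared the ordinary way, which the rule deliberately excludes.
ORDINARY_RTF = CURIOUS_RTF.replace(
    b"\\objupdate", b"\\objupdate\\objclass Equation.3")

RTF_MAGIC = b"{\\rt"  # uint32be(0) == 0x7B5C7274
EXP_STRINGS = {
    "exp_clsid": b"0002CE020000000000C000000000000046",
    "exp_objupdate": b"objupdate",
    "exp_ole_native": b"4F006C006500310030004E00610074006900760065",
}
# 14 x "FF" (28 hex chars), exactly 70 hex-encoded bytes, then FFE0 (jmp eax).
EXP_JMP_EAX = re.compile(rb"F{28}([0-9A-F]{140})FFE0", re.IGNORECASE)
EXCL_STRINGS = {"excl_progid": b"Equation.3", "excl_objclass": b"objclass"}


def scan(data: bytes) -> dict:
    """Return which of the rule's strings hit; keys mirror the YARA names."""
    low = data.lower()  # emulate `ascii nocase`
    hits = {name: pat.lower() in low for name, pat in EXP_STRINGS.items()}
    hits["exp_jmp_eax"] = EXP_JMP_EAX.search(data) is not None
    hits.update({name: pat.lower() in low for name, pat in EXCL_STRINGS.items()})
    return hits


def matches_curious_equation(data: bytes) -> bool:
    """Rule condition: RTF magic at offset 0, all $exp_* hit, no $excl_* hit."""
    if data[:4] != RTF_MAGIC:
        return False
    hits = scan(data)
    required = list(EXP_STRINGS) + ["exp_jmp_eax"]
    return all(hits[k] for k in required) and not any(hits[k] for k in EXCL_STRINGS)


if __name__ == "__main__":
    for label, blob in (("curious", CURIOUS_RTF), ("ordinary", ORDINARY_RTF)):
        print(label, matches_curious_equation(blob), scan(blob))
```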

Sample Hashes