Today's video covers how to analyze CVE-2017-11882, the Microsoft Office Equation Editor buffer overflow. We also touch on three distinct methods for debugging awkward programs: assembly-fu, registry hacks, and gflags magic.
Filename: 7ccd19d3dc34c6dbee600961d73cee0c.rtf
MD5: a1fcfd23988726f5a52f173afefb9652
Video Walkthrough
CVE-2017-11882 Background
CVE-2017-11882 is a critical vulnerability disclosed, and patched by Microsoft, in November 2017. It affects Microsoft Office 2007 through Office 2016. The root cause is a stack-based buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE): while parsing an equation's MTEF data, the component copies the font name from a FONT record into a fixed-size stack buffer without checking its length, so an oversized name overwrites the saved return address. Successful exploitation runs arbitrary code with the privileges of the logged-in user.
To exploit it, an attacker crafts a document (usually an RTF, which carries embedded OLE objects as plain hex in \objdata) containing an Equation.3 object whose MTEF data holds an oversized font name. When the victim opens the file and the object is activated, Office starts EQNEDT32.EXE, the overflow fires, and execution is redirected to attacker-controlled code with no user interaction beyond opening the file. One caveat worth checking when you triage a sample: a document opened in Protected View does not activate embedded objects, so a file that arrives from the internet or as a mail attachment typically needs the user to click Enable Editing before the bug can trigger.
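The static triage a practitioner wants at this point is a scanner that pulls the embedded object out of the RTF and checks the FONT record the paragraph describes. The script below is an added example, not the page's tooling and not derived from the sample named above: it decodes every \objdata blob, confirms the object is an Equation.3 object (class name or CLSID), locates the MTEF header, measures the font name, and, when the name is long enough to reach the saved return address, reports the candidate address and whether it falls inside the non-ASLR EQNEDT32.EXE image. The 36-byte buffer size, the 44-byte offset to the return address and the 0x00400000 image range are assumptions taken from public analyses; the two sample documents are constructed in-line and omit the OLE2 compound-file wrapper that a real object carries, since the byte scanner does not need it.

```python
"""Static triage of an RTF for a CVE-2017-11882-style Equation object (added example)."""
import re
import struct

EQUATION_CLASS = b"Equation.3"
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, little-endian
# as stored in an OLE directory entry.
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
# MTEF header: version 3, platform Windows (1), product Equation Editor (1),
# product version 3; a product sub-version byte follows.
MTEF_HEADER = b"\x03\x01\x01\x03"
FONT_TAG = 0x08
FONT_BUF_SIZE = 36   # assumption: size of the stack buffer the name is copied into
RET_OFFSET = 44      # assumption: distance from that buffer to the saved return address
IMAGE_LO, IMAGE_HI = 0x00400000, 0x00500000   # assumed range of the non-ASLR image

_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex blob in the RTF to raw bytes."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexchars = re.sub(rb"\s+", b"", m.group(1))
        if len(hexchars) % 2:            # tolerate a truncated trailing nibble
            hexchars = hexchars[:-1]
        blobs.append(bytes.fromhex(hexchars.decode("ascii")))
    return blobs


def font_records(blob: bytes) -> list:
    """Describe the FONT record that follows each MTEF header in the blob.

    Heuristic: the first 0x08 byte after the 5-byte MTEF header is taken as the
    FONT tag (tag, typeface, style, NUL-terminated name); a full MTEF parser
    would walk every record by type instead.
    """
    findings, pos = [], 0
    while (hdr := blob.find(MTEF_HEADER, pos)) >= 0:
        pos = hdr + 5
        tag = blob.find(bytes([FONT_TAG]), pos)
        if tag < 0:
            continue
        name_start = tag + 3
        nul = blob.find(b"\x00", name_start)
        name = blob[name_start:nul] if nul >= 0 else blob[name_start:]
        rec = {"offset": tag, "name": name, "length": len(name),
               "overflow": len(name) > FONT_BUF_SIZE,
               "ret_addr": None, "ret_in_image": False}
        # The copy stops at the first NUL and the exploit relies on that NUL being
        # the high byte of the address, so RET_OFFSET + 3 name bytes means all
        # four address bytes landed on the saved return address.
        ret_pos = name_start + RET_OFFSET
        if len(name) >= RET_OFFSET + 3 and ret_pos + 4 <= len(blob):
            rec["ret_addr"] = struct.unpack_from("<I", blob, ret_pos)[0]
            rec["ret_in_image"] = IMAGE_LO <= rec["ret_addr"] < IMAGE_HI
        findings.append(rec)
    return findings


def triage(rtf: bytes) -> dict:
    """Summarise Equation-object indicators across all embedded objects."""
    result = {"objects": 0, "equation_objects": 0, "overflows": 0, "ret_addrs": []}
    for blob in extract_objdata(rtf):
        result["objects"] += 1
        if EQUATION_CLASS in blob or EQUATION_CLSID in blob:
            result["equation_objects"] += 1
        for rec in font_records(blob):
            result["overflows"] += rec["overflow"]
            if rec["ret_addr"] is not None:
                result["ret_addrs"].append(rec["ret_addr"])
    result["suspicious"] = result["overflows"] > 0
    return result


# --- constructed sample documents (not the sample named on this page) -------

def _ole1_header(class_name: bytes, native_len: int) -> bytes:
    """OLE1 ObjectHeader: version 0x501, format 2 (embedded), class name, no topic/item."""
    cname = class_name + b"\x00"
    return (struct.pack("<III", 0x0501, 2, len(cname)) + cname
            + struct.pack("<III", 0, 0, native_len))


def _equation_native(mtef: bytes) -> bytes:
    """EQNOLEFILEHDR (cbHdr 0x1C, version 0x20000, cf, cbObject, 4 reserved) + MTEF data."""
    return struct.pack("<HIHI4I", 0x1C, 0x00020000, 0, len(mtef), 0, 0, 0, 0) + mtef


def _rtf_with_object(native: bytes) -> bytes:
    body = _ole1_header(EQUATION_CLASS, len(native)) + native
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
            + body.hex().encode() + b"}}}")


_MTEF_PREFIX = MTEF_HEADER + b"\x0A" + b"\x0A\x01"        # header, FULL size, LINE
BENIGN_RTF = _rtf_with_object(_equation_native(
    _MTEF_PREFIX + bytes([FONT_TAG, 0x01, 0x00]) + b"Times New Roman\x00\x00"))
# 44-byte command plus a constructed little-endian address inside the image range;
# the address's trailing 0x00 is what terminates the copy.
_OVERFLOW_NAME = b"cmd.exe /c calc.exe".ljust(44, b" ") + struct.pack("<I", 0x00430C12)
MALICIOUS_RTF = _rtf_with_object(_equation_native(
    _MTEF_PREFIX + bytes([FONT_TAG, 0x5A, 0x5A]) + _OVERFLOW_NAME + b"\x00"))

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_RTF), ("malicious", MALICIOUS_RTF)):
        print(label, triage(doc))
```

Run it on a real RTF with `triage(open(path, "rb").read())`. Heavily obfuscated RTFs (split control words, junk between hex digits, nested objects) defeat the simple regex; for those, pre-clean with a dedicated RTF parser and feed the decoded object bytes straight to `font_records`.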
Exploitation in the Wild
Although Microsoft patched EQNEDT32.EXE in November 2017 and removed Equation Editor from Office altogether in January 2018, this vulnerability remains a favorite of cybercriminals and APT groups alike. EQNEDT32.EXE was compiled in 2000 and never rebuilt with modern mitigations: it lacks ASLR and stack cookies, so its image always loads at the same base and a hard-coded return address works on every unpatched target. The original exploit did not even have to defeat DEP, since it returned into existing code inside the image. That makes the component the "path of least resistance" compared with the main Office binaries.
In many campaigns the bug is only the initial foothold, used to drop second-stage payloads such as Formbook, Agent Tesla, or ransomware. It also undermines detection that keys on the Office processes: the payload is not a child of WINWORD.EXE or EXCEL.EXE but of EQNEDT32.EXE, which is itself started by COM (its parent is the svchost.exe hosting DcomLaunch), so monitoring that only watches the Office processes and their direct children misses the whole chain.
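To make the process-tree point concrete, here is an added example (not from the page or the video) of detection logic run over constructed Sysmon-style process-creation records. It flags EQNEDT32.EXE starting at all, flags anything EQNEDT32.EXE spawns, and for comparison applies the conventional "Office application spawned a child" rule, which sees the harmless notepad.exe under WINWORD.EXE but never the cmd.exe whose parent is Equation Editor. The event rows, the list of suspicious child binaries and the severities are all my own constructions; only the install path of EQNEDT32.EXE and its svchost.exe/DcomLaunch parent follow real Windows behaviour.

```python
"""Flag Equation Editor activity in process-creation telemetry (added example)."""
import ntpath

EQNEDT = "eqnedt32.exe"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and LOLBins that Equation Editor has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed records, not real telemetry: pid|image|parent_image|command_line
SAMPLE_EVENTS = r"""
4120|C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe|svchost.exe -k DcomLaunch
5532|C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE|C:\Windows\explorer.exe|WINWORD.EXE /n invoice.rtf
6008|C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|C:\Windows\System32\svchost.exe|EQNEDT32.EXE -Embedding
6044|C:\Windows\System32\cmd.exe|C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE|cmd.exe /c calc.exe
6102|C:\Windows\System32\notepad.exe|C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE|notepad.exe
"""


def parse_events(text: str) -> list:
    """Parse the pipe-separated records into dicts."""
    events = []
    for line in text.strip().splitlines():
        pid, image, parent, cmdline = line.split("|", 3)
        events.append({"pid": int(pid), "image": image,
                       "parent_image": parent, "command_line": cmdline})
    return events


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host)."""
    return ntpath.basename(path).lower()


def detect(events: list) -> list:
    """Return one alert dict per event that matches a rule."""
    alerts = []
    for ev in events:
        image, parent = _exe(ev["image"]), _exe(ev["parent_image"])
        if image == EQNEDT:
            # COM starts Equation Editor on behalf of Word, so its parent is
            # svchost.exe (DcomLaunch), never WINWORD.EXE. Rules keyed on Office
            # parent processes therefore see neither this event nor its children.
            alerts.append({"rule": "eqnedt32_started", "pid": ev["pid"],
                           "severity": "low", "detail": parent})
        elif parent == EQNEDT:
            sev = "high" if image in SUSPICIOUS_CHILDREN else "medium"
            alerts.append({"rule": "eqnedt32_child", "pid": ev["pid"],
                           "severity": sev, "detail": ev["command_line"]})
        elif parent in OFFICE_APPS:
            # The conventional rule: fires for notepad.exe under WINWORD.EXE,
            # but never for the cmd.exe whose parent is EQNEDT32.EXE.
            alerts.append({"rule": "office_child", "pid": ev["pid"],
                           "severity": "low", "detail": image})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Since Equation Editor was removed from Office in January 2018, the `eqnedt32_started` rule alone is worth a look on any estate that should no longer have the component installed.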
Debugging Challenges
One of the biggest hurdles in analyzing this CVE is that the vulnerable process is not launched directly by Word: Office asks COM to start EQNEDT32.EXE as an out-of-process server, so its parent is svchost.exe, and attaching to WINWORD.EXE with child-process debugging never picks it up. Attaching by hand and hitting F9 rarely works either, because by the time the process appears the overflow has usually already fired and the process is gone. In the video we demonstrate how to use GFlags, which writes an Image File Execution Options (IFEO) entry for EQNEDT32.EXE under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options with a Debugger value. Windows then runs that debugger with the original EQNEDT32.EXE command line appended, so the debugger launches Equation Editor as its debuggee from the first instruction and you never miss the overflow. One caveat: the IFEO entry applies to every launch of EQNEDT32.EXE on that machine, so remove it when you are done.
