Tuesday, January 16, 2018

Micropatching Brings The Abandoned Equation Editor Back To Life

How We Security-Adopted a Terminated Software Product

by Mitja Kolsek, the 0patch Team




Intro

A few days ago Microsoft's update removed Equation Editor from Microsoft Office, official reason being "security issues with its implementation." Most Office users couldn't care less about this removal, but if you've been happily using Equation Editor to edit Word documents with mathematical formulas just days ago, you suddenly can't do that anymore. You will still see your formulas in the document but you won't be able to edit them. Instead you'll get this:





We have no idea how many users are affected, but Twitter user @glyph raises an interesting point that those who work with Equation Editor may be tempted to forego this Office update - and by extension all future Office updates -, which will leave them vulnerable to exploits published in the future.   



Worse even, affected users may decide to migrate back to unsupported versions of Office that don't receive security updates at all. This user, for instance, reports going back to Office 2000 on his Windows 10 computer. Office 2000 stopped receiving security updates in 2009.

Microsoft suggested affected users can "edit Equation Editor 3.0 equations without security issues" with Wiris Suite's MathType, a commercial application that costs $97 ($57 academic). They did not specify the basis upon which the phrase "without security issues" was provided, but MathType seems to have a clean public security record so far. Which doesn't say much as that was also true for Equation Editor until someone opened its hood.

We haven't tested MathType and can't tell how easy it is to start using it instead of Equation Editor with existing Word documents, but we don't particularly like the idea of suddenly deleting from users' computers a tool they might be using, and sending them to a store to buy a replacement.

Microsoft's unwillingness to continue supporting Equation Editor is understandable. Their manual patching of its recently discovered vulnerability reveals that, for whatever reason, their standard patching process cannot be applied to Equation Editor, and a deviation like that can be expensive. Furthermore, while they aren't new to manually patching executables, such patching can sometimes be fairly difficult to do. When you patch executable files directly, you may have to come up with a different clever space-saving hack for each patch, which can sometimes be very difficult and time-consuming. For instance, Microsoft's manual patches of Equation Editor required the patch author to invent a way to get some free space in the code for additional patch logic by de-optimizing a memory-copying routine.

So when Microsoft was faced with 8 (eight!)* new vulnerabilities in Equation Editor reported after their manual patch, they gave up on the idea of continuing manual support for it.

We, on the other hand, haven't.

You see, it's much easier for us to create and support binary patches for a given executable module than it is for Microsoft. Why? Because we have a micropatch delivery agent (0patch Agent) that not only instantly downloads micropatches, but also injects them into running processes on the computer while automatically making room for the added code. So we don't have to invent a new way of making room for every micropatch we make, and can therefore focus on the patch itself. We also deliver our micropatches to agents every hour, and they are as trivial to revoke and un-apply as they are to apply. As much as we hate to repeat ourselves, this is how we believe security patching should look like in this century.

That said, we've already issued our micropatch for CVE-2017-0802, and it's been applied to all computers running 0patch Agent where the latest version of Equation Editor is still present. We're also teaming up with other security researchers who have found vulnerabilities in Equation Editor to micropatch those issues too. We urge everyone who finds additional security issues in Equation Editor to share their findings with us and help up create micropatches for them.


Bringing Equation Editor Back To Life


So you've installed Office Updates from January 9th 2018 and Equation Editor got removed from your computer. Specifically, the update deleted five files (including EQNEDT32.EXE) from the EQUATION folder, leaving the 1033 subfolder and EEINT.DLL inside it intact. It also unregistered Equation Editor as a local COM server by deleting CLSID {0002CE02-0000-0000-C000-000000000046} from registry. Note that Office 2016 still has several files in the EQUATION folder after the update, and in some cases, a 0-byte EQNEDT32.EXE file is left on the system.

The location of the EQUATION folder depends on both the Office version and whether it's 32-bit or 64-bit Office. These are the default locations:

  • 32-bit Office 2007, 2010 and 2013 on 32-bit Windows: C:\Program Files\Common Files\microsoft shared\EQUATION
  • 32-bit Office 2007, 2010 and 2013 on 64-bit Windows: C:\Program Files (x86)\Common Files\microsoft shared\EQUATION
  • 64-bit Office 2007, 2010 and 2013: C:\Program Files\Common Files\Microsoft Shared\EQUATION
  • 32-bit Office 2016 and 365 on 32-bit Windows: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION
  • 32-bit Office 2016 and 365 on 64-bit Windows: C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION
  • 64-bit Office 2016 and 365: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION

The following images depict the before-and-after of the EQUATION folder when applying the January 2018 Office update.


Office 2010: Content of the EQUATION folder before the update


Office 2010: Content of the EQUATION folder after the update



In order to get Equation Editor back while continuing to receive future Office security updates you need to do two things:

  1. Restore deleted Equation Editor files.
  2. Re-register Equation Editor as a local COM server.
  3. Install free 0patch Agent to keep Equation Editor patched against known vulnerabilities.

Obviously, you don't technically need the last step to get Equation Editor working again, but you don't want to be vulnerable to trivial inexpensive attacks that can be delivered in any Word document you ever receive. So just to be clear, we don't recommend performing steps A and B if you don't also perform step C.


A. Restore deleted Equation Editor files

(Disclaimer: The following is not an official Microsoft-supported procedure and is not guaranteed to work or to not have unwanted side effects. In addition, future Office updates may bring additional blocking of Equation Editor and disable its use. You're doing this at your own risk.) 

Unfortunately uninstalling the Office security update that removed Equation Editor doesn't bring the deleted files back. This leaves you with two options: (a) find a copy of Office you haven't updated yet, or (b) reinstall Office from your original media and apply all updates up to and including November 2017 updates. Once you do any of these, you will find these files in the EQUATION folder (possibly along some other files in Office 2016):

  • EQNEDT32.CNT - help file index
  • EQNEDT32.EXE - Equation Editor executable
  • eqnedt32.exe.manifest - Equation Editor manifest file
  • EQNEDT32.HLP - help file
  • MTEXTRA.TTF - MathType font file

Make sure you have EQNEDT32.EXE version 2017.8.14.0, which is the latest version provided by Microsoft.

What you don't want to do is download the missing files from the Internet, as that is not only a potential violation of your license, but also a great way to get malware on your computer. So don't do that.

Once you have the above Equation Editor files at hand, copy them to the EQUATION folder from which they have been removed on a computer with all updates (including the January 2018 Office update) installed. You will need to have administrative permissions for this, and you may be prompted to overwrite an existing 0-byte EQNEDT32.EXE, which seems to be left on some systems.


B. Re-register Equation Editor as a local COM server

Registering a local COM server requires creating a valid CLSID registry key with required subkeys and values. To make it easier for you, we prepared a template .REG file that you can edit and import in your registry. To do so, follow these instructions:

  1. Download EquationEditor.reg.
  2. Edit EquationEditor.reg, find in it the path to EQNEDT32.EXE, and change it to the actual path on your computer.
  3. Import the modified EquationEditor.reg to registry.

Voila, if everything went well, you can now edit your equation objects in Equation Editor again, and save them back to Word files. Note that it sometimes takes up to a few minutes for this registry change to come into effect; until it does, opening an equation object will result in the "Microsoft Equation is not available" error.

If Equation Editor complains that it's missing a font, reinstall MTEXTRA.TTF.

But you're not done yet! Now you have to get your Equation Editor patched. On to step C.


C. Install 0patch Agent

0patch provides free micropatches for Equation Editor (and many other software products). To install it, download and launch the installer, create a free 0patch account and register the agent to that account. You will immediately receive all Equation Editor micropatches - currently just one for CVE-2018-0802, but as we receive details on the other vulnerabilities, we'll issue additional micropatches.


Expected Questions

These are some of the questions we anticipate and would like to answer in advance.


Q: Why are you doing this? Equation Editor is a 17-year-old pile of insecure code and should die!

In today's "Move fast and break things" world we're accustomed to the idea that software must be perpetually and frequently replaced with new versions. In fact, much of the global software business is built on "incentivizing" users to buy a new version of a product that works just fine for them. Of course the underlying hardware is improving, and new attacks are being invented, so software code effectively does get worse in time even if it doesn't change a bit, but let's hold back for a moment.

"17-year-old code" sounds borderline outrageous to many, but we often forget that there are products we want to keep for 20 years or more. Say, medical devices. If an MRI machine running a  reasonably new, well tested operating system costs $500k, and its hardware can be serviced for 20 years, do we really want to throw it out after 10 years because it stops getting security updates from the OS vendor? Heck no. What we actually want is for it to remain immutable as much as possible for 20 years, and not get any software changes that aren't necessary for its function and security. This is hard to grasp if you're used to replacing half of your operating system every month.

Clearly, Equation Editor is not a life-critical piece of equipment and seems relatively cheap to replace. It does, however, allow for a nice demonstration how an abandoned software product can be "security-adopted" by a 3rd party, allowing its continued use without exposing one's environment to cheap public exploits.


Q: Isn't Equation Editor full of vulnerabilities and risky to use even if you patch the publicly known issues?

It's impossible to say whether any software product is "full of vulnerabilities" or not without thoroughly inspecting it. The fact that nine vulnerabilities have been recently found in it is easily explained by the fact that before Embedi decided to look under the hood, Equation Editor was shielded by a veil of obscurity. Once they've pointed out how its attack surface can be reached from a Word document, it became an easy toy to play with and apparently attracted many researchers. The additional eight vulnerabilities were most likely all low-hanging fruit, i.e., easy to find. But once we patch them, will it be easy to find the next one? No one knows, and if anyone claims to know, kindly ask them for evidence.  


Q: How long are you planning to provide patches for Equation Editor?

With the details we currently have about the known vulnerabilities in Equation Editor, it seems it should be easy for us to micropatch them. Should anyone find additional vulnerabilities in it (and since it's been removed from Office, very few will bother searching), we'll try to micropatch that too. It could happen, although unlikely, that a design vulnerability is found which would be extremely difficult to micropatch, or would require an unreasonable amount of effort on our part. In such case we too will abandon our security support. We hope this will not happen.


Q: How will we receive subsequent micropatches for Equation Editor?

As long as 0patch Agent on your computer has access to the Internet, all subsequent micropatches for Equation Editor will be automatically delivered to your computer and immediately, automatically applied to Equation Editor when it gets launched. If you happen to be using Equation Editor when a new micropatch arrives, the micropatch will get applied to it without disturbing you (i.e., you won't even have to relaunch Equation Editor). 


Outro

There you go. Let us know how this works for you - share your experience, questions and possible concerns in the comments below.

Note that we can only provide support for our micropatches (email to support@0patch.com) and not general technical support for Equation Editor. If you encounter any issues with Equation Editor that you haven't seen before, first disable 0patch Agent and see if the issue is still there. If disabling the Agent resolves the issue, please report it to us, otherwise contact Microsoft.


Cheers!

@mkolsek
@0patch


* The initial public perception after the January Patch Tuesday was that Equation Editor had a single reported vulnerability (CVE-2018-0802) when in fact it was eight of them. However, there have been no public details available on these additional issues as of this writing.




Thursday, January 11, 2018

The Bug That Killed Equation Editor - How We Found, Exploited And Micropatched It (CVE-2018-0802)

One of the Seven Stories Behind an Epic Bug Collision

by Mitja Kolsek, the 0patch Team


Last November, Microsoft manually patched a remotely exploitable security bug in Equation Editor reported by Embedi. While waiting for Embedi to release their proof-of-concept, we tried to create one ourselves based on then-public information. And indeed, just one day before Embedi published their PoC, we created a Word file that crashed Equation Editor using an excessively long font name.

Then we applied Microsoft's update for this issue.

And then our Word file still crashed Equation Editor.

What?

Naturally, we first assumed that we didn't properly apply the update, but it turned out the update blocked Embedi's PoC while ours was still working. This started a short episode in which we created an exploit for a new vulnerability, wrote a micropatch for it, manually patched EQNEDT32.EXE to fix it, and reported this all to Microsoft. (Who then ruined it all by obliterating Equation Editor from Office.)

Apparently Microsoft got seven (!) reports for this issue, which is quite a bug collision. CheckPoint and Qihoo 360 posted their own analyses online.


The Vulnerability

Our PoC used a similar attack vector as Embedi's PoC (namely, font name), but it turned out that although Microsoft's original patch truncated our font name to 256 bytes (which fixed Embedi's buffer overflow), the truncated font name was still too long for some subsequent strcpy which copied it to a 32-byte buffer on stack.

Specifically, a long font name was able to overflow the 32-byte lfFaceName buffer in a LOGFONTA structure allocated on stack by function sub_421774 and passed as a pointer to function sub_421E39 (which is exactly the same issue Qihoo 360 found). So we had 224 bytes to turn a well-formed Windows process into a weird machine that reliably launches the calculator. And so we did.


The Exploit

When I say "we", it was really my colleague Luka Treiber who did all the work here. Not only he created the initial PoC from scarce details, but he also turned it into a calc-spawning Word document. And mind you, his job was much harder than Embedi's: they did not have to deal with ASLR, while the updated Equation Editor had ASLR enabled so simply returning to a fixed address was off the table. We're not going to release more details at this point as the main purpose of the exploit was to demonstrate to Microsoft that the bug was exploitable, and to serve as a test case for our micropatch.


The Micropatch

Our micropatch is trivial, and logically identical to those Microsoft has manually inserted in several places in the previous iteration of Equation Editor patching. Here is its source code.


; Post-CVE-2017-11882 patch for Equation Editor EQNEDT32.EXE 2017.8.14.0 
MODULE_PATH "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"
PATCH_ID 312
PATCH_FORMAT_VER 2
VULN_ID 3276
PLATFORM win32

patchlet_start
 PATCHLET_ID 1
 PATCHLET_TYPE 2
 PATCHLET_OFFSET 0x00021E5B

 code_start

  cmp     ecx, 21h ; is font name length >= 32?
  jb      skip
  mov     ecx, 20h ; if so, cut it down to 32
  call PIT_ExploitBlocked ; and alert the user of the exploit
  skip:

 code_end

patchlet_end

patchlet_start
 PATCHLET_ID 2
 PATCHLET_TYPE 2
 PATCHLET_OFFSET 0x00021E67

 code_start

  xor eax, eax
  stosb ; zero-terminate the string

 code_end

patchlet_end


This micropatch has already been distributed to all 0patch Agents around the globe and is protecting Office users who haven't removed the Equation Editor yet.

The following video shows how our exploit works against a fully patched (as of January 8, 2018) Microsoft Word, and how our micropatch instantly and elegantly fixes the vulnerability.




What We Sent To Microsoft

Ordinarily, security researchers send the vendor only a proof-of-concept and the accompanying write-up to explain the vulnerability. But in the era of 0patch, we can do more than that: We sent Microsoft the PoC (RTF file) and the write-up (TXT file), but also our micropatch for this issue in form of source code (0PP file) as well as a compiled micropatch blob (REG file) that they could test in their own lab. It was our hope that they would try and see how elegantly micropatching works, and consider using it in the future. (We know a couple of billion users that would really appreciate that.)

Finally, since Equation Editor seemed to be patched manually these days, we also manually patched EQNEDT32.EXE and sent it to Microsoft so they could simply use our patched EQNEDT32.EXE, or copy-paste our patched code to their own version.



Our package for Microsoft



Timeline

November 24, 2017: Sent our package to Microsoft
November 25, 2017: Received Microsoft's receipt confirmation and case ID
November 27, 2017: Received Microsoft's notification that the product team was on the case
December 11, 2017: Received Microsoft's notification that they have successfully reproduced the issue
December 15, 2017: Microsoft confirmed that they "received a lot of reports regarding the issue"
January 3, 2018: Microsoft confirmed that this issue would be addressed in the January Patch Tuesday
January 9, 2018: Microsoft's update published, removing Equation Editor from Office
January 9, 2018: Our micropatch published, immediately distributed and applied to all 0patch Agents to protect users during their "security update gap" until they apply Microsoft's update (which sometimes means several months)


Our Call To Security Researchers

Fellow security researchers, we know you want the vulnerabilities you find to get fixed as quickly as possible (why else would you report them to vendors). So consider sharing your PoC privately with us after you've reported the bug to the vendor -  we'll make a micropatch and issue it at the same time as the vendor issues their update to protect users who can't quickly - or at all, for whatever reason - apply the official update.

This applies even more if you have a vulnerability that likely won't get an official patch at all - whether the vendor no longer exists or simply refuses to patch. Let's keep perfectly working products usable longer by closing security holes in them. If you want to, you can even create a micropatch yourself with 0patch Agent for Developers (installer and manual at the bottom of https://0patch.com/).


Cheers!

@mkolsek
@0patch