CVE-2018-0802
published 2018-01-10

Priority: P1 (85) · Severity: high · CVSS 3.1 base score: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-05-03)
Exploited in the wild
EPSS: 93.29% (99.8th percentile)
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allow a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE is unique from CVE-2018-0797 and CVE-2018-0812.

Affected (20 ranges)

Vendor      Product                                                  Version range   Fixed in
microsoft   office
microsoft   office
microsoft   office
microsoft   office
microsoft   word
microsoft   word
microsoft   word
microsoft   word
msrc        microsoft_office_2007_service_pack_3
msrc        microsoft_office_2010_service_pack_2
msrc        microsoft_office_2013_service_pack_1
msrc        microsoft_office_2016
msrc        microsoft_office_2016_click-to-run_for_32-bit_editions
msrc        microsoft_office_2016_click-to-run_for_64-bit_editions
msrc        microsoft_office_compatibility_pack_service_pack_3
msrc        microsoft_word_2007_service_pack_3
msrc        microsoft_word_2010_service_pack_2
msrc        microsoft_word_2013_rt_service_pack_1
msrc        microsoft_word_2013_service_pack_1
msrc        microsoft_word_2016

Detection & IOCs (extracted from sources)

domain:   helpdesk[.]autodefragapp[.]com
ip:       99[.]83[.]154[.]118
domain:   mswsceventlog[.]net
domain:   olmajhnservice[.]com
url:      hxxp[:]//olmajhnservice[.]/nxl/nx
path:     C:\$Utf
filename: RdxFactory.exe
path:     C:\ProgramData\Cannon\Cannondriver.exe
path:     C:\ProgramData\Cannon\LBTServ.dll
path:     C:\ProgramData\Cannon\Microsoft.BT
hash:     719f25e1fea12c8dc573e7161458ce7a5b6683dee3a49bb21a3ec838d0b35dd3
hash:     cdf417e67b0aaf798ac7c0f9ccb8b5b21f09b408ee6748beea5e03e76902e7fe
domain:   doc.internetdocss[.]com
url:      http://doc.internetdocss[.]com/nethelpx86.dll
ip:       176.31.59.232
ip:       144.217.174.57
path:     %APPDATA%\[A-Za-z]{5}.vbs
  • CVE-2018-0802 is exploited via Microsoft Equation Editor (EQNEDT32.EXE); detect spawning of EQNEDT32.EXE from Word or Excel processes, especially when it subsequently launches network connections or drops files.
  • Malicious RTF documents exploiting CVE-2018-0802 embed OLE objects with class name 'Equation 3.0'; hunt for RTF files containing this OLE class name.
  • Royal Road (the "8.t" RTF exploit builder) weaponizes RTF files that exploit CVE-2018-0802; detect RTF attachments crafted with this builder, which is known to exploit CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Post-exploitation: monitor for creation of scheduled tasks named 'Rdx' and 'RdxFac' running every five minutes, and creation of folder 'RdxFact' in the Windows tasks folder.
  • Post-exploitation: monitor for RdxFactory.exe dropped into the public user profile's music folder (C:\Users\Public\Music\RdxFactory.exe).
  • Bitter APT emails sent via JavaMail with Zimbra web client version 8.8.15_GA_4101; this header string can be used to identify campaign-related phishing emails.
  • Shellcode from CVE-2018-0802 exploitation creates folder C:\$Utf to stage the downloaded payload; monitor for creation of this unusual directory.
  • CVE-2018-0802 is frequently exploited alongside CVE-2017-11882 and CVE-2018-0798 in the same maldoc; detections and mitigations should account for all three vulnerabilities together, not just CVE-2018-0802 in isolation.

CVSS provenance

Source        Version  Score  Severity  Vector
nvd           v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           v2.0     9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck              8.8    HIGH
cisa                   8.8    HIGH
vendor_msrc            7.8    HIGH