CVE-2020-1225
An exploitable code execution vulnerability exists in the HTML and XML Table functionality of Excel in Microsoft Office 2016 Professional Plus, version 2002, build 12527.20242 x86 and Microsoft Office 365 Pro Plus x86, version 1908, build 11929.20606. A specially crafted malformed file can cause remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
Microsoft Office 2016 Professional Plus, version 2002, build 12527.20242 x86
Microsoft Office 365 Pro Plus x86, version 1908, build 11929.20606
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
Microsoft Office is a productivity suite used both in corporate environments and by end users. It offers a range of tools for the average user, such as Outlook, Word, PowerPoint and Excel.
This vulnerability is related to the component responsible for handling the Microsoft® Office HTML and XML format introduced in Microsoft Office 2000. A specially crafted XLS file whose content is written as HTML/XML tags can lead to a use-after-free and, as a result, remote code execution.
Tracking the object's life cycle, we first see the allocation being made:
0:000> g
Breakpoint 0 hit
eax=000001d4 ebx=00f55cee ecx=6d6c4fe8 edx=4147eb10 esi=4147eb10 edi=6731aea0
eip=012744fd esp=039f0928 ebp=039f0934 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200283
Excel!Ordinal43+0x3544fd:
0:000> !heap -p -a edx
address 4147eb10 found in
_DPH_HEAP_ROOT @ 4a11000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
41352af8: 4147eb10 4f0 - 4147e000 2000
635bab70 verifier!AVrfDebugPageHeapAllocate+0x00000240
77a0918b ntdll!RtlDebugAllocateHeap+0x00000039
779533cd ntdll!RtlpAllocateHeap+0x000000ed
7795207b ntdll!RtlpAllocateHeapInternal+0x000006db
77951976 ntdll!RtlAllocateHeap+0x00000036
7a5fe588 mso20win32client!Ordinal951+0x00000034
00f34f73 Excel!Ordinal43+0x00014f73
01266369 Excel!Ordinal43+0x00346369
01226c2c Excel!Ordinal43+0x00306c2c
Later, because of a malformed construct in the HTML/XML content of the XLS file, the object is deallocated on an error path:
0:000> !heap -p -a 4147eb10
address 4147eb10 found in
_DPH_HEAP_ROOT @ 4a11000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
41352af8: 4147e000 2000
635badc2 verifier!AVrfDebugPageHeapFree+0x000000c2
77a099e3 ntdll!RtlDebugFreeHeap+0x0000003e
7794fabe ntdll!RtlpFreeHeap+0x000000ce
7794f986 ntdll!RtlpFreeHeapInternal+0x00000146
7794f3de ntdll!RtlFreeHeap+0x0000003e
7a60b43e mso20win32client!Ordinal456+0x00000050
01274503 Excel!Ordinal43+0x00354503
01cceac4 Excel!MdCallBack+0x00091e8e
0122173e Excel!Ordinal43+0x0030173e
01506cfd Excel!Ordinal43+0x005e6cfd
Unfortunately, the pointer that references this object is not set to NULL after deallocation. Because of that, the checks that would otherwise protect against re-use of the object are bypassed, and the freed object is re-used inside the following function:
0:000> g
(1704.145c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
0:000> r
eax=4147eb10 ebx=039f1534 ecx=6d6ccb10 edx=039f0c74 esi=ffffffff edi=6d6ccdcc
eip=01505968 esp=039f0bb4 ebp=039f0eb4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
Excel!Ordinal43+0x5e5968:
01505968 ffb088040000 push dword ptr [eax+488h] ds:0023:4147ef98=????????
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 039f0eb4 00000000 04a45fe0 039f0f64 77a01823 Excel!Ordinal43+0x5e5968
Proper heap grooming can give an attacker full control over this use-after-free and, as a result, could allow it to be turned into arbitrary code execution.
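The lifecycle described above (allocation, free on the malformed-markup error path, owner pointer left dangling, re-use in a later function) as an added C model. This is not Excel's code: table_t, parser_t, the tag names and the pool allocator are assumptions made for illustration, and the input format is a constructed space-separated tag stream, not real HTML. The pool's busy/freed bookkeeping plays the role page heap plays in the debugger session, letting the consumer recognise a stale pointer, whereas a production heap would simply hand back whatever now occupies the block.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define POOL_BLOCKS 4

/* The object whose lifecycle is tracked (assumed layout, not Excel's). */
typedef struct {
    size_t ncells;
} table_t;

/* Toy allocator with busy/freed bookkeeping. It stands in for page heap,
 * which is what lets !heap -p -a report a block as "busy" or "free-ed". */
static table_t pool[POOL_BLOCKS];
static bool    pool_busy[POOL_BLOCKS];

static table_t *table_alloc(void) {
    for (size_t i = 0; i < POOL_BLOCKS; i++) {
        if (!pool_busy[i]) {
            pool_busy[i] = true;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

static void table_free(table_t *t) {
    pool_busy[t - pool] = false;
    memset(t, 0xFE, sizeof *t);        /* poison the freed contents */
}

/* Oracle: does this pointer refer to a block that has already been freed? */
static bool table_is_freed(const table_t *t) {
    return t != NULL && !pool_busy[t - pool];
}

typedef struct {
    table_t *table;                    /* owning reference held by the parser */
    bool     in_row;
} parser_t;

typedef enum {
    RENDER_SKIPPED = 0,                /* owner pointer was NULL: the guard worked */
    RENDER_OK = 1,                     /* a live table was rendered */
    RENDER_USE_AFTER_FREE = 2          /* guard bypassed, freed block touched */
} render_result_t;

static size_t last_rendered_cells;     /* cell count of the last RENDER_OK */

/* Error path taken on malformed markup: the partial table is discarded.
 * Unhardened, the owner keeps the stale pointer after the free. */
static void discard_table(parser_t *p, bool hardened) {
    if (p->table == NULL)
        return;
    table_free(p->table);
    if (hardened)
        p->table = NULL;               /* the assignment the advisory says is missing */
}

/* Later consumer. Its NULL check protects only if the owner cleared the pointer. */
static render_result_t render_table(const parser_t *p) {
    if (p->table == NULL)
        return RENDER_SKIPPED;
    if (table_is_freed(p->table))
        return RENDER_USE_AFTER_FREE;  /* page heap would raise an access violation here */
    last_rendered_cells = p->table->ncells;
    return RENDER_OK;
}

/* Parse a space-separated tag stream (a constructed toy format, not real HTML)
 * and then render. A </tr> outside a row is the stand-in for malformed markup. */
static render_result_t parse_and_render(const char *markup, bool hardened) {
    parser_t p = { .table = NULL, .in_row = false };
    char buf[256];

    memset(pool_busy, 0, sizeof pool_busy);   /* fresh heap for every run */
    last_rendered_cells = 0;
    strncpy(buf, markup, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (strcmp(tok, "<table>") == 0) {
            if (p.table == NULL)
                p.table = table_alloc();
        } else if (strcmp(tok, "<tr>") == 0) {
            p.in_row = true;
        } else if (strcmp(tok, "</tr>") == 0) {
            if (!p.in_row)
                discard_table(&p, hardened);  /* malformed: error path frees the table */
            p.in_row = false;
        } else if (strcmp(tok, "<td>") == 0 && p.in_row && p.table != NULL) {
            if (table_is_freed(p.table))
                return RENDER_USE_AFTER_FREE; /* would write into the freed block */
            p.table->ncells++;
        }
    }
    return render_table(&p);
}
```

Calling parse_and_render("<table> <tr> <td> </tr> </tr>", false) returns RENDER_USE_AFTER_FREE: the stray </tr> frees the table, the owner pointer is still non-NULL, so the consumer's guard passes and the freed block is touched, which is exactly the point at which page heap produced the access violation in the trace above. The same input with hardened set to true returns RENDER_SKIPPED, because clearing the owning pointer at the free site is what gives the later NULL check something to catch. The fix is deliberately in the release path rather than in the consumer: every consumer would otherwise need its own liveness oracle, which a real heap does not provide.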
0:000> g
(1704.145c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=4147eb10 ebx=039f1534 ecx=6d6ccb10 edx=039f0c74 esi=ffffffff edi=6d6ccdcc
eip=01505968 esp=039f0bb4 ebp=039f0eb4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
Excel!Ordinal43+0x5e5968:
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 039f0eb4 00000000 04a45fe0 039f0f64 77a01823 Excel!Ordinal43+0x5e5968
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                           Exception Analysis                                *
*                                                                             *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Analysis.CPU.Sec
Value: 7
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-FIEQB1A
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 165
Key : Analysis.Memory.CommitPeak.Mb
Value: 109
Key : Analysis.System
Value: CreateObject
Key : Timeline.OS.Boot.DeltaSec
Value: 279817
Key : Timeline.Process.Start.DeltaSec
Value: 309
ADDITIONAL_XML: 1
NTGLOBALFLAG: 2000000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
APPLICATION_VERIFIER_LOADED: 1
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 01505968 (Excel!Ordinal43+0x005e5968)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 4147ef98
Attempt to read from address 4147ef98
FAULTING_THREAD: 0000145c
PROCESS_NAME: Excel.exe
READ_ADDRESS: 4147ef98
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 4147ef98
STACK_TEXT:
039f0eb4 00000000 04a45fe0 039f0f64 77a01823 Excel!Ordinal43+0x5e5968
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: Excel!Ordinal43+5e5968
MODULE_NAME: Excel
IMAGE_NAME: Excel.exe
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!Ordinal43
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {40392c8d-c128-d7d7-ec8e-63113b975295}
Followup: MachineOwner
---------
0:000> lmv m EXCEL
start end module name
00f20000 03910000 Excel (export symbols) C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Loaded symbol image file: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Image path: Excel.exe
Image name: Excel.exe
Timestamp: Thu Mar 5 07:05:26 2020 (5E6096A6)
CheckSum: 029F5A72
ImageSize: 029F0000
File version: 16.0.12527.20278
Product version: 16.0.12527.20278
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: Excel
OriginalFilename: Excel.exe
ProductVersion: 16.0.12527.20278
FileVersion: 16.0.12527.20278
FileDescription: Microsoft Excel
0:000> lmv m mso
start end module name
10050000 11805000 mso (deferred)
Image path: C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll
Image name: mso.dll
Timestamp: Tue Mar 3 13:41:56 2020 (5E5E5094)
CheckSum: 017B0AC8
ImageSize: 017B5000
File version: 16.0.12527.20260
Product version: 16.0.12527.20260
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: MSO
OriginalFilename: MSO.dll
ProductVersion: 16.0.12527.20260
FileVersion: 16.0.12527.20260
2020-04-03 - Vendor Disclosure
2020-06-09 - Vendor Patched
2020-06-09 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.