Microsoft Office PowerPoint 2010 – ‘MSO!Ordinal5429’ Missing Length Check Heap Corruption

• Exploit Database
• 17 阅读

• 作者： Google Security Research
  日期： 2017-02-21
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/41417/

• Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=949
  
  Platform: Microsoft Office 2010 on Windows 7 x86
  Class: heap memory corruption
  
  The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled. This crash appeared to be non-deterministic depending on memory layout and will not reproduce in all instances but the crash demonstrated a high degree of reliability. 
  
  Attached files:
  2581805226.ppt: fuzzed crashing file
  
  File versions:
  mso.dll: 14.0.7173.5000
  gfx.dll: 14.0.7104.5000
  oart.dll: 14.0.7169.5000
  riched20.dll: 14.0.7155.5000
  msptls.dll: 14.0.7164.5000
  
  ((7ac.a64): Access violation - code c0000005 (first chance)
  eax=200bcf3a ebx=1febce30 ecx=1febce2c edx=77cf6b01 esi=1febce34 edi=1febce18
  eip=66a19941 esp=0027008c ebp=002700d8 iopl=0 nv up ei pl nz na pe nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206
  mso!Ordinal5429+0x376:
  66a19941 0fb708movzx ecx,word ptr [eax] ds:0023:200bcf3a=????
  
  
  66a1993c 8b4104mov eax,dword ptr [ecx+4] ; Length 0x00200122
  66a1993f 03c7add eax,edi
  => 66a19941 0fb708movzx ecx,word ptr [eax] ds:0023:200bcf3a=????
  66a19944 894dfcmov dword ptr [ebp-4],ecx
  66a19947 8a55fdmov dl,byte ptr [ebp-3]
  66a1994a 8855fcmov byte ptr [ebp-4],dl
  66a1994d 884dfdmov byte ptr [ebp-3],cl
  66a19950 66837dfc04cmp word ptr [ebp-4],4
  66a19955 0f85e0010000jne mso!Ordinal5429+0x570 (66a19b3b)
  66a1995b 8a08mov cl,byte ptr [eax]
  66a1995d 8a5001mov dl,byte ptr [eax+1]
  66a19960 8810mov byte ptr [eax],dl
  66a19962 884801mov byte ptr [eax+1],cl
  
  0:000>kb
  ChildEBP RetAddrArgs to Child
  WARNING: Stack unwind information not available. Following frames may be wrong.
  002700d8 66a19527 20099000 0000c000 2e010b53 mso!Ordinal5429+0x376
  002701ac 66a19348 1febefa0 042109c7 042109c7 mso!Ordinal10199+0x2138
  002701c8 66a192a9 00270240 042109c7 00000001 mso!Ordinal10199+0x1f59
  00270288 66a18c32 042109c7 0027038c 00000004 mso!Ordinal10199+0x1eba
  00270474 66a18bb5 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x1843
  00270498 6b256c34 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x17c6
  002704bc 6b2570e0 042109c7 1feeaff8 00000002 gfx!Ordinal980+0xa2
  00270570 6b256bd4 0b558dc8 1feeaff8 00000002 gfx!Ordinal818+0x306
  002705bc 67821180 002705fc 1feeaff8 00000002 gfx!Ordinal980+0x42
  0027061c 67820b5a 00000002 1ba92e18 1feeaff8 oart!Ordinal2842+0xb6c
  00270690 6781fed8 00000000 001f2ff0 00270924 oart!Ordinal2842+0x546
  002706e0 61c2000c 00270724 00000000 00000000 oart!Ordinal7653+0x7d3
  00270878 61c1f736 002708a8 00000000 00000064 riched20!RichListBoxWndProc+0x50da
  002708b0 61c1edb1 00000000 0000ffff 00000000 riched20!RichListBoxWndProc+0x4804
  002709a0 61c1e7ba 00000000 00000001 00000000 riched20!RichListBoxWndProc+0x3e7f
  002709d4 6aa75d8c 0a7c1c38 00000000 00000000 riched20!RichListBoxWndProc+0x3888
  00270a54 6aa6ef12 1f9b4ef8 00000000 00270c2c MSPTLS!LssbFIsSublineEmpty+0x16269
  00270c5c 6aa54c98 0a7c3a78 00000000 00004524 MSPTLS!LssbFIsSublineEmpty+0xf3ef
  00270c90 61c1c803 0a7c3a78 00000000 00004524 MSPTLS!LsCreateLine+0x23
  00270db0 61c1c659 00000003 00000000 ffffffff riched20!RichListBoxWndProc+0x18d1
  00270e08 61c0f36a 00271770 00000003 00000000 riched20!RichListBoxWndProc+0x1727
  
  In this crash eax is pointing to an invalid memory region and is being dereferenced causing an access violation. There is a clear path to an out of bounds memory write shortly after the current crashing instruction. The value in eax came from edi + [ecx+4]. The value in [ecx+4] appears to a length with a single bit flipped, 0x00200122 instead of 0x00000122. The heap chunk allocated for this came from:
  
  0:000> !heap -p -a 0x1febce18
  address 1febce18 found in
  _DPH_HEAP_ROOT @ 71000
  in busy allocation (DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
  1feb171c: 1febce181e2 - 1febc000 2000
  6eac8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
  77d7616e ntdll!RtlDebugAllocateHeap+0x00000030
  77d3a08b ntdll!RtlpAllocateHeap+0x000000c4
  77d05920 ntdll!RtlAllocateHeap+0x0000023a
  6fcdad1a vrfcore!VerifierSetAPIClassName+0x000000aa
  6fc816ac vfbasics+0x000116ac
  67080c59 mso!Ordinal9770+0x000078e2
  66a19527 mso!Ordinal10199+0x00002138
  
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41417.zip