Microsoft Office 2007 – OLESSDirectyEntry.CreateTime Type Confusion

  • 作者: Google Security Research
    日期: 2015-09-16
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/38216/
  • Source: https://code.google.com/p/google-security-research/issues/detail?id=465
    
    The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013. 
    
    Attached files:
    Original File: 1516065514_orig.xls
    Crashing File: 1516065514_crash.xls
    Minimized Crashing File: 1516065514_min.xls
    
    The minimized crashing file shows a one bit deltas from the original file at offset 0x49E8. OffVis reports this to be the CreateTime field of an OLESSDirectoryEntry structure.
    
    File Versions:
    Excel.exe: 12.0.6718.5000
    MSO.dll: 12.0.6721.5000
    
    Observed Crash:
    
    When run without Application Verifier enabled the following crash occurs:
    eax=30272d58 ebx=03b49330 ecx=03b49144 edx=03a64d44 esi=30f6dca0 edi=03a64d40
    eip=fffffffc esp=00133e80 ebp=00133e84 iopl=0 nv up ei pl nz na pe nc
    cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206
    fffffffc ?????
    
    0:000> kb L8
    ChildEBP RetAddrArgs to Child
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00133e7c 3028f4da 00133ec8 3028d2ef 00000005 0xfffffffc
    00133e84 3028d2ef 00000005 00000001 03b49200 Excel!Ordinal40+0x28f4da
    00133ec8 30290e14 03b49330 00000001 00000000 Excel!Ordinal40+0x28d2ef
    00133fa0 3028a2b9 00000000 00000000 00000000 Excel!Ordinal40+0x290e14
    00134130 302912ae 00000000 00000000 00000000 Excel!Ordinal40+0x28a2b9
    0013414c 30286206 00000001 00000000 03b66c00 Excel!Ordinal40+0x2912ae
    001341cc 302860ce 00000000 ffffffff 00000001 Excel!Ordinal40+0x286206
    0013426c 30282360 03b49000 027c6a00 d107955b Excel!Ordinal40+0x2860ce
    
    In this crash case eip was corrupted to 0xfffffffc. Tracing through sub_3028F4B4 we see something along the lines of:
    x = *dword_30F5F9BC + 0x144;// x=0x30272d58 
    fptr = x + x[0x14]; // x[0x14] == 0 
    fptr(); // calling pointer at 0x30272d58 = 0xfffffffc
    
    It looks as though the global variable at 30f5f9bc was used with incorrect type information or otherwise corrupted. Running the same poc file again but with Application Verifier enabled gets us closer to the root of the issue with the following crash observed:
    
    eax=0ff28e50 ebx=07b42420 ecx=0012c91c edx=00000020 esi=0364efe8 edi=00000000
    eip=30299c9e esp=0012c944 ebp=0012c950 iopl=0 nv up ei pl zr na pe nc
    cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246
    *** ERROR: Symbol file could not be found.Defaulted to export symbols for Excel.exe - 
    Excel!Ordinal40+0x299c9e:
    30299c9e 8b80f0030000mov eax,dword ptr [eax+3F0h] ds:0023:0ff29240=????????
    
    0:000> kb L8
    ChildEBP RetAddrArgs to Child
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0012c950 3006b70a 00000005 00000001 07b42420 Excel!Ordinal40+0x299c9e
    0012cc84 3006b556 0012ceb4 0020020a 07b42420 Excel!Ordinal40+0x6b70a
    0012ce8c 3006b3a2 0012ceb4 0ee46ff0 00000009 Excel!Ordinal40+0x6b556
    00133050 3006a11c 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x6b3a2
    00133ca0 3006a01b 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x6a11c
    00133d50 30069ead 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x6a01b
    00133d70 302972c0 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x69ead
    00133e28 302974c7 0f82ef58 00133ec0 00133eac Excel!Ordinal40+0x2972c0
    
    We can see here that eax is being indexed at an offset of 0x3f0. However, if we look at the actual allocation for the chunk eax is pointed to we see that the allocation size was only 0x1b0.
    
    0:000> !heap -p -a 0xff28e50
    address 0ff28e50 found in
    _DPH_HEAP_ROOT @ 1161000
    in busy allocation (DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
     f7b5400:ff28e501b0 -ff28000 2000
    7c83d6d4 ntdll!RtlAllocateHeap+0x00000e9f
    018b1504 vfbasics!AVrfpRtlAllocateHeap+0x000000c3
    33103a8f mso!Ordinal1743+0x00002e07
    329c7e66 mso!MsoPvAllocCore+0x0000005a
    3000b694 Excel!Ordinal40+0x0000b694
    3000b640 Excel!Ordinal40+0x0000b640
    
    This poc behaves like a type confusion or memory corruption issue in areas not protected by application verifier. The fact the eip was corrupted indicates a high likelihood for exploitation. 
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38216.zip