Microsoft Office 2007 – Malformed Document Stack Buffer Overflow

  • 作者: Google Security Research
    日期: 2015-08-25
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/37967/
  • Source: https://code.google.com/p/google-security-research/issues/detail?id=170&can=1
    
    The following access violation was observed in Microsoft Office 2007
    (Word document):
    
    (e24.e28): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0583a748 ebx=00eb4684 ecx=003ad1a3 edx=00000000 esi=049860bc edi=00122238
    eip=7814500a esp=001221e0 ebp=001221e8 iopl=0 nv up ei pl nz ac pe nc
    cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010212
    MSVCR80!memcpy+0x5a:
    7814500a f3a5repmovsd ds:049860bc=???????? es:00122238=3348bcd8
    0:000> k
    ChildEBP RetAddr
    001221e8 31249c0e MSVCR80!memcpy+0x5a
    00122204 3126a371 wwlib!FMain+0x565f
    00122220 3203de3c wwlib!FMain+0x25dc2
    00122268 320dab4c wwlib!DllCanUnloadNow+0x56a6bb
    00122280 31fc363f wwlib!DllGetClassObject+0x9c88a
    0012229c 31f9acde wwlib!DllCanUnloadNow+0x4efebe
    001222b4 31f9b0e5 wwlib!DllCanUnloadNow+0x4c755d
    00122308 31bd68c2 wwlib!DllCanUnloadNow+0x4c7964
    001223bc 3201a69b wwlib!DllCanUnloadNow+0x103141
    00122a68 3129f4eb wwlib!DllCanUnloadNow+0x546f1a
    00123b68 3129e8e5 wwlib!FMain+0x5af3c
    00123bac 32073906 wwlib!FMain+0x5a336
    00126d28 32073627 wwlib!DllGetClassObject+0x35644
    0012b14c 32073294 wwlib!DllGetClassObject+0x35365
    0012b19c 3209ac20 wwlib!DllGetClassObject+0x34fd2
    0012e2f8 3208c781 wwlib!DllGetClassObject+0x5c95e
    0012e31c 31314684 wwlib!DllGetClassObject+0x4e4bf
    0012f580 320e04b7 wwlib!FMain+0xd00d5
    0012f630 320e037f wwlib!DllGetClassObject+0xa21f5
    0012f648 32812493 wwlib!DllGetClassObject+0xa20bd
    
    Notes:
    
    - Reproduces on Windows Server 2003 and Windows 7
    
    - The crash occurs due to a memcpy with an invalid source buffer.
    
    - The invalid source buffer is actually indicative of an invalid size
    being used in a pointer calculation at 3126A360 (wwlib.dll
    12.0.6707.5000). This invalid size can also be seen in ecx at the time
    of access violation.
    
    - The large size parameter can result in a stack-based buffer overflow.
    
    - Alternatively, if the copy operation succeeds (by using a size value
    large enough to result in an out-of-bounds source buffer, but not so
    large to cause an access violation during copy), then it is also
    possible to get an arbitrary free from later usage of controlled
    pointers in the destination buffer.
    
    - The crashing test case was created using a chunk reordering
    strategy, and does not cleanly minimize (106 bit change from original
    file).
    
    - Attached files: 86ea4a3c_crash.rtf (crashing file),
    86ea4a3c_orig.doc (original file)
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37967.zip