Microsoft Office 2007 – OneTableDocumentStream Invalid Object

• Exploit Database
• 34 阅读

• 作者： Google Security Research
  日期： 2015-08-25
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/37966/

• Source: https://code.google.com/p/google-security-research/issues/detail?id=171&can=1
  
  The following access violation was observed in Microsoft Office 2007
  (Word document):
  
  (8c0.e68): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=0012dcf8 ebx=40000000 ecx=40000000 edx=0012de1c esi=40000000 edi=011f1400
  eip=32881800 esp=0012d010 ebp=0012d038 iopl=0 nv up ei pl nz na po nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206
  mso!Ordinal7799+0x2fc:
  32881800 0fb74614 movzx eax,word ptr [esi+0x14] ds:0023:40000014=????
  0:000> k
  ChildEBP RetAddr
  WARNING: Stack unwind information not available. Following frames may be wrong.
  0012d038 328a0a4e mso!Ordinal7799+0x2fc
  0012ddd8 328a0a2c mso!Ordinal4388+0x1bc
  0012dde4 320c337c mso!Ordinal4388+0x19a
  0012de2c 320c330f wwlib!DllGetClassObject+0x850ba
  0012de74 312db32b wwlib!DllGetClassObject+0x8504d
  0012df1c 312dadf8 wwlib!FMain+0x96d7c
  0012df84 312da84c wwlib!FMain+0x96849
  0012e074 6be51b27 wwlib!FMain+0x9629d
  0012e114 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e
  0012e28c 6be5c94c MSPTLS!FsDestroyMemory+0x29982
  0012e2d8 6be36d59 MSPTLS!FsDestroyMemory+0x29c73
  0012e344 6be37f87 MSPTLS!FsDestroyMemory+0x4080
  0012e450 6be4e8eb MSPTLS!FsDestroyMemory+0x52ae
  0012e4e0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12
  0012e584 6be4f362 MSPTLS!FsDestroyMemory+0x1c526
  0012e624 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689
  0012e7d8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3
  0012e8ec 6be630b5 MSPTLS!FsDestroyMemory+0x30c6
  0012e970 6be40ee2 MSPTLS!FsDestroyMemory+0x303dc
  0012e9e4 6be63a7a MSPTLS!FsDestroyMemory+0xe209
  
  Notes:
  
  - Reproduce on Windows Server 2003 and Windows 7.
  
  - The crash occurs due to an invalid read dereference of a bad object
  pointer. If the word value read is controlled and set to a value other
  than 0xFFFF, then a controlled value is used as an indirect call
  target (at 328A1DD4 in MSO.dll 12.0.6683.5000).
  
  - The bad object pointer is passed in to MSO.dll from wwlib.dll
  (second argument of function at 328A0A16 in MSO.dll 12.0.6683.5000).
  
  - The test-case reduces to a 50-bit difference from the original
  sample document.
  
  - The affected bits lie in the OneTableDocumentStream's data section,
  as well as as PlcfSed's aCP[0] field and PNFKPPAPX[44]'s pn field.
  
  - The copy operation at 3126A36C (wwlib.dll 12.0.6707.5000) uses a
  source buffer from the OneTableDocumentStream's data section, and
  copies this invalid data into a stack buffer. The bad object pointer
  comes from this stack-based structure.
  
  - Attached files: 037542f7_crash.rtf (crashing file),
  037542f7_orig.doc (original file). A test case with full control of
  the crashing register value (0xAAAAAAAA) is also attached
  (037542f7_full.doc)
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37966.zip