Microsoft Office 2007 – ‘mso.dll’ Use-After-Free (MS15-081)

• Exploit Database
• 16 阅读

• 作者： Google Security Research
  日期： 2015-08-21
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/37913/

• Source: https://code.google.com/p/google-security-research/issues/detail?id=414&can=1
  
  The following crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled and application verified was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86.
  
  The attached minimized PoC that produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard office document parsers did not reveal any significance about this location.
  
  Attached files:
  
  Fuzzed minimized PoC: 1567070353_min.doc
  Fuzzed non-minimized PoC: 1567070353_crash.doc
  Original non-fuzzed file: 1567070353_orig.doc
  
  DLL Versions:
  mso.dll: 12.0.6721.5000
  wwlib.dll: 12.0.6720.5000
  
  Observed Crash:
  eax=00000001 ebx=00000004 ecx=0189ff18 edx=00000019 esi=32646a30 edi=0db0eff8
  eip=32fbca76 esp=0012bc98 ebp=0012bcb8 iopl=0 nv up ei pl nz na po nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010202
  
  32fbca73 8b7df8mov edi,dword ptr [ebp-8]
  => 32fbca76 f6470201testbyte ptr [edi+2],1 ds:0023:0db0effa=??
  32fbca7a 7419jemso!Ordinal2690+0x476 (32fbca95)
  32fbca7c 833e07cmp dword ptr [esi],7
  32fbca7f 7414jemso!Ordinal2690+0x476 (32fbca95)
  32fbca81 8b4508mov eax,dword ptr [ebp+8]
  32fbca84 6a20push20h
  32fbca86 ff7010pushdword ptr [eax+10h]
  32fbca89 8d4dfclea ecx,[ebp-4]
  32fbca8c 51pushecx
  32fbca8d ff10calldword ptr [eax]
  32fbca8f 8127fffffeffand dword ptr [edi],0FFFEFFFFh
  
  Stack Trace:
  0:000> kb 8
  ChildEBP RetAddrArgs to Child
  WARNING: Stack unwind information not available. Following frames may be wrong.
  0012bcb8 32fbcdc3 0012be28 0d9f4fe8 00000000 mso!Ordinal2690+0x457
  0012bccc 32fbce5b 0012be28 0d9f4fe8 0012be28 mso!Ordinal2690+0x7a4
  0012bd20 32fbc93e 0012be28 0d9f4fe8 0ddceeb8 mso!Ordinal2690+0x83c
  0012bd74 32fbcd73 0012be28 0d9f4fe8 0db2f45a mso!Ordinal2690+0x31f
  0012bd94 316dfe8f 0dbe8e38 0012be28 317e9c10 mso!Ordinal2690+0x754
  0012bdb0 317e9aa4 0012be08 00000000 00000000 wwlib!wdCommandDispatch+0xcd37
  0012bde4 31980e8d 0012be08 000000b4 038b78bc wwlib!wdCommandDispatch+0x11694c
  0012c07c 31980b0f 0db2c9c0 00000000 00000001 wwlib!wdCommandDispatch+0x2add35
  
  In this crash the value being dereferenced in edi is free-ed memory:
  
  0:000> !heap -p -a 0xdb0eff8
  address 0db0eff8 found in
  _DPH_HEAP_ROOT @ 1151000
  in free-ed allocation (DPH_HEAP_BLOCK: VirtAddr VirtSize)
  d9e5240:db0e000 2000
  7c83e330 ntdll!RtlFreeHeap+0x0000011a
  0189fe9c vfbasics!AVrfpRtlFreeHeap+0x000000f8
  331039d5 mso!Ordinal1743+0x00002d4d
  329c91d1 mso!MsoFreePv+0x0000003f
  329c913c mso!Ordinal519+0x00000017
  32a54dcc mso!Ordinal320+0x00000021
  32bb6f2e mso!Ordinal379+0x00000eae
  
  There is a 1-bit clear at the location specified by edi shortly after the faulting eip location as well making this an exploitable condition. 
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37913.zip