Product: Hancom Office Hwp 2014
Vendor: Hancom - www.hancom.com
Versions Affected (32 bits only):
HanWord Viewer 2007 (Korean)
HanWord Viewer 2010 8.5.6.1158 (English)
HwpViewer 2014 VP- 9.1.0.2186 (English)
Hwp 2014 VP - 9.0.0.1405 (English/Korean)
Version Not vulnerable:
Hwp 2014 VP - 9.1.0.2342 (English/Korean)
Credits:
Daniel Regalado, FireEye
Dan Caselden, FireEye
MITRE CVE: 2015-2810
Timeline:
03/03/2015: FireEye contacted Hancom letting them know about the
vulnerability found.
03/05/2015: Hancom replied asking for the technical details.
03/06/2015: FireEye provides technical details and a PoC to Hancom to
replicate the crash.
Description:
Hancom is an office suite developer in South Korea. The HanWord processor
(also called Hangul a.k.a HWP) is vulnerable to an integer overflow when
assigning a long paragraph size value.
The Bug:
HWP accepts a maximum paragraph size of 0x7fffffff, which is used to
allocate memory for the content of a paragraph. Unchecked arithmetic on
this value can overflow the 32bit integer, resulting
in an unexpectedly small allocation. Subsequent accesses to the buffer
disagree on the buffer¹s size, and may access memory outside of the
buffer. These accesses may corrupt the heap, allowing attackers to
influence the program¹s execution flow.
The integer overflow happens inside the HwpApp::CHncSDS_Manager function.
A sequence of arithmetic operations on the paragraph size value ends in a
multiplication by four. In the case of
a paragraph size value of 0x7fffffff, the multiplication results in
0x4000001b*4 = 0x10000006c, which causes the 32-bit register to overflow
to 0x6c bytes:
eax=00000002 ebx=00000019 ecx=00000001
edx=0000006c esi=03d0c0c8 edi=4000001b
eip=048b163c esp=0d39ef88 ebp=40000000 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000206
HwpApp!CHncSDS_Manager::CHncSDS_Manager+0x4089ec:
048b163c 52
push edx
048b1641 ff15e0059504 call dword
ptr[HwpApp!CHncSDS_Manager::CHncSDS_Manager+0x4a7990
(049505e0)]={MSVCR90!malloc)}
The unexpected paragraph size may cause heap corruption when HWP writes
the contents of the paragraph in memory. In the crash below, the
instruction pointer has been overwritten:
(1b4.d1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00200020 ebx=01b10332 ecx=03cbefec
edx=31f21817 esi=03cbefec edi=00000000
eip=31f21817 esp=0012da74 ebp=0012dad4 iopl=0 nv up ei pl zr na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
31f21817 ?? ???
Impact:
Attackers may cause either a Denial of Service or in some circumstances
influence the program¹s execution flow.
Fix:
Hancom released a patch to fix this bug in the following version:
Hancom Hwp 2014 VP - 9.1.0.2342 (English/Korean)
--
Daniel Regalado
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.