Microsoft Office 2007 malformed document stack-based buffer overflow

2015.08.26
Risk: High
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

The following access violation was observed in Microsoft Office 2007 (Word document): (e24.e28): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0583a748 ebx=00eb4684 ecx=003ad1a3 edx=00000000 esi=049860bc edi=00122238 eip=7814500a esp=001221e0 ebp=001221e8 iopl=0 nv up ei pl nz ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212 MSVCR80!memcpy+0x5a: 7814500a f3a5 rep movsd ds:049860bc=???????? es:00122238=3348bcd8 0:000> k ChildEBP RetAddr 001221e8 31249c0e MSVCR80!memcpy+0x5a 00122204 3126a371 wwlib!FMain+0x565f 00122220 3203de3c wwlib!FMain+0x25dc2 00122268 320dab4c wwlib!DllCanUnloadNow+0x56a6bb 00122280 31fc363f wwlib!DllGetClassObject+0x9c88a 0012229c 31f9acde wwlib!DllCanUnloadNow+0x4efebe 001222b4 31f9b0e5 wwlib!DllCanUnloadNow+0x4c755d 00122308 31bd68c2 wwlib!DllCanUnloadNow+0x4c7964 001223bc 3201a69b wwlib!DllCanUnloadNow+0x103141 00122a68 3129f4eb wwlib!DllCanUnloadNow+0x546f1a 00123b68 3129e8e5 wwlib!FMain+0x5af3c 00123bac 32073906 wwlib!FMain+0x5a336 00126d28 32073627 wwlib!DllGetClassObject+0x35644 0012b14c 32073294 wwlib!DllGetClassObject+0x35365 0012b19c 3209ac20 wwlib!DllGetClassObject+0x34fd2 0012e2f8 3208c781 wwlib!DllGetClassObject+0x5c95e 0012e31c 31314684 wwlib!DllGetClassObject+0x4e4bf 0012f580 320e04b7 wwlib!FMain+0xd00d5 0012f630 320e037f wwlib!DllGetClassObject+0xa21f5 0012f648 32812493 wwlib!DllGetClassObject+0xa20bd Notes: - Reproduces on Windows Server 2003 and Windows 7 - The crash occurs due to a memcpy with an invalid source buffer. - The invalid source buffer is actually indicative of an invalid size being used in a pointer calculation at 3126A360 (wwlib.dll 12.0.6707.5000). This invalid size can also be seen in ecx at the time of access violation. - The large size parameter can result in a stack-based buffer overflow. - Alternatively, if the copy operation succeeds (by using a size value large enough to result in an out-of-bounds source buffer, but not so large to cause an access violation during copy), then it is also possible to get an arbitrary free from later usage of controlled pointers in the destination buffer. - The crashing test case was created using a chunk reordering strategy, and does not cleanly minimize (106 bit change from original file). - Attached files: 86ea4a3c_crash.rtf (crashing file), 86ea4a3c_orig.doc (original file)

References:

https://code.google.com/p/google-security-research/issues/detail?id=170&can=1


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top