Microsoft Office 2007 OneTableDocumentStream Invalid Object

2015.08.26
Risk: High
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Source: https://code.google.com/p/google-security-research/issues/detail?id=171&can=1 The following access violation was observed in Microsoft Office 2007 (Word document): (8c0.e68): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0012dcf8 ebx=40000000 ecx=40000000 edx=0012de1c esi=40000000 edi=011f1400 eip=32881800 esp=0012d010 ebp=0012d038 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 mso!Ordinal7799+0x2fc: 32881800 0fb74614 movzx eax,word ptr [esi+0x14] ds:0023:40000014=???? 0:000> k ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 0012d038 328a0a4e mso!Ordinal7799+0x2fc 0012ddd8 328a0a2c mso!Ordinal4388+0x1bc 0012dde4 320c337c mso!Ordinal4388+0x19a 0012de2c 320c330f wwlib!DllGetClassObject+0x850ba 0012de74 312db32b wwlib!DllGetClassObject+0x8504d 0012df1c 312dadf8 wwlib!FMain+0x96d7c 0012df84 312da84c wwlib!FMain+0x96849 0012e074 6be51b27 wwlib!FMain+0x9629d 0012e114 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e 0012e28c 6be5c94c MSPTLS!FsDestroyMemory+0x29982 0012e2d8 6be36d59 MSPTLS!FsDestroyMemory+0x29c73 0012e344 6be37f87 MSPTLS!FsDestroyMemory+0x4080 0012e450 6be4e8eb MSPTLS!FsDestroyMemory+0x52ae 0012e4e0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12 0012e584 6be4f362 MSPTLS!FsDestroyMemory+0x1c526 0012e624 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689 0012e7d8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3 0012e8ec 6be630b5 MSPTLS!FsDestroyMemory+0x30c6 0012e970 6be40ee2 MSPTLS!FsDestroyMemory+0x303dc 0012e9e4 6be63a7a MSPTLS!FsDestroyMemory+0xe209 Notes: - Reproduce on Windows Server 2003 and Windows 7. - The crash occurs due to an invalid read dereference of a bad object pointer. If the word value read is controlled and set to a value other than 0xFFFF, then a controlled value is used as an indirect call target (at 328A1DD4 in MSO.dll 12.0.6683.5000). - The bad object pointer is passed in to MSO.dll from wwlib.dll (second argument of function at 328A0A16 in MSO.dll 12.0.6683.5000). - The test-case reduces to a 50-bit difference from the original sample document. - The affected bits lie in the OneTableDocumentStream's data section, as well as as PlcfSed's aCP[0] field and PNFKPPAPX[44]'s pn field. - The copy operation at 3126A36C (wwlib.dll 12.0.6707.5000) uses a source buffer from the OneTableDocumentStream's data section, and copies this invalid data into a stack buffer. The bad object pointer comes from this stack-based structure. - Attached files: 037542f7_crash.rtf (crashing file), 037542f7_orig.doc (original file). A test case with full control of the crashing register value (0xAAAAAAAA) is also attached (037542f7_full.doc)

References:

https://code.google.com/p/google-security-research/issues/detail?id=171&can=1


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top