- Microsoft Office Component FSupportSAEXTChar() Use After Free Remote Code Execution
- References:
- ==========
- CVE: CVE-2016-0140
- MSC: MS16-054
- Summary:
- ========
- A Use-After-Free can be triggered in FSupportSAEXTChar() when opening a specially crafted xls file in Office 2010 or 2007.
- Debugging:
- ==========
- (d00.fc0): Unknown exception - code e0000002 (first chance)
- calling sub_1000408A(0x146c8fe0, 0x393f2fd0, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
- calling sub_1000408A(0x146f3fe0, 0x393f2fd0, 0xc, 0x23f9a4, 0xff, 0x0, 0x1);
- calling sub_1000408A(0x1471efe0, 0x393f2fd0, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
- calling sub_1000408A(0x1474dfe0, 0x393f2fd0, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
- calling sub_1000408A(0x14778fe0, 0x393f2fd0, 0xc, 0x23f99c, 0xff, 0x0, 0x1);
- calling sub_1000408A(0x147a3fe0, 0x393f2fe8, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
- calling sub_1000408A(0x1476efe0, 0x393f2fe8, 0xc, 0x23f9a4, 0xff, 0x0, 0x1);
- calling sub_1000408A(0x14799fe0, 0x393f2fe8, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
- calling sub_1000408A(0x147c4fe0, 0x393f2fe8, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
- calling sub_1000408A(0x147d0fe0, 0x393f2fe8, 0xc, 0x23f99c, 0xff, 0x0, 0x1);
- (d00.fc0): Unknown exception - code e0000002 (first chance)
- calling sub_1000408A(0x146c2fe0, 0x3a0e8ff8, 0x5, 0x23f9e0, 0xff, 0x0, 0x1);
- (d00.fc0): Access violation - code c0000005 (first chance)
- First chance exceptions are reported before any exception handling.
- This exception may be expected and handled.
- eax=00000002 ebx=0023f9e0 ecx=ffffff02 edx=00000001 esi=3a0e9000 edi=00000003
- eip=6c3643e1 esp=0023f940 ebp=0023f95c iopl=0 nv up ei ng nz ac po cy
- cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
- SAEXT+0x43e1:
- 6c3643e1 0fb706 movzx eax,word ptr [esi] ds:0023:3a0e9000=????
- 1:024> bl
- 0 e 6c365332 0001 (0001) 1:**** SAEXT!FSupportSAEXTChar+0xf4 ".printf \"calling sub_1000408A(0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x);\\n\", poi(@esp), poi(@esp+4), poi(@esp+8), poi(@esp+c), poi(@esp+10), poi(@esp+14), poi(@esp+18);gc"
- 1:024> dd 0x393f2fe8
- 393f2fe8 ???????? ???????? ???????? ????????
- 393f2ff8 ???????? ???????? ???????? ????????
- 393f3008 ???????? ???????? ???????? ????????
- 393f3018 ???????? ???????? ???????? ????????
- 393f3028 ???????? ???????? ???????? ????????
- 393f3038 ???????? ???????? ???????? ????????
- 393f3048 ???????? ???????? ???????? ????????
- 393f3058 ???????? ???????? ???????? ????????
- 1:024> dd 0x147a3fe0
- 147a3fe0 ???????? ???????? ???????? ????????
- 147a3ff0 ???????? ???????? ???????? ????????
- 147a4000 ???????? ???????? ???????? ????????
- 147a4010 ???????? ???????? ???????? ????????
- 147a4020 ???????? ???????? ???????? ????????
- 147a4030 ???????? ???????? ???????? ????????
- 147a4040 ???????? ???????? ???????? ????????
- 147a4050 ???????? ???????? ???????? ????????
- 1:024> kv
- ChildEBP RetAddr Args to Child
- WARNING: Stack unwind information not available. Following frames may be wrong.
- 0023f95c 6c365337 146c2fe0 3a0e8ff8 00000005 SAEXT+0x43e1
- 0023f984 6c365211 146c2fe0 3a0e8ff8 00000005 SAEXT!FSupportSAEXTChar+0xf9
- 0023f9a4 5bb54066 146c2fe0 3a0e8ff8 00000005 SAEXT!FindWB+0x1c
- 0023fae4 5b95241e 378aaf60 146c2fe0 00000000 oart!Ordinal2082+0x294a
- 0023fb2c 5b87a6be 34db6e18 00000000 00000e17 oart!Ordinal317+0xbdde
- 0023fb4c 6aa0a3ab 0023fb70 00000000 00000e17 oart!Ordinal6770+0x63
- 0023fb84 6aa0a360 0023fba4 00000000 00000e17 riched20!IID_ITextHost2+0x7527
- 0023fbac 6a941fd6 047d3c38 139f7f28 00000000 riched20!IID_ITextHost2+0x74dc
- 0023fbe4 6a942755 00000002 13a01f60 00000000 MSPTLS!LssbFIsSublineEmpty+0x324b3
- 0023fc18 6a942b70 00000002 13a01f60 00000000 MSPTLS!LssbFIsSublineEmpty+0x32c32
- 0023fc70 6a9435c6 00000002 00000000 0023fdd8 MSPTLS!LssbFIsSublineEmpty+0x3304d
- 0023fcf8 6a91316e 00000002 13a01f60 00000002 MSPTLS!LssbFIsSublineEmpty+0x33aa3
- 0023fd64 6a9143df 00000002 00000001 0023fdd8 MSPTLS!LssbFIsSublineEmpty+0x364b
- 0023fd94 6a92447b 047dbeec 0023fe2c 0023fdd8 MSPTLS!LssbFIsSublineEmpty+0x48bc
- 0023fde0 6a92554b 0023fe2c 00240004 0023feb8 MSPTLS!LssbFIsSublineEmpty+0x14958
- 0023fe60 6a9256ba 139e9fa0 0023feb8 002401d0 MSPTLS!LssbFIsSublineEmpty+0x15a28
- 0023fe88 6a91f247 047dbee8 00240004 139e9fa0 MSPTLS!LssbFIsSublineEmpty+0x15b97
- 00240094 6a904c98 047d5a78 00000000 000007c6 MSPTLS!LssbFIsSublineEmpty+0xf724
- 002400c8 6a9dc803 047d5a78 00000000 000007c6 MSPTLS!LsCreateLine+0x23
- 002401e8 6a9dc659 00000003 00000000 ffffffff riched20!RichListBoxWndProc+0x18d1
- We can also see that the first argument passed to sub_1000408A (0x147d0fe0, the first argument of the last call logged before the second exception) is a freed page-heap allocation that is still being used. With full page heap enabled, freed blocks are decommitted, which is why dd shows ???????? for them, and the crashing read at esi=3a0e9000 is the first inaccessible byte past the second argument 0x3a0e8ff8:
- 1:024> !heap -p -a 0x147d0fe0
- address 147d0fe0 found in
- _DPH_HEAP_ROOT @ 2881000
- in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
- 14722d34: 147d0000 2000
- 6dc990b2 verifier!AVrfDebugPageHeapFree+0x000000c2
- 77ae693c ntdll!RtlDebugFreeHeap+0x0000002f
- 77aa9dbf ntdll!RtlpFreeHeap+0x0000005d
- 77a763e6 ntdll!RtlFreeHeap+0x00000142
- 771fc584 kernel32!HeapFree+0x00000014
- 715a3c1b MSVCR90!free+0x000000cd
- 6c365c72 SAEXT!ConvertVietToCP1258+0x00000458
- 6c364080 SAEXT+0x00004080
- 6c365354 SAEXT!FSupportSAEXTChar+0x00000116
- 5b952425 oart!Ordinal317+0x0000bde5
- 5b87a6be oart!Ordinal6770+0x00000063
- 6aa0a3ab riched20!IID_ITextHost2+0x00007527
- 6aa0a360 riched20!IID_ITextHost2+0x000074dc
- 6a942553 MSPTLS!LssbFIsSublineEmpty+0x00032a30
- 6a942a06 MSPTLS!LssbFIsSublineEmpty+0x00032ee3
- 6a942a6f MSPTLS!LssbFIsSublineEmpty+0x00032f4c
- 6a942c11 MSPTLS!LssbFIsSublineEmpty+0x000330ee
- 6a9435c6 MSPTLS!LssbFIsSublineEmpty+0x00033aa3
- 6a91316e MSPTLS!LssbFIsSublineEmpty+0x0000364b
- 6a9143df MSPTLS!LssbFIsSublineEmpty+0x000048bc
- 6a92447b MSPTLS!LssbFIsSublineEmpty+0x00014958
- 6a92554b MSPTLS!LssbFIsSublineEmpty+0x00015a28
- 6a9256ba MSPTLS!LssbFIsSublineEmpty+0x00015b97
- 6a91f247 MSPTLS!LssbFIsSublineEmpty+0x0000f724
- 6a904c98 MSPTLS!LsCreateLine+0x00000023
- 6a9dc803 riched20!RichListBoxWndProc+0x000018d1
- 6a9dc659 riched20!RichListBoxWndProc+0x00001727
- 6a9cf36a riched20!IID_ITextServices2+0x00003c1e
- 6a9e2f0d riched20!RichListBoxWndProc+0x00007fdb
- 6a9e2b82 riched20!RichListBoxWndProc+0x00007c50
- 6a9e2a09 riched20!RichListBoxWndProc+0x00007ad7
- 6a993a9b MSPTLS!LsLwMultDivR+0x00013786
- Static Analysis:
- ================
- Now, somewhere in the sub_10004070 function, we can see the following three call sites. Each loads a vtable pointer from the first (tainted) argument and calls through the function pointer at offset 0xC:
- 1.
- .text:1000425B mov ecx, [ebp+arg_0_tainted]
- .text:1000425E mov eax, [ecx]
- .text:10004260 push esi
- .text:10004261 push [ebp+var_8]
- .text:10004264 call dword ptr [eax+0Ch]
- 2.
- .text:10004353 mov ecx, [ebp+arg_0_tainted]
- .text:10004356 mov eax, [ecx]
- .text:10004358 push esi
- .text:10004359 push [ebp+var_8]
- .text:1000435C call dword ptr [eax+0Ch]
- 3.
- .text:10004526 mov ecx, [ebp+arg_0_tainted]
- .text:10004529 mov eax, [ecx]
- .text:1000452B push esi
- .text:1000452C push [ebp+var_8]
- .text:1000452F call dword ptr [eax+0Ch]
- Because the object behind arg_0 has already been freed, its first dword (the vtable pointer) can be replaced by attacker-controlled heap contents; each of these three indirect calls then allows an attacker to redirect execution flow.
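As an added illustration (not SAEXT code and not part of the original advisory): the `mov ecx,[arg_0] ; mov eax,[ecx] ; call [eax+0Ch]` sequence is a C++-style virtual call, and once the object it dereferences has been freed and its slot reused by attacker data, the call goes wherever the planted vtable pointer points. The C below reproduces that mechanism deterministically with a toy slot allocator standing in for the process heap, then shows one ownership fix (the caller drops its pointer once the converter reports the free). Every name here (CharSource, toy_alloc, convert_and_release, support_char, plant_fake_object) is hypothetical, the five-character sample buffer is constructed, and the page does not identify the real object type or the real fix.

```c
/* Added illustration, not SAEXT code: a use-after-free turning the `mov eax,[ecx] ;
 * call [eax+0Ch]` virtual-call pattern into a call to an attacker-chosen target,
 * followed by the ownership fix. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-slot allocator standing in for the process heap: a freed slot goes
 * straight back to the next same-sized request, so attacker data can alias it. */
#define SLOT_SIZE 64
#define NSLOTS 4
static union { long double align; unsigned char bytes[SLOT_SIZE]; } g_slots[NSLOTS];
static int g_slot_used[NSLOTS];
static void *toy_alloc(size_t n) {
    if (n > SLOT_SIZE) return NULL;
    for (int i = 0; i < NSLOTS; i++)
        if (!g_slot_used[i]) { g_slot_used[i] = 1; return g_slots[i].bytes; }
    return NULL;
}
static void toy_free(void *p) {
    for (int i = 0; i < NSLOTS; i++)
        if (p == (void *)g_slots[i].bytes) { g_slot_used[i] = 0; return; }
}

/* The object: first field is the vtable pointer (`mov eax,[ecx]` loads it);
 * fetch is the fourth slot, i.e. [eax+0Ch] on a 32-bit build. */
typedef struct CharSource CharSource;
typedef struct {
    void (*release)(CharSource *);
    void (*unused1)(CharSource *), (*unused2)(CharSource *);
    int  (*fetch)(CharSource *, const uint16_t *, int);
} CharSourceVtbl;
struct CharSource { const CharSourceVtbl *vtbl; int ncalls; };

enum { TARGET_NONE = 0, TARGET_LEGIT = 1, TARGET_ATTACKER = 2 };
static int g_last_target = TARGET_NONE;    /* which function the indirect call reached */
static int legit_fetch(CharSource *s, const uint16_t *buf, int n) {
    (void)buf; s->ncalls++; g_last_target = TARGET_LEGIT; return n;
}
static const CharSourceVtbl legit_vtbl = { NULL, NULL, NULL, legit_fetch };

/* Stand-in for an attacker-chosen address (a stack pivot or shellcode in a real
 * exploit); here it only records that control flow was hijacked. */
static int attacker_gadget(CharSource *s, const uint16_t *buf, int n) {
    (void)s; (void)buf; (void)n; g_last_target = TARGET_ATTACKER; return -1;
}
static const CharSourceVtbl attacker_vtbl = { NULL, NULL, NULL, attacker_gadget };

/* Mirrors the three call sites in the listing: load vtbl from arg0, call slot +0xC. */
static int support_char(CharSource *src, const uint16_t *buf, int n) {
    return src->vtbl->fetch(src, buf, n);
}
/* Converter step that frees the object (the ConvertVietToCP1258 -> free frame in
 * the page-heap trace); returns 1 so the caller knows the object is gone. */
static int convert_and_release(CharSource *src) { toy_free(src); return 1; }
static const uint16_t sample_text[5] = { 0x41, 0x42, 0x43, 0x44, 0x45 };  /* constructed */

/* Attacker's same-sized allocation: takes the freed slot and plants a fake vtable
 * pointer in its first word (file-controlled bytes in the real attack). */
static unsigned char *plant_fake_object(void) {
    unsigned char *payload = toy_alloc(sizeof(CharSource));
    const CharSourceVtbl *fake = &attacker_vtbl;
    memcpy(payload, &fake, sizeof fake);
    return payload;
}

/* Vulnerable flow: caller keeps using `src` after the converter freed it.
 * Returns the target the indirect call reached: TARGET_ATTACKER. */
static int run_vulnerable(void) {
    CharSource *src = toy_alloc(sizeof *src);
    src->vtbl = &legit_vtbl; src->ncalls = 0;
    convert_and_release(src);                      /* freed, pointer kept */
    unsigned char *payload = plant_fake_object();
    g_last_target = TARGET_NONE;
    support_char(src, sample_text, 5);             /* stale vtbl -> attacker_gadget */
    toy_free(payload);
    return g_last_target;
}

/* Hardened flow: use the object while alive, then null the pointer once the
 * converter reports the free, so no later call can dereference freed memory.
 * Returns 1 when the live call was legitimate and nothing touched the freed slot. */
static int run_hardened(void) {
    CharSource *src = toy_alloc(sizeof *src);
    src->vtbl = &legit_vtbl; src->ncalls = 0;
    g_last_target = TARGET_NONE;
    support_char(src, sample_text, 5);             /* legitimate use while alive */
    int live_target = g_last_target;
    if (convert_and_release(src)) src = NULL;      /* the fix: drop the dangling reference */
    unsigned char *payload = plant_fake_object();
    g_last_target = TARGET_NONE;
    if (src != NULL) support_char(src, sample_text, 5);   /* refused: src is NULL */
    toy_free(payload);
    return live_target == TARGET_LEGIT && g_last_target == TARGET_NONE;
}

int main(void) {
    printf("vulnerable flow reached target %d (2 = attacker)\n", run_vulnerable());
    printf("hardened flow safe: %d\n", run_hardened());
    return 0;
}
```

Build with any C99 compiler and run: the first flow reports target 2 (attacker), the second reports safe. In the real target the fake vtable pointer would come from crafted file contents landing in the freed block, and `call [eax+0Ch]` would land on a stack pivot or shellcode rather than attacker_gadget; the toy allocator only makes the slot reuse deterministic so the mechanism can be observed without page heap.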