a guest
May 25th, 2016
Microsoft Office Component FSupportSAEXTChar() Use After Free Remote Code Execution

References:
==========

CVE: CVE-2016-0140
MSC: MS16-054

Summary:
========
A use-after-free can be triggered in SAEXT!FSupportSAEXTChar() when opening a specially crafted .xls file in Office 2007 or 2010. The faulting instruction itself is in an unnamed helper that FSupportSAEXTChar calls (SAEXT+0x43e1 in the trace below).

Debugging:
==========
(d00.fc0): Unknown exception - code e0000002 (first chance)
calling sub_1000408A(0x146c8fe0, 0x393f2fd0, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x146f3fe0, 0x393f2fd0, 0xc, 0x23f9a4, 0xff, 0x0, 0x1);
calling sub_1000408A(0x1471efe0, 0x393f2fd0, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x1474dfe0, 0x393f2fd0, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x14778fe0, 0x393f2fd0, 0xc, 0x23f99c, 0xff, 0x0, 0x1);
calling sub_1000408A(0x147a3fe0, 0x393f2fe8, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x1476efe0, 0x393f2fe8, 0xc, 0x23f9a4, 0xff, 0x0, 0x1);
calling sub_1000408A(0x14799fe0, 0x393f2fe8, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x147c4fe0, 0x393f2fe8, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x147d0fe0, 0x393f2fe8, 0xc, 0x23f99c, 0xff, 0x0, 0x1);
(d00.fc0): Unknown exception - code e0000002 (first chance)
calling sub_1000408A(0x146c2fe0, 0x3a0e8ff8, 0x5, 0x23f9e0, 0xff, 0x0, 0x1);
(d00.fc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000002 ebx=0023f9e0 ecx=ffffff02 edx=00000001 esi=3a0e9000 edi=00000003
eip=6c3643e1 esp=0023f940 ebp=0023f95c iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
SAEXT+0x43e1:
6c3643e1 0fb706 movzx eax,word ptr [esi] ds:0023:3a0e9000=????
1:024> bl
0 e 6c365332 0001 (0001) 1:**** SAEXT!FSupportSAEXTChar+0xf4 ".printf \"calling sub_1000408A(0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x);\\n\", poi(@esp), poi(@esp+4), poi(@esp+8), poi(@esp+c), poi(@esp+10), poi(@esp+14), poi(@esp+18);gc"
1:024> dd 0x393f2fe8
393f2fe8 ???????? ???????? ???????? ????????
393f2ff8 ???????? ???????? ???????? ????????
393f3008 ???????? ???????? ???????? ????????
393f3018 ???????? ???????? ???????? ????????
393f3028 ???????? ???????? ???????? ????????
393f3038 ???????? ???????? ???????? ????????
393f3048 ???????? ???????? ???????? ????????
393f3058 ???????? ???????? ???????? ????????
1:024> dd 0x147a3fe0
147a3fe0 ???????? ???????? ???????? ????????
147a3ff0 ???????? ???????? ???????? ????????
147a4000 ???????? ???????? ???????? ????????
147a4010 ???????? ???????? ???????? ????????
147a4020 ???????? ???????? ???????? ????????
147a4030 ???????? ???????? ???????? ????????
147a4040 ???????? ???????? ???????? ????????
147a4050 ???????? ???????? ???????? ????????
1:024> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0023f95c 6c365337 146c2fe0 3a0e8ff8 00000005 SAEXT+0x43e1
0023f984 6c365211 146c2fe0 3a0e8ff8 00000005 SAEXT!FSupportSAEXTChar+0xf9
0023f9a4 5bb54066 146c2fe0 3a0e8ff8 00000005 SAEXT!FindWB+0x1c
0023fae4 5b95241e 378aaf60 146c2fe0 00000000 oart!Ordinal2082+0x294a
0023fb2c 5b87a6be 34db6e18 00000000 00000e17 oart!Ordinal317+0xbdde
0023fb4c 6aa0a3ab 0023fb70 00000000 00000e17 oart!Ordinal6770+0x63
0023fb84 6aa0a360 0023fba4 00000000 00000e17 riched20!IID_ITextHost2+0x7527
0023fbac 6a941fd6 047d3c38 139f7f28 00000000 riched20!IID_ITextHost2+0x74dc
0023fbe4 6a942755 00000002 13a01f60 00000000 MSPTLS!LssbFIsSublineEmpty+0x324b3
0023fc18 6a942b70 00000002 13a01f60 00000000 MSPTLS!LssbFIsSublineEmpty+0x32c32
0023fc70 6a9435c6 00000002 00000000 0023fdd8 MSPTLS!LssbFIsSublineEmpty+0x3304d
0023fcf8 6a91316e 00000002 13a01f60 00000002 MSPTLS!LssbFIsSublineEmpty+0x33aa3
0023fd64 6a9143df 00000002 00000001 0023fdd8 MSPTLS!LssbFIsSublineEmpty+0x364b
0023fd94 6a92447b 047dbeec 0023fe2c 0023fdd8 MSPTLS!LssbFIsSublineEmpty+0x48bc
0023fde0 6a92554b 0023fe2c 00240004 0023feb8 MSPTLS!LssbFIsSublineEmpty+0x14958
0023fe60 6a9256ba 139e9fa0 0023feb8 002401d0 MSPTLS!LssbFIsSublineEmpty+0x15a28
0023fe88 6a91f247 047dbee8 00240004 139e9fa0 MSPTLS!LssbFIsSublineEmpty+0x15b97
00240094 6a904c98 047d5a78 00000000 000007c6 MSPTLS!LssbFIsSublineEmpty+0xf724
002400c8 6a9dc803 047d5a78 00000000 000007c6 MSPTLS!LsCreateLine+0x23
002401e8 6a9dc659 00000003 00000000 ffffffff riched20!RichListBoxWndProc+0x18d1

The process is running under full page heap (the !heap output below shows a DPH_HEAP_ROOT), which leaves freed blocks inaccessible; that is why both dd dumps above return ???? and why the faulting read (movzx eax,word ptr [esi] with esi=3a0e9000) lands on an unmapped page. Querying page heap for the first argument of the last traced call shows that it, too, is a freed block that is still in use: it was released by MSVCR90!free, reached through SAEXT!ConvertVietToCP1258 from inside an earlier FSupportSAEXTChar call, and then handed back to the same code path:

1:024> !heap -p -a 0x147d0fe0
address 147d0fe0 found in
_DPH_HEAP_ROOT @ 2881000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
14722d34: 147d0000 2000
6dc990b2 verifier!AVrfDebugPageHeapFree+0x000000c2
77ae693c ntdll!RtlDebugFreeHeap+0x0000002f
77aa9dbf ntdll!RtlpFreeHeap+0x0000005d
77a763e6 ntdll!RtlFreeHeap+0x00000142
771fc584 kernel32!HeapFree+0x00000014
715a3c1b MSVCR90!free+0x000000cd
6c365c72 SAEXT!ConvertVietToCP1258+0x00000458
6c364080 SAEXT+0x00004080
6c365354 SAEXT!FSupportSAEXTChar+0x00000116
5b952425 oart!Ordinal317+0x0000bde5
5b87a6be oart!Ordinal6770+0x00000063
6aa0a3ab riched20!IID_ITextHost2+0x00007527
6aa0a360 riched20!IID_ITextHost2+0x000074dc
6a942553 MSPTLS!LssbFIsSublineEmpty+0x00032a30
6a942a06 MSPTLS!LssbFIsSublineEmpty+0x00032ee3
6a942a6f MSPTLS!LssbFIsSublineEmpty+0x00032f4c
6a942c11 MSPTLS!LssbFIsSublineEmpty+0x000330ee
6a9435c6 MSPTLS!LssbFIsSublineEmpty+0x00033aa3
6a91316e MSPTLS!LssbFIsSublineEmpty+0x0000364b
6a9143df MSPTLS!LssbFIsSublineEmpty+0x000048bc
6a92447b MSPTLS!LssbFIsSublineEmpty+0x00014958
6a92554b MSPTLS!LssbFIsSublineEmpty+0x00015a28
6a9256ba MSPTLS!LssbFIsSublineEmpty+0x00015b97
6a91f247 MSPTLS!LssbFIsSublineEmpty+0x0000f724
6a904c98 MSPTLS!LsCreateLine+0x00000023
6a9dc803 riched20!RichListBoxWndProc+0x000018d1
6a9dc659 riched20!RichListBoxWndProc+0x00001727
6a9cf36a riched20!IID_ITextServices2+0x00003c1e
6a9e2f0d riched20!RichListBoxWndProc+0x00007fdb
6a9e2b82 riched20!RichListBoxWndProc+0x00007c50
6a9e2a09 riched20!RichListBoxWndProc+0x00007ad7
6a993a9b MSPTLS!LsLwMultDivR+0x00013786

Static Analysis:
================

With SAEXT loaded at 6c360000 in the debugger and at 10000000 in the disassembler, the faulting instruction SAEXT+0x43e1 is 100043e1, which lies inside sub_10004070, the helper that FSupportSAEXTChar calls at +0xf4 (the return address in the stack is +0xf9). In that function the tainted first argument (arg_0) is treated as an object pointer: its first dword is read as a vtable and the fourth slot (offset 0Ch) is called at three sites.

1.

.text:1000425B mov ecx, [ebp+arg_0_tainted]
.text:1000425E mov eax, [ecx]
.text:10004260 push esi
.text:10004261 push [ebp+var_8]
.text:10004264 call dword ptr [eax+0Ch]

2.

.text:10004353 mov ecx, [ebp+arg_0_tainted]
.text:10004356 mov eax, [ecx]
.text:10004358 push esi
.text:10004359 push [ebp+var_8]
.text:1000435C call dword ptr [eax+0Ch]

3.

.text:10004526 mov ecx, [ebp+arg_0_tainted]
.text:10004529 mov eax, [ecx]
.text:1000452B push esi
.text:1000452C push [ebp+var_8]
.text:1000452F call dword ptr [eax+0Ch]

Each of these is an indirect call through a pointer fetched from memory the attacker can reclaim. Once the object behind arg_0 has been freed and its chunk reallocated with controlled contents, the vtable pointer at offset 0, and with it the target of call dword ptr [eax+0Ch], is attacker-chosen, which is what allows execution flow to be redirected.
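The pattern above, modelled as an added C example. This is constructed illustration code, not SAEXT's code and not from the advisory author; the object layout, the one-chunk allocator and the names legit_method, hijacked_method, call_slot3 and fake_vt are assumptions chosen to mirror mov eax,[ecx] / call dword ptr [eax+0Ch]. It shows why a freed first argument is exploitable: the chunk is reclaimed with attacker data whose first field is a fake vtable pointer, and the stale pointer is then dispatched through the fourth slot (offset 0xC on the 32-bit build). The fixed variant drops the dangling reference when the object is freed, so the reclaimed chunk is never dispatched through.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the three call sites in sub_10004070:
 *     mov  eax, [ecx]            ; ecx = tainted first argument
 *     call dword ptr [eax+0Ch]   ; fourth vtable slot (offset 0xC, 32-bit build)
 * slot[3] below stands in for [eax+0Ch]. Names and layout are assumptions. */
typedef int (*method_fn)(void *self, int arg);

typedef struct {
    method_fn slot[4];
} vtable_t;

typedef struct {
    const vtable_t *vt;    /* vptr at offset 0, like a C++ object */
    int data;
} obj_t;

/* One-chunk "heap" (assumption): a freed chunk is handed straight back to the
 * next same-sized request, the reuse an attacker relies on to reclaim the object. */
static union {
    obj_t obj;
    unsigned char raw[sizeof(obj_t)];
} g_chunk;
static int g_chunk_busy;

static void *chunk_alloc(size_t n)
{
    if (g_chunk_busy || n > sizeof g_chunk)
        return NULL;
    g_chunk_busy = 1;
    return &g_chunk;
}

static void chunk_free(void *p)
{
    if (p == (void *)&g_chunk)
        g_chunk_busy = 0;
}

static int legit_method(void *self, int arg)
{
    return ((obj_t *)self)->data + arg;
}

/* Stand-in for attacker code; a real exploit points the slot at a gadget chain. */
static int hijacked_method(void *self, int arg)
{
    (void)self;
    (void)arg;
    return 0x41414141;
}

static const vtable_t legit_vt = { { legit_method, legit_method, legit_method, legit_method } };
static const vtable_t fake_vt  = { { hijacked_method, hijacked_method, hijacked_method, hijacked_method } };

/* The callee's dispatch: trusts whatever pointer sits at offset 0 of the object. */
static int call_slot3(obj_t *o, int arg)
{
    return o->vt->slot[3](o, arg);
}

/* Vulnerable flow: object freed while a pointer to it is kept, chunk reclaimed
 * with a fake vptr, stale pointer dispatched. Returns what the hijacked slot produced. */
int uaf_dispatch(void)
{
    obj_t *o = chunk_alloc(sizeof(obj_t));
    if (o == NULL)
        return -1;
    o->vt = &legit_vt;
    o->data = 1;
    (void)call_slot3(o, 2);               /* legitimate call, returns 3 */

    chunk_free(o);                        /* freed, but o is still held (dangling) */

    unsigned char *spray = chunk_alloc(sizeof(obj_t));   /* same chunk comes back */
    const vtable_t *fake = &fake_vt;
    memcpy(spray, &fake, sizeof fake);    /* attacker data: fake vptr at offset 0 */

    int hijacked = call_slot3(o, 2);      /* [eax+0Ch] now comes from fake_vt */
    chunk_free(spray);
    return hijacked;                      /* 0x41414141 */
}

/* Fixed flow: the owner clears its reference at free time and the dispatcher is
 * only reached with a live object, so the reclaimed chunk is never dispatched through. */
int fixed_dispatch(void)
{
    obj_t *o = chunk_alloc(sizeof(obj_t));
    if (o == NULL)
        return -1;
    o->vt = &legit_vt;
    o->data = 1;
    int r = call_slot3(o, 2);             /* 3 */

    chunk_free(o);
    o = NULL;                             /* no dangling reference survives the free */

    unsigned char *spray = chunk_alloc(sizeof(obj_t));
    const vtable_t *fake = &fake_vt;
    memcpy(spray, &fake, sizeof fake);    /* same spray, but nothing dispatches through it */
    if (o != NULL)
        r = call_slot3(o, 2);             /* never reached */
    chunk_free(spray);
    return r;                             /* 3 */
}

int main(void)
{
    printf("vulnerable dispatch returned 0x%x\n", (unsigned)uaf_dispatch());
    printf("fixed dispatch returned %d\n", fixed_dispatch());
    return 0;
}
```

Build with cc -O2 uaf_vtable.c and run it: the vulnerable path returns the value produced by the attacker's slot, the fixed path the legitimate result. In the real bug the reclaim step is the hard part (the freed block is a page-heap-sized allocation under the debugger, a normal heap chunk in production), but the dispatch step is exactly the three call sites above.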