Microsoft Excel Use after free/Memory corruption

Nytro · November 4, 2011

Microsoft Excel Use after free/Memory corruption

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Excel
              http://office.microsoft.com/en-us/excel/
              http://office.microsoft.com/en-us/downloads/CD001022531.aspx
Versions:     tested Office 2003 11.8335.8333 SP3
Platforms:    Windows
Bug:          use after free
Exploitation: file
Date:         03 Nov 2011 (found 24 Aug 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Excel 2003 is a spreadsheet program, part of the Office 2003 suite
still supported by Microsoft.


#######################################################################

======
2) Bug
======


Use-after-free probably located in the code that handles the vbscript
macros:

  eax=00492d78 ebx=00000000 ecx=feeefeee edx=00185ff8 esi=004c72b8 edi=00492478
  eip=65058591 esp=00185fd0 ebp=0018601c iopl=0         nv up ei pl nz na pe nc
  cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
  VBE6!DllVbeInit+0x40f6f:
  65058591 ff11            call    dword ptr [ecx]      ds:002b:feeefeee=????????
  0:000:x86> k
  ChildEBP RetAddr  
  0018601c 6501c0dd VBE6!DllVbeInit+0x40f6f
  00186074 6505dee2 VBE6!DllVbeInit+0x4abb
  001860a8 6505e21c VBE6!DllVbeInit+0x468c0
  00186220 767cbc9c VBE6!DllVbeInit+0x46bfa
  00000000 00000000 ole32!StgIsStorageFile+0x764

How to replicate:
- open the proof-of-concept via web or manually
- "An error occurred while loading 'Module1'. Do you want to continue loading the project?"
  select No, if you select Yes then the bug doesn't seem to be
  replicable
- "Unexpected error (32790)"
  select OK
- "Excel found unreadable content in ..."
  Yes or No is the same
- now reopen the proof-of-concept and the bug will happen immediately

The reopening of the same file seems necessary probably because the
Office suite uses only one instance of its programs and performs a
particular reallocation of the resources when a file gets reopened.

Note that I have tested only the latest version of Office 2003 on
Windows 7.

The proof-of-concept is NOT optimized.

Modified bytes:
excel_1a.xls:
0006FCA4   AA       01

excel_1b.xls:
0006FCB0   AD       40


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/excel_1.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Excel
              http://office.microsoft.com/en-us/excel/
              http://office.microsoft.com/en-us/downloads/CD001022531.aspx
Versions:     tested Office 2003 11.8335.8333 SP3
Platforms:    Windows
Bug:          memory corruption
Exploitation: file
Date:         03 Nov 2011 (found 24 Aug 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Excel 2003 is a spreadsheet program, part of the Office 2003 suite
still supported by Microsoft.


#######################################################################

======
2) Bug
======


Memory corruption:

  eax=00000000 ebx=00690066 ecx=00000de9 edx=00000de8 esi=000202ad edi=00630020
  eip=30039ea2 esp=001896a8 ebp=02000814 iopl=0         nv up ei pl nz na pe nc
  cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
  Excel!Ordinal41+0x39ea2:
  30039ea2 c7450800010000  mov     dword ptr [ebp+8],100h ss:002b:0200081c=00690066
  0:000:x86> k
  ChildEBP RetAddr  
  001896b0 30278c45 Excel!Ordinal41+0x39ea2
  001896c8 30278c45 Excel!Ordinal41+0x278c45
  001896e0 3070c95a Excel!Ordinal41+0x278c45
  00189708 301fd1cb Excel!MdCallBack+0x27fe3e
  001899f8 010300dd Excel!Ordinal41+0x1fd1cb
  001899fc 00000000 0x10300dd

Note that the exception can change and NO additional research has been
performed.

How to replicate:
- open the proof-of-concept via web or manually
- excel_2b.xls requires the clicking of "Open" when requested
- now reopen the proof-of-concept and the bug will happen immediately

The reopening of the same file seems necessary probably because the
Office suite uses only one instance of its programs and performs a
particular reallocation of the resources when a file gets reopened.

Note that I have tested only the latest version of Office 2003 on
Windows 7.

The proof-of-concept is NOT optimized.

Modified bytes:
excel_2a.xls:
00067B5F   06       00

excel_2b.xls:
00067B63   00       7F

excel_2c.xls:
00000D70   00       04


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/excel_2.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

Surse:

- http://aluigi.altervista.org/adv/excel_1-adv.txt

- http://aluigi.altervista.org/adv/excel_2-adv.txt

Sign In

Microsoft Excel Use after free/Memory corruption

Recommended Posts

Nytro

Join the conversation

Browse

Activity

Pages