Nytro

CVE-2013-1324 Microsoft Office WPD File Remote Memory Corruption Vulnerability


Author: Ling Chuan Lee

Vulnerable: Microsoft Office Word 2007 (12.0.4518.1014) MSO (12.0.4518.1014)

Tested Platform: Windows 7 Professional

The WordPerfect 5 converter module used by Microsoft Office Word is vulnerable to a stack buffer overflow when it processes a specially crafted WordPerfect document containing an invalid number of CSTYL border elements. To understand what is going on, we first need to understand the file format used by WordPerfect; it is documented in the WP6 File Format SDK [1].

In WP5.x documents, the file header is 16 bytes long. It is followed by the file prefix, organised in blocks of five indexes, with the data for each index block following that block. F13 Research Labs identified the vulnerable WP records in variable-length multi-byte function 0xDC. The codes for the variable-length multi-byte functions [208 (0xD0) through 239 (0xEF)] appear twice each time the function is invoked: the first occurrence is the 'open gate' and the second is the 'closing gate'. Each 'open gate' is followed by a subgroup byte, a size value of type short (16 bits) and a function flags byte. If the flags indicate that prefix data is associated with the function, a number of prefix ID bytes come next, followed by the prefix index-ID words. Next is a word (16 bits) giving the size of the non-deletable information. Following the deletable data are a size word and the 'closing gate' [1]. Here is a pictorial representation of the generic WordPerfect 5.x file structure:

cve-2013-1324_1.png

Figure 1: WordPerfect 5.x File Structure
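To make that framing concrete, here is a small parser for the variable-length multi-byte functions. It is an example added for this page, not code from the advisory or from any WordPerfect converter. It uses only the fields named in the paragraph above (open gate, subgroup byte, 16-bit size, flags byte, trailing size word, closing gate) and treats everything in between as an opaque body. It assumes the size word counts the whole function from open gate to closing gate inclusive, it does not know the lengths of the single-byte and fixed-length function codes (so a stream containing those is rejected rather than mis-parsed), and the sample byte strings are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WP5_VAR_GATE_MIN 0xD0   /* variable-length multi-byte functions: 0xD0..0xEF */
#define WP5_VAR_GATE_MAX 0xEF
#define WP5_VAR_HEAD_LEN 5      /* open gate, subgroup, size word, flags */
#define WP5_VAR_TAIL_LEN 3      /* size word, closing gate */
#define WP5_VAR_MIN_LEN  (WP5_VAR_HEAD_LEN + WP5_VAR_TAIL_LEN)

typedef struct {
    uint8_t  gate, subgroup, flags;
    uint16_t size;
    const uint8_t *body;   /* bytes between the flags byte and the trailing size word */
    size_t   body_len;
} wp5_varfunc;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse one variable-length function starting at p. Returns the bytes consumed, or 0
 * when the record is malformed: bad gate, size word pointing past the buffer, the two
 * size words disagreeing, or the closing gate not matching the open gate.
 * Assumption: the size word counts the whole function, gates included. */
size_t wp5_parse_varfunc(const uint8_t *p, size_t avail, wp5_varfunc *out)
{
    if (avail < WP5_VAR_MIN_LEN) return 0;
    uint8_t gate = p[0];
    if (gate < WP5_VAR_GATE_MIN || gate > WP5_VAR_GATE_MAX) return 0;
    uint16_t size = rd16le(p + 2);
    if (size < WP5_VAR_MIN_LEN || size > avail) return 0;   /* never trust the size word past the buffer */
    const uint8_t *tail = p + size - WP5_VAR_TAIL_LEN;
    if (rd16le(tail) != size || tail[2] != gate) return 0;  /* both sizes and both gates must agree */
    if (out) {
        out->gate = gate; out->subgroup = p[1]; out->size = size; out->flags = p[4];
        out->body = p + WP5_VAR_HEAD_LEN;
        out->body_len = size - WP5_VAR_MIN_LEN;
    }
    return size;
}

/* Walk a stream made of text bytes (< 0x80) and variable-length functions. Returns the
 * number of well-formed functions, or -1 at the first malformed or unsupported byte.
 * Assumption: single-byte (0x80..0xBF) and fixed-length (0xC0..0xCF) function codes,
 * whose lengths this example does not model, never appear. */
int wp5_count_varfuncs(const uint8_t *buf, size_t len)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        if (buf[off] < 0x80) { off++; continue; }           /* plain text byte */
        size_t used = wp5_parse_varfunc(buf + off, len - off, NULL);
        if (used == 0) return -1;
        off += used;
        n++;
    }
    return n;
}

/* Constructed samples (not from the advisory). A text run, one 0xDC function with a
 * 3-byte body (size 0x0B = 5 + 3 + 3), then more text. */
const uint8_t wp5_sample_good[]    = { 'H','i', 0xDC,0x01,0x0B,0x00,0x00, 0xAA,0xBB,0xCC, 0x0B,0x00,0xDC, '!' };
/* Same record with the closing gate changed, so the framing no longer matches. */
const uint8_t wp5_sample_badgate[] = { 'H','i', 0xDC,0x01,0x0B,0x00,0x00, 0xAA,0xBB,0xCC, 0x0B,0x00,0xDD, '!' };
/* Size word claims 0x40 bytes but only 11 follow: must be rejected, not read past the end. */
const uint8_t wp5_sample_trunc[]   = { 0xDC,0x01,0x40,0x00,0x00, 0xAA,0xBB,0xCC, 0x40,0x00,0xDC };

int main(void)
{
    printf("good     : %d\n", wp5_count_varfuncs(wp5_sample_good, sizeof wp5_sample_good));
    printf("bad gate : %d\n", wp5_count_varfuncs(wp5_sample_badgate, sizeof wp5_sample_badgate));
    printf("truncated: %d\n", wp5_count_varfuncs(wp5_sample_trunc, sizeof wp5_sample_trunc));
    return 0;
}
```

The point of checking the size word against `avail` before dereferencing the tail is the same discipline the converter lacks further down: a length field read from the file is attacker-controlled and must be bounded by what is actually in memory before it is used as an offset.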

CVE-2013-1324 is a classic stack buffer overflow that occurs when the WordPerfect 5 converter module 'WPFT532.CNV' processes a crafted WordPerfect file in which a 16-bit field holds the unusual byte values 0x00 and 0xAC (read little-endian as 0xAC00).

cve-2013-1324_2.png

Figure 2: Malformed Multi-byte Function 0xDC

cve-2013-1324_3.png

Figure 3: Malformed Multi-byte Function 0xDC

When we traced the execution flow, we noticed that the instruction at address 0x014D9315 (and eax, 7FFFh) is what produces the loop count in eax used for writing bytes onto the stack: 0xAC00 & 0x7FFF = 0x2C00.

cve-2013-1324_4.png

Figure 4: The Invalid Value 0x2C00


.text:014D9315 and     eax, 7FFFh          ;eax=0000 ac00&7FFFh=0000 2c00
.text:014D931A mov     [ebp+var_4], eax    ;[ebp-4]=0000 2c00
.text:014D931D xor     eax, eax            ;eax=0
.text:014D931F mov     ah, [esi+1]         ;ah=00
.text:014D9322 mov     al, [esi]           ;al=00
......

As the figure below shows, 'loc_14D9336' is a loop that calls the function 'sub_14D89A4', which writes bytes into a stack variable of fixed size. On each iteration the remaining loop count ([ebp+var_4]) is decremented (0xFFFF is added to the 16-bit value) until it reaches zero, while edi holds the current index, which increases as the loop goes on. No bounds check is performed on that index, so once it reaches 0x20 the writes made in 'sub_14D89A4' run past the buffer and overwrite the saved stack base pointer (EBP), which is the stack buffer overflow.

cve-2013-1324_5.png

Figure 5: Writing Bytes into a Stack-defined Variable with a Fixed Size

Figure 5 shows the code where the overwrite of the stack base pointer (EBP) happens. As the listing below shows, 0x6a0 (0x20 * 0x35, i.e. 32 CSTYL elements of 0x35 bytes each) is the total size of the buffer that may be written; the element offset is computed as index * 0x35, so at index 0x20 it already points at the end of the buffer. If the document specifies a larger element count, the converter keeps writing elements beyond that buffer and the WordPerfect file triggers the stack buffer overflow.

.text:014D89A4 push    ebp
.text:014D89A5 mov     ebp, esp
.text:014D89A7 push    ebx
.text:014D89A8 push    esi
.text:014D89A9 mov     esi, eax                  ;esi=eax=0x20 (current loop index)
.text:014D89AB imul    eax, 14h                  ;eax=20h*14h=280
.text:014D89AE imul    esi, 35h                  ;esi=0x20*0x35=0x6a0, sizeof(CSTYL)*32 = end of the buffer
.text:014D89B1 add     esi, [ebp+arg_0]          ;esi=6a0+0018 f200=0018 f8a0
.text:014D89B4 add     eax, offset word_14E4567  ;eax=280+offset WPFT532!AbortRtfToForeign+0x12684=6a52 47e7
.text:014D89B9 push    edi                       ;edi=20
.text:014D89BA mov     [ebp+arg_0], eax          ;[ebp+8]=[0018 f1e8]=6a52 47e7
.text:014D89BD mov     eax, [ebp+arg_4]          ;eax=[ebp+0ch]=[0018 f1ec]=00
.text:014D89C0 xor     ebx, ebx                  ;ebx=0
.text:014D89C2 push    ebx
.text:014D89C3 and     eax, 7                    ;eax=0
.text:014D89C6 push    ebx                       ;ebx=0
.text:014D89C7 push    eax                       ;eax=0
.text:014D89C8 lea     eax, [esi+0Ch]            ;eax=0018 f8ac, [esi+0ch]=[0018 f8ac]=0000 0000
.text:014D89CB push    eax                       ;eax=0018 f8ac
.text:014D89CC call    sub_14D19F6               ;ebp not overwritten
.text:014D89D1 mov     eax, [ebp+arg_4]          ;eax=[ebp+0ch]=[0018 f1ec]=0
.text:014D89D4 push    ebx                       ;ebx=0
.text:014D89D5 shr     eax, 3                    ;eax=0
.text:014D89D8 push    ebx                       ;ebx=0
.text:014D89D9 and     eax, 7                    ;eax=0
.text:014D89DC push    eax
.text:014D89DD push    esi                       ;esi=0018 f8a0
.text:014D89DE call    sub_14D19F6               ;ebp not overwritten
.text:014D89E3 mov     eax, [ebp+arg_4]          ;eax=[ebp+0ch]=[0018 f1ec]=0
.text:014D89E6 push    ebx                       ;ebx=0
.text:014D89E7 shr     eax, 8                    ;eax=0
.text:014D89EA push    ebx                       ;ebx=0
.text:014D89EB and     eax, 7                    ;eax=0
.text:014D89EE push    eax
.text:014D89EF lea     edi, [esi+24h]            ;edi=0018 f8a0+24h=0018 f8c4, [esi+24h]=[0018 f8a0+24h]=6a50 82a7
.text:014D89F2 push    edi                       ;edi=0018 f8c4
.text:014D89F3 call    sub_14D19F6               ;overwrites ebp in this routine

The figures below show the overwrite of the stack base pointer (EBP, 0x0018f8b8) in function 'sub_14D19F6', which causes the memory corruption.

cve-2013-1324_6.png

Figure 6: EBP Before Overwrite

cve-2013-1324_7.png

Figure 7: EBP After Overwrite

The overwritten EBP causes Microsoft Office to crash when execution returns to the previous code block.

cve-2013-1324_8.png

Figure 8: Microsoft Office Crash
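The following C model reproduces the arithmetic from the listings above and puts the missing bounds check beside the vulnerable shape. It is an example added for this page, not code from the original analysis or from WPFT532.CNV. The count word is masked with 0x7FFF as at 0x014D9315, each element is 0x35 bytes, and the fixed buffer holds 0x20 of them (0x6A0 bytes); the frame offsets (buffer base 0x0018F200, saved EBP at 0x0018F8B8, which is 0x18 bytes past the buffer end) are taken from the listing comments. The sentinel value, the fill byte and the crafted word bytes are constructed for the demonstration, and writes go into a flat arena instead of the real stack so that the unchecked variant shows the overrun without crashing the process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CSTYL_SIZE   0x35                       /* bytes per CSTYL element (imul esi, 35h) */
#define CSTYL_MAX    0x20                       /* fixed slots in the frame (32) */
#define CSTYL_BUFLEN (CSTYL_MAX * CSTYL_SIZE)   /* 0x6A0 */

/* Model of the caller's frame, laid out from the listing: arg_0 = 0x0018F200 is the
 * buffer base, index 0x20 lands at 0x0018F8A0, and the saved EBP at 0x0018F8B8 sits
 * 0x18 bytes past the end of the buffer. The sentinel value is constructed. */
#define FRAME_EBP_OFF      (CSTYL_BUFLEN + 0x18)   /* 0x6B8 */
#define FRAME_EBP_SENTINEL 0x0018F1E0u

/* Arena large enough for any count the mask can produce (0x7FFF elements), so the
 * unchecked writer stays within defined behaviour while still modelling the overrun. */
#define ARENA_LEN ((size_t)0x7FFF * CSTYL_SIZE + 16)
static uint8_t arena[ARENA_LEN];

/* How the converter derives the loop count from the file: little-endian word, then
 * and eax, 7FFFh (mov ah,[esi+1]; mov al,[esi]; and eax,7FFFh). */
uint32_t cstyl_count_from_word(const uint8_t *p)
{
    return (uint32_t)((p[0] | (p[1] << 8)) & 0x7FFF);
}

static void frame_reset(void)
{
    uint32_t s = FRAME_EBP_SENTINEL;
    memset(arena, 0, sizeof arena);
    memcpy(arena + FRAME_EBP_OFF, &s, sizeof s);   /* plant the "saved EBP" */
}

/* Read back the modelled saved EBP so callers can see whether it was clobbered. */
uint32_t frame_saved_ebp(void)
{
    uint32_t v;
    memcpy(&v, arena + FRAME_EBP_OFF, sizeof v);
    return v;
}

/* Vulnerable shape: element i is written at base + i*0x35 and i is never compared
 * against CSTYL_MAX, as in sub_14D89A4 / sub_14D19F6. Returns bytes written past
 * the 0x6A0 buffer (0 when everything fit). */
size_t cstyl_fill_unchecked(uint32_t count, uint8_t fill)
{
    frame_reset();
    for (uint32_t i = 0; i < count; i++)
        memset(arena + (size_t)i * CSTYL_SIZE, fill, CSTYL_SIZE);
    size_t total = (size_t)count * CSTYL_SIZE;
    return total > CSTYL_BUFLEN ? total - CSTYL_BUFLEN : 0;
}

/* Hardened shape: reject the record before any write when the file's count exceeds
 * the slots the frame actually has. Returns -1 on rejection, 0 on success. */
int cstyl_fill_checked(uint32_t count, uint8_t fill)
{
    if (count > CSTYL_MAX) return -1;
    frame_reset();
    for (uint32_t i = 0; i < count; i++)
        memset(arena + (size_t)i * CSTYL_SIZE, fill, CSTYL_SIZE);
    return 0;
}

/* Constructed count word as found in the crafted file: bytes 00 AC -> 0xAC00 & 0x7FFF = 0x2C00 */
static const uint8_t crafted_word[2] = { 0x00, 0xAC };

int main(void)
{
    uint32_t n = cstyl_count_from_word(crafted_word);
    printf("count word -> %u (0x%X) elements, frame holds %u\n", n, n, CSTYL_MAX);
    size_t spill = cstyl_fill_unchecked(n, 0x41);
    printf("unchecked: %zu bytes past the 0x%X buffer, saved EBP now 0x%08X\n",
           spill, CSTYL_BUFLEN, frame_saved_ebp());
    printf("checked  : %s\n", cstyl_fill_checked(n, 0x41) < 0 ? "record rejected" : "ok");
    return 0;
}
```

Note that masking with 0x7FFF only keeps the count non-negative; it says nothing about the buffer, which is why the check has to be against CSTYL_MAX (the number of slots that exist) rather than against the field's range. With the crafted word the model writes 0x2C00 elements, and the very first element past index 0x1F already covers the saved EBP.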

Reference:

1. WP6 File Format SDK

Source: F13 Laboratory
