Last active: June 26, 2016 10:13
Microsoft Office Component FSupportSAEXTChar() Use After Free Remote Code Execution
References:
==========
CVE: CVE-2016-0140
MSC: MS16-054

Summary:
========
A Use-After-Free can be triggered in FSupportSAEXTChar() when opening a specially crafted xls file in Office 2010 or 2007.
Debugging:
==========
(d00.fc0): Unknown exception - code e0000002 (first chance)
calling sub_1000408A(0x146c8fe0, 0x393f2fd0, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x146f3fe0, 0x393f2fd0, 0xc, 0x23f9a4, 0xff, 0x0, 0x1);
calling sub_1000408A(0x1471efe0, 0x393f2fd0, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x1474dfe0, 0x393f2fd0, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x14778fe0, 0x393f2fd0, 0xc, 0x23f99c, 0xff, 0x0, 0x1);
calling sub_1000408A(0x147a3fe0, 0x393f2fe8, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x1476efe0, 0x393f2fe8, 0xc, 0x23f9a4, 0xff, 0x0, 0x1);
calling sub_1000408A(0x14799fe0, 0x393f2fe8, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x147c4fe0, 0x393f2fe8, 0xc, 0x23f9e0, 0xff, 0x0, 0x1);
calling sub_1000408A(0x147d0fe0, 0x393f2fe8, 0xc, 0x23f99c, 0xff, 0x0, 0x1);
(d00.fc0): Unknown exception - code e0000002 (first chance)
calling sub_1000408A(0x146c2fe0, 0x3a0e8ff8, 0x5, 0x23f9e0, 0xff, 0x0, 0x1);
(d00.fc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000002 ebx=0023f9e0 ecx=ffffff02 edx=00000001 esi=3a0e9000 edi=00000003
eip=6c3643e1 esp=0023f940 ebp=0023f95c iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
SAEXT+0x43e1:
6c3643e1 0fb706 movzx eax,word ptr [esi] ds:0023:3a0e9000=????
1:024> bl
0 e 6c365332 0001 (0001) 1:**** SAEXT!FSupportSAEXTChar+0xf4 ".printf \"calling sub_1000408A(0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x, 0x%x);\\n\", poi(@esp), poi(@esp+4), poi(@esp+8), poi(@esp+c), poi(@esp+10), poi(@esp+14), poi(@esp+18);gc"
1:024> dd 0x393f2fe8
393f2fe8 ???????? ???????? ???????? ????????
393f2ff8 ???????? ???????? ???????? ????????
393f3008 ???????? ???????? ???????? ????????
393f3018 ???????? ???????? ???????? ????????
393f3028 ???????? ???????? ???????? ????????
393f3038 ???????? ???????? ???????? ????????
393f3048 ???????? ???????? ???????? ????????
393f3058 ???????? ???????? ???????? ????????
1:024> dd 0x147a3fe0
147a3fe0 ???????? ???????? ???????? ????????
147a3ff0 ???????? ???????? ???????? ????????
147a4000 ???????? ???????? ???????? ????????
147a4010 ???????? ???????? ???????? ????????
147a4020 ???????? ???????? ???????? ????????
147a4030 ???????? ???????? ???????? ????????
147a4040 ???????? ???????? ???????? ????????
147a4050 ???????? ???????? ???????? ????????
1:024> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0023f95c 6c365337 146c2fe0 3a0e8ff8 00000005 SAEXT+0x43e1
0023f984 6c365211 146c2fe0 3a0e8ff8 00000005 SAEXT!FSupportSAEXTChar+0xf9
0023f9a4 5bb54066 146c2fe0 3a0e8ff8 00000005 SAEXT!FindWB+0x1c
0023fae4 5b95241e 378aaf60 146c2fe0 00000000 oart!Ordinal2082+0x294a
0023fb2c 5b87a6be 34db6e18 00000000 00000e17 oart!Ordinal317+0xbdde
0023fb4c 6aa0a3ab 0023fb70 00000000 00000e17 oart!Ordinal6770+0x63
0023fb84 6aa0a360 0023fba4 00000000 00000e17 riched20!IID_ITextHost2+0x7527
0023fbac 6a941fd6 047d3c38 139f7f28 00000000 riched20!IID_ITextHost2+0x74dc
0023fbe4 6a942755 00000002 13a01f60 00000000 MSPTLS!LssbFIsSublineEmpty+0x324b3
0023fc18 6a942b70 00000002 13a01f60 00000000 MSPTLS!LssbFIsSublineEmpty+0x32c32
0023fc70 6a9435c6 00000002 00000000 0023fdd8 MSPTLS!LssbFIsSublineEmpty+0x3304d
0023fcf8 6a91316e 00000002 13a01f60 00000002 MSPTLS!LssbFIsSublineEmpty+0x33aa3
0023fd64 6a9143df 00000002 00000001 0023fdd8 MSPTLS!LssbFIsSublineEmpty+0x364b
0023fd94 6a92447b 047dbeec 0023fe2c 0023fdd8 MSPTLS!LssbFIsSublineEmpty+0x48bc
0023fde0 6a92554b 0023fe2c 00240004 0023feb8 MSPTLS!LssbFIsSublineEmpty+0x14958
0023fe60 6a9256ba 139e9fa0 0023feb8 002401d0 MSPTLS!LssbFIsSublineEmpty+0x15a28
0023fe88 6a91f247 047dbee8 00240004 139e9fa0 MSPTLS!LssbFIsSublineEmpty+0x15b97
00240094 6a904c98 047d5a78 00000000 000007c6 MSPTLS!LssbFIsSublineEmpty+0xf724
002400c8 6a9dc803 047d5a78 00000000 000007c6 MSPTLS!LsCreateLine+0x23
002401e8 6a9dc659 00000003 00000000 ffffffff riched20!RichListBoxWndProc+0x18d1
We can see that the first argument is also a freed object still in use:
1:024> !heap -p -a 0x147d0fe0
address 147d0fe0 found in
_DPH_HEAP_ROOT @ 2881000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
14722d34: 147d0000 2000
6dc990b2 verifier!AVrfDebugPageHeapFree+0x000000c2
77ae693c ntdll!RtlDebugFreeHeap+0x0000002f
77aa9dbf ntdll!RtlpFreeHeap+0x0000005d
77a763e6 ntdll!RtlFreeHeap+0x00000142
771fc584 kernel32!HeapFree+0x00000014
715a3c1b MSVCR90!free+0x000000cd
6c365c72 SAEXT!ConvertVietToCP1258+0x00000458
6c364080 SAEXT+0x00004080
6c365354 SAEXT!FSupportSAEXTChar+0x00000116
5b952425 oart!Ordinal317+0x0000bde5
5b87a6be oart!Ordinal6770+0x00000063
6aa0a3ab riched20!IID_ITextHost2+0x00007527
6aa0a360 riched20!IID_ITextHost2+0x000074dc
6a942553 MSPTLS!LssbFIsSublineEmpty+0x00032a30
6a942a06 MSPTLS!LssbFIsSublineEmpty+0x00032ee3
6a942a6f MSPTLS!LssbFIsSublineEmpty+0x00032f4c
6a942c11 MSPTLS!LssbFIsSublineEmpty+0x000330ee
6a9435c6 MSPTLS!LssbFIsSublineEmpty+0x00033aa3
6a91316e MSPTLS!LssbFIsSublineEmpty+0x0000364b
6a9143df MSPTLS!LssbFIsSublineEmpty+0x000048bc
6a92447b MSPTLS!LssbFIsSublineEmpty+0x00014958
6a92554b MSPTLS!LssbFIsSublineEmpty+0x00015a28
6a9256ba MSPTLS!LssbFIsSublineEmpty+0x00015b97
6a91f247 MSPTLS!LssbFIsSublineEmpty+0x0000f724
6a904c98 MSPTLS!LsCreateLine+0x00000023
6a9dc803 riched20!RichListBoxWndProc+0x000018d1
6a9dc659 riched20!RichListBoxWndProc+0x00001727
6a9cf36a riched20!IID_ITextServices2+0x00003c1e
6a9e2f0d riched20!RichListBoxWndProc+0x00007fdb
6a9e2b82 riched20!RichListBoxWndProc+0x00007c50
6a9e2a09 riched20!RichListBoxWndProc+0x00007ad7
6a993a9b MSPTLS!LsLwMultDivR+0x00013786
Static Analysis:
================
Now, somewhere in the sub_1000408A function, we can see the following code...
1.
.text:1000425B mov ecx, [ebp+arg_0_tainted]
.text:1000425E mov eax, [ecx]
.text:10004260 push esi
.text:10004261 push [ebp+var_8]
.text:10004264 call dword ptr [eax+0Ch]
2.
.text:10004353 mov ecx, [ebp+arg_0_tainted]
.text:10004356 mov eax, [ecx]
.text:10004358 push esi
.text:10004359 push [ebp+var_8]
.text:1000435C call dword ptr [eax+0Ch]
3.
.text:10004526 mov ecx, [ebp+arg_0_tainted]
.text:10004529 mov eax, [ecx]
.text:1000452B push esi
.text:1000452C push [ebp+var_8]
.text:1000452F call dword ptr [eax+0Ch]
Each of these call sites dispatches through a pointer read from the freed object (the first argument), so of course they allow an attacker to redirect execution flow.
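The free-stack and call-site pattern above, as an added C model that is not the SAEXT code: a conversion routine frees the object (as the page's stack shows for ConvertVietToCP1258) while the caller still holds the pointer and later dispatches through the vtable slot at +0x0C (`mov eax,[ecx]; call dword ptr [eax+0Ch]`). The type and function names are hypothetical; the hardened shape shown transfers ownership through a double pointer and clears the caller's handle so the slot-3 dispatch cannot read a vtable pointer out of freed memory.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model, not the SAEXT code: an object whose first word is a
 * vtable pointer. Slot 3 sits at +0x0C on 32-bit, the target of
 *   mov eax,[ecx] ; call dword ptr [eax+0Ch]   in sub_1000408A. */
typedef struct Run Run;
typedef struct {
    void (*slot0)(Run *), (*slot1)(Run *), (*slot2)(Run *);
    int  (*slot3)(Run *, unsigned short *out, size_t cap);
} RunVtbl;
struct Run {
    const RunVtbl *vtbl;          /* first dword, read by "mov eax,[ecx]" */
    unsigned short *chars;
    size_t len;
};
static void noop(Run *r) { (void)r; }
static int copy_chars(Run *r, unsigned short *out, size_t cap) {
    size_t n = r->len < cap ? r->len : cap;
    memcpy(out, r->chars, n * sizeof *out);
    return (int)n;
}
static const RunVtbl run_vtbl = { noop, noop, noop, copy_chars };

Run *run_new(const unsigned short *src, size_t len) {
    Run *r = malloc(sizeof *r);
    r->vtbl = &run_vtbl;
    r->chars = malloc(len * sizeof *r->chars);
    memcpy(r->chars, src, len * sizeof *r->chars);
    r->len = len;
    return r;
}

/* Stand-in for a conversion routine that frees its input, as the page's free
 * stack shows for ConvertVietToCP1258. The buggy shape frees *pp but leaves
 * the caller's copy intact, so a later "call [eax+0Ch]" reads freed memory.
 * Hardened shape: take ownership via a double pointer and clear the handle. */
Run *run_convert(Run **pp) {
    Run *old = *pp;
    Run *fresh = run_new(old->chars, old->len);   /* converted copy */
    free(old->chars);
    free(old);
    *pp = NULL;
    return fresh;
}

/* Slot-3 dispatch that rejects a cleared handle instead of loading a vtable
 * pointer out of freed memory. Returns -1 on a dead handle. */
int run_dispatch_slot3(Run *r, unsigned short *out, size_t cap) {
    if (r == NULL || r->vtbl == NULL) return -1;
    return r->vtbl->slot3(r, out, cap);
}
```

With page heap enabled, as in the `!heap -p -a` output above, the buggy shape faults on the first read of the freed vtable pointer; the hardened shape fails closed with -1 instead.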