Temptationx / google-security-research

Automatically exported from code.google.com/p/google-security-research

Microsoft Office 2007 TTDeleteEmbeddedFont handle double delete #107

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Microsoft Office 2007:

(7a4.808): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=feeefeee ecx=7ffdf000 edx=00150608 esi=00150000 edi=feeefee6
eip=7c87c9e1 esp=0012f244 ebp=0012f298 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlDebugFreeHeap+0x82:
7c87c9e1 0fb707           movzx   eax,word ptr [edi]    ds:0023:feeefee6=????
0:000> k
ChildEBP RetAddr
0012f298 7c85567a ntdll!RtlDebugFreeHeap+0x82
0012f370 7c83e448 ntdll!RtlFreeHeapSlowly+0x37
0012f454 73c37fb4 ntdll!RtlFreeHeap+0x11a
0012f468 73c34a77 T2EMBED!T2free+0x1d
0012f86c 31dbbb54 T2EMBED!TTDeleteEmbeddedFont+0x7c
0012f884 31dbbae9 wwlib!DllCanUnloadNow+0x25fbcb
0012f8ec 313406d8 wwlib!DllCanUnloadNow+0x25fb60
0012f92c 3135944d wwlib!FMain+0xfc129
0012f950 3135926c wwlib!FMain+0x114e9e
0012f95c 31359231 wwlib!FMain+0x114cbd
0012f984 31244c5b wwlib!FMain+0x114c82
0012ff10 300015fb wwlib!FMain+0x6ac
0012ff30 3000156d winword+0x15fb
0012ffc0 77e6f32b winword+0x156d
0012fff0 00000000 kernel32!BaseProcessStart+0x23

Notes:

- Reproduces on Windows Server 2003 (as an access violation) and
Windows 7 (as a heap critical error)
- Opening the document causes a “Word experienced an error trying to
open the file.” dialog. After closing the dialog, and then closing
Word, the crash occurs.
- The dereference of the “heap free checking constant” suggests 
use-after-free.
- Analysis shows the third argument of RtlpDebugPageHeapFree is
0xfeeefeee - this suggests that a pointer from a previously freed
chunk is itself being freed.
- The call stack may suggest a misuse of the font embedding API. For
example, this could be caused by multiple calls to
TTDeleteEmbeddedFont using the same font reference handle.
- Breakpointing TTDeleteEmbeddedFont and recording the handle
argument confirms that a font reference handle is deleted twice.
- The test case reduces to a 1-bit difference from the original sample document.
- The affected bit is in the lcbSttbfBkmkArto field of the
FibRgFcLcb2007 (or FIBTable2007) structure.
- Attached samples: 9adcab7c_1_crash.doc (crashing file),
9adcab7c_1_orig.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 15 Sep 2014 at 11:10
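The report reduces the test case to a one-bit difference and then names the FIB field that bit lands in. The script below is an added example of how that last step is done; it is not part of the original report or of the attached samples. It takes two WordDocument streams (already extracted from the OLE compound file, for instance with the olefile module; that extraction is not shown), confirms that exactly one bit differs, and maps the offset onto the FIB layout from the MS-DOC specification: FibBase, csw, FibRgW97, cslw, FibRgLw97, cbRgFcLcb and the fc/lcb pair table. It reports the pair index and whether the fc or lcb half was hit; translating that index into a field name such as lcbSttbfBkmkArto is left to the reader against the spec's FibRgFcLcb2007 table and is deliberately not hardcoded. The sample stream and the flipped pair index (100) are constructed for illustration and do not reproduce the issue.

```python
import struct

# Fixed FIB layout from the MS-DOC specification, as byte offsets within the
# WordDocument stream (the stream must first be pulled out of the OLE
# compound file, e.g. with the olefile module; that step is not shown here).
FIBBASE_SIZE = 32      # FibBase: wIdent, nFib, flags, ...
CSW_OFF = 32           # uint16, must be 0x000E
RGW97_OFF = 34         # FibRgW97: 14 x uint16
CSLW_OFF = 62          # uint16, must be 0x0016
RGLW97_OFF = 64        # FibRgLw97: 22 x int32
CBRGFCLCB_OFF = 152    # uint16: number of fc/lcb pairs in FibRgFcLcbBlob
RGFCLCB_OFF = 154      # FibRgFcLcbBlob: (fc uint32, lcb uint32) pairs

# cbRgFcLcb values identify which FibRgFcLcb variant the blob holds.
RGFCLCB_VARIANTS = {
    0x005D: "FibRgFcLcb97",
    0x006C: "FibRgFcLcb2000",
    0x0088: "FibRgFcLcb2002",
    0x00A4: "FibRgFcLcb2003",
    0x00B7: "FibRgFcLcb2007",
}


def parse_fib(stream):
    """Validate the fixed FIB prefix and return the fc/lcb table geometry."""
    w_ident, n_fib = struct.unpack_from("<HH", stream, 0)
    if w_ident != 0xA5EC:
        raise ValueError("wIdent 0x%04X: not a WordDocument stream" % w_ident)
    (csw,) = struct.unpack_from("<H", stream, CSW_OFF)
    (cslw,) = struct.unpack_from("<H", stream, CSLW_OFF)
    (cb_rg_fc_lcb,) = struct.unpack_from("<H", stream, CBRGFCLCB_OFF)
    if csw != 0x000E or cslw != 0x0016:
        raise ValueError("csw/cslw mismatch: 0x%X/0x%X" % (csw, cslw))
    return {
        "nFib": n_fib,
        "cbRgFcLcb": cb_rg_fc_lcb,
        "variant": RGFCLCB_VARIANTS.get(cb_rg_fc_lcb, "unknown"),
        "rgFcLcb_end": RGFCLCB_OFF + 8 * cb_rg_fc_lcb,
    }


def fc_lcb_offset(pair_index, field):
    """Byte offset of the fc or lcb half of a pair in FibRgFcLcbBlob."""
    return RGFCLCB_OFF + 8 * pair_index + (0 if field == "fc" else 4)


def flip_bit(stream, offset, bit):
    """Copy of stream with one bit toggled (how a 1-bit test case is derived)."""
    buf = bytearray(stream)
    buf[offset] ^= 1 << bit
    return bytes(buf)


def locate_bit_diff(orig, mutated):
    """Find the single flipped bit and name the FIB region it lands in."""
    if len(orig) != len(mutated):
        raise ValueError("streams differ in length")
    diffs = [(i, a ^ b) for i, (a, b) in enumerate(zip(orig, mutated)) if a != b]
    if len(diffs) != 1 or bin(diffs[0][1]).count("1") != 1:
        raise ValueError("not a single-bit difference: %r" % diffs)
    off, xor = diffs[0]
    bit = xor.bit_length() - 1           # bit index within the byte
    fib = parse_fib(orig)
    result = {"offset": off, "bit": bit, "variant": fib["variant"]}
    if off < FIBBASE_SIZE:
        result["region"] = "FibBase"
    elif off < RGW97_OFF:
        result["region"] = "csw"
    elif off < CSLW_OFF:
        result.update(region="FibRgW97", index=(off - RGW97_OFF) // 2)
    elif off < RGLW97_OFF:
        result["region"] = "cslw"
    elif off < CBRGFCLCB_OFF:
        result.update(region="FibRgLw97", index=(off - RGLW97_OFF) // 4)
    elif off < RGFCLCB_OFF:
        result["region"] = "cbRgFcLcb"
    elif off < fib["rgFcLcb_end"]:
        rel = off - RGFCLCB_OFF
        # Pair index is what you look up in the spec's FibRgFcLcb* table;
        # field_bit is the bit position within the little-endian 32-bit value.
        result.update(region="FibRgFcLcbBlob", pair=rel // 8,
                      field="fc" if rel % 8 < 4 else "lcb",
                      field_bit=8 * (rel % 4) + bit)
    else:
        result["region"] = "after fc/lcb table (cswNew/FibRgCswNew or data)"
    return result


def build_sample_stream():
    """Constructed minimal Word 2007 WordDocument stream (not a real file):
    valid FIB prefix, cbRgFcLcb = 0x00B7 (FibRgFcLcb2007), zeroed table."""
    fib = bytearray(RGFCLCB_OFF)
    struct.pack_into("<HH", fib, 0, 0xA5EC, 0x00C1)   # wIdent, nFib
    struct.pack_into("<H", fib, CSW_OFF, 0x000E)
    struct.pack_into("<H", fib, CSLW_OFF, 0x0016)
    struct.pack_into("<H", fib, CBRGFCLCB_OFF, 0x00B7)
    fib += bytes(8 * 0x00B7)                           # all fc/lcb pairs zero
    fib += struct.pack("<HHH", 0x0002, 0x0112, 0)      # cswNew, nFibNew, cQuickSavesNew
    fib += b"\x00" * 64                                # stand-in for document data
    return bytes(fib)


if __name__ == "__main__":
    orig = build_sample_stream()
    # Constructed mutation: toggle one bit in the lcb half of pair index 100.
    crash = flip_bit(orig, fc_lcb_offset(100, "lcb"), 3)
    print(locate_bit_diff(orig, crash))
```

Run it against the real pair of samples by replacing build_sample_stream() with the two extracted WordDocument streams; a result whose region is FibRgFcLcbBlob with field "lcb" is what the report's last-but-one note describes, with the pair index resolved against the spec's field list.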

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 16 Sep 2014 at 8:59

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 19 Nov 2014 at 8:01

GoogleCodeExporter commented 9 years ago

Original comment by cev...@google.com on 20 Nov 2014 at 12:52

GoogleCodeExporter commented 9 years ago
MS bulletin: https://technet.microsoft.com/library/security/MS14-069

Original comment by cev...@google.com on 20 Nov 2014 at 1:16

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 13 Jan 2015 at 12:22