Temptationx / google-security-research

Automatically exported from code.google.com/p/google-security-research

Microsoft Office 2007 VBA ExtendedControl use-after-free #111

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Microsoft Office 2007:

(c08.df0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00150448 ebx=00000003 ecx=0022bd28 edx=00150000 esi=0023ae68 edi=00000000
eip=feeefeee esp=00129350 ebp=001293b8 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
feeefeee ??               ???
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012934c 6520d0b2 0xfeeefeee
00129354 651de772 VBE6!ExtendedControl_Release+0xd
00129364 651de7c6 VBE6!CVBAControlMgr::PreDestructControlRec+0x47
00129378 65176fc0 VBE6!CVBAControlMgr::ReleaseReferences+0x27
001293b8 65177022 VBE6!VBAExtension::UnadviseAndRelease+0x1b3
001293d0 65177325 VBE6!VBAExtension::ZombieMe+0x22
001293dc 65163105 VBE6!TipZombieInstances+0x29
001293f8 65122c41 VBE6!EbCloseProject+0x10d
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\Program Files\Microsoft Office\Office12\wwlib.dll -
0012940c 31342633 VBE6!CVbeProject::Close+0x85
00129424 313422c9 wwlib!FMain+0xfe084
00129434 313421e3 wwlib!FMain+0xfdd1a
0012944c 31341e81 wwlib!FMain+0xfdc34
00129478 31341ae1 wwlib!FMain+0xfd8d2
00129484 3134076f wwlib!FMain+0xfd532
001294c0 3133f33a wwlib!FMain+0xfc1c0
00129510 3133ed9a wwlib!FMain+0xfad8b
00129530 3133dac1 wwlib!FMain+0xfa7eb
00129598 3133d84f wwlib!FMain+0xf9512
0012a618 320bd72f wwlib!FMain+0xf92a0
0012a6ac 7739b6e3 wwlib!DllCanUnloadNow+0x5617a6

Notes:

- Reproduces on Windows Server 2003 and Windows 7.
- When opening the document, a dialog box appears with the text “The dimensions after cropping are too small or too large”.
- Upon closing the document, the crash occurs.
- Appears to be a use-after-free in VBA’s ExtendedControl class (vbe6.dll) triggered by CVBAControlMgr’s PreDestructControlRec method.
- The crash occurs when a vtable is used from an already freed object, resulting in eip being set to the heap free checking constant.
- The test case reduces to a 5-bit difference from the original sample document.
- Three of these bits seem to have particular relevance in causing the crashing behavior: a modification to a “Data” field in a WordDocumentStream structure, and 2 modifications to an embedded object (DataStream).
- Attached samples: cac47ead_1_crash.doc (crashing file), cac47ead_1_orig.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 17 Sep 2014 at 11:23
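The classification in the notes above (eip equal to 0xfeeefeee, the fill value the Windows debug heap writes into freed blocks, plus a caller in VBE6!ExtendedControl_Release) is the kind of reasoning a crash-triage script can automate. The following is an added example, not part of the original report or of any Project Zero tooling: it parses a WinDbg register dump and `k` backtrace, checks the instruction pointer and registers against well-known debug-heap fill patterns, and reports the first frame that resolves to a module symbol. The `SAMPLE_DUMP` is an excerpt of the dump quoted in this report; the pattern table and function names are this example's own.

```python
import re

# Fill patterns written by the Windows debug heap and the MSVC debug CRT.
# An instruction pointer or register equal to one of them indicates the
# memory-lifetime bug named here; 0xfeeefeee is how this report's crash
# was classified as a use-after-free.
FILL_PATTERNS = {
    0xFEEEFEEE: "freed heap block (HeapFree fill): likely use-after-free",
    0xBAADF00D: "fresh heap block (HeapAlloc fill): uninitialised memory",
    0xABABABAB: "heap block guard bytes: likely heap overflow",
    0xDDDDDDDD: "freed MSVC debug-CRT block: likely use-after-free",
}

REG_RE = re.compile(r"\b(e(?:[abcd]x|[sd]i|[bsi]p))=([0-9a-f]{8})\b")
# WinDbg 'k' frame: ChildEBP RetAddr Symbol
FRAME_RE = re.compile(r"^\s*[0-9a-f]{8} [0-9a-f]{8} (\S.*?)\s*$")

# Constructed excerpt of the register dump and backtrace from the report.
SAMPLE_DUMP = """\
(c08.df0): Access violation - code c0000005 (first chance)
eax=00150448 ebx=00000003 ecx=0022bd28 edx=00150000 esi=0023ae68 edi=00000000
eip=feeefeee esp=00129350 ebp=001293b8 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012934c 6520d0b2 0xfeeefeee
00129354 651de772 VBE6!ExtendedControl_Release+0xd
00129364 651de7c6 VBE6!CVBAControlMgr::PreDestructControlRec+0x47
"""


def triage(dump):
    """Classify a WinDbg access-violation dump (register lines plus 'k' output)."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    frames = [m.group(1) for m in map(FRAME_RE.match, dump.splitlines()) if m]
    # The top frame is only the bad address; the first frame that resolves to
    # module!symbol is the code that dereferenced the stale object.
    known = [f for f in frames if "!" in f]
    eip = regs.get("eip")
    return {
        "eip": eip,
        "eip_pattern": FILL_PATTERNS.get(eip),
        "ip_in_module": "Frame IP not in any known module" not in dump,
        "tainted_regs": sorted(n for n, v in regs.items() if v in FILL_PATTERNS),
        "faulting_caller": known[0] if known else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```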

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 18 Sep 2014 at 5:48

GoogleCodeExporter commented 9 years ago
This issue was fixed in MS14-082: 
https://technet.microsoft.com/en-us/library/security/ms14-082.aspx

Original comment by haw...@google.com on 29 Dec 2014 at 8:13

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 13 Jan 2015 at 12:23