brad-sp / cuckoo-modified

Modified edition of cuckoo

Crash with Office 2013 #190

Open jmigot-tehtris opened 9 years ago

jmigot-tehtris commented 9 years ago

Hi,

I am running Windows 7 x64 with Microsoft Office 2013 x64 and Cuckoo inside Python x86. Whenever I upload a .doc file, I get a crash of WINWORD.EXE. Word is running fine when I launch it by hand on the same machine, and moreover I can start it through Python 32 bit command line, either with subprocess or with the KERNEL32.CreateProcess() method used in Cuckoo, with the same parameters.

I've recompiled Cuckoo with debug mode enabled and got this exception:

2015-09-09 10:05:33,232 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=2400, ppid=2804, name=WINWORD.EXE, path=C:\Program Files\Microsoft Office\Office15\WINWORD.EXE)
2015-09-09 10:05:33,232 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=14757395255531669856)
2015-09-09 10:05:33,232 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 2400
2015-09-09 10:05:33,483 [lib.cuckoo.core.guest] DEBUG: cuckoo2: analysis not completed yet (status=2)
2015-09-09 10:05:34,489 [lib.cuckoo.core.guest] DEBUG: cuckoo2: analysis not completed yet (status=2)
2015-09-09 10:05:35,493 [lib.cuckoo.core.guest] DEBUG: cuckoo2: analysis not completed yet (status=2)
2015-09-09 10:05:36,495 [lib.cuckoo.core.guest] DEBUG: cuckoo2: analysis not completed yet (status=2)
2015-09-09 10:05:37,497 [lib.cuckoo.core.guest] DEBUG: cuckoo2: analysis not completed yet (status=2)
2015-09-09 10:05:38,501 [lib.cuckoo.core.guest] DEBUG: cuckoo2: analysis not completed yet (status=2)
2015-09-09 10:05:39,505 [lib.cuckoo.core.guest] DEBUG: cuckoo2: analysis not completed yet (status=2)
2015-09-09 10:05:40,508 [lib.cuckoo.core.guest] DEBUG: cuckoo2: analysis not completed yet (status=2)
2015-09-09 10:05:41,392 [lib.cuckoo.core.resultserver] DEBUG: New connection from: 192.168.56.102:49165
2015-09-09 10:05:41,398 [lib.cuckoo.core.resultserver] DEBUG: New process (pid=540, ppid=448, name=services.exe, path=C:\Windows\sysnative\services.exe)
2015-09-09 10:05:41,399 [lib.cuckoo.core.resultserver] DEBUG: New thread (tid=0, pid=14757395255531667996)
2015-09-09 10:05:41,399 [lib.cuckoo.core.resultserver] DEBUG: Environ received for pid 540
2015-09-09 10:05:41,511 [lib.cuckoo.core.guest] DEBUG: cuckoo2: analysis not completed yet (status=2)
2015-09-09 10:05:42,513 [lib.cuckoo.core.guest] DEBUG: cuckoo2: analysis not completed yet (status=2)
2015-09-09 10:05:43,079 [lib.cuckoo.common.netlog] INFO: Debug message from monitor: Exception Caught! PID: 2400 EIP: gdiplus.dll+72845 fb712845, Fault Address: 003d3957, Esp: 001e9c20, Exception Code: c0000005,  mso.dll+1e9c720 gdiplus.dll+0 gdiplus.dll+725a8 gdiplus.dll+0 gdiplus.dll+1bdf0 gdiplus.dll+1be08 ntdll.dll+0 ntdll.dll+142de8 cuckoomon.dll+b6d3 cuckoomon.dll+b530 cuckoomon.dll+b6d3 cuckoomon.dll+c3df cuckoomon.dll+eb80 cuckoomon.dll+c2b2 cuckoomon.dll+b7ba gdiplus.dll+729b5 mso.dll+2ece0 mso.dll+2e7df mso.dll+4658 mso.dll+3fb2 mso.dll+2ddc8 mso.dll+2dd31 wwlib.dll+16e80 wwlib.dll+5029 wwlib.dll+4b1a wwlib.dll+1aca WINWORD.EXE+1068 WINWORD.EXE+1397 kernel32.dll+1652d ntdll.dll+2c521 cuckoomon.dll+b7ba cuckoomon.dll+b810 mso.dll+1e9c720 cuckoomon.dll+d3180 cuckoomon.dll+2912b mso.dll+1e9c720 gdiplus.dll+729eb wwlib.dll+15cfa90 mso.dll+2ece0 mso.dll+2e7df mso.dll+4658 mso.dll+3fb2 cuckoomon.dll+e3200 wwlib.dll+23f7 mso.dll+2dd08 mso.dll+2dd08 wwlib.dll+1483bf4 wwlib.dll+15cfa90 mso.dll+1e92420 wwlib.dll+15d6940 mso.dll+2ddc8 mso.dll+0 wwlib.dll+15d6940 wwlib.dll+15cfa90 mso.dll+2dd31 wwlib.dll+15d69e0 wwlib.dll+16e80 WINWORD.EXE+0 wwlib.dll+15d6940 wwlib.dll+15cfa90 wwlib.dll+15d69e0 wwlib.dll+5029 wwlib.dll+12c4470 KERNELBASE.dll+ca80 cuckoomon.dll+b6d3 cuckoomon.dll+1f843 ntdll.dll+4a994 ntdll.dll+b342e ntdll.dll+e0930 kernel32.dll+25273 wwlib.dll+12cab88 wwlib.dll+4b1a ntdll.dll+29b01 kernel32.dll+4b5e7 ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+2c521 ntdll.dll+29b3e kernel32.dll+4b5e7 ntdll.dll+2c521 ntdll.dll+29b3e kernel32.dll+4b5e7 cuckoomon.dll+ecc5 MSVCR100.dll+84e71 ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+2c521 ntdll.dll+29b3e kernel32.dll+4b5e7 cuckoomon.dll+ecc5 MSVCR100.dll+84e71 ntdll.dll+0 ntdll.dll+142de8 cuckoomon.dll+b6d3 cuckoomon.dll+b530 ntdll.dll+2c521 ntdll.dll+29b3e kernel32.dll+4b5e7 cuckoomon.dll+ecc5 MSVCR100.dll+84e71 cuckoomon.dll+34011 cuckoomon.dll+dcc48 ntdll.dll+2c521 ntdll.dll+29b3e 
ntdll.dll+2c521 ntdll.dll+29b3e kernel32.dll+4b5e7 cuckoomon.dll+ecc5 cuckoomon.dll+34011 cuckoomon.dll+ddd64 ntdll.dll+55d24 ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+115409 kernel32.dll+4b5e7 cuckoomon.dll+ecc5 ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+115409 ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+115401 kernel32.dll+4b5e7 cuckoomon.dll+ecc5 ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+115401 kernel32.dll+4b5e7 cuckoomon.dll+ecc5 MSVCR100.dll+84e71 ntdll.dll+0 ntdll.dll+142de8 cuckoomon.dll+b6d3 cuckoomon.dll+b530 ntdll.dll+2c521 ntdll.dll+29b3e kernel32.dll+4b5e7 cuckoomon.dll+ecc5 MSVCR100.dll+84e71 ntdll.dll+2c521 ntdll.dll+29b3e kernel32.dll+4b5e7 ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+2c521 ntdll.dll+29b3e ntdll.dll+2c521 ntdll.dll+29b3e kernel32.dll+4b5e7 cuckoomon.dll+ecc5 MSVCR100.dll+84e71 ntdll.dll+0 ntdll.dll+142de8 cuckoomon.dll+b6d3 cuckoomon.dll+b530 cuckoomon.dll+b6d3 cuckoomon.dll+c3df cuckoomon.dll+eb80 cuckoomon.dll+c2b2 cuckoomon.dll+b7ba KERNELBASE.dll+3ac5 wwlib.dll+49ce wwlib.dll+1aa7 WINWORD.EXE+1068 WINWORD.EXE+1397 kernel32.dll+1652d ntdll.dll+2c521 cuckoomon.dll+2df74 KERNELBASE.dll+3ae0 mso.dll+2d46e7 wwlib.dll+4a81 wwlib.dll+1aca WINWORD.EXE+0 wwlib.dll+1852 WINWORD.EXE+0 WINWORD.EXE+1068 WINWORD.EXE+0 WINWORD.EXE+1397 kernel32.dll+1652d ntdll.dll+2c521, Bytes at EIP: 40 88 b4 14 b7 00 00 00 48 8d 05 94 92 f9 ff 41

For the record, everything is fine with Windows XP and Office 2010. All my tests have been done with the latest Cuckoo sources taken from repository yesterday.

Do you have any idea of what's going on? Is anyone experiencing the same issue, or am I the only one using Office 2013 inside Windows 7 x64 in Cuckoo?

There is the same issue with an .xls file or a .docm file, for example. Test sample: https://www.virustotal.com/en/file/1baec98158be31c1fd6dcf2fdc849a41889f4f2a277969f7a0ed8387470a3405/analysis/

Thanks
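The monitor's "Exception Caught!" line above is dense, and the first thing to settle is where the faulting EIP sits and whether the monitor's own frames (cuckoomon.dll) appear on the stack. The parser below is an added example, not code from cuckoo-modified; it turns that message into structured fields and summarises the frames per module. The sample input is an abridged copy of the log line quoted in this issue (most frames dropped), and the NTSTATUS name table is a hand-picked subset, not something the monitor emits.

```python
import re
from collections import Counter

# Abridged copy of the monitor debug line quoted in the issue (frames shortened).
SAMPLE = (
    "Exception Caught! PID: 2400 EIP: gdiplus.dll+72845 fb712845, "
    "Fault Address: 003d3957, Esp: 001e9c20, Exception Code: c0000005,  "
    "mso.dll+1e9c720 gdiplus.dll+0 gdiplus.dll+725a8 gdiplus.dll+0 gdiplus.dll+1bdf0 "
    "gdiplus.dll+1be08 ntdll.dll+0 ntdll.dll+142de8 cuckoomon.dll+b6d3 cuckoomon.dll+b530 "
    "cuckoomon.dll+b6d3 cuckoomon.dll+c3df cuckoomon.dll+eb80 cuckoomon.dll+c2b2 "
    "cuckoomon.dll+b7ba gdiplus.dll+729b5 mso.dll+2ece0 wwlib.dll+16e80 WINWORD.EXE+1068, "
    "Bytes at EIP: 40 88 b4 14 b7 00 00 00 48 8d 05 94 92 f9 ff 41"
)

# Small subset of well-known NTSTATUS exception codes (assumption: only these are mapped).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0x80000003: "STATUS_BREAKPOINT",
}

# Layout of the message as quoted in the issue: header fields, a space-separated
# list of module+offset frames, then the raw bytes at EIP.
HEADER_RE = re.compile(
    r"Exception Caught! PID: (?P<pid>\d+) "
    r"EIP: (?P<eip_mod>\S+)\+(?P<eip_off>[0-9a-fA-F]+) (?P<eip_abs>[0-9a-fA-F]+), "
    r"Fault Address: (?P<fault>[0-9a-fA-F]+), Esp: (?P<esp>[0-9a-fA-F]+), "
    r"Exception Code: (?P<code>[0-9a-fA-F]+),\s*(?P<frames>.*?), "
    r"Bytes at EIP: (?P<bytes>[0-9a-fA-F ]+)"
)
FRAME_RE = re.compile(r"(\S+)\+([0-9a-fA-F]+)")


def parse_monitor_exception(text):
    """Parse one 'Exception Caught!' message (a full log line is fine; re.search is used)."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("not a cuckoomon exception message")
    frames = [(mod, int(off, 16)) for mod, off in FRAME_RE.findall(m.group("frames"))]
    return {
        "pid": int(m.group("pid")),
        "eip_module": m.group("eip_mod"),
        "eip_offset": int(m.group("eip_off"), 16),
        "eip_absolute": int(m.group("eip_abs"), 16),
        "fault_address": int(m.group("fault"), 16),
        "esp": int(m.group("esp"), 16),
        "code": int(m.group("code"), 16),
        "frames": frames,
        "bytes_at_eip": bytes.fromhex(m.group("bytes").strip()),
    }


def summarize(parsed):
    """Condense a parsed message into what an analyst checks first.

    Note the caveat raised later in the thread: the monitor logs every exception,
    handled ones included, so a logged access violation does not by itself prove a crash.
    """
    frames = parsed["frames"]
    per_module = Counter(mod for mod, _ in frames)
    monitor_idx = [i for i, (mod, _) in enumerate(frames) if mod.lower() == "cuckoomon.dll"]
    return {
        "status": NTSTATUS_NAMES.get(parsed["code"], "unknown"),
        "faulting_module": parsed["eip_module"],
        "frames_per_module": dict(per_module),
        "monitor_frames": len(monitor_idx),
        "first_monitor_frame": monitor_idx[0] if monitor_idx else None,
    }


if __name__ == "__main__":
    parsed = parse_monitor_exception(SAMPLE)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
```

Run it on the full line from the issue after joining the two wrapped halves back together; the `first_monitor_frame` value tells you how deep into the stack the first cuckoomon.dll frame sits, which is the quickest way to see whether a hook was active when the exception fired.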

jmigot-tehtris commented 9 years ago

After using the recompiled cuckoomon.dll with debug mode for x86, it appears that Office 2010 under Windows XP has the same issue now.

brad-sp commented 9 years ago

Cuckoomon currently logs all exceptions, even those that are handled. It's possible that the issue is unrelated to the exceptions reported.

jmigot-tehtris commented 9 years ago

Brad, if you have any idea on how I can debug this situation by modifying cuckoo or cuckoomon code, I can test that and post back the results here in order to help you on this issue.

The crashes of Office 2013 with Windows 7 have existed for a long time (several weeks, maybe months) as far as I have observed.

What would help is confirmation from other people reading this that they are experiencing the same issue.

I will try doing some tests and post everything I have here (I will try upstream code for example).

brad-sp commented 9 years ago

You could try a binary-search strategy of removing hooks until the problem disappears. Or perhaps begin with setting the DISABLE_HOOK_CONTENT define in ntapi.h to 1 (to see if the issue is unrelated to hooks).
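The hook bisection suggested above is worth writing down as an algorithm, because it also shows the one case where plain halving stops working. The following is an added example, not part of cuckoo-modified: the candidate hook names and the `SimulatedBuild` oracle are constructed stand-ins for "rebuild cuckoomon with this subset of hooks enabled and re-run the sample", which is the manual step a real bisection would perform at each iteration.

```python
# Constructed list of hook identifiers; stands in for the hook table in cuckoomon.
CANDIDATE_HOOKS = [f"hook_{i:02d}" for i in range(16)]


class SimulatedBuild:
    """Stand-in for 'rebuild the monitor with these hooks and run the sample'.

    `culprits` is the constructed set of hooks that must all be enabled for the
    simulated crash to occur; `runs` counts how many rebuild+run cycles were spent.
    """

    def __init__(self, culprits):
        self.culprits = set(culprits)
        self.runs = 0

    def crashes(self, enabled_hooks):
        self.runs += 1
        return self.culprits.issubset(enabled_hooks)


def bisect_hooks(hooks, crashes):
    """Narrow a list of hooks down to the ones that reproduce the crash.

    Each round enables only one half of the remaining suspects. If a half still
    crashes, recurse into it. If neither half crashes on its own, the crash needs
    hooks from both halves at once; halving cannot split that, so the current
    suspect set is returned unchanged for the caller to examine by hand.
    """
    suspects = list(hooks)
    if not crashes(suspects):
        raise ValueError("crash does not reproduce with all candidate hooks enabled")
    while len(suspects) > 1:
        mid = len(suspects) // 2
        left, right = suspects[:mid], suspects[mid:]
        if crashes(left):
            suspects = left
        elif crashes(right):
            suspects = right
        else:
            break  # interaction between hooks in both halves
    return suspects


def single_culprit_demo():
    """One hook alone triggers the crash: log2(16) rounds, each at most two runs."""
    build = SimulatedBuild({"hook_11"})
    return bisect_hooks(CANDIDATE_HOOKS, build.crashes), build.runs


def interaction_demo():
    """Two hooks must both be enabled: plain halving cannot reduce the set."""
    build = SimulatedBuild({"hook_03", "hook_12"})
    return bisect_hooks(CANDIDATE_HOOKS, build.crashes), build.runs


if __name__ == "__main__":
    print("single culprit:", single_culprit_demo())
    print("interaction:", interaction_demo())
```

When the bisection returns the full set unchanged, the practical next step is to bisect against a fixed half (keep one half enabled permanently and halve the other), which finds pairs at the cost of roughly twice the rebuilds.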

seanthegeek commented 8 years ago

@brad-accuvant This does seem hook related. Setting DISABLE_HOOK_CONTENT to 1 stops the crashing. In trying to track down the exception, I also tried setting REPORT_EXCEPTIONS and REPORT_ALL_EXCEPTIONS to 1, but I still don't see any exceptions logged in analysis.log. Are they logged there?

Where would I start removing hooks to debug this? I know next to nothing about the win32 API.

seanthegeek commented 8 years ago

Correction to my old post: It looks like this bug only affects 64-bit Office. 32-bit Office 2013 on Windows 7 64-bit works fine.

brad-sp commented 8 years ago

Very odd, as DISABLE_HOOK_CONTENT will still result in the hook being placed and none of the changes made today affected 64-bit hooking ;)

seanthegeek commented 8 years ago

Yeah, I accidentally ran the sample on a 32-bit Office box I was testing and thought the bug had been fixed for 64-bit. Seems like this bug only ever affected 64-bit Office, so if anyone needs a workaround in the meantime, 32-bit Office on 64-bit Windows 7 works fine.