telnetgmike / google-security-research

Automatically exported from code.google.com/p/google-security-research

Microsoft Office 2007 BoundSheet dt use-after-free #119

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Microsoft Office 2007:

(78c.b20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03188a00 ebx=00000101 ecx=00133542 edx=001332d0 esi=006f006f edi=031eb800
eip=30555623 esp=001332f0 ebp=00133300 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
Excel!Ordinal40+0x555623:
30555623 ff7618           push dword ptr [esi+0x18] ds:0023:006f0087=????????
0:000> k
ChildEBP RetAddr  
00133300 3095f766 Excel!Ordinal40+0x555623
00133948 3056762d Excel!Ordinal40+0x95f766
00133978 30133c2b Excel!Ordinal40+0x56762d
00133994 30116e7d Excel!Ordinal40+0x133c2b
00135c84 301168f9 Excel!Ordinal40+0x116e7d
00135d38 30129384 Excel!Ordinal40+0x1168f9
0013bc4c 301284cb Excel!Ordinal40+0x129384
0013e244 30127d70 Excel!Ordinal40+0x1284cb
0013e518 30128830 Excel!Ordinal40+0x127d70
0013e7d4 301aa633 Excel!Ordinal40+0x128830
0013faa4 301aa8a3 Excel!Ordinal40+0x1aa633
0013fab8 30030ae1 Excel!Ordinal40+0x1aa8a3
0013fd08 303da450 Excel!Ordinal40+0x30ae1
0013fd9c 301f7153 Excel!Ordinal40+0x3da450
0013fdd0 301f743f Excel!Ordinal40+0x1f7153
0013fec0 30003b60 Excel!Ordinal40+0x1f743f
0013ff30 30003874 Excel!Ordinal40+0x3b60
0013ffc0 77e6f32b Excel!Ordinal40+0x3874
0013fff0 00000000 kernel32!BaseProcessStart+0x23

Notes:

- Reproduces on Windows Server 2003 and Windows 7
- Arbitrary code execution in the parent function is possible (as follows).
- The crash occurs on a read AV when pushing a function argument from an 
invalid pointer. If this function is made to return 0 due to a string 
comparison succeeding, then the invalid pointer is returned to the caller of 
the crashing function (3095f766 and then immediately to 3056762d).
- The return value is non-zero, so the invalid value is dereferenced at an 
offset of 8, and then this attacker controlled value is passed to another 
function. Then an offset of 4 is dereferenced and passed to yet another 
function. This value is eventually used as a pointer to the target of a 
relative call, provided that several intermediate conditions are met.
- Specifically, on EXCEL.EXE 12.0.6683.5002:

  crashing instruction 30555623
  call to 3000F953 must return 0
  ret to 3095f766
  ret to 3056762d
  call to 30567651 with invalid argument
  call to 3055F3F2 with invalid argument
  calls to 30035DCF succeed
  call to 3055F4B2 with invalid argument
  ebx set to invalid value provided that MsoCchWzLen call is non-negative
  call to 30303282 with invalid ebx
  dereference invalid ebx and call result, provided that call to 300059BB succeeds

- It's important to note that depending on memory layout, the crash can also 
occur in 3000F953, specifically at 3001db15, and could exhibit as a NULL 
pointer dereference. In particular this is commonly observed on Windows 7.
- The specific invalid value observed (006f006f) is part of a unicode string, 
and is seen on the first iteration of the crashing function's main loop. The 
invalid structure is set at 3095F6ED with a scalar multiplier of zero. This 
suggests an underlying use-after-free condition, or a dangling pointer issue 
such as an uninitialized member value. 
- The test-case reduces to a 2-bit difference from the original sample document.
- The affected bits are in the “dt” field of the “BoundSheet” structure 
and the “Length” field of a “BIFFRecord_General” structure.
- Attached samples: 4b3e128e_crash.xls (crashing file), 4b3e128e_orig.xls 
(original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 1 Oct 2014 at 2:11
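As an added example (not from the report, and not Project Zero's or Microsoft's code), a small Python walker over a BIFF8 Workbook stream that checks the two fields the reduced test case touches: each record's Length against the stream and the BIFF8 record limit, and each BoundSheet8 record's dt against the values MS-XLS defines. It assumes the Workbook stream has already been extracted from the OLE2 container (e.g. with olefile); the byte stream below is constructed inline, not taken from the attached samples.

```python
import struct

BOUNDSHEET8, EOF = 0x0085, 0x000A
MAX_RECORD_LEN = 8224                 # BIFF8 record data limit (MS-XLS)
VALID_DT = {0x00, 0x01, 0x02, 0x06}   # worksheet/dialog, macro, chart, VBA module

def iter_records(stream):
    """Walk BIFF records (u16 type, u16 length, data) until the EOF record."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        data = stream[off + 4:off + 4 + rlen]
        if rlen > MAX_RECORD_LEN or len(data) != rlen:   # never trust Length
            raise ValueError(f"record {rtype:#06x} at {off:#x}: bad length {rlen}")
        yield off, rtype, data
        off += 4 + rlen
        if rtype == EOF:
            break

def parse_boundsheet8(data):
    """lbPlyPos u32, hsState u8, dt u8, then ShortXLUnicodeString (cch, flags, chars)."""
    if len(data) < 8:
        raise ValueError("BoundSheet8 shorter than its fixed header")
    lb, hs, dt, cch, flags = struct.unpack_from("<IBBBB", data, 0)
    width = 2 if flags & 1 else 1     # fHighByte: 1- or 2-byte characters
    raw = data[8:8 + cch * width]
    if len(raw) != cch * width:
        raise ValueError("BoundSheet8 name runs past the record")
    name = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return {"lbPlyPos": lb, "hsState": hs & 3, "dt": dt, "name": name}

def audit_workbook(stream):   # findings: reserved dt values or the first malformed record
    findings = []
    try:
        for off, rtype, data in iter_records(stream):
            if rtype == BOUNDSHEET8:
                sheet = parse_boundsheet8(data)
                if sheet["dt"] not in VALID_DT:
                    findings.append(f"record at {off:#x}: reserved dt {sheet['dt']:#04x} on {sheet['name']!r}")
    except ValueError as exc:
        findings.append(str(exc))     # parsing stops at the first malformed record
    return findings

def record(rtype, data):      # helper for building constructed test streams
    return struct.pack("<HH", rtype, len(data)) + data

# Constructed sample: one normal sheet, then a sheet whose dt holds a reserved value.
SAMPLE = (record(BOUNDSHEET8, struct.pack("<IBBBB", 0x1000, 0, 0x00, 6, 0) + b"Sheet1")
          + record(BOUNDSHEET8, struct.pack("<IBBBB", 0x2000, 0, 0x05, 3, 1) + "Bad".encode("utf-16-le"))
          + record(EOF, b""))
```

Running `audit_workbook` over a real Workbook stream reports sheets whose dt is outside the documented set and stops at the first record whose Length does not fit the stream, which is a cheap triage step for a file that crashes Excel on open.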


GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 1 Oct 2014 at 6:42

GoogleCodeExporter commented 9 years ago
Fixed in https://technet.microsoft.com/library/security/ms14-083

Original comment by fors...@google.com on 29 Dec 2014 at 12:55

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 13 Jan 2015 at 12:24