kevinmel2000 / google-security-research

Automatically exported from code.google.com/p/google-security-research

Microsoft Office 2007 WordPerfect Memory Corruption #308

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Microsoft Office supports the WordPerfect (WPD) file format, and will
load WPD files with a ".doc" filename extension. The following access
violation was observed in Microsoft Office 2007 (WordPerfect
conversion):

(9d0.a54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001522fc ebx=04ab022c ecx=00000007 edx=56ec8b55 esi=04cc5f5a edi=00000001
eip=04cbc981 esp=0011f778 ebp=0011f780 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
WPFT632!ForeignToRtf32+0x4197:
04cbc981 668b02           mov     ax,[edx]              ds:0023:56ec8b55=????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0011f780 04cbcf84 WPFT632!ForeignToRtf32+0x4197
0011f798 04cbd0c7 WPFT632!ForeignToRtf32+0x479a
0011f7b0 04cbd119 WPFT632!ForeignToRtf32+0x48dd
0011f7d0 04ccccbb WPFT632!ForeignToRtf32+0x492f
0011f890 04cd6f8a WPFT632!ConvertForeignToRtf+0x4669
0011f8b8 04cd7470 WPFT632!ConvertForeignToRtf+0xe938
0011fc04 04cccf5e WPFT632!ConvertForeignToRtf+0xee1e
0011fc78 04cdd586 WPFT632!ConvertForeignToRtf+0x490c
0011fe24 04cc8801 WPFT632!AbortRtfToForeign+0x310d
0011fe80 04d06864 WPFT632!ConvertForeignToRtf+0x1af
0012010c 04cb8840 msconv97!FceForeignToRtf+0x264
00120138 31eab8bd WPFT632!ForeignToRtf32+0x56
00120164 31a3eb0c wwlib!DllCanUnloadNow+0x2d339c
00120198 31eabdf8 wwlib!wdCommandDispatch+0x365b15
00120cc4 31a3f549 wwlib!DllCanUnloadNow+0x2d38d7
00122398 31271d47 wwlib!wdCommandDispatch+0x366552
00122a68 3129f0ee wwlib!FMain+0x2d790
00123b68 3129e506 wwlib!FMain+0x5ab37
00123bac 3148d880 wwlib!FMain+0x59f4f
00126d28 3148d5a1 wwlib!DllGetLCID+0xf43a

Notes:

- Reproduces on Windows Server 2003 (Office 2007). Does not reproduce
on Office 2010 or Office 2013.

- In the WPFT632 module (version 2006.1200.6659.5000), the first
argument to sub_14CC96D is a structure or object. An invalid pointer
within this structure/object is used at 014CC981 to dereference a word
value, which causes the crash above.

- The calling function, sub_14CCF72 (at 014CCF7F), uses the invalid
pointer and the specified word value to calculate the destination
buffer and size of a memmove (at 014CCFF3).

- The invalid pointer value (56ec8b55) is taken from the WPFT632
module itself, i.e. the value is the first 4 bytes of the sub_14D5F5A
function. Different builds of WPFT632 are likely to have different
crashing values.

- If an attacker can force memory to be allocated at this location,
and can specify an exact word value (0x1032 in our testing), then
memory corruption can occur, which could lead to attacker-controlled
code execution.

- The test case reduces to a 12-bit difference from the original
document. Attached files: 1160326182_min.doc (crashing file),
1160326182_min.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 31 Mar 2015 at 1:53

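As an added example (not part of the original report or of any Microsoft code), a small Python check that classifies a file by its leading bytes rather than its extension, so a WordPerfect document carrying a ".doc" name is flagged before it ever reaches the WPFT632 converter. The magic values are public format signatures; the filenames, sample bytes and the extension policy table are constructed for this example.

```python
# Added example: sniff the real container format of a file and compare it with
# what its extension claims. Magic values are public format signatures; the
# samples and the extension policy below are constructed, not taken from Office.
from pathlib import Path

# Signatures checked at offset 0 (constructed lookup table).
SIGNATURES = [
    (b"\xffWPC", "wordperfect"),                    # WordPerfect 5.x/6.x+ header
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy binary .doc (CFB)
    (b"PK\x03\x04", "zip"),                         # OOXML .docx container
    (b"{\\rtf", "rtf"),                             # Rich Text Format
]

def sniff_format(data: bytes) -> str:
    """Return the container format implied by the leading bytes, or 'unknown'."""
    for magic, name in SIGNATURES:
        if data[:len(magic)] == magic:
            return name
    return "unknown"

# Constructed policy: which sniffed formats are acceptable behind an extension.
# This is deliberately narrower than Word's own content sniffing.
EXPECTED = {
    ".doc": {"ole2", "rtf"},
    ".docx": {"zip"},
    ".wpd": {"wordperfect"},
}

def check_file(name: str, data: bytes) -> dict:
    """Flag a file whose sniffed format is not expected for its extension."""
    ext = Path(name).suffix.lower()
    fmt = sniff_format(data)
    return {"name": name, "ext": ext, "format": fmt,
            "mismatch": fmt not in EXPECTED.get(ext, set())}

# Constructed samples: a WordPerfect header renamed to .doc, and an OLE2 .doc.
SAMPLES = {
    "invoice.doc": b"\xffWPC" + b"\x00" * 28,                      # WPD as .doc
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
}

def scan(samples=SAMPLES) -> list:
    """Run check_file over every sample; mismatches deserve a closer look."""
    return [check_file(n, d) for n, d in samples.items()]

if __name__ == "__main__":
    for result in scan():
        print(result)
```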
GoogleCodeExporter commented 8 years ago
Resolved in MS15-059.

Original comment by haw...@google.com on 19 Jun 2015 at 8:00

GoogleCodeExporter commented 8 years ago

Original comment by haw...@google.com on 19 Jun 2015 at 8:01