secretsquirrel / google-security-research

Automatically exported from code.google.com/p/google-security-research

Microsoft Office 2007 dispatch table out-of-bounds function call #129

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following access violation was observed in Microsoft Office 2007 (Word):

(818.a8c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012e0dc ebx=00000000 ecx=03df3800 edx=00000000 esi=32124af8 edi=00fd004d
eip=00fd004d esp=0012e0c4 ebp=0012ea84 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
00fd004d ffff             ???
0:000> k
ChildEBP RetAddr
0012e0c0 31311ee5 0xfd004d
0012ea84 312a75ba wwlib!FMain+0xcd936
0012f3b4 312a74dc wwlib!FMain+0x6300b
0012f3d4 312a749b wwlib!FMain+0x62f2d
0012f3f4 312a7465 wwlib!FMain+0x62eec
0012f404 32687638 wwlib!FMain+0x62eb6
0012f41c 326edfb2 mso!Ordinal2503+0x1461
0012f434 326edb7a mso!Ordinal4676+0x2b6
0012f454 326d2157 mso!Ordinal1680+0x244
0012f474 326d1f88 mso!Ordinal7114+0x45
0012f49c 326e36e0 mso!Ordinal4515+0x88
0012f4b0 326e369b mso!Ordinal7156+0x475
0012f4c0 326e3657 mso!Ordinal7156+0x430
0012f4d0 326ebe32 mso!Ordinal7156+0x3ec
0012f4e8 326ebdd4 mso!Ordinal112+0x43e
0012f50c 326eb8fe mso!Ordinal112+0x3e0
0012f540 326f14b2 mso!Ordinal7348+0x8d
0012f560 326f0ffc mso!Ordinal2178+0x82
0012f584 326f14b2 mso!Ordinal2096+0x2b
0012f5a4 326ea7fd mso!Ordinal2178+0x82

Notes:

- Reproduces on Windows Server 2003 and Windows 7

- The crash manifests as an attempt to execute an invalid page. This
is because of an out-of-bounds dereference of structured data (each
entry being 0x30 bytes, including a function pointer) in the wwlib.dll
image.

- Breaking conditionally on the invalid structure entry in the parent
function shows that the invalid structure entry comes from a
calculation on the first argument added to a base address of
0x31365DD0 (in wwlib.dll version 12.0.6705.5000). This suggests that
the invalid pointer comes from a deterministic offset from the wwlib
image.

- The invalid index argument value equals 0x7014b, resulting in a
calculated offset of 0x18DE0. Typically, the index is bounded to be at
most (0x1FFF * 0x30 at instruction 312A751A in wwlib.dll version
12.0.6705.5000). However, when the index argument value is not
8-byte aligned, there is a code path that can bypass the upper bound
enforcement.

- The crashing test case was created using a chunk rearrangement
strategy, and as such the differential from the original does not
cleanly minimize (390 bit deltas).

- Attached samples: b0ce839d_crash.doc (crashing file),
b0ce839d_orig.doc (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 17 Oct 2014 at 9:58
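Added example, not part of the original report and not wwlib.dll code: a constructed C model of the bug class the notes describe, a table of 0x30-byte entries holding function pointers where the upper bound is enforced on only one branch, next to a lookup that checks the bound on every path. The table length, the handler, and the use of the argument directly as the entry number are assumptions; the report does not show how wwlib derives the offset.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not wwlib.dll code. From the report: 0x30-byte
   entries, each holding a function pointer. Assumed: the table length,
   and that the argument is used directly as the entry number. */
#define ENTRY_SIZE  0x30u
#define TABLE_COUNT 16u
#define REJECTED    ((size_t)-1)

typedef int (*handler_fn)(int);
typedef struct {
    handler_fn handler;                            /* called via the table */
    uint8_t    pad[ENTRY_SIZE - sizeof(handler_fn)];
} entry_t;
_Static_assert(sizeof(entry_t) == ENTRY_SIZE, "entry stride must be 0x30");

static entry_t table[TABLE_COUNT];
static int add_one(int x) { return x + 1; }        /* hypothetical handler */

void init_table(void)
{
    for (size_t i = 0; i < TABLE_COUNT; i++)
        table[i].handler = add_one;
}

/* Flawed shape: the bound is enforced only on the 8-aligned branch, so an
   unaligned index reaches the offset calculation unchecked. Returns the
   byte offset that would be dereferenced; nothing is read or called. */
size_t flawed_offset(uint32_t index)
{
    if ((index & 7u) == 0 && index >= TABLE_COUNT)
        return REJECTED;
    return (size_t)index * ENTRY_SIZE;
}

/* Hardened shape: a single bound check that every path passes through,
   made before the entry is touched or its pointer is called. */
int dispatch(uint32_t index, int arg, int *out)
{
    if (index >= TABLE_COUNT || table[index].handler == NULL)
        return -1;
    *out = table[index].handler(arg);
    return 0;
}
```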


GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 17 Oct 2014 at 10:33

GoogleCodeExporter commented 9 years ago
This issue was fixed in MS14-081: 
https://technet.microsoft.com/en-us/library/security/ms14-081.aspx

Original comment by haw...@google.com on 29 Dec 2014 at 8:13

GoogleCodeExporter commented 9 years ago

Original comment by scvi...@google.com on 13 Jan 2015 at 12:25