Exploit Microsoft Office PowerPoint 2010 - 'MSO!Ordinal5429' Missing Length Check Heap Corruption

[Exploiter]

EDB-ID

41417

Проверка EDB

1. Пройдено

Автор

GOOGLE SECURITY RESEARCH

Тип уязвимости

DOS

Платформа

WINDOWS

CVE

null

Дата публикации

2017-02-21

Microsoft Office PowerPoint 2010 - 'MSO!Ordinal5429' Missing Length Check Heap Corruption

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=949

Platform: Microsoft Office 2010 on Windows 7 x86
Class: heap memory corruption

The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled. This crash appeared to be non-deterministic depending on memory layout and will not reproduce in all instances but the crash demonstrated a high degree of reliability. 

Attached files:
2581805226.ppt: fuzzed crashing file

File versions:
mso.dll: 14.0.7173.5000
gfx.dll: 14.0.7104.5000
oart.dll: 14.0.7169.5000
riched20.dll: 14.0.7155.5000
msptls.dll: 14.0.7164.5000

((7ac.a64): Access violation - code c0000005 (first chance)
eax=200bcf3a ebx=1febce30 ecx=1febce2c edx=77cf6b01 esi=1febce34 edi=1febce18
eip=66a19941 esp=0027008c ebp=002700d8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
mso!Ordinal5429+0x376:
66a19941 0fb708          movzx   ecx,word ptr [eax]       ds:0023:200bcf3a=????


66a1993c 8b4104          mov     eax,dword ptr [ecx+4] ; Length 0x00200122
66a1993f 03c7            add     eax,edi
=> 66a19941 0fb708          movzx   ecx,word ptr [eax]       ds:0023:200bcf3a=????
66a19944 894dfc          mov     dword ptr [ebp-4],ecx
66a19947 8a55fd          mov     dl,byte ptr [ebp-3]
66a1994a 8855fc          mov     byte ptr [ebp-4],dl
66a1994d 884dfd          mov     byte ptr [ebp-3],cl
66a19950 66837dfc04      cmp     word ptr [ebp-4],4
66a19955 0f85e0010000    jne     mso!Ordinal5429+0x570 (66a19b3b)
66a1995b 8a08            mov     cl,byte ptr [eax]
66a1995d 8a5001          mov     dl,byte ptr [eax+1]
66a19960 8810            mov     byte ptr [eax],dl
66a19962 884801          mov     byte ptr [eax+1],cl

0:000>  kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
002700d8 66a19527 20099000 0000c000 2e010b53 mso!Ordinal5429+0x376
002701ac 66a19348 1febefa0 042109c7 042109c7 mso!Ordinal10199+0x2138
002701c8 66a192a9 00270240 042109c7 00000001 mso!Ordinal10199+0x1f59
00270288 66a18c32 042109c7 0027038c 00000004 mso!Ordinal10199+0x1eba
00270474 66a18bb5 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x1843
00270498 6b256c34 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x17c6
002704bc 6b2570e0 042109c7 1feeaff8 00000002 gfx!Ordinal980+0xa2
00270570 6b256bd4 0b558dc8 1feeaff8 00000002 gfx!Ordinal818+0x306
002705bc 67821180 002705fc 1feeaff8 00000002 gfx!Ordinal980+0x42
0027061c 67820b5a 00000002 1ba92e18 1feeaff8 oart!Ordinal2842+0xb6c
00270690 6781fed8 00000000 001f2ff0 00270924 oart!Ordinal2842+0x546
002706e0 61c2000c 00270724 00000000 00000000 oart!Ordinal7653+0x7d3
00270878 61c1f736 002708a8 00000000 00000064 riched20!RichListBoxWndProc+0x50da
002708b0 61c1edb1 00000000 0000ffff 00000000 riched20!RichListBoxWndProc+0x4804
002709a0 61c1e7ba 00000000 00000001 00000000 riched20!RichListBoxWndProc+0x3e7f
002709d4 6aa75d8c 0a7c1c38 00000000 00000000 riched20!RichListBoxWndProc+0x3888
00270a54 6aa6ef12 1f9b4ef8 00000000 00270c2c MSPTLS!LssbFIsSublineEmpty+0x16269
00270c5c 6aa54c98 0a7c3a78 00000000 00004524 MSPTLS!LssbFIsSublineEmpty+0xf3ef
00270c90 61c1c803 0a7c3a78 00000000 00004524 MSPTLS!LsCreateLine+0x23
00270db0 61c1c659 00000003 00000000 ffffffff riched20!RichListBoxWndProc+0x18d1
00270e08 61c0f36a 00271770 00000003 00000000 riched20!RichListBoxWndProc+0x1727

In this crash eax is pointing to an invalid memory region and is being dereferenced causing an access violation. There is a clear path to an out of bounds memory write shortly after the current crashing instruction. The value in eax came from edi + [ecx+4]. The value in [ecx+4] appears to a length with a single bit flipped, 0x00200122 instead of 0x00000122. The heap chunk allocated for this came from:

0:000> !heap -p -a 0x1febce18
    address 1febce18 found in
    _DPH_HEAP_ROOT @ 71000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                1feb171c:         1febce18              1e2 -         1febc000             2000
    6eac8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77d7616e ntdll!RtlDebugAllocateHeap+0x00000030
    77d3a08b ntdll!RtlpAllocateHeap+0x000000c4
    77d05920 ntdll!RtlAllocateHeap+0x0000023a
    6fcdad1a vrfcore!VerifierSetAPIClassName+0x000000aa
    6fc816ac vfbasics+0x000116ac
    67080c59 mso!Ordinal9770+0x000078e2
    66a19527 mso!Ordinal10199+0x00002138


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41417.zip