Talos Vulnerability Report

TALOS-2020-1153

Microsoft Office ElementType code execution vulnerability

December 8, 2020
CVE Number

CVE-2020-17123

Summary

An exploitable use-after-free vulnerability exists in Excel as part of Microsoft Office 365 ProPlus x86, version 2002, build 12527.20988. A specially crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Tested Versions

Microsoft Office 365 ProPlus x86 - version 2002 build 12527.20988

Product URLs

https://products.office.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Details

This vulnerability is present in Microsoft Office Excel, which is part of the Microsoft Office collection of software applications. This vulnerability is related to the component responsible for handling the Microsoft® Office HTML and XML format introduced in Microsoft Office 2000. A specially crafted XLS file consisting of suitably formed HTML/XML tags can lead to a use-after-free condition and remote code execution.

Tracking the object's life cycle, we can notice that an allocation is made:

0045389e 6a00         push    0
004538a0 51           push    ecx
004538a1 ff1564566b02 call    dword ptr [Excel!DllGetLCID+0x1b500 (026b5664)]

0:000> !heap -p -a 08672fe0
	address 08672fe0 found in
	_DPH_HEAP_ROOT @ 421000
	in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
								 fea2924:          8672fe0               1c -          8672000             2000
	6238ae30 verifier!AVrfDebugPageHeapAllocate+0x00000240
	779e29a2 ntdll!RtlDebugAllocateHeap+0x00000039
	779a1bea ntdll!RtlpAllocateHeap+0x00072eca
	7792d9fc ntdll!RtlpAllocateHeapInternal+0x0000071c
	7792d2a6 ntdll!RtlAllocateHeap+0x00000036
	79cee588 mso20win32client!Ordinal951+0x00000034
	00ef517a Excel!Ordinal43+0x0001517a
	014cbf35 Excel!Ordinal43+0x005ebf35
	02428b62 Excel!MdCallBack+0x0082dd92
	014cbdee Excel!Ordinal43+0x005ebdee
	0e6985bf mso!Ordinal4847+0x00000c1e
	0e652487 mso!Ordinal874+0x00000866
	0e64baf1 mso!Ordinal8579+0x00000e9c
	0e64a949 mso!MsoHrSetupHTMLImport+0x00000c54
	0e64a6f9 mso!MsoHrSetupHTMLImport+0x00000a04
	014bb623 Excel!Ordinal43+0x005db623
	014baf5a Excel!Ordinal43+0x005daf5a
	02424db3 Excel!MdCallBack+0x00829fe3
	010c84e7 Excel!Ordinal43+0x001e84e7
	010b49e1 Excel!Ordinal43+0x001d49e1
	01e71956 Excel!MdCallBack+0x00276b86
	01aaf3ba Excel!MdCallBack12+0x00568cd2
	01aaf602 Excel!MdCallBack12+0x00568f1a
	00f1afac Excel!Ordinal43+0x0003afac
	00f19d91 Excel!Ordinal43+0x00039d91
	02662d5c Excel!LinkASPPModelTable+0x001bdabd
	00f6454e Excel!Ordinal43+0x0008454e
	00f5688b Excel!Ordinal43+0x0007688b
	00f54dab Excel!Ordinal43+0x00074dab
	00f4fec4 Excel!Ordinal43+0x0006fec4
	00ef40cd Excel!Ordinal43+0x000140cd
	00ee11fd Excel!Ordinal43+0x000011fd

Further, because of the malformed HTML/XML in the XLS file content, the object gets deallocated:

01cc4551 ff36                 push    dword ptr [esi]
01cc4553 ff1560c61803         call    dword ptr [Excel!DllGetLCID+0x1b75c (0318c660)]

0:000> !heap -p -a 5fb26fe0
	address 5fb26fe0 found in
	_DPH_HEAP_ROOT @ 4171000
	in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
								   5d6d3034:         5fb26000             2000
	601fadc2 verifier!AVrfDebugPageHeapFree+0x000000c2
	779e99e3 ntdll!RtlDebugFreeHeap+0x0000003e
	7792fabe ntdll!RtlpFreeHeap+0x000000ce
	7792f986 ntdll!RtlpFreeHeapInternal+0x00000146
	7792f3de ntdll!RtlFreeHeap+0x0000003e
	7aeec26a mso20win32client!Ordinal456+0x00000050
	01207a7f Excel!MdCallBack+0x000c8da7
	01201f58 Excel!MdCallBack+0x000c3280
	00a05279 Excel!Ordinal43+0x005c5279
	01960be4 Excel!MdCallBack+0x00821f0c
	006188cf Excel!Ordinal43+0x001d88cf
	005fe21d Excel!Ordinal43+0x001be21d
	013abffa Excel!MdCallBack+0x0026d322
	00ff668a Excel!MdCallBack12+0x00564cc5
	00ff68ce Excel!MdCallBack12+0x00564f09
	00478905 Excel!Ordinal43+0x00038905
	0047769d Excel!Ordinal43+0x0003769d
	01b9aa00 Excel!LinkASPPModelTable+0x001b963d
	004c0e63 Excel!Ordinal43+0x00080e63
	004b3343 Excel!Ordinal43+0x00073343
	004b1863 Excel!Ordinal43+0x00071863
	004acbe1 Excel!Ordinal43+0x0006cbe1
	00452b39 Excel!Ordinal43+0x00012b39
	004411fd Excel!Ordinal43+0x000011fd
	77652369 KERNEL32!BaseThreadInitThunk+0x00000019
	7794e5bb ntdll!__RtlUserThreadStart+0x0000002b
	7794e58f ntdll!_RtlUserThreadStart+0x0000001b	

Unfortunately, the pointer referring to this object is not set to null after the deallocation. Because of that, the checks that would otherwise protect against re-use of this object are bypassed, and the freed object is re-used inside the following function:

(3e20.4e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5fbcbfe0 ebx=79cfb00e ecx=00000000 edx=04c40000 esi=52ec2fc8 edi=5e09afe0
eip=01cc3c63 esp=039c0cf0 ebp=039c0d14 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
Excel!MdCallBack+0xc8e93:
01cc3c63 83780800        cmp     dword ptr [eax+8],0  ds:0023:5fbcbfe8=????????
0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 039c0d14 01cbe089     52ec2fc8 04c77fe0 039c1040 Excel!MdCallBack+0xc8e93
01 039c0e10 014bb748     039c0fa8 00000000 04c77fe0 Excel!MdCallBack+0xc32b9
02 039c0f48 014baf5a     00000100 0ae7afa8 00000003 Excel!Ordinal43+0x5db748
03 039cba60 02424db3     00000000 00000000 00000000 Excel!Ordinal43+0x5daf5a
04 039cbaa8 010c84e7     039da3c0 0ae7afa8 00000002 Excel!MdCallBack+0x829fe3
05 039daa00 010b49e1     00000000 00000000 00000002 Excel!Ordinal43+0x1e84e7
06 039daa84 01e71956     00000000 00000000 00000002 Excel!Ordinal43+0x1d49e1
07 039daad0 01aaf3ba     00000000 02823042 039daaf4 Excel!MdCallBack+0x276b86
08 039daba8 01aaf602     00000001 00001008 03c50c01 Excel!MdCallBack12+0x568cd2
09 039dac38 00f1afac     00000001 00001008 03c50c01 Excel!MdCallBack12+0x568f1a
0a 039dee00 00f19d91     0000000f 4d44cfb0 00000825 Excel!Ordinal43+0x3afac
0b 039deea0 02662d5c     0000000f 4d44cfb0 00000825 Excel!Ordinal43+0x39d91
0c 039def54 00f6454e     00000825 00000000 00000001 Excel!LinkASPPModelTable+0x1bdabd
0d 039df000 00f5688b     04c77fe0 04c77fe0 00000000 Excel!Ordinal43+0x8454e
0e 039df4e0 00f54dab     00000001 04c77fe0 039df6c8 Excel!Ordinal43+0x7688b
0f 039df558 00f4fec4     04c9dfc4 0000008d 79d349ea Excel!Ordinal43+0x74dab
10 039df6c0 00ef40cd     00000000 00ef40cd 00000000 Excel!Ordinal43+0x6fec4
11 039df8e4 00ee11fd     00ee0000 00000000 04c9dfc4 Excel!Ordinal43+0x140cd
12 039df930 75f65529     03aa6000 75f65510 039df99c Excel!Ordinal43+0x11fd
13 039df940 7795b27b     03aa6000 1c052573 00000000 KERNEL32!BaseThreadInitThunk+0x19
14 039df99c 7795b249     ffffffff 77998497 00000000 ntdll!__RtlUserThreadStart+0x2b
15 039df9ac 00000000     00ee10b3 03aa6000 00000000 ntdll!_RtlUserThreadStart+0x1b

Proper heap grooming can give an attacker full control over this use-after-free condition and, as a result, could allow it to be turned into arbitrary code execution.
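To illustrate the pattern the report describes (a pointer left dangling after its object is freed, so a later null check on that pointer no longer protects the consumer), here is an added C example constructed for this page; it is not Excel's code and not from Talos. The pool, the `Owner`/`Element` types and the `use_element` consumer are hypothetical: the pool records whether each block is live so the stale access is reported rather than dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed demo pool: remembers which blocks are live so that a read
 * through a dangling pointer is detected instead of touching freed memory. */
#define POOL_BLOCKS 4

typedef struct { uint32_t header; uint32_t flags; uint32_t payload; } Element;
typedef struct { Element blocks[POOL_BLOCKS]; int live[POOL_BLOCKS]; } Pool;
typedef struct { Pool *pool; Element *elem; } Owner;   /* holds the pointer at issue */

enum { USE_OK = 0, GUARD_REJECTED = -1, UAF_DETECTED = -2 };

static Element *pool_alloc(Pool *p) {
    for (int i = 0; i < POOL_BLOCKS; i++) {
        if (!p->live[i]) {
            p->live[i] = 1;
            memset(&p->blocks[i], 0, sizeof p->blocks[i]);
            return &p->blocks[i];
        }
    }
    return NULL;
}

static int pool_is_live(const Pool *p, const Element *e) {
    ptrdiff_t i = e - p->blocks;
    return i >= 0 && i < POOL_BLOCKS && p->live[i];
}

static void pool_free(Pool *p, Element *e) { p->live[e - p->blocks] = 0; }

/* Buggy release: the block is freed but owner->elem keeps its old value. */
static void release_buggy(Owner *o) { pool_free(o->pool, o->elem); }

/* Fixed release: clear the pointer so the guard in use_element() holds. */
static void release_fixed(Owner *o) { pool_free(o->pool, o->elem); o->elem = NULL; }

/* No release at all: the object is still live when it is used. */
static void release_none(Owner *o) { (void)o; }

/* Later consumer: guard on the pointer, then read a field of the object
 * (the analogue of the "cmp dword ptr [eax+8],0" in the crash above). */
static int use_element(const Owner *o) {
    if (o->elem == NULL) return GUARD_REJECTED;                /* bypassed when dangling */
    if (!pool_is_live(o->pool, o->elem)) return UAF_DETECTED;  /* read of freed memory */
    return (o->elem->flags & 1) ? USE_OK : USE_OK;             /* real read of a live field */
}

/* One life cycle: allocate, release with the given routine, then use. */
static int lifecycle(void (*release)(Owner *)) {
    Pool pool; memset(&pool, 0, sizeof pool);
    Owner owner = { &pool, pool_alloc(&pool) };
    release(&owner);
    return use_element(&owner);
}
```

With the buggy release the null guard passes and the consumer reaches the freed block; with the fixed release the same guard rejects the access.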

Crash Information

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

NTGLOBALFLAG:  2000000

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

APPLICATION_VERIFIER_LOADED: 1

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 01cc3c63 (Excel!MdCallBack+0x000c8e93)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 5fbcbfe8
Attempt to read from address 5fbcbfe8

FAULTING_THREAD:  000004e0

PROCESS_NAME:  Excel.exe

READ_ADDRESS:  5fbcbfe8 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  5fbcbfe8

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
039c0d14 01cbe089     52ec2fc8 04c77fe0 039c1040 Excel!MdCallBack+0xc8e93
039c0e10 014bb748     039c0fa8 00000000 04c77fe0 Excel!MdCallBack+0xc32b9
039c0f48 014baf5a     00000100 0ae7afa8 00000003 Excel!Ordinal43+0x5db748
039cba60 02424db3     00000000 00000000 00000000 Excel!Ordinal43+0x5daf5a
039cbaa8 010c84e7     039da3c0 0ae7afa8 00000002 Excel!MdCallBack+0x829fe3
039daa00 010b49e1     00000000 00000000 00000002 Excel!Ordinal43+0x1e84e7
039daa84 01e71956     00000000 00000000 00000002 Excel!Ordinal43+0x1d49e1
039daad0 01aaf3ba     00000000 02823042 039daaf4 Excel!MdCallBack+0x276b86
039daba8 01aaf602     00000001 00001008 03c50c01 Excel!MdCallBack12+0x568cd2
039dac38 00f1afac     00000001 00001008 03c50c01 Excel!MdCallBack12+0x568f1a
039dee00 00f19d91     0000000f 4d44cfb0 00000825 Excel!Ordinal43+0x3afac
039deea0 02662d5c     0000000f 4d44cfb0 00000825 Excel!Ordinal43+0x39d91
039def54 00f6454e     00000825 00000000 00000001 Excel!LinkASPPModelTable+0x1bdabd
039df000 00f5688b     04c77fe0 04c77fe0 00000000 Excel!Ordinal43+0x8454e
039df4e0 00f54dab     00000001 04c77fe0 039df6c8 Excel!Ordinal43+0x7688b
039df558 00f4fec4     04c9dfc4 0000008d 79d349ea Excel!Ordinal43+0x74dab
039df6c0 00ef40cd     00000000 00ef40cd 00000000 Excel!Ordinal43+0x6fec4
039df8e4 00ee11fd     00ee0000 00000000 04c9dfc4 Excel!Ordinal43+0x140cd
039df930 75f65529     03aa6000 75f65510 039df99c Excel!Ordinal43+0x11fd
039df940 7795b27b     03aa6000 1c052573 00000000 KERNEL32!BaseThreadInitThunk+0x19
039df99c 7795b249     ffffffff 77998497 00000000 ntdll!__RtlUserThreadStart+0x2b
039df9ac 00000000     00ee10b3 03aa6000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  ~0s ; .cxr ; kb

SYMBOL_NAME:  Excel!MdCallBack+c8e93

MODULE_NAME: Excel

IMAGE_NAME:  Excel.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!MdCallBack

OS_VERSION:  10.0.20201.1000

BUILDLAB_STR:  rs_prerelease

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

IMAGE_VERSION:  16.0.12527.20988

FAILURE_ID_HASH:  {33071d76-7bec-d578-777e-e20f28c1cf92}

Followup:     MachineOwner
---------

0:000> lmv m EXCEL
Browse full module list
start    end        module name
00ee0000 038d3000   Excel      (export symbols)       c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
	Loaded symbol image file: c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
	Image path: Excel.exe
	Image name: Excel.exe
	Browse all global symbols  functions  data
	Timestamp:        Fri Aug  7 01:51:22 2020 (5F2C977A)
	CheckSum:         029F1351
	ImageSize:        029F3000
	File version:     16.0.12527.20988
	Product version:  16.0.12527.20988
	File flags:       0 (Mask 3F)
	File OS:          40004 NT Win32
	File type:        1.0 App
	File date:        00000000.00000000
	Translations:     0000.04e4
	Information from resource tables:
		CompanyName:      Microsoft Corporation
		ProductName:      Microsoft Office
		InternalName:     Excel
		OriginalFilename: Excel.exe
		ProductVersion:   16.0.12527.20988
		FileVersion:      16.0.12527.20988
		FileDescription:  Microsoft Excel

0:000> lmv m mso
Browse full module list
start    end        module name
0f3c0000 10b76000   mso        (deferred)             
	Image path: C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll
	Image name: mso.dll
	Browse all global symbols  functions  data
	Timestamp:        Fri Aug  7 01:46:51 2020 (5F2C966B)
	CheckSum:         017ADCBB
	ImageSize:        017B6000
	File version:     16.0.12527.20988
	Product version:  16.0.12527.20988
	File flags:       0 (Mask 3F)
	File OS:          40004 NT Win32
	File type:        2.0 Dll
	File date:        00000000.00000000
	Translations:     0409.04e4
	Information from resource tables:
		CompanyName:      Microsoft Corporation
		ProductName:      Microsoft Office
		InternalName:     MSO
		OriginalFilename: MSO.dll
		ProductVersion:   16.0.12527.20988
		FileVersion:      16.0.12527.20988
		FileDescription:  Microsoft Office component

Timeline

2020-09-11 - Vendor Disclosure
2020-12-08 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.