Talos Vulnerability Report

TALOS-2019-0794

Aspose Aspose.Cells for C++ LabelSst Code Execution Vulnerability

August 20, 2019
CVE Number

CVE-2019-5032

Summary

An exploitable out-of-bounds read vulnerability exists in the LabelSst record parser of Aspose Aspose.Cells for C++ 19.1.0. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Tested Versions

Aspose Aspose.Cells for C++ 19.1.0

Product URLs

https://products.aspose.com/cells

CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-125: Out-of-bounds Read

Details

This vulnerability is present in Aspose.Cells for C++, a library used for all kinds of operations on XLS(X) files. Aspose.Cells is used by many companies, banks and government organizations as part of software products responsible for data processing and conversion. The vulnerability is in the function responsible for handling the LabelSst record: a specially crafted XLS file can lead to an out-of-bounds read and remote code execution. Let's investigate. After we attempt to, e.g., convert the malicious XLS to PDF using the Aspose.Cells library, we see the following state:

0fb34c50 55              push    ebp
0fb34c51 8bec            mov     ebp,esp
0fb34c53 51              push    ecx
0fb34c54 8b4920          mov     ecx,dword ptr [ecx+20h]
0fb34c57 8b450c          mov     eax,dword ptr [ebp+0Ch]
0fb34c5a 56              push    esi
0fb34c5b 8b7508          mov     esi,dword ptr [ebp+8]
0fb34c5e c745fc00000000  mov     dword ptr [ebp-4],0
0fb34c65 8b0c81          mov     ecx,dword ptr [ecx+eax*4]
0fb34c68 890e            mov     dword ptr [esi],ecx
0fb34c6a 85c9            test    ecx,ecx
0fb34c6c 7405            je      Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+0x9303 (0fb34c73)
0fb34c6e 8b11            mov     edx,dword ptr [ecx]  ds:002b:8d1075ff=????????
0fb34c70 ff5204          call    dword ptr [edx+4]
0fb34c73 8bc6            mov     eax,esi
0fb34c75 5e              pop     esi
0fb34c76 8be5            mov     esp,ebp
0fb34c78 5d              pop     ebp
0fb34c79 c20800          ret     8

0:000> r
eax=c0febabe ebx=0a6f3810 ecx=8d1075ff edx=11334598 esi=00aff808 edi=0a6f3810
eip=0fb34c6e esp=00aff7c8 ebp=00aff7d0 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+0x92fe:
0fb34c6e 8b11            mov     edx,dword ptr [ecx]  ds:002b:8d1075ff=????????

As we can see, at address 0fb34c6e there is an attempt to read a vftable pointer, but the ecx register points into memory that is not mapped. Tracking where ecx comes from, we see that it is loaded at 0fb34c65 from an array (mov ecx,dword ptr [ecx+eax*4]) indexed by the eax register, whose value is c0febabe. It is clear that this index is corrupted and that the element is read far outside the bounds of the array: the scaled index eax*4 wraps modulo 2^32 to 0x03FAEAF8, roughly 64 MiB past the array base. The value read is then treated as an object pointer, its first dword is dereferenced as a vftable and a virtual method is called through [edx+4], so an index that lands on attacker-influenced memory turns the out-of-bounds read into a hijacked indirect call. Further investigation proved that the c0febabe value comes directly from the file and is located at offset 0x415A. In the context of the XLS file format, c0febabe is part of a LabelSst record, which looks as follows:

4154h: 03 00 02 00 0F 00 BE BA FE C0
       rw    col   ixfe  isst (c0febabe, little-endian)

According to the MS-XLS documentation, the c0febabe value is the isst field, defined as follows:

isst (4 bytes): An unsigned integer that specifies the zero-based index of an element in the array of XLUnicodeRichExtendedString structure in the rgb field of the SST record
in this Workbook Stream ABNF that specifies the string contained in the cell.
MUST be greater than or equal to zero and less than the number of elements in the rgb field of the SST record.

In our case this constraint is not enforced by the parser: the index is used as-is, which causes an out-of-bounds read and can lead to remote code execution.
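The following is an added example, not Aspose code and not the vendor's fix. It parses BIFF8 SST and LabelSst records from a record stream built inline (the LabelSst bytes are the ones shown above, isst = c0febabe, preceded by a constructed one-string SST) and contrasts the unchecked lookup the advisory describes with a lookup that enforces the spec's "isst < number of elements in rgb" rule before indexing. Record ids 0x00FC (SST) and 0x00FD (LabelSst) and the field layouts come from MS-XLS; MAX_STRINGS, the single-record SST (no Continue records) and the demo_* helpers are simplifications assumed for this example.

```c
/* Added example (not Aspose code): parse BIFF8 SST and LabelSst records and
 * enforce the MS-XLS rule "isst < number of strings in the SST" before using
 * isst as an array index. MAX_STRINGS and the lack of Continue-record handling
 * are assumptions made to keep the example short. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REC_SST      0x00FC
#define REC_LABELSST 0x00FD
#define MAX_STRINGS  64          /* assumption: small fixed table for the example */

typedef struct {
    uint32_t count;                    /* number of strings actually parsed from rgb */
    const uint8_t *rgb[MAX_STRINGS];   /* start of each string's character bytes */
    size_t cch[MAX_STRINGS];           /* character count of each string */
} sst_t;

typedef struct { uint16_t rw, col, ixfe; uint32_t isst; } labelsst_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* SST body: cstTotal(4) cstUnique(4) rgb = cstUnique x XLUnicodeRichExtendedString
 * (cch(2) flags(1) [cRun(2) if fRichSt] [cbExtRst(4) if fExtSt] chars rgRun ExtRst).
 * Returns 0 on success, -1 if the record is truncated or claims more than it carries. */
int sst_parse(const uint8_t *b, size_t n, sst_t *sst) {
    size_t off = 8;
    if (n < 8) return -1;
    uint32_t unique = rd32(b + 4);
    if (unique > MAX_STRINGS) return -1;
    sst->count = 0;
    for (uint32_t i = 0; i < unique; i++) {
        if (n - off < 3) return -1;
        uint16_t cch = rd16(b + off);
        uint8_t flags = b[off + 2];                 /* bit0 fHighByte, bit2 fExtSt, bit3 fRichSt */
        size_t hdr = 3, crun = 0, cbext = 0;
        if (flags & 0x08) { if (n - off < hdr + 2) return -1; crun = rd16(b + off + hdr); hdr += 2; }
        if (flags & 0x04) { if (n - off < hdr + 4) return -1; cbext = rd32(b + off + hdr); hdr += 4; }
        if (cbext > n || crun * 4 > n) return -1;  /* keep the sum below from wrapping */
        size_t chars = (flags & 0x01) ? (size_t)cch * 2 : cch;
        size_t total = hdr + chars + crun * 4 + cbext;
        if (total > n - off) return -1;             /* string runs past the record */
        sst->rgb[i] = b + off + hdr;
        sst->cch[i] = cch;
        sst->count++;
        off += total;
    }
    return 0;
}

/* LabelSst body: Cell = rw(2) col(2) ixfe(2), then isst(4). */
int labelsst_parse(const uint8_t *b, size_t n, labelsst_t *r) {
    if (n < 10) return -1;
    r->rw = rd16(b); r->col = rd16(b + 2); r->ixfe = rd16(b + 4); r->isst = rd32(b + 6);
    return 0;
}

/* The pattern behind the crash: index rgb[] with isst straight from the file.
 * An isst of 0xC0FEBABE reads far past the table, just as [ecx+eax*4] does in
 * the disassembly above. Kept only for contrast; nothing below calls it. */
const uint8_t *lookup_unchecked(const sst_t *sst, uint32_t isst) {
    return sst->rgb[isst];                      /* VULNERABLE: no bounds check */
}

/* Hardened lookup: enforce the spec's bound before indexing. */
const uint8_t *lookup_checked(const sst_t *sst, uint32_t isst) {
    if (isst >= sst->count) return NULL;        /* out of range: reject the cell */
    return sst->rgb[isst];
}

/* Walk a record stream ([type:2][size:2][body]). Returns the number of LabelSst
 * records whose isst is out of range, or -1 on a malformed stream. Assumes the
 * SST precedes the cells and is not split across Continue records. */
int scan_stream(const uint8_t *buf, size_t n, sst_t *sst) {
    size_t off = 0;
    int bad = 0;
    memset(sst, 0, sizeof *sst);
    while (n - off >= 4) {
        uint16_t type = rd16(buf + off), size = rd16(buf + off + 2);
        const uint8_t *body = buf + off + 4;
        if (size > n - off - 4) return -1;
        if (type == REC_SST && sst_parse(body, size, sst) != 0) return -1;
        if (type == REC_LABELSST) {
            labelsst_t r;
            if (labelsst_parse(body, size, &r) != 0) return -1;
            if (lookup_checked(sst, r.isst) == NULL) bad++;
        }
        off += 4u + size;
    }
    return bad;
}

/* Constructed stream: an SST holding one compressed string "abc", the LabelSst
 * bytes from the advisory (isst = 0xC0FEBABE), and a well-formed LabelSst (isst = 0). */
static const uint8_t kStream[] = {
    0xFC,0x00, 0x0E,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, 0x03,0x00,0x00, 'a','b','c',
    0xFD,0x00, 0x0A,0x00, 0x03,0x00, 0x02,0x00, 0x0F,0x00, 0xBE,0xBA,0xFE,0xC0,
    0xFD,0x00, 0x0A,0x00, 0x00,0x00, 0x00,0x00, 0x0F,0x00, 0x00,0x00,0x00,0x00,
};

int demo_bad_labelsst_count(void) { sst_t s; return scan_stream(kStream, sizeof kStream, &s); }
int demo_sst_string_count(void) {
    sst_t s;
    return scan_stream(kStream, sizeof kStream, &s) < 0 ? -1 : (int)s.count;
}
int demo_checked_lookup(void) {
    sst_t s;
    if (scan_stream(kStream, sizeof kStream, &s) < 0) return 0;
    return lookup_checked(&s, 0xC0FEBABEu) == NULL && lookup_checked(&s, 0) == s.rgb[0];
}

int main(void) {
    sst_t s;
    int bad = scan_stream(kStream, sizeof kStream, &s);
    printf("SST strings: %u, LabelSst records with out-of-range isst: %d\n", s.count, bad);
    return bad == 1 ? 0 : 1;
}
```

Running it reports one SST string and one LabelSst record with an out-of-range isst: the crafted cell is refused before anything is dereferenced, while the well-formed cell resolves to "abc". Note that the count checked against is the number of strings actually parsed, not the cstUnique value the file claims, so an SST that announces more strings than it carries cannot widen the bound.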

Crash Information

0:000> lmv m Aspose*
Browse full module list
start    end        module name
0f960000 119b3000   Aspose_Cells C (export symbols)       d:\projects\apose\cells\bin\Aspose.Cells.dll
	Loaded symbol image file: d:\projects\apose\cells\bin\Aspose.Cells.dll
	Image path: d:\projects\apose\cells\bin\Aspose.Cells.dll
	Image name: Aspose.Cells.dll
	Browse all global symbols  functions  data
	Timestamp:        Wed Jan 23 06:30:58 2019 (5C47FC12)
	CheckSum:         00000000
	ImageSize:        02053000
	Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+92fe
0fb34c6e 8b11            mov     edx,dword ptr [ecx]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0fb34c6e (Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+0x000092fe)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 8d1075ff
Attempt to read from address 8d1075ff

FAULTING_THREAD:  00005aec

PROCESS_NAME:  Demo.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  8d1075ff

FOLLOWUP_IP: 
Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+92fe
0fb34c6e 8b11            mov     edx,dword ptr [ecx]

READ_ADDRESS:  8d1075ff 

WATSON_BKT_PROCSTAMP:  5c927c6d

WATSON_BKT_MODULE:  Aspose.Cells.dll

WATSON_BKT_MODSTAMP:  5c47fc12

WATSON_BKT_MODOFFSET:  1d4c6e

BUILD_VERSION_STRING:  10.0.17763.292 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH:  341d6c640f2e2e64408b322307909e8c31a617ca

MODLIST_SHA1_HASH:  625cbb62edbdcfcc13b6376946fce104490067cd

NTGLOBALFLAG:  2100000

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

APPLICATION_VERIFIER_LOADED: 1

ANALYSIS_SESSION_HOST:  DESKTOP-E4N8506

ANALYSIS_SESSION_TIME:  03-21-2019 19:01:21.0596

ANALYSIS_VERSION: 10.0.15063.468 x86fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

PROBLEM_CLASSES: 

	ID:     [0n292]
	Type:   [@ACCESS_VIOLATION]
	Class:  Addendum
	Scope:  BUCKET_ID
	Name:   Omit
	Data:   Omit
	PID:    [Unspecified]
	TID:    [0x5aec]
	Frame:  [0] : Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency

	ID:     [0n264]
	Type:   [INVALID_POINTER_READ]
	Class:  Primary
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [Unspecified]
	TID:    [0x5aec]
	Frame:  [0] : Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency

	ID:     [0n92]
	Type:   [AVRF]
	Class:  Addendum
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [0x40c8]
	TID:    [0x5aec]
	Frame:  [0] : Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_AVRF

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_AVRF

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 10213949 to 0fb34c6e

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
00aff7d0 10213949 00aff808 c0febabe 00000000 Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+0x92fe
00aff7e4 10dea1af 00aff808 c0febabe 74cd04d0 Aspose_Cells!Aspose::Cells::Top10Filter::IsVisibleRow+0x2af9
00aff818 10dda501 0d4d64c0 74cd0590 0d39ac30 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0x2038f
00aff958 10ddbc73 0d4d64c0 74cd0500 0d4d64c0 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0x106e1
00aff9c8 10de9d61 0d4d64c0 74cd06dc 0a6f3810 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0x11e53
00affa14 10df829c 0d784570 74cd063c 0a6f3810 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0x1ff41
00affaf4 10dd6448 0d7843f0 74cd07f0 0d7843f0 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0x2e47c
00affb38 10c2b886 0d7843f0 74cd0008 0ab10700 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0xc628
00affcc0 10c0f4e4 0ab106a0 0aa51720 74cd0034 Aspose_Cells!Aspose::Cells::Rendering::WorkbookRender::operator=+0xa3b6
00affcfc 101690a8 0ab106a0 74cd01f0 0c7eaf30 Aspose_Cells!Aspose::Cells::Workbook::Workbook+0x144
00affd38 001713ac 00affdd8 0ab106a0 00000000 Aspose_Cells!Aspose::Cells::Factory::CreateIWorkbook+0xe8
00affdf0 00171e7d 00000003 0c7eaf30 05ecbf30 Demo!main+0x25c
00affe38 77130179 00851000 77130160 00affea4 Demo!__scrt_common_main_seh+0xfa
00affe48 7749662d 00851000 698c56b5 00000000 KERNEL32!BaseThreadInitThunk+0x19
00affea4 774965fd ffffffff 774b51bd 00000000 ntdll!__RtlUserThreadStart+0x2f
00affeb4 00000000 00171f05 00851000 00000000 ntdll!_RtlUserThreadStart+0x1b


THREAD_SHA1_HASH_MOD_FUNC:  47330429cc406a298ba1a1f05c059a281789dba6

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  a4ebf591730dc4f6a4dcf80522e2c2e03b19e250

THREAD_SHA1_HASH_MOD:  b6a7bf6a73edd091a5aa51fae2b575e76ce18e9c

FAULT_INSTR_CODE:  52ff118b

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+92fe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Aspose_Cells

IMAGE_NAME:  Aspose.Cells.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5c47fc12

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_Aspose.Cells.dll!Aspose::Cells::Drawing::Area::SetTransparency

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_AVRF_Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+92fe

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  Aspose.Cells.dll

BUCKET_ID_IMAGE_STR:  Aspose.Cells.dll

FAILURE_MODULE_NAME:  Aspose_Cells

BUCKET_ID_MODULE_STR:  Aspose_Cells

FAILURE_FUNCTION_NAME:  Aspose::Cells::Drawing::Area::SetTransparency

BUCKET_ID_FUNCTION_STR:  Aspose::Cells::Drawing::Area::SetTransparency

BUCKET_ID_OFFSET:  92fe

BUCKET_ID_MODTIMEDATESTAMP:  5c47fc12

BUCKET_ID_MODCHECKSUM:  0

BUCKET_ID_MODVER_STR:  0.0.0.0

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_AVRF_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  Aspose.Cells.dll!Aspose::Cells::Drawing::Area::SetTransparency

TARGET_TIME:  2019-03-21T18:02:03.000Z

OSBUILD:  17763

OSSERVICEPACK:  292

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.17763.292

ANALYSIS_SESSION_ELAPSED_TIME:  a358

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_avrf_c0000005_aspose.cells.dll!aspose::cells::drawing::area::settransparency

FAILURE_ID_HASH:  {e2b90e26-593c-ec08-6baf-cfe3fd28339c}

Followup:     MachineOwner
---------

Timeline

2019-04-17 - Vendor Disclosure
2019-08-20 - Public Disclosure
2019-08-24 - Vendor acknowledged & advised issues under review
2019-08-30 - Vendor patched

Credit

Discovered by Marcin Noga of Cisco Talos.