Talos Vulnerability Report

TALOS-2019-0968

Microsoft Office Excel Ordinal43 code execution vulnerability

February 11, 2020
CVE Number

CVE-2020-0759

Summary

An exploitable use-after-free vulnerability exists in Excel in Microsoft Office Professional Plus 2016 x86, version 1909, build 12026.20334 and Microsoft Office 365 ProPlus x86, version 1902, build 11328.20480. A specially crafted XLS file can cause a use after free condition, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Tested Versions

Microsoft Office Professional Plus 2016 x86 - version 1909 build 12026.20334
Microsoft Office 365 ProPlus x86 - version 1902 build 11328.20480

Product URLs

https://products.office.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416: Use After Free

Details

This vulnerability is present in the Microsoft Office Excel being a part of the Microsoft Office collection of software applications used in an office environment. Being precise, the vulnerability is related with the component responsible for handling the Microsoft® Office HTML and XML format introduced in Microsoft Office 2000. A specially crafted XLS file being written in a proper form of HTML/XML tags can lead to a use-after-free vulnerability and remote code execution.

Tracking an object life cycle we can notice that there is a constant size space allocation made :

00711123 68e0050000   push    5E0h
00711128 e86e15f7ff   call    Excel!Ordinal43+0x1269b (0068269b)

eax=024fecfc ebx=00000000 ecx=52704a20 edx=00000000 esi=52704a20 edi=00000000
eip=0095aa74 esp=0331fd4c ebp=0331fd60 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
0:000> !heap -p -a 52704a20
    address 52704a20 found in
    _DPH_HEAP_ROOT @ 4361000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                52700f70:         52704a20              5e0 -         52704000             2000
          ? Excel!LinkASPPModelTable+7f9efe
    77f3ab70 verifier!AVrfDebugPageHeapAllocate+0x00000240
    77bc915b ntdll!RtlDebugAllocateHeap+0x00000039
    77b133cd ntdll!RtlpAllocateHeap+0x000000ed
    77b1207b ntdll!RtlpAllocateHeapInternal+0x000006db
    77b11976 ntdll!RtlAllocateHeap+0x00000036
    0c804256 mso20win32client!Ordinal951+0x000000a9
    0c804211 mso20win32client!Ordinal951+0x00000064
    00682827 Excel!Ordinal43+0x00012827
    00682713 Excel!Ordinal43+0x00012713
    006826ba Excel!Ordinal43+0x000126ba
    0071112d Excel!Ordinal43+0x000a112d
    00710d7f Excel!Ordinal43+0x000a0d7f
    00730ea9 Excel!Ordinal43+0x000c0ea9
    00c4a767 Excel!Ordinal43+0x005da767
    00c4a335 Excel!Ordinal43+0x005da335
    01c7a0c2 Excel!MdCallBack+0x008835c8
    008385b7 Excel!Ordinal43+0x001c85b7
    008320eb Excel!Ordinal43+0x001c20eb
    01695625 Excel!MdCallBack+0x0029eb2b
    012970c6 Excel!MdCallBack12+0x005aff8d
    0129727a Excel!MdCallBack12+0x005b0141
    006a6bff Excel!Ordinal43+0x00036bff
    006a59e0 Excel!Ordinal43+0x000359e0
    01479076 Excel!MdCallBack+0x0008257c
    006eec1e Excel!Ordinal43+0x0007ec1e
    006df6b7 Excel!Ordinal43+0x0006f6b7
    006dd7c3 Excel!Ordinal43+0x0006d7c3
    006d776a Excel!Ordinal43+0x0006776a
    006816f6 Excel!Ordinal43+0x000116f6
    0067124f Excel!Ordinal43+0x0000124f
    77642369 KERNEL32!BaseThreadInitThunk+0x00000019
    77b2e5bb ntdll!__RtlUserThreadStart+0x0000002b

Further, because of malformed form in the HTML/XML in the XLS file contentm the object gets deallocated:

0095aa6e 8b06         mov     eax, dword ptr [esi]
0095aa70 8bce         mov     ecx, esi
0095aa72 6a01         push    1
0095aa74 ff10         call    dword ptr [eax]

0:000> p
eax=52704a20 ebx=00000000 ecx=52704a20 edx=04360000 esi=52704a20 edi=00000000
eip=0095aa76 esp=0331fd50 ebp=0331fd60 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
Excel!Ordinal43+0x2eaa76:
0095aa76 5f              pop     edi
0:000> !heap -p -a 52704a20
    address 52704a20 found in
    _DPH_HEAP_ROOT @ 4361000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   52700f70:         52704000             2000
    77f3adc2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77bc99b3 ntdll!RtlDebugFreeHeap+0x0000003e
    77b0fabe ntdll!RtlpFreeHeap+0x000000ce
    77b0f986 ntdll!RtlpFreeHeapInternal+0x00000146
    77b0f3de ntdll!RtlFreeHeap+0x0000003e
    0c81dc9e mso20win32client!Ordinal456+0x0000008c
    00688491 Excel!Ordinal43+0x00018491
    0095aa76 Excel!Ordinal43+0x002eaa76
    00b85a23 Excel!Ordinal43+0x00515a23
    00b7e517 Excel!Ordinal43+0x0050e517
    01ca5cf6 Excel!MdCallBack+0x008af1fc
    01ca5788 Excel!MdCallBack+0x008aec8e
    00c4ad64 Excel!Ordinal43+0x005dad64
    00c4a335 Excel!Ordinal43+0x005da335
    01c7a0c2 Excel!MdCallBack+0x008835c8
    008385b7 Excel!Ordinal43+0x001c85b7
    008320eb Excel!Ordinal43+0x001c20eb
    01695625 Excel!MdCallBack+0x0029eb2b
    012970c6 Excel!MdCallBack12+0x005aff8d
    0129727a Excel!MdCallBack12+0x005b0141
    006a6bff Excel!Ordinal43+0x00036bff
    006a59e0 Excel!Ordinal43+0x000359e0
    01479076 Excel!MdCallBack+0x0008257c
    006eec1e Excel!Ordinal43+0x0007ec1e
    006df6b7 Excel!Ordinal43+0x0006f6b7
    006dd7c3 Excel!Ordinal43+0x0006d7c3
    006d776a Excel!Ordinal43+0x0006776a
    006816f6 Excel!Ordinal43+0x000116f6
    0067124f Excel!Ordinal43+0x0000124f
    77642369 KERNEL32!BaseThreadInitThunk+0x00000019
    77b2e5bb ntdll!__RtlUserThreadStart+0x0000002b
    77b2e58f ntdll!_RtlUserThreadStart+0x0000001b

Unfortunately, the null value is not assigned to a pointer related with this object after deallocation. Because of that, further checks protecting again re-use of this object are bypassed:

.text:0094CCD7 sub_94CCD7      proc near               ; DATA XREF: .rdata:024BD0D8?o
.text:0094CCD7                 mov     ecx, [ecx+14h]
.text:0094CCDA                 test    ecx, ecx
.text:0094CCDC                 jnz     sub_731B64
.text:0094CCE2                 xor     eax, eax
.text:0094CCE4                 retn
.text:0094CCE4 sub_94CCD7      endp

and the object gets re-used inside the following function:

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52704a20 edx=00000000 esi=00000000 edi=36126fa4
eip=00731b66 esp=0331fa3c ebp=0331fa68 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
Excel!Ordinal43+0xc1b66:
00731b66 f6410604        test    byte ptr [ecx+6],4         ds:0023:52704a26=??

0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0331fa68 00cf64bb 3338efdc 00000010 36126fa4 Excel!Ordinal43+0xc1b66
01 0331fa88 014da897 28354fe4 00000001 36126fa4 Excel!MdCallBack12+0xf382
02 0331faa4 014da938 28354fe4 03320054 00000000 Excel!MdCallBack+0xe3d9d
03 0331fac0 00c5f3fa 03320054 0000039e ffffffff Excel!MdCallBack+0xe3e3e
04 0331fb44 00c5ec0a 50c10998 03320054 00000001 Excel!Ordinal43+0x5ef3fa
05 0331fb5c 00c5dfb0 50c10998 00000001 00000001 Excel!Ordinal43+0x5eec0a
06 0331fc34 00c5d58c 50c10998 00000000 0331fc9c Excel!Ordinal43+0x5edfb0
07 0331fc44 790aaa3f 028f2f78 03320000 50c10998 Excel!Ordinal43+0x5ed58c
08 0331fc9c 7905b84a 50c10998 590b9279 0000000a mso!Ordinal1328+0x10b8
09 0331fd10 79057fd2 50c10998 0331fda4 50c10918 mso!Ordinal2401+0x5e7
0a 0331fddc 79056c03 590b916d 03320000 04395ff0 mso!Ordinal8579+0xf84
0b 0331fe04 79056a3f 49954ff0 00000000 0331ff28 mso!Ordinal172+0x665
0c 0331fe14 00c4a9ce 50c10918 04395ff0 40902de8 mso!Ordinal172+0x4a1
0d 0331ff28 00c4a335 00000100 40902de8 00000003 Excel!Ordinal43+0x5da9ce
0e 0332aa54 01c7a0c2 00000000 21524fc8 40906de8 Excel!Ordinal43+0x5da335
0f 0332aa9c 008385b7 0333ad24 40902de8 00000002 Excel!MdCallBack+0x8835c8
10 0333b164 008320eb 00000000 00000000 00000002 Excel!Ordinal43+0x1c85b7
11 0333b1b8 01695625 00000000 00000000 00000002 Excel!Ordinal43+0x1c20eb
12 0333b204 012970c6 00000000 0150870c 002a067c Excel!MdCallBack+0x29eb2b
13 0333b2c8 0129727a 00000001 00001008 00000001 Excel!MdCallBack12+0x5aff8d
14 0333b358 006a6bff 00000001 00001008 00000001 Excel!MdCallBack12+0x5b0141
15 0333f530 006a59e0 0000000f 44312df0 00000105 Excel!Ordinal43+0x36bff
16 0333f5d0 01479076 0000000f 44312df0 00000105 Excel!Ordinal43+0x359e0
17 0333f684 006eec1e 00000105 00000000 00000001 Excel!MdCallBack+0x8257c
18 0333f73c 006df6b7 00000000 000080df 04395ff0 Excel!Ordinal43+0x7ec1e
19 0333fb18 006dd7c3 04395ff0 000080df 00000000 Excel!Ordinal43+0x6f6b7
1a 0333fb88 006d776a 04395ff0 0000008d 00600000 Excel!Ordinal43+0x6d7c3
1b 0333fcf0 006816f6 028fbe28 00000000 030f9000 Excel!Ordinal43+0x6776a
1c 0333ff04 0067124f 00670000 00000000 043b7fcc Excel!Ordinal43+0x116f6
1d 0333ff50 77642369 030f9000 77642350 0333ffbc Excel!Ordinal43+0x124f
1e 0333ff60 77b2e5bb 030f9000 28190e15 00000000 KERNEL32!BaseThreadInitThunk+0x19
1f 0333ffbc 77b2e58f ffffffff 77b73e1a 00000000 ntdll!__RtlUserThreadStart+0x2b
20 0333ffcc 00000000 006710bd 030f9000 00000000 ntdll!_RtlUserThreadStart+0x1b

Proper heap grooming can give an attacker full control of this use-after-free vulnerability and as a result could allow it to be turned into a arbitrary code execution.

Crash Information

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: String

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.Sec
    Value: 3

    Key  : Analysis.DebugAnalysisProvider.CPP
    Value: Create: 8007007e on DESKTOP-FIEQB1A

    Key  : Analysis.DebugData
    Value: CreateObject

    Key  : Analysis.DebugModel
    Value: CreateObject

    Key  : Analysis.Elapsed.Sec
    Value: 15

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 67

    Key  : Analysis.System
    Value: CreateObject

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 24524

    Key  : Timeline.Process.Start.DeltaSec
    Value: 1501


NTGLOBALFLAG:  2000000

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

APPLICATION_VERIFIER_LOADED: 1

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00731b66 (Excel!Ordinal43+0x000c1b66)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 52704a26
Attempt to read from address 52704a26

FAULTING_THREAD:  00001b18

PROCESS_NAME:  Excel.exe

READ_ADDRESS:  52704a26 

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo a a si  do pami ci pod adresem 0x%p. Pami   nie mo e by  %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  52704a26

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0331fa68 00cf64bb 3338efdc 00000010 36126fa4 Excel!Ordinal43+0xc1b66
0331fa88 014da897 28354fe4 00000001 36126fa4 Excel!MdCallBack12+0xf382
0331faa4 014da938 28354fe4 03320054 00000000 Excel!MdCallBack+0xe3d9d
0331fac0 00c5f3fa 03320054 0000039e ffffffff Excel!MdCallBack+0xe3e3e
0331fb44 00c5ec0a 50c10998 03320054 00000001 Excel!Ordinal43+0x5ef3fa
0331fb5c 00c5dfb0 50c10998 00000001 00000001 Excel!Ordinal43+0x5eec0a
0331fc34 00c5d58c 50c10998 00000000 0331fc9c Excel!Ordinal43+0x5edfb0
0331fc44 790aaa3f 028f2f78 03320000 50c10998 Excel!Ordinal43+0x5ed58c
0331fc9c 7905b84a 50c10998 590b9279 0000000a mso!Ordinal1328+0x10b8
0331fd10 79057fd2 50c10998 0331fda4 50c10918 mso!Ordinal2401+0x5e7
0331fddc 79056c03 590b916d 03320000 04395ff0 mso!Ordinal8579+0xf84
0331fe04 79056a3f 49954ff0 00000000 0331ff28 mso!Ordinal172+0x665
0331fe14 00c4a9ce 50c10918 04395ff0 40902de8 mso!Ordinal172+0x4a1
0331ff28 00c4a335 00000100 40902de8 00000003 Excel!Ordinal43+0x5da9ce
0332aa54 01c7a0c2 00000000 21524fc8 40906de8 Excel!Ordinal43+0x5da335
0332aa9c 008385b7 0333ad24 40902de8 00000002 Excel!MdCallBack+0x8835c8
0333b164 008320eb 00000000 00000000 00000002 Excel!Ordinal43+0x1c85b7
0333b1b8 01695625 00000000 00000000 00000002 Excel!Ordinal43+0x1c20eb
0333b204 012970c6 00000000 0150870c 002a067c Excel!MdCallBack+0x29eb2b
0333b2c8 0129727a 00000001 00001008 00000001 Excel!MdCallBack12+0x5aff8d
0333b358 006a6bff 00000001 00001008 00000001 Excel!MdCallBack12+0x5b0141
0333f530 006a59e0 0000000f 44312df0 00000105 Excel!Ordinal43+0x36bff
0333f5d0 01479076 0000000f 44312df0 00000105 Excel!Ordinal43+0x359e0
0333f684 006eec1e 00000105 00000000 00000001 Excel!MdCallBack+0x8257c
0333f73c 006df6b7 00000000 000080df 04395ff0 Excel!Ordinal43+0x7ec1e
0333fb18 006dd7c3 04395ff0 000080df 00000000 Excel!Ordinal43+0x6f6b7
0333fb88 006d776a 04395ff0 0000008d 00600000 Excel!Ordinal43+0x6d7c3
0333fcf0 006816f6 028fbe28 00000000 030f9000 Excel!Ordinal43+0x6776a
0333ff04 0067124f 00670000 00000000 043b7fcc Excel!Ordinal43+0x116f6
0333ff50 77642369 030f9000 77642350 0333ffbc Excel!Ordinal43+0x124f
0333ff60 77b2e5bb 030f9000 28190e15 00000000 KERNEL32!BaseThreadInitThunk+0x19
0333ffbc 77b2e58f ffffffff 77b73e1a 00000000 ntdll!__RtlUserThreadStart+0x2b
0333ffcc 00000000 006710bd 030f9000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  ~0s ; .cxr ; kb

SYMBOL_NAME:  Excel!Ordinal43+c1b66

MODULE_NAME: Excel

IMAGE_NAME:  Excel.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!Ordinal43

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

FAILURE_ID_HASH:  {40392c8d-c128-d7d7-ec8e-63113b975295}

Followup:     MachineOwner
---------




0:000> lm a eip
Browse full module list
start    end        module name
00670000 02fe1000   Excel      (export symbols)       c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
0:000> lmv a eip
Browse full module list
start    end        module name
00670000 02fe1000   Excel      (export symbols)       c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    Loaded symbol image file: c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
    Image path: Excel.exe
    Image name: Excel.exe
    Browse all global symbols  functions  data
    Timestamp:        Tue Nov 19 09:26:08 2019 (5DD3A720)
    CheckSum:         029756CD
    ImageSize:        02971000
    File version:     16.0.11328.20480
    Product version:  16.0.11328.20480
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0000.04e4
    Information from resource tables:
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft Office
        InternalName:     Excel
        OriginalFilename: Excel.exe
        ProductVersion:   16.0.11328.20480
        FileVersion:      16.0.11328.20480
    FileDescription:  Microsoft Excel

Timeline

2019-12-02 - Vendor Disclosure
2020-02-11 - Vendor patch and Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.