CVE-2021-40474
Microsoft Office is a productivity suite used in corporate environments and by end users alike. It offers a range of tools for various purposes, such as Excel for spreadsheets, Word for document editing, Outlook for email, PowerPoint for presentations and more.
Tracking the life cycle of the affected object, we first see it being allocated (ebx/esi hold the object address 2ce549d8; the page heap tracks the allocation because Application Verifier is enabled):
eax=7130ef40 ebx=2ce549d8 ecx=00500fdb edx=05bc0000 esi=2ce549d8 edi=05bf6fe0
eip=004eeb00 esp=032dcd24 ebp=032dcd2c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200206
Excel!Ordinal43+0x30eb00:
004eeb00 ff15106a7f02 call dword ptr [Excel!DllGetLCID+0x1c654 (027f6a10)] ds:002b:027f6a10={mso20win32client!Ordinal456 (6901765e)}
0:000> !heap -p -a 2ce549d8
address 2ce549d8 found in
_DPH_HEAP_ROOT @ 5bc1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
2cb93d34: 2ce549d8 628 - 2ce54000 2000
6987a8b0 verifier!AVrfDebugPageHeapAllocate+0x00000240
7770ef8e ntdll!RtlDebugAllocateHeap+0x00000039
77676150 ntdll!RtlpAllocateHeap+0x000000f0
776757fe ntdll!RtlpAllocateHeapInternal+0x000003ee
776753fe ntdll!RtlAllocateHeap+0x0000003e
6900b361 mso20win32client!Ordinal951+0x0000003f
001f7fac Excel!Ordinal43+0x00017fac
001f7f67 Excel!Ordinal43+0x00017f67
001f7f13 Excel!Ordinal43+0x00017f13
0029cc1c Excel!Ordinal43+0x000bcc1c
0029c792 Excel!Ordinal43+0x000bc792
002c8c2a Excel!Ordinal43+0x000e8c2a
01795675 Excel!MdCallBack+0x008e4ad0
00f68e73 Excel!MdCallBack+0x000b82ce
0179548b Excel!MdCallBack+0x008e48e6
004037fc Excel!Ordinal43+0x002237fc
003f8f0f Excel!Ordinal43+0x00218f0f
011e27e9 Excel!MdCallBack+0x00331c44
00cd807a Excel!Ordinal43+0x00af807a
00cd7e5d Excel!Ordinal43+0x00af7e5d
00220c51 Excel!Ordinal43+0x00040c51
0021f647 Excel!Ordinal43+0x0003f647
01a6f8de Excel!UpgradeASPPModel+0x0022fd13
002747b1 Excel!Ordinal43+0x000947b1
002678d8 Excel!Ordinal43+0x000878d8
002654ee Excel!Ordinal43+0x000854ee
0025dbcb Excel!Ordinal43+0x0007dbcb
001f7201 Excel!Ordinal43+0x00017201
001e11c3 Excel!Ordinal43+0x000011c3
7747fa29 KERNEL32!BaseThreadInitThunk+0x00000019
776975f4 ntdll!__RtlUserThreadStart+0x0000002f
776975c4 ntdll!_RtlUserThreadStart+0x0000001b
Later, because of the malformed HTML/XML embedded in the XLS file content, the same object (2ce549d8) is freed:
call mso20win32client!Ordinal456+0x00000050
0:000> !heap -p -a 2ce549d8
address 2ce549d8 found in
_DPH_HEAP_ROOT @ 5bc1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
2cb93d34: 2ce54000 2000
6987ab02 verifier!AVrfDebugPageHeapFree+0x000000c2
7770f7e6 ntdll!RtlDebugFreeHeap+0x0000003e
776c67e0 ntdll!RtlpFreeHeap+0x0004e000
776b621d ntdll!RtlpFreeHeapInternal+0x00000783
77678786 ntdll!RtlFreeHeap+0x00000046
690176ae mso20win32client!Ordinal456+0x00000050
004eeb06 Excel!Ordinal43+0x0030eb06
00500f8d Excel!Ordinal43+0x00320f8d
004fcd39 Excel!Ordinal43+0x0031cd39
004f34c6 Excel!Ordinal43+0x003134c6
017cc452 Excel!MdCallBack+0x0091b8ad
017cb787 Excel!MdCallBack+0x0091abe2
01795e75 Excel!MdCallBack+0x008e52d0
00f68e73 Excel!MdCallBack+0x000b82ce
0179548b Excel!MdCallBack+0x008e48e6
004037fc Excel!Ordinal43+0x002237fc
003f8f0f Excel!Ordinal43+0x00218f0f
011e27e9 Excel!MdCallBack+0x00331c44
00cd807a Excel!Ordinal43+0x00af807a
00cd7e5d Excel!Ordinal43+0x00af7e5d
00220c51 Excel!Ordinal43+0x00040c51
0021f647 Excel!Ordinal43+0x0003f647
01a6f8de Excel!UpgradeASPPModel+0x0022fd13
002747b1 Excel!Ordinal43+0x000947b1
002678d8 Excel!Ordinal43+0x000878d8
002654ee Excel!Ordinal43+0x000854ee
0025dbcb Excel!Ordinal43+0x0007dbcb
001f7201 Excel!Ordinal43+0x00017201
001e11c3 Excel!Ordinal43+0x000011c3
7747fa29 KERNEL32!BaseThreadInitThunk+0x00000019
776975f4 ntdll!__RtlUserThreadStart+0x0000002f
776975c4 ntdll!_RtlUserThreadStart+0x0000001b
After the free, the pointer that still references this object is not set to NULL. As a result, the NULL checks that are supposed to protect against reuse of the object are bypassed, and the dangling pointer is dereferenced in the following function. Note that ecx still holds the freed object address 2ce549d8, and the faulting read at 2ce549de is the flag byte at offset 6 inside the freed block, which the page heap has already unmapped:
(1178.304): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=023b4984 ebx=6e624f84 ecx=2ce549d8 edx=00000000 esi=6fc5cfa4 edi=00000000
eip=002c9b02 esp=032dca5c ebp=032dca8c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
Excel!Ordinal43+0xe9b02:
002c9b02 f6410604 test byte ptr [ecx+6],4 ds:002b:2ce549de=??
0:000> kb
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
032dca8c 01cebb14 6e624f80 00000010 6fc5cfa4 Excel!Ordinal43+0xe9b02
032dcaac 00fdefa4 71eeefdc 00000001 6fc5cfa4 Excel!UpgradeASPPModel+0x4abf49
032dcac8 00fd6197 71eeefdc 032dd0f0 032dcbb0 Excel!MdCallBack+0x12e3ff
032dcae4 0178dcc9 032dd0f0 0000039e ffffffff Excel!MdCallBack+0x1255f2
032dcb68 00f64a5b 71582998 05bf6fe0 032dd0f0 Excel!MdCallBack+0x8dd124
032dcb84 017930c8 71582998 00000001 02882ee0 Excel!MdCallBack+0xb3eb6
032dcc4c 0179310e 00000000 032dccb0 651aa6ef Excel!MdCallBack+0x8e2523
032dcc58 651aa6ef 02882ee0 032dd09c 71582998 Excel!MdCallBack+0x8e2569
032dccb0 65144ca4 00000000 8381a313 0000000a mso!Ordinal10758+0x21f
032dcd24 6513f8ce 71582998 032dcd94 8381a07f mso!MsoVBADigSigRemoveSignedDataMsg+0x40f2
032dce48 6513c6d0 00000001 71582998 6513c6d0 mso!Ordinal8579+0x2bfb
032dce80 6513c4df 48900ff0 00000000 032dcfa4 mso!Ordinal2012+0x295
032dce90 0179596c 71582918 05bf6fe0 00000000 mso!Ordinal2012+0xa4
032dcfa4 00f68e73 00000100 5092efa8 00000003 Excel!MdCallBack+0x8e4dc7
032e78e8 0179548b 00000000 00000000 00000000 Excel!MdCallBack+0xb82ce
032e7930 004037fc 032f7360 00000000 00000002 Excel!MdCallBack+0x8e48e6
032f77a0 003f8f0f 00000000 00000000 00000002 Excel!Ordinal43+0x2237fc
032f7828 011e27e9 00000000 00000000 00000002 Excel!Ordinal43+0x218f0f
032f7874 00cd807a 00000000 02823042 032f7898 Excel!MdCallBack+0x331c44
032f7944 00cd7e5d 00000001 00001008 00000001 Excel!Ordinal43+0xaf807a
032f79dc 00220c51 00000001 00001008 00000001 Excel!Ordinal43+0xaf7e5d
032fcbac 0021f647 0000000f 1b7fcfb0 00000825 Excel!Ordinal43+0x40c51
032fcc4c 01a6f8de 0000000f 1b7fcfb0 00000825 Excel!Ordinal43+0x3f647
032fdcc4 002747b1 00000825 00000000 00000001 Excel!UpgradeASPPModel+0x22fd13
032fdd74 002678d8 05bf6fe0 05bf6fe0 00000000 Excel!Ordinal43+0x947b1
032ff1e4 002654ee 05bf6fe0 0284e138 032ff680 Excel!Ordinal43+0x878d8
032ff25c 0025dbcb 7a6f30ff 05bf6fec 00000000 Excel!Ordinal43+0x854ee
032ff678 001f7201 05bf6fe8 001f7201 00000000 Excel!Ordinal43+0x7dbcb
032ff8b4 001e11c3 001e0000 00000000 05c14fca Excel!Ordinal43+0x17201
032ff900 7747fa29 030fb000 7747fa10 032ff96c Excel!Ordinal43+0x11c3
032ff910 776975f4 030fb000 49867263 00000000 KERNEL32!BaseThreadInitThunk+0x19
032ff96c 776975c4 ffffffff 776b733e 00000000 ntdll!__RtlUserThreadStart+0x2f
032ff97c 00000000 001e1079 030fb000 00000000 ntdll!_RtlUserThreadStart+0x1b
With proper heap grooming, an attacker can reclaim the freed allocation with controlled content before it is reused, giving full control over the object read through the dangling pointer. This use-after-free could therefore be turned into arbitrary code execution.
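The following C program is an added illustration of the bug class described above; it is not code from the advisory or from Microsoft Office. It models the three stages shown in the debugger output: an object with a flag byte at offset 6 (mirroring "test byte ptr [ecx+6],4"), a release path that frees the object but leaves the owner's pointer dangling, and a consumer whose only guard is a NULL check. A one-slot toy allocator stands in for the process heap so that the "heap grooming" step (the attacker reclaiming the freed chunk with controlled bytes) is deterministic and safe to run. All names, the struct layout and the attacker-controlled filler are constructed for the example; the fixed release path shows the minimal correction the vulnerable code lacks.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLAG_ACTIVE 0x04   /* the bit tested by "test byte ptr [ecx+6],4" */
#define POISON      0xF0   /* fill pattern for freed slots (constructed) */

/* Constructed object layout: the flag byte must land at offset 6. */
typedef struct {
    uint8_t  header[6];
    uint8_t  flags;        /* offset 6 */
    uint8_t  pad;
    uint32_t value;
} obj_t;

_Static_assert(offsetof(obj_t, flags) == 6, "flags must sit at offset 6");

/* One-slot allocator standing in for the heap. A freed slot is poisoned and
 * the next allocation of the same size gets the same address, which is the
 * situation heap grooming arranges on a real heap. */
static obj_t slot;
static int   slot_busy = 0;

static obj_t *toy_alloc(void) {
    if (slot_busy) return NULL;
    slot_busy = 1;
    memset(&slot, 0, sizeof slot);
    return &slot;
}

static void toy_free(obj_t *p) {
    if (p != &slot || !slot_busy) return;
    memset(p, POISON, sizeof *p);
    slot_busy = 0;
}

/* The owner keeps a back-reference to the object, as Excel does. */
typedef struct { obj_t *obj; } owner_t;

/* Consumer: returns -1 if there is no object, else whether FLAG_ACTIVE is set.
 * Its only protection is the NULL check, so a non-NULL dangling pointer passes
 * the guard and the freed (or reclaimed) memory is read. */
static int object_is_active(const owner_t *o) {
    if (o->obj == NULL) return -1;
    return (o->obj->flags & FLAG_ACTIVE) ? 1 : 0;
}

/* Vulnerable release: frees the object but leaves owner->obj dangling. */
static void release_vulnerable(owner_t *o) {
    toy_free(o->obj);
}

/* Fixed release: frees and clears the pointer so the consumer's guard works. */
static void release_fixed(owner_t *o) {
    toy_free(o->obj);
    o->obj = NULL;
}

/* Full scenario: allocate, release, let the attacker reclaim the freed slot
 * with controlled bytes, then run the consumer. Returns the consumer's result. */
static int scenario(int fixed, uint8_t attacker_flags) {
    owner_t owner = { toy_alloc() };
    owner.obj->flags = FLAG_ACTIVE;

    if (fixed) release_fixed(&owner);
    else       release_vulnerable(&owner);

    /* Heap grooming: the freed chunk is reclaimed with attacker content. */
    obj_t *groomed = toy_alloc();
    memset(groomed, 0x41, sizeof *groomed);   /* constructed filler */
    groomed->flags = attacker_flags;

    int result = object_is_active(&owner);
    toy_free(groomed);
    return result;
}

int main(void) {
    printf("vulnerable, attacker sets flag:   %d\n", scenario(0, FLAG_ACTIVE));
    printf("vulnerable, attacker clears flag: %d\n", scenario(0, 0x00));
    printf("fixed, attacker sets flag:        %d\n", scenario(1, FLAG_ACTIVE));
    return 0;
}
```

In the vulnerable path the consumer's decision is made on whatever the attacker placed in the reclaimed chunk; under Application Verifier's page heap the freed page is unmapped instead, which is why the real Excel process faults at 2ce549de rather than silently reading stale data. Clearing the owner's pointer at release time (release_fixed) is what makes the existing NULL guard effective.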
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Analysis.CPU.Sec
Value: 6
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-CML224D
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 232
Key : Analysis.Memory.CommitPeak.Mb
Value: 111
Key : Analysis.System
Value: CreateObject
Key : Timeline.OS.Boot.DeltaSec
Value: 32507
Key : Timeline.Process.Start.DeltaSec
Value: 94
NTGLOBALFLAG: 2000000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
APPLICATION_VERIFIER_LOADED: 1
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 002c9b02 (Excel!Ordinal43+0x000e9b02)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 2ce549de
Attempt to read from address 2ce549de
FAULTING_THREAD: 00000304
PROCESS_NAME: Excel.exe
READ_ADDRESS: 2ce549de
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 2ce549de
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
032dca8c 01cebb14 6e624f80 00000010 6fc5cfa4 Excel!Ordinal43+0xe9b02
032dcaac 00fdefa4 71eeefdc 00000001 6fc5cfa4 Excel!UpgradeASPPModel+0x4abf49
032dcac8 00fd6197 71eeefdc 032dd0f0 032dcbb0 Excel!MdCallBack+0x12e3ff
032dcae4 0178dcc9 032dd0f0 0000039e ffffffff Excel!MdCallBack+0x1255f2
032dcb68 00f64a5b 71582998 05bf6fe0 032dd0f0 Excel!MdCallBack+0x8dd124
032dcb84 017930c8 71582998 00000001 02882ee0 Excel!MdCallBack+0xb3eb6
032dcc4c 0179310e 00000000 032dccb0 651aa6ef Excel!MdCallBack+0x8e2523
032dcc58 651aa6ef 02882ee0 032dd09c 71582998 Excel!MdCallBack+0x8e2569
032dccb0 65144ca4 00000000 8381a313 0000000a mso!Ordinal10758+0x21f
032dcd24 6513f8ce 71582998 032dcd94 8381a07f mso!MsoVBADigSigRemoveSignedDataMsg+0x40f2
032dce48 6513c6d0 00000001 71582998 6513c6d0 mso!Ordinal8579+0x2bfb
032dce80 6513c4df 48900ff0 00000000 032dcfa4 mso!Ordinal2012+0x295
032dce90 0179596c 71582918 05bf6fe0 00000000 mso!Ordinal2012+0xa4
032dcfa4 00f68e73 00000100 5092efa8 00000003 Excel!MdCallBack+0x8e4dc7
032e78e8 0179548b 00000000 00000000 00000000 Excel!MdCallBack+0xb82ce
032e7930 004037fc 032f7360 00000000 00000002 Excel!MdCallBack+0x8e48e6
032f77a0 003f8f0f 00000000 00000000 00000002 Excel!Ordinal43+0x2237fc
032f7828 011e27e9 00000000 00000000 00000002 Excel!Ordinal43+0x218f0f
032f7874 00cd807a 00000000 02823042 032f7898 Excel!MdCallBack+0x331c44
032f7944 00cd7e5d 00000001 00001008 00000001 Excel!Ordinal43+0xaf807a
032f79dc 00220c51 00000001 00001008 00000001 Excel!Ordinal43+0xaf7e5d
032fcbac 0021f647 0000000f 1b7fcfb0 00000825 Excel!Ordinal43+0x40c51
032fcc4c 01a6f8de 0000000f 1b7fcfb0 00000825 Excel!Ordinal43+0x3f647
032fdcc4 002747b1 00000825 00000000 00000001 Excel!UpgradeASPPModel+0x22fd13
032fdd74 002678d8 05bf6fe0 05bf6fe0 00000000 Excel!Ordinal43+0x947b1
032ff1e4 002654ee 05bf6fe0 0284e138 032ff680 Excel!Ordinal43+0x878d8
032ff25c 0025dbcb 7a6f30ff 05bf6fec 00000000 Excel!Ordinal43+0x854ee
032ff678 001f7201 05bf6fe8 001f7201 00000000 Excel!Ordinal43+0x7dbcb
032ff8b4 001e11c3 001e0000 00000000 05c14fca Excel!Ordinal43+0x17201
032ff900 7747fa29 030fb000 7747fa10 032ff96c Excel!Ordinal43+0x11c3
032ff910 776975f4 030fb000 49867263 00000000 KERNEL32!BaseThreadInitThunk+0x19
032ff96c 776975c4 ffffffff 776b733e 00000000 ntdll!__RtlUserThreadStart+0x2f
032ff97c 00000000 001e1079 030fb000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: Excel!Ordinal43+e9b02
MODULE_NAME: Excel
IMAGE_NAME: Excel.exe
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!Ordinal43
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {40392c8d-c128-d7d7-ec8e-63113b975295}
Followup: MachineOwner
---------
0:000> lmv m EXCEL
Browse full module list
start end module name
001e0000 02f63000 Excel (export symbols) c:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Loaded symbol image file: c:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Image path: Excel.exe
Image name: Excel.exe
Browse all global symbols functions data
Timestamp: Mon Feb 15 20:34:11 2021 (602ACCB3)
CheckSum: 02D8532D
ImageSize: 02D83000
File version: 16.0.13628.20448
Product version: 16.0.13628.20448
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: Excel
OriginalFilename: Excel.exe
ProductVersion: 16.0.13628.20448
FileVersion: 16.0.13628.20448
FileDescription: Microsoft Excel
0:000> lmv m mso
Browse full module list
start end module name
650e0000 66804000 mso (export symbols) C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll
Loaded symbol image file: C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll
Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll
Image name: mso.dll
Browse all global symbols functions data
Timestamp: Sat Jan 30 08:44:58 2021 (60150E7A)
CheckSum: 017206E1
ImageSize: 01724000
File version: 16.0.13628.20318
Product version: 16.0.13628.20318
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: MSO
OriginalFilename: MSO.dll
ProductVersion: 16.0.13628.20318
FileVersion: 16.0.13628.20318
FileDescription: Microsoft Office component
2021-07-22 - Vendor Disclosure
2021-10-12 - Vendor Patch
2021-10-12 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.