CVE-2023-32541
A use-after-free vulnerability exists in the footerr functionality of Hancom Office 2020 HWord 11.0.0.7520. A specially crafted .doc file can lead to a use-after-free. An attacker can trick a user into opening a malformed file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Hancom Office 2020 HWord 11.0.0.7520
Hancom Office 2020 - https://office.hancom.com/
8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
Hancom Office is considered one of the more popular Office suites used within South Korea.
After opening our malformed .doc file in HWord.exe under a debugger, we stop in the following place:
(37d8.524c): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 50FD1E:0
eax=60b8874c ebx=1bf9b880 ecx=1bf9b880 edx=1c242b58 esi=1bf9b880 edi=1165d7b8
eip=60d7f2a0 esp=00afd4ac ebp=00afd4c0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
HwordApp!CHncAABase::`vftable'+0x220c4:
60d7f2a0 0000 add byte ptr [eax],al ds:002b:60b8874c=d4
0:000> u
HwordApp!CHncAABase::`vftable'+0x220c4:
60d7f2a0 0000 add byte ptr [eax],al
60d7f2a2 0000 add byte ptr [eax],al
60d7f2a4 0000 add byte ptr [eax],al
60d7f2a6 0000 add byte ptr [eax],al
60d7f2a8 0000 add byte ptr [eax],al
60d7f2aa 0000 add byte ptr [eax],al
60d7f2ac 44 inc esp
60d7f2ad f0ed lock in eax,dx
0:000> !address 60d7f2a0
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...
Usage: Image
Base Address: 603b4000
End Address: 606e2000
Region Size: 0032e000 ( 3.180 MB)
State: 00001000 MEM_COMMIT
Protect: 00000002 PAGE_READONLY
Type: 01000000 MEM_IMAGE
Allocation Base: 60360000
Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY
Image Path: c:\Program Files (x86)\Hnc\Office\HOffice110\Bin\HwordApp.dll
Module Name: HwordApp
Loaded Image Name: c:\Program Files (x86)\Hnc\Office\HOffice110\Bin\HwordApp.dll
It looks like we have landed in an executable region of code, but at the wrong address, judging by the appearance of the instructions. Stepping back, we can see that the instruction that brought us to the above code was a virtual function call:
0:000> p-
Time Travel Position: 50FD1D:65
eax=60b8874c ebx=1bf9b880 ecx=1bf9b880 edx=1c242b58 esi=1bf9b880 edi=1165d7b8
eip=605ef1ff esp=00afd4b0 ebp=00afd4c0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
HwordApp!SetInitFontCallbackFunc+0xa67b8f:
605ef1ff ff5068 call dword ptr [eax+68h] ds:002b:60b887b4=60d7f2a0
605ef1e0 55 push ebp
605ef1e1 8bec mov ebp, esp
605ef1e3 56 push esi
605ef1e4 57 push edi
605ef1e5 8b7d08 mov edi, dword ptr [ebp+8]
605ef1e8 8bf1 mov esi, ecx
605ef1ea 85ff test edi, edi
605ef1ec 741c je 605EF20A
605ef1ee 8b06 mov eax, dword ptr [esi]
605ef1f0 57 push edi
605ef1f1 8b4014 mov eax, dword ptr [eax+14h]
605ef1f4 ffd0 call eax
605ef1f6 84c0 test al, al
605ef1f8 7410 je 605EF20A
605ef1fa 8b06 mov eax, dword ptr [esi]
605ef1fc 8bce mov ecx, esi
605ef1fe 57 push edi
605ef1ff ff5068 call dword ptr [eax+68h]
605ef202 5f pop edi
605ef203 b001 mov al, 1
605ef205 5e pop esi
605ef206 5d pop ebp
605ef207 c20800 ret 8
605ef20a 5f pop edi
605ef20b 32c0 xor al, al
605ef20d 5e pop esi
605ef20e 5d pop ebp
605ef20f c20800 ret 8
Further investigation reveals that the object pointed to by the this pointer (esi) was deallocated previously; this is a typical use-after-free scenario.
We are currently at Time Travel Position (TTP) 50FD1D:65. Searching for allocation and deallocation operations related to the 1bf9b880 pointer, we obtain the following results:
One allocation event at TTP: 50E857:1A70
0:000> dx -g @$cursession.TTD.Calls("MSVCR120!malloc").Where( c => c.ReturnValue == 0x1bf9b880)
========================================================================================================================================================================================================================================================================================
= = (+) EventType = (+) ThreadId = (+) UniqueThreadId = (+) TimeStart = (+) TimeEnd = (+) Function = (+) FunctionAddress = (+) ReturnAddress = (+) ReturnValue = (+) Parameters = (+) SystemTimeStart = (+) SystemTimeEnd =
========================================================================================================================================================================================================================================================================================
= [0x3b3ca] - 0x0 - 0x524c - 0x2 - 50E857:1A70 - 50E85F:3B - MSVCR120!malloc - 0x6164ed10 - 0x6164ee1c - 0x1bf9b880 - {...} - Thursday, June 1, 2023 10:45:21.956 - Thursday, June 1, 2023 10:45:21.956 =
========================================================================================================================================================================================================================================================================================
0:000> kb
# ChildEBP RetAddr Args to Child
00 00afd534 6164ee1c 00000040 00afd540 5fb7d733 MSVCR120!malloc [f:\dd\vctools\crt\crtw32\heap\malloc.c @ 84]
01 00afd534 616e6274 00000040 00afd580 600e0f43 MSVCR120!operator new+0x1d [f:\dd\vctools\crt\crtw32\heap\new.cpp @ 59]
02 00afd540 600e0f43 00000040 00000001 60b95a10 MSVCR120!operator new+0xb [f:\dd\vctools\crt\crtw32\misc\dbgnew.cpp @ 127]
WARNING: Stack unwind information not available. Following frames may be wrong.
03 00afd580 600dcd51 1c269740 2bd6185c 00afd76c HwordApp!SetInitFontCallbackFunc+0x5598d3
04 00afd608 606f6960 00afd778 114d1b58 606f6478 HwordApp!SetInitFontCallbackFunc+0x5556e1
05 00afd658 600eb9db 1113aa80 11661378 6004c8cf HwordApp!SetInitFontCallbackFunc+0xb6f2f0
06 00afdfa0 60372c99 1c1895b0 00000000 1c1895b0 HwordApp!SetInitFontCallbackFunc+0x56436b
07 00afdfd4 5fcde640 111c2e88 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x7eb629
08 00afdffc 5fcdc028 11544078 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x156fd0
09 00afe0d0 5fb93ee3 00000000 1bf967a8 00afe200 HwordApp!SetInitFontCallbackFunc+0x1549b8
0a 00afe454 1ce9b974 1143df68 1c127754 618a9094 HwordApp!SetInitFontCallbackFunc+0xc873
0b 00afe4bc 1ce99a16 00000000 00000000 06231228 0x1ce9b974
0c 00afe584 1ce98ba8 062b97c8 00000000 00000000 0x1ce99a16
0d 00afe5e0 19792fd5 00000000 00000000 00000001 0x1ce98ba8
0e 00afe64c 03cef6a9 00000001 062d63ec 062d63fc 0x19792fd5
0f 00afe664 03cec59e 00000001 062d63ec 062d5d0c 0x3cef6a9
10 00afe67c 6433e68b 062d63ec 00000000 062b9470 0x3cec59e
11 00afe694 642d9742 062d5ea8 00000000 00afe6bc PresentationFramework_ni+0x2fe68b
12 00afe6a4 6616ef52 00000001 062d5ea8 06244474 PresentationFramework_ni+0x299742
13 00afe6bc 6616ee95 00000001 00000000 00000000 WindowsBase_ni+0xdef52
14 00afe6f8 661711cd 00000000 00000001 00000000 WindowsBase_ni+0xdee95
15 00afe740 6616f67f 062d5f34 73538604 06233b44 WindowsBase_ni+0xe11cd
16 00afe7ac 73538537 00000000 062b913c 00000000 WindowsBase_ni+0xdf67f
17 00afe7c0 735384f4 00000000 062b913c 00000000 mscorlib_ni+0x3f8537
18 00afe7dc 66171093 062b913c 062d5f14 00000000 mscorlib_ni+0x3f84f4
19 00afe80c 66170e90 062b913c 00000000 00000000 WindowsBase_ni+0xe1093
1a 00afe844 6616d456 00000000 06244548 00000000 WindowsBase_ni+0xe0e90
1b 00afe884 6616c57c 00000000 00000000 062441d8 WindowsBase_ni+0xdd456
1c 00afe8c0 6616e771 0624513c 00000000 00000000 WindowsBase_ni+0xdc57c
1d 00afe8fc 6616ea5c 06244da4 00000000 00000000 WindowsBase_ni+0xde771
1e 00afe91c 6616ef52 00000001 06233b44 06244474 WindowsBase_ni+0xdea5c
1f 00afe934 6616ee95 00000001 06244d8c 00000000 WindowsBase_ni+0xdef52
20 00afe970 6616d072 00000000 00000001 06244d8c WindowsBase_ni+0xdee95
21 00afe9c8 6616e5c4 00000001 06244d8c 06244d6c WindowsBase_ni+0xdd072
22 00afea10 00dcd16e 00000000 00000000 0000c2b7 WindowsBase_ni+0xde5c4
23 00afea44 75f6139b 005f12ba 0000c2b7 00000000 0xdcd16e
24 00afea70 75f5836a 098b080e 005f12ba 0000c2b7 USER32!_InternalCallWinProc+0x2b
25 00afeb54 75f560da 098b080e 00000000 0000c2b7 USER32!UserCallWinProcCheckWow+0x33a
26 00afebc8 75f55ea0 00afec20 00afec10 661875f1 USER32!DispatchMessageWorker+0x22a
27 00afebd4 661875f1 00afec20 172c6a01 746610fc USER32!DispatchMessageW+0x10
28 00afec10 6616b3d7 062b6bb0 062441d8 005f12ba WindowsBase_ni+0xf75f1
29 00afec58 6616b319 062d63c8 00afec74 642d970c WindowsBase_ni+0xdb3d7
2a 00afec64 642d970c 062b90a8 00000000 00afec94 WindowsBase_ni+0xdb319
2b 00afec74 642d92ca 64049068 00000000 062d5d0c PresentationFramework_ni+0x29970c
2c 00afec94 642d90be 062b9064 062d5d0c 00afecdc PresentationFramework_ni+0x2992ca
2d 00afeca4 03cec37a 00afed20 062d335c ffffffff PresentationFramework_ni+0x2990be
2e 00afecdc 03cec03a 06231fbc 062369c4 06231fd4 0x3cec37a
2f 00afecf0 03ce0ede 062367c8 00afedb0 00000000 0x3cec03a
30 00afed08 74660556 037e9148 00afed68 7466373a 0x3ce0ede
31 00afed14 7466373a 00afedb0 00afed58 747fd410 clr!CallDescrWorkerInternal+0x34
32 00afed68 74669adb 00000000 06232310 00afedc4 clr!CallDescrWorkerWithHandler+0x6b
33 00afeddc 747dff6b 00afeeb8 140af152 00dcb178 clr!MethodDescCallSite::CallTargetWorker+0x16a
34 00afef00 747e064a 00afef44 00000000 140aef3e clr!RunMain+0x1b3
35 00aff16c 747e0577 00000000 140ae802 00410000 clr!Assembly::ExecuteMainMethod+0xf7
36 00aff650 747e06f8 140ae8fa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef
37 00aff6a8 747e081e 140ae8ba 00000000 747dc200 clr!ExecuteEXE+0x4c
38 00aff6e8 747dc225 140ae976 00000000 747dc200 clr!_CorExeMainInternal+0xdc
39 00aff724 74ecfa84 54d02650 74f64330 74ecfa20 clr!_CorExeMain+0x4d
3a 00aff75c 74f5e81e 74f64330 74ec0000 00aff784 mscoreei!_CorExeMain+0xd6
3b 00aff76c 74f64338 74f64330 770100c9 0089a000 MSCOREE!ShellShim__CorExeMain+0x9e
3c 00aff784 770100c9 0089a000 770100b0 00aff7e0 MSCOREE!_CorExeMain_Exported+0x8
3d 00aff784 77177b4e 0089a000 0c0e7b56 00000000 KERNEL32!BaseThreadInitThunk+0x19
3e 00aff7e0 77177b1e ffffffff 77198c6d 00000000 ntdll!__RtlUserThreadStart+0x2f
3f 00aff7f0 00000000 00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
And one deallocation event, at TTP: 50F8C5:54
0:000> dx -g @$cursession.TTD.Calls("MSVCR120!free").Where(c => c.Parameters.pBlock == 0x1bf9b880)
===================================================================================================================================================================================================================================================================
= = (+) EventType = (+) ThreadId = (+) UniqueThreadId = (+) TimeStart = (+) TimeEnd = (+) Function = (+) FunctionAddress = (+) ReturnAddress = (+) Parameters = (+) SystemTimeStart = (+) SystemTimeEnd =
===================================================================================================================================================================================================================================================================
= [0x2f170] - 0x0 - 0x524c - 0x2 - 50F8C5:54 - 50F8CF:3F - MSVCR120!free - 0x6164ece0 - 0x606a583d - {...} - Thursday, June 1, 2023 10:45:22.112 - Thursday, June 1, 2023 10:45:22.112 =
===================================================================================================================================================================================================================================================================
0:000> kb
# ChildEBP RetAddr Args to Child
00 00afd518 606a583d 1bf9b880 00000001 00afd540 MSVCR120!free [f:\dd\vctools\crt\crtw32\heap\free.c @ 40]
WARNING: Stack unwind information not available. Following frames may be wrong.
01 00afd518 600edb34 00000001 00afd76c 111a0b10 HwordApp!SetInitFontCallbackFunc+0xb1e1cd
02 00afd540 600e103b 11661488 111a0b10 0000009e HwordApp!SetInitFontCallbackFunc+0x5664c4
03 00afd580 600dcd51 1bf9be58 2bd6185c 00afd76c HwordApp!SetInitFontCallbackFunc+0x5599cb
04 00afd608 606f6960 00afd778 114d1b58 606f6478 HwordApp!SetInitFontCallbackFunc+0x5556e1
05 00afd658 600eb9db 1113aa80 11661378 6004c8cf HwordApp!SetInitFontCallbackFunc+0xb6f2f0
06 00afdfa0 60372c99 1c1895b0 00000000 1c1895b0 HwordApp!SetInitFontCallbackFunc+0x56436b
07 00afdfd4 5fcde640 111c2e88 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x7eb629
08 00afdffc 5fcdc028 11544078 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x156fd0
09 00afe0d0 5fb93ee3 00000000 1bf967a8 00afe200 HwordApp!SetInitFontCallbackFunc+0x1549b8
0a 00afe454 1ce9b974 1143df68 1c127754 618a9094 HwordApp!SetInitFontCallbackFunc+0xc873
0b 00afe4bc 1ce99a16 00000000 00000000 06231228 0x1ce9b974
0c 00afe584 1ce98ba8 062b97c8 00000000 00000000 0x1ce99a16
0d 00afe5e0 19792fd5 00000000 00000000 00000001 0x1ce98ba8
0e 00afe64c 03cef6a9 00000001 062d63ec 062d63fc 0x19792fd5
0f 00afe664 03cec59e 00000001 062d63ec 062d5d0c 0x3cef6a9
10 00afe67c 6433e68b 062d63ec 00000000 062b9470 0x3cec59e
11 00afe694 642d9742 062d5ea8 00000000 00afe6bc PresentationFramework_ni+0x2fe68b
12 00afe6a4 6616ef52 00000001 062d5ea8 06244474 PresentationFramework_ni+0x299742
13 00afe6bc 6616ee95 00000001 00000000 00000000 WindowsBase_ni+0xdef52
14 00afe6f8 661711cd 00000000 00000001 00000000 WindowsBase_ni+0xdee95
15 00afe740 6616f67f 062d5f34 73538604 06233b44 WindowsBase_ni+0xe11cd
16 00afe7ac 73538537 00000000 062b913c 00000000 WindowsBase_ni+0xdf67f
17 00afe7c0 735384f4 00000000 062b913c 00000000 mscorlib_ni+0x3f8537
18 00afe7dc 66171093 062b913c 062d5f14 00000000 mscorlib_ni+0x3f84f4
19 00afe80c 66170e90 062b913c 00000000 00000000 WindowsBase_ni+0xe1093
1a 00afe844 6616d456 00000000 06244548 00000000 WindowsBase_ni+0xe0e90
1b 00afe884 6616c57c 00000000 00000000 062441d8 WindowsBase_ni+0xdd456
1c 00afe8c0 6616e771 0624513c 00000000 00000000 WindowsBase_ni+0xdc57c
1d 00afe8fc 6616ea5c 06244da4 00000000 00000000 WindowsBase_ni+0xde771
1e 00afe91c 6616ef52 00000001 06233b44 06244474 WindowsBase_ni+0xdea5c
1f 00afe934 6616ee95 00000001 06244d8c 00000000 WindowsBase_ni+0xdef52
20 00afe970 6616d072 00000000 00000001 06244d8c WindowsBase_ni+0xdee95
21 00afe9c8 6616e5c4 00000001 06244d8c 06244d6c WindowsBase_ni+0xdd072
22 00afea10 00dcd16e 00000000 00000000 0000c2b7 WindowsBase_ni+0xde5c4
23 00afea44 75f6139b 005f12ba 0000c2b7 00000000 0xdcd16e
24 00afea70 75f5836a 098b080e 005f12ba 0000c2b7 USER32!_InternalCallWinProc+0x2b
25 00afeb54 75f560da 098b080e 00000000 0000c2b7 USER32!UserCallWinProcCheckWow+0x33a
26 00afebc8 75f55ea0 00afec20 00afec10 661875f1 USER32!DispatchMessageWorker+0x22a
27 00afebd4 661875f1 00afec20 172c6a01 746610fc USER32!DispatchMessageW+0x10
28 00afec10 6616b3d7 062b6bb0 062441d8 005f12ba WindowsBase_ni+0xf75f1
29 00afec58 6616b319 062d63c8 00afec74 642d970c WindowsBase_ni+0xdb3d7
2a 00afec64 642d970c 062b90a8 00000000 00afec94 WindowsBase_ni+0xdb319
2b 00afec74 642d92ca 64049068 00000000 062d5d0c PresentationFramework_ni+0x29970c
2c 00afec94 642d90be 062b9064 062d5d0c 00afecdc PresentationFramework_ni+0x2992ca
2d 00afeca4 03cec37a 00afed20 062d335c ffffffff PresentationFramework_ni+0x2990be
2e 00afecdc 03cec03a 06231fbc 062369c4 06231fd4 0x3cec37a
2f 00afecf0 03ce0ede 062367c8 00afedb0 00000000 0x3cec03a
30 00afed08 74660556 037e9148 00afed68 7466373a 0x3ce0ede
31 00afed14 7466373a 00afedb0 00afed58 747fd410 clr!CallDescrWorkerInternal+0x34
32 00afed68 74669adb 00000000 06232310 00afedc4 clr!CallDescrWorkerWithHandler+0x6b
33 00afeddc 747dff6b 00afeeb8 140af152 00dcb178 clr!MethodDescCallSite::CallTargetWorker+0x16a
34 00afef00 747e064a 00afef44 00000000 140aef3e clr!RunMain+0x1b3
35 00aff16c 747e0577 00000000 140ae802 00410000 clr!Assembly::ExecuteMainMethod+0xf7
36 00aff650 747e06f8 140ae8fa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef
37 00aff6a8 747e081e 140ae8ba 00000000 747dc200 clr!ExecuteEXE+0x4c
38 00aff6e8 747dc225 140ae976 00000000 747dc200 clr!_CorExeMainInternal+0xdc
39 00aff724 74ecfa84 54d02650 74f64330 74ecfa20 clr!_CorExeMain+0x4d
3a 00aff75c 74f5e81e 74f64330 74ec0000 00aff784 mscoreei!_CorExeMain+0xd6
3b 00aff76c 74f64338 74f64330 770100c9 0089a000 MSCOREE!ShellShim__CorExeMain+0x9e
3c 00aff784 770100c9 0089a000 770100b0 00aff7e0 MSCOREE!_CorExeMain_Exported+0x8
3d 00aff784 77177b4e 0089a000 0c0e7b56 00000000 KERNEL32!BaseThreadInitThunk+0x19
3e 00aff7e0 77177b1e ffffffff 77198c6d 00000000 ntdll!__RtlUserThreadStart+0x2f
3f 00aff7f0 00000000 00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
If we track the object's life cycle more closely, it turns out that the following situation arises when at least two footerr elements are used inside the RTF file: the object is allocated correctly, but it is then deallocated and subsequently re-used.
With proper heap grooming, an attacker could gain full control over this use-after-free and, as a result, turn it into arbitrary code execution.
0:000> g
(37d8.524c): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 50FD1E:0
eax=60b8874c ebx=1bf9b880 ecx=1bf9b880 edx=1c242b58 esi=1bf9b880 edi=1165d7b8
eip=60d7f2a0 esp=00afd4ac ebp=00afd4c0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
HwordApp!CHncAABase::`vftable'+0x220c4:
60d7f2a0 0000 add byte ptr [eax],al ds:002b:60b8874c=d4
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
Failed to request MethodData, not in JIT code range
MethodDesc: 197a15c8
Method Name: HwordAppModule.HwordDocProxy.Open(HwordAppModule.HwordFrameProxy, System.String, System.String, Int32, Int32)
Class: 1975a730
MethodTable: 197a1778
mdToken: 060002d7
Module: 04172eb0
IsJitted: yes
CodeAddr: 1ce9b8d8
Transparency: Safe critical
MethodDesc: 1103756c
Method Name: Hword.HwordFrame._OpenDocument(System.String, HwordDefine.OpenAttr, Boolean, Boolean, Boolean, System.String)
Class: 147c886c
MethodTable: 11037ad0
mdToken: 06001244
Module: 00dc4044
IsJitted: yes
CodeAddr: 1ce99738
Transparency: Critical
MethodDesc: 11037560
Method Name: Hword.HwordFrame.OpenDocument(System.String, HwordDefine.OpenType, HwordDefine.OpenAttr, Boolean)
Class: 147c886c
MethodTable: 11037ad0
mdToken: 06001243
Module: 00dc4044
IsJitted: yes
CodeAddr: 1ce98780
Transparency: Critical
MethodDesc: 0417d4b0
Method Name: Hword.HwordApp.ProcessShellCommand(Hnc.Static.CommandParser, Boolean)
Class: 08933210
MethodTable: 0417d640
mdToken: 06001157
Module: 00dc4044
IsJitted: yes
CodeAddr: 19792c20
Transparency: Critical
MethodDesc: 00dcb210
Method Name: Hword.HwordAppMain.StartApp(Hnc.Static.CommandParser, Boolean)
Class: 04337ac4
MethodTable: 00dcb294
mdToken: 0600073b
Module: 00dc4044
IsJitted: yes
CodeAddr: 03cef4b0
Transparency: Critical
MethodDesc: 00dcb1a8
Method Name: Hword.HwordAppMain.OnApplicationStartup(System.Object, System.Windows.StartupEventArgs)
Class: 04337ac4
MethodTable: 00dcb294
mdToken: 06000735
Module: 00dc4044
IsJitted: yes
CodeAddr: 03cec540
Transparency: Critical
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Analysis.CPU.mSec
Value: 9937
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 35447
Key : Analysis.IO.Other.Mb
Value: 113
Key : Analysis.IO.Read.Mb
Value: 15
Key : Analysis.IO.Write.Mb
Value: 304
Key : Analysis.Init.CPU.mSec
Value: 2467078
Key : Analysis.Init.Elapsed.mSec
Value: 34267867
Key : Analysis.Memory.CommitPeak.Mb
Value: 2048
Key : CLR.BuiltBy
Value: NET48REL1LAST_B
Key : CLR.Engine
Value: CLR
Key : CLR.Version
Value: 4.8.4614.0
Key : Timeline.OS.Boot.DeltaSec
Value: 59515
Key : WER.Process.Version
Value: 11.0.0.7520
NTGLOBALFLAG: 1000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 60d7f2a0 (HwordApp!CHncAABase::`vftable'+0x000220c4)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 60b8874c
Attempt to write to address 60b8874c
FAULTING_THREAD: 0000524c
PROCESS_NAME: HWord.exe
WRITE_ADDRESS: 60b8874c
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 60b8874c
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00afd4c0 600cad49 1165d7b8 00000000 2bd61b5c HwordApp!CHncAABase::`vftable'+0x220c4
00afd508 600d408e 00000000 2bd61b18 00afd76c HwordApp!SetInitFontCallbackFunc+0x5436d9
00afd54c 600e1132 1c270ac8 2bd61bd4 00afd76c HwordApp!SetInitFontCallbackFunc+0x54ca1e
00afd580 600dcd51 1c270ac8 2bd6185c 00afd76c HwordApp!SetInitFontCallbackFunc+0x559ac2
00afd608 606f6960 00afd778 114d1b58 606f6478 HwordApp!SetInitFontCallbackFunc+0x5556e1
00afd658 600eb9db 1113aa80 11661378 6004c8cf HwordApp!SetInitFontCallbackFunc+0xb6f2f0
00afdfa0 60372c99 1c1895b0 00000000 1c1895b0 HwordApp!SetInitFontCallbackFunc+0x56436b
00afdfd4 5fcde640 111c2e88 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x7eb629
00afdffc 5fcdc028 11544078 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x156fd0
00afe0d0 5fb93ee3 00000000 1bf967a8 00afe200 HwordApp!SetInitFontCallbackFunc+0x1549b8
00afe454 1ce9b974 1143df68 1c127754 618a9094 HwordApp!SetInitFontCallbackFunc+0xc873
00afe4bc 1ce99a16 00000000 00000000 06231228 0x1ce9b974
00afe584 1ce98ba8 062b97c8 00000000 00000000 0x1ce99a16
00afe5e0 19792fd5 00000000 00000000 00000001 0x1ce98ba8
00afe64c 03cef6a9 00000001 062d63ec 062d63fc 0x19792fd5
00afe664 03cec59e 00000001 062d63ec 062d5d0c 0x3cef6a9
00afe67c 6433e68b 062d63ec 00000000 062b9470 0x3cec59e
00afe694 642d9742 062d5ea8 00000000 00afe6bc PresentationFramework_ni+0x2fe68b
00afe6a4 6616ef52 00000001 062d5ea8 06244474 PresentationFramework_ni+0x299742
00afe6bc 6616ee95 00000001 00000000 00000000 WindowsBase_ni+0xdef52
00afe6f8 661711cd 00000000 00000001 00000000 WindowsBase_ni+0xdee95
00afe740 6616f67f 062d5f34 73538604 06233b44 WindowsBase_ni+0xe11cd
00afe7ac 73538537 00000000 062b913c 00000000 WindowsBase_ni+0xdf67f
00afe7c0 735384f4 00000000 062b913c 00000000 mscorlib_ni+0x3f8537
00afe7dc 66171093 062b913c 062d5f14 00000000 mscorlib_ni+0x3f84f4
00afe80c 66170e90 062b913c 00000000 00000000 WindowsBase_ni+0xe1093
00afe844 6616d456 00000000 06244548 00000000 WindowsBase_ni+0xe0e90
00afe884 6616c57c 00000000 00000000 062441d8 WindowsBase_ni+0xdd456
00afe8c0 6616e771 0624513c 00000000 00000000 WindowsBase_ni+0xdc57c
00afe8fc 6616ea5c 06244da4 00000000 00000000 WindowsBase_ni+0xde771
00afe91c 6616ef52 00000001 06233b44 06244474 WindowsBase_ni+0xdea5c
00afe934 6616ee95 00000001 06244d8c 00000000 WindowsBase_ni+0xdef52
00afe970 6616d072 00000000 00000001 06244d8c WindowsBase_ni+0xdee95
00afe9c8 6616e5c4 00000001 06244d8c 06244d6c WindowsBase_ni+0xdd072
00afea10 00dcd16e 00000000 00000000 0000c2b7 WindowsBase_ni+0xde5c4
00afea44 75f6139b 005f12ba 0000c2b7 00000000 0xdcd16e
00afea70 75f5836a 098b080e 005f12ba 0000c2b7 USER32!_InternalCallWinProc+0x2b
00afeb54 75f560da 098b080e 00000000 0000c2b7 USER32!UserCallWinProcCheckWow+0x33a
00afebc8 75f55ea0 00afec20 00afec10 661875f1 USER32!DispatchMessageWorker+0x22a
00afebd4 661875f1 00afec20 172c6a01 746610fc USER32!DispatchMessageW+0x10
00afec10 6616b3d7 062b6bb0 062441d8 005f12ba WindowsBase_ni+0xf75f1
00afec58 6616b319 062d63c8 00afec74 642d970c WindowsBase_ni+0xdb3d7
00afec64 642d970c 062b90a8 00000000 00afec94 WindowsBase_ni+0xdb319
00afec74 642d92ca 64049068 00000000 062d5d0c PresentationFramework_ni+0x29970c
00afec94 642d90be 062b9064 062d5d0c 00afecdc PresentationFramework_ni+0x2992ca
00afeca4 03cec37a 00afed20 062d335c ffffffff PresentationFramework_ni+0x2990be
00afecdc 03cec03a 06231fbc 062369c4 06231fd4 0x3cec37a
00afecf0 03ce0ede 062367c8 00afedb0 00000000 0x3cec03a
00afed08 74660556 037e9148 00afed68 7466373a 0x3ce0ede
00afed14 7466373a 00afedb0 00afed58 747fd410 clr!CallDescrWorkerInternal+0x34
00afed68 74669adb 00000000 06232310 00afedc4 clr!CallDescrWorkerWithHandler+0x6b
00afeddc 747dff6b 00afeeb8 140af152 00dcb178 clr!MethodDescCallSite::CallTargetWorker+0x16a
00afef00 747e064a 00afef44 00000000 140aef3e clr!RunMain+0x1b3
00aff16c 747e0577 00000000 140ae802 00410000 clr!Assembly::ExecuteMainMethod+0xf7
00aff650 747e06f8 140ae8fa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef
00aff6a8 747e081e 140ae8ba 00000000 747dc200 clr!ExecuteEXE+0x4c
00aff6e8 747dc225 140ae976 00000000 747dc200 clr!_CorExeMainInternal+0xdc
00aff724 74ecfa84 54d02650 74f64330 74ecfa20 clr!_CorExeMain+0x4d
00aff75c 74f5e81e 74f64330 74ec0000 00aff784 mscoreei!_CorExeMain+0xd6
00aff76c 74f64338 74f64330 770100c9 0089a000 MSCOREE!ShellShim__CorExeMain+0x9e
00aff784 770100c9 0089a000 770100b0 00aff7e0 MSCOREE!_CorExeMain_Exported+0x8
00aff784 77177b4e 0089a000 0c0e7b56 00000000 KERNEL32!BaseThreadInitThunk+0x19
00aff7e0 77177b1e ffffffff 77198c6d 00000000 ntdll!__RtlUserThreadStart+0x2f
00aff7f0 00000000 00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: HwordApp+220c4
MODULE_NAME: HwordApp
IMAGE_NAME: HwordApp.dll
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_HwordApp.dll!Unknown
OSPLATFORM_TYPE: x86
OSNAME: Windows 8
FAILURE_ID_HASH: {fc445afd-6168-8ca4-9347-8426f7991b4d}
Followup: MachineOwner
---------
0:000> lmvm HwordApp
Browse full module list
start end module name
5fb30000 61010000 HwordApp (export symbols) HwordApp.dll
Loaded symbol image file: HwordApp.dll
Mapped memory image file: c:\Program Files (x86)\Hnc\Office\HOffice110\Bin\HwordApp.dll
Image path: c:\Program Files (x86)\Hnc\Office\HOffice110\Bin\HwordApp.dll
Image name: HwordApp.dll
Browse all global symbols functions data
Timestamp: Tue Apr 18 08:04:58 2023 (643E330A)
CheckSum: 014BF78C
ImageSize: 014E0000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
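The life cycle established above (an object allocated, released when a second footerr element is processed, then reached again through a virtual call) as an added C model; this is not Hancom's code. The Footer and Doc types, the footerr handler and the alloc/free/use log are hypothetical stand-ins for the real HwordApp structures, and the log's liveness check plays the role the TTD malloc/free queries played in the analysis.

```c
/* Added example (not Hancom's code): a model of the bug class in the advisory.
 * The parser keeps two holders of a "footer" object pointer; a second footerr
 * control word frees and replaces the object but refreshes only one holder, so
 * a later virtual call dispatches through a stale vtable pointer. The event log
 * plays the role of the TTD Calls("malloc")/Calls("free") queries shown above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Footer Footer;
typedef struct { int (*render)(const Footer *self); } FooterVtbl; /* one slot, like [eax+68h] */
struct Footer { const FooterVtbl *vtbl; char text[32]; };
static int footer_render(const Footer *f) { return (int)strlen(f->text); }
static const FooterVtbl footer_vtbl = { footer_render };
/* Lifecycle log: every allocation, free and use of a footer object, in program order. */
typedef enum { EV_ALLOC, EV_FREE, EV_USE } EvKind;
typedef struct { EvKind kind; const void *ptr; } Event;
#define MAX_EVENTS 32
static Event g_log[MAX_EVENTS];
static int g_nlog;
static void record(EvKind kind, const void *ptr) {
    if (g_nlog < MAX_EVENTS) g_log[g_nlog++] = (Event){ kind, ptr };
}

/* Live if the most recent alloc/free event for ptr is an allocation. */
static int is_live(const void *ptr) {
    int live = 0;
    for (int i = 0; i < g_nlog; i++)
        if (g_log[i].ptr == ptr && g_log[i].kind != EV_USE) live = (g_log[i].kind == EV_ALLOC);
    return live;
}

static Footer *footer_new(const char *text) {
    Footer *f = calloc(1, sizeof *f);
    if (!f) abort();
    f->vtbl = &footer_vtbl;
    snprintf(f->text, sizeof f->text, "%s", text);
    record(EV_ALLOC, f);
    return f;
}
static void footer_free(Footer *f) { record(EV_FREE, f); free(f); }

/* Document state: the current footer plus a layout cache that also holds the pointer. */
typedef struct { Footer *current; Footer *layout_ref; } Doc;

/* footerr handler. Vulnerable: the layout cache is filled once and never refreshed,
 * so it keeps pointing at the object released here. Fixed: every holder is updated. */
static void on_footerr(Doc *d, const char *text, int fixed) {
    Footer *f = footer_new(text);
    if (d->current) footer_free(d->current);         /* old object released ... */
    d->current = f;
    if (fixed || !d->layout_ref) d->layout_ref = f;  /* ... cache refreshed only if fixed */
}

/* Layout pass: the virtual call through the cached pointer (mov eax,[esi]; call [eax+68h]).
 * Returns the rendered length, or -1 when the log shows alloc < free < use for that pointer.
 * The check stands in for the debugger; the real program simply dispatches and crashes. */
static int layout_pass(const Doc *d) {
    record(EV_USE, d->layout_ref);
    if (!is_live(d->layout_ref)) return -1;
    return d->layout_ref->vtbl->render(d->layout_ref);
}

/* Parse a document carrying two footerr elements, then run layout. */
static int run_scenario(int fixed) {
    Doc d = { NULL, NULL };
    g_nlog = 0;
    on_footerr(&d, "first footer", fixed);  /* alloc event for the first object              */
    on_footerr(&d, "second", fixed);        /* free event: first object released and replaced */
    int result = layout_pass(&d);           /* use event through whichever pointer is cached  */
    footer_free(d.current);
    return result;
}

int main(void) {
    printf("vulnerable: %d (-1 = use after free)\n", run_scenario(0));
    printf("fixed: %d (rendered text length)\n", run_scenario(1));
    return 0;
}
```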
2023-06-21 - Vendor Disclosure
2023-09-21 - Vendor Patch Release
2023-09-26 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.