Talos Vulnerability Report

TALOS-2023-1759

Hancom Office 2020 HWord footerr use-after-free vulnerability

September 26, 2023
CVE Number

CVE-2023-32541

SUMMARY

A use-after-free vulnerability exists in the footerr functionality of Hancom Office 2020 HWord 11.0.0.7520. A specially crafted .doc file can lead to a use-after-free. An attacker can trick a user into opening a malformed file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Hancom Office 2020 HWord 11.0.0.7520

PRODUCT URLS

Hancom Office 2020 - https://office.hancom.com/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

DETAILS

Hancom Office is considered one of the more popular Office suites used within South Korea.

After opening our malformed .doc file in HWord.exe under a debugger, we stop in the following place:

(37d8.524c): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 50FD1E:0
eax=60b8874c ebx=1bf9b880 ecx=1bf9b880 edx=1c242b58 esi=1bf9b880 edi=1165d7b8
eip=60d7f2a0 esp=00afd4ac ebp=00afd4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
HwordApp!CHncAABase::`vftable'+0x220c4:
60d7f2a0 0000            add     byte ptr [eax],al          ds:002b:60b8874c=d4
0:000> u
HwordApp!CHncAABase::`vftable'+0x220c4:
60d7f2a0 0000            add     byte ptr [eax],al
60d7f2a2 0000            add     byte ptr [eax],al
60d7f2a4 0000            add     byte ptr [eax],al
60d7f2a6 0000            add     byte ptr [eax],al
60d7f2a8 0000            add     byte ptr [eax],al
60d7f2aa 0000            add     byte ptr [eax],al
60d7f2ac 44              inc     esp
60d7f2ad f0ed            lock in eax,dx

0:000> !address 60d7f2a0 


Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...

Usage:                  Image
Base Address:           603b4000
End Address:            606e2000
Region Size:            0032e000 (   3.180 MB)
State:                  00001000          MEM_COMMIT
Protect:                00000002          PAGE_READONLY
Type:                   01000000          MEM_IMAGE
Allocation Base:        60360000
Allocation Protect:     00000080          PAGE_EXECUTE_WRITECOPY
Image Path:             c:\Program Files (x86)\Hnc\Office\HOffice110\Bin\HwordApp.dll
Module Name:            HwordApp
Loaded Image Name:      c:\Program Files (x86)\Hnc\Office\HOffice110\Bin\HwordApp.dll

It looks like we have landed in an executable region of code, but at the wrong address, taking into account appearance of the instructions. Stepping back, we can see the instruction that brought us to the above code was a virtual function call:

0:000> p-
Time Travel Position: 50FD1D:65
eax=60b8874c ebx=1bf9b880 ecx=1bf9b880 edx=1c242b58 esi=1bf9b880 edi=1165d7b8
eip=605ef1ff esp=00afd4b0 ebp=00afd4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
HwordApp!SetInitFontCallbackFunc+0xa67b8f:
605ef1ff ff5068          call    dword ptr [eax+68h]  ds:002b:60b887b4=60d7f2a0

605ef1e0 55         push    ebp
605ef1e1 8bec       mov     ebp, esp
605ef1e3 56         push    esi
605ef1e4 57         push    edi
605ef1e5 8b7d08     mov     edi, dword ptr [ebp+8]
605ef1e8 8bf1       mov     esi, ecx
605ef1ea 85ff       test    edi, edi
605ef1ec 741c       je      605EF20A
605ef1ee 8b06       mov     eax, dword ptr [esi]
605ef1f0 57         push    edi
605ef1f1 8b4014     mov     eax, dword ptr [eax+14h]
605ef1f4 ffd0       call    eax
605ef1f6 84c0       test    al, al
605ef1f8 7410       je      605EF20A
605ef1fa 8b06       mov     eax, dword ptr [esi]
605ef1fc 8bce       mov     ecx, esi
605ef1fe 57         push    edi
605ef1ff ff5068     call    dword ptr [eax+68h]
605ef202 5f         pop     edi
605ef203 b001       mov     al, 1
605ef205 5e         pop     esi
605ef206 5d         pop     ebp
605ef207 c20800     ret     8
605ef20a 5f         pop     edi
605ef20b 32c0       xor     al, al
605ef20d 5e         pop     esi
605ef20e 5d         pop     ebp
605ef20f c20800     ret     8    

Further investigation reveals that object pointed to by (esi)this pointer was de-allocated previously, and we can talk here about a typical use-after-free scenario. We are currently in TTP equal : Time Travel Position: 50FD1D:65 and looking for allocation and deallocation operations related to the 1bf9b880 pointer. We obtain the following results:

One allocation event at TTP: 50E857:1A70

0:000> dx -g @$cursession.TTD.Calls("MSVCR120!malloc").Where( c => c.ReturnValue == 0x1bf9b880)
========================================================================================================================================================================================================================================================================================
=              = (+) EventType = (+) ThreadId = (+) UniqueThreadId = (+) TimeStart  = (+) TimeEnd  = (+) Function       = (+) FunctionAddress = (+) ReturnAddress = (+) ReturnValue = (+) Parameters = (+) SystemTimeStart                    = (+) SystemTimeEnd                      =
========================================================================================================================================================================================================================================================================================
= [0x3b3ca]    - 0x0           - 0x524c       - 0x2                - 50E857:1A70    - 50E85F:3B    - MSVCR120!malloc    - 0x6164ed10          - 0x6164ee1c        - 0x1bf9b880      - {...}          - Thursday, June 1, 2023 10:45:21.956    - Thursday, June 1, 2023 10:45:21.956    =
========================================================================================================================================================================================================================================================================================

0:000> kb
 # ChildEBP RetAddr      Args to Child              
00 00afd534 6164ee1c     00000040 00afd540 5fb7d733 MSVCR120!malloc [f:\dd\vctools\crt\crtw32\heap\malloc.c @ 84] 
01 00afd534 616e6274     00000040 00afd580 600e0f43 MSVCR120!operator new+0x1d [f:\dd\vctools\crt\crtw32\heap\new.cpp @ 59] 
02 00afd540 600e0f43     00000040 00000001 60b95a10 MSVCR120!operator new+0xb [f:\dd\vctools\crt\crtw32\misc\dbgnew.cpp @ 127] 
WARNING: Stack unwind information not available. Following frames may be wrong.
03 00afd580 600dcd51     1c269740 2bd6185c 00afd76c HwordApp!SetInitFontCallbackFunc+0x5598d3
04 00afd608 606f6960     00afd778 114d1b58 606f6478 HwordApp!SetInitFontCallbackFunc+0x5556e1
05 00afd658 600eb9db     1113aa80 11661378 6004c8cf HwordApp!SetInitFontCallbackFunc+0xb6f2f0
06 00afdfa0 60372c99     1c1895b0 00000000 1c1895b0 HwordApp!SetInitFontCallbackFunc+0x56436b
07 00afdfd4 5fcde640     111c2e88 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x7eb629
08 00afdffc 5fcdc028     11544078 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x156fd0
09 00afe0d0 5fb93ee3     00000000 1bf967a8 00afe200 HwordApp!SetInitFontCallbackFunc+0x1549b8
0a 00afe454 1ce9b974     1143df68 1c127754 618a9094 HwordApp!SetInitFontCallbackFunc+0xc873
0b 00afe4bc 1ce99a16     00000000 00000000 06231228 0x1ce9b974
0c 00afe584 1ce98ba8     062b97c8 00000000 00000000 0x1ce99a16
0d 00afe5e0 19792fd5     00000000 00000000 00000001 0x1ce98ba8
0e 00afe64c 03cef6a9     00000001 062d63ec 062d63fc 0x19792fd5
0f 00afe664 03cec59e     00000001 062d63ec 062d5d0c 0x3cef6a9
10 00afe67c 6433e68b     062d63ec 00000000 062b9470 0x3cec59e
11 00afe694 642d9742     062d5ea8 00000000 00afe6bc PresentationFramework_ni+0x2fe68b
12 00afe6a4 6616ef52     00000001 062d5ea8 06244474 PresentationFramework_ni+0x299742
13 00afe6bc 6616ee95     00000001 00000000 00000000 WindowsBase_ni+0xdef52
14 00afe6f8 661711cd     00000000 00000001 00000000 WindowsBase_ni+0xdee95
15 00afe740 6616f67f     062d5f34 73538604 06233b44 WindowsBase_ni+0xe11cd
16 00afe7ac 73538537     00000000 062b913c 00000000 WindowsBase_ni+0xdf67f
17 00afe7c0 735384f4     00000000 062b913c 00000000 mscorlib_ni+0x3f8537
18 00afe7dc 66171093     062b913c 062d5f14 00000000 mscorlib_ni+0x3f84f4
19 00afe80c 66170e90     062b913c 00000000 00000000 WindowsBase_ni+0xe1093
1a 00afe844 6616d456     00000000 06244548 00000000 WindowsBase_ni+0xe0e90
1b 00afe884 6616c57c     00000000 00000000 062441d8 WindowsBase_ni+0xdd456
1c 00afe8c0 6616e771     0624513c 00000000 00000000 WindowsBase_ni+0xdc57c
1d 00afe8fc 6616ea5c     06244da4 00000000 00000000 WindowsBase_ni+0xde771
1e 00afe91c 6616ef52     00000001 06233b44 06244474 WindowsBase_ni+0xdea5c
1f 00afe934 6616ee95     00000001 06244d8c 00000000 WindowsBase_ni+0xdef52
20 00afe970 6616d072     00000000 00000001 06244d8c WindowsBase_ni+0xdee95
21 00afe9c8 6616e5c4     00000001 06244d8c 06244d6c WindowsBase_ni+0xdd072
22 00afea10 00dcd16e     00000000 00000000 0000c2b7 WindowsBase_ni+0xde5c4
23 00afea44 75f6139b     005f12ba 0000c2b7 00000000 0xdcd16e
24 00afea70 75f5836a     098b080e 005f12ba 0000c2b7 USER32!_InternalCallWinProc+0x2b
25 00afeb54 75f560da     098b080e 00000000 0000c2b7 USER32!UserCallWinProcCheckWow+0x33a
26 00afebc8 75f55ea0     00afec20 00afec10 661875f1 USER32!DispatchMessageWorker+0x22a
27 00afebd4 661875f1     00afec20 172c6a01 746610fc USER32!DispatchMessageW+0x10
28 00afec10 6616b3d7     062b6bb0 062441d8 005f12ba WindowsBase_ni+0xf75f1
29 00afec58 6616b319     062d63c8 00afec74 642d970c WindowsBase_ni+0xdb3d7
2a 00afec64 642d970c     062b90a8 00000000 00afec94 WindowsBase_ni+0xdb319
2b 00afec74 642d92ca     64049068 00000000 062d5d0c PresentationFramework_ni+0x29970c
2c 00afec94 642d90be     062b9064 062d5d0c 00afecdc PresentationFramework_ni+0x2992ca
2d 00afeca4 03cec37a     00afed20 062d335c ffffffff PresentationFramework_ni+0x2990be
2e 00afecdc 03cec03a     06231fbc 062369c4 06231fd4 0x3cec37a
2f 00afecf0 03ce0ede     062367c8 00afedb0 00000000 0x3cec03a
30 00afed08 74660556     037e9148 00afed68 7466373a 0x3ce0ede
31 00afed14 7466373a     00afedb0 00afed58 747fd410 clr!CallDescrWorkerInternal+0x34
32 00afed68 74669adb     00000000 06232310 00afedc4 clr!CallDescrWorkerWithHandler+0x6b
33 00afeddc 747dff6b     00afeeb8 140af152 00dcb178 clr!MethodDescCallSite::CallTargetWorker+0x16a
34 00afef00 747e064a     00afef44 00000000 140aef3e clr!RunMain+0x1b3
35 00aff16c 747e0577     00000000 140ae802 00410000 clr!Assembly::ExecuteMainMethod+0xf7
36 00aff650 747e06f8     140ae8fa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef
37 00aff6a8 747e081e     140ae8ba 00000000 747dc200 clr!ExecuteEXE+0x4c
38 00aff6e8 747dc225     140ae976 00000000 747dc200 clr!_CorExeMainInternal+0xdc
39 00aff724 74ecfa84     54d02650 74f64330 74ecfa20 clr!_CorExeMain+0x4d
3a 00aff75c 74f5e81e     74f64330 74ec0000 00aff784 mscoreei!_CorExeMain+0xd6
3b 00aff76c 74f64338     74f64330 770100c9 0089a000 MSCOREE!ShellShim__CorExeMain+0x9e
3c 00aff784 770100c9     0089a000 770100b0 00aff7e0 MSCOREE!_CorExeMain_Exported+0x8
3d 00aff784 77177b4e     0089a000 0c0e7b56 00000000 KERNEL32!BaseThreadInitThunk+0x19
3e 00aff7e0 77177b1e     ffffffff 77198c6d 00000000 ntdll!__RtlUserThreadStart+0x2f
3f 00aff7f0 00000000     00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b

And one event related to the de-allocation, TTP: 50F8C5:54

0:000> dx -g @$cursession.TTD.Calls("MSVCR120!free").Where(c => c.Parameters.pBlock == 0x1bf9b880)
===================================================================================================================================================================================================================================================================
=              = (+) EventType = (+) ThreadId = (+) UniqueThreadId = (+) TimeStart = (+) TimeEnd  = (+) Function     = (+) FunctionAddress = (+) ReturnAddress = (+) Parameters = (+) SystemTimeStart                    = (+) SystemTimeEnd                      =
===================================================================================================================================================================================================================================================================
= [0x2f170]    - 0x0           - 0x524c       - 0x2                - 50F8C5:54     - 50F8CF:3F    - MSVCR120!free    - 0x6164ece0          - 0x606a583d        - {...}          - Thursday, June 1, 2023 10:45:22.112    - Thursday, June 1, 2023 10:45:22.112    =
===================================================================================================================================================================================================================================================================

0:000> kb
 # ChildEBP RetAddr      Args to Child              
00 00afd518 606a583d     1bf9b880 00000001 00afd540 MSVCR120!free [f:\dd\vctools\crt\crtw32\heap\free.c @ 40] 
WARNING: Stack unwind information not available. Following frames may be wrong.
01 00afd518 600edb34     00000001 00afd76c 111a0b10 HwordApp!SetInitFontCallbackFunc+0xb1e1cd
02 00afd540 600e103b     11661488 111a0b10 0000009e HwordApp!SetInitFontCallbackFunc+0x5664c4
03 00afd580 600dcd51     1bf9be58 2bd6185c 00afd76c HwordApp!SetInitFontCallbackFunc+0x5599cb
04 00afd608 606f6960     00afd778 114d1b58 606f6478 HwordApp!SetInitFontCallbackFunc+0x5556e1
05 00afd658 600eb9db     1113aa80 11661378 6004c8cf HwordApp!SetInitFontCallbackFunc+0xb6f2f0
06 00afdfa0 60372c99     1c1895b0 00000000 1c1895b0 HwordApp!SetInitFontCallbackFunc+0x56436b
07 00afdfd4 5fcde640     111c2e88 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x7eb629
08 00afdffc 5fcdc028     11544078 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x156fd0
09 00afe0d0 5fb93ee3     00000000 1bf967a8 00afe200 HwordApp!SetInitFontCallbackFunc+0x1549b8
0a 00afe454 1ce9b974     1143df68 1c127754 618a9094 HwordApp!SetInitFontCallbackFunc+0xc873
0b 00afe4bc 1ce99a16     00000000 00000000 06231228 0x1ce9b974
0c 00afe584 1ce98ba8     062b97c8 00000000 00000000 0x1ce99a16
0d 00afe5e0 19792fd5     00000000 00000000 00000001 0x1ce98ba8
0e 00afe64c 03cef6a9     00000001 062d63ec 062d63fc 0x19792fd5
0f 00afe664 03cec59e     00000001 062d63ec 062d5d0c 0x3cef6a9
10 00afe67c 6433e68b     062d63ec 00000000 062b9470 0x3cec59e
11 00afe694 642d9742     062d5ea8 00000000 00afe6bc PresentationFramework_ni+0x2fe68b
12 00afe6a4 6616ef52     00000001 062d5ea8 06244474 PresentationFramework_ni+0x299742
13 00afe6bc 6616ee95     00000001 00000000 00000000 WindowsBase_ni+0xdef52
14 00afe6f8 661711cd     00000000 00000001 00000000 WindowsBase_ni+0xdee95
15 00afe740 6616f67f     062d5f34 73538604 06233b44 WindowsBase_ni+0xe11cd
16 00afe7ac 73538537     00000000 062b913c 00000000 WindowsBase_ni+0xdf67f
17 00afe7c0 735384f4     00000000 062b913c 00000000 mscorlib_ni+0x3f8537
18 00afe7dc 66171093     062b913c 062d5f14 00000000 mscorlib_ni+0x3f84f4
19 00afe80c 66170e90     062b913c 00000000 00000000 WindowsBase_ni+0xe1093
1a 00afe844 6616d456     00000000 06244548 00000000 WindowsBase_ni+0xe0e90
1b 00afe884 6616c57c     00000000 00000000 062441d8 WindowsBase_ni+0xdd456
1c 00afe8c0 6616e771     0624513c 00000000 00000000 WindowsBase_ni+0xdc57c
1d 00afe8fc 6616ea5c     06244da4 00000000 00000000 WindowsBase_ni+0xde771
1e 00afe91c 6616ef52     00000001 06233b44 06244474 WindowsBase_ni+0xdea5c
1f 00afe934 6616ee95     00000001 06244d8c 00000000 WindowsBase_ni+0xdef52
20 00afe970 6616d072     00000000 00000001 06244d8c WindowsBase_ni+0xdee95
21 00afe9c8 6616e5c4     00000001 06244d8c 06244d6c WindowsBase_ni+0xdd072
22 00afea10 00dcd16e     00000000 00000000 0000c2b7 WindowsBase_ni+0xde5c4
23 00afea44 75f6139b     005f12ba 0000c2b7 00000000 0xdcd16e
24 00afea70 75f5836a     098b080e 005f12ba 0000c2b7 USER32!_InternalCallWinProc+0x2b
25 00afeb54 75f560da     098b080e 00000000 0000c2b7 USER32!UserCallWinProcCheckWow+0x33a
26 00afebc8 75f55ea0     00afec20 00afec10 661875f1 USER32!DispatchMessageWorker+0x22a
27 00afebd4 661875f1     00afec20 172c6a01 746610fc USER32!DispatchMessageW+0x10
28 00afec10 6616b3d7     062b6bb0 062441d8 005f12ba WindowsBase_ni+0xf75f1
29 00afec58 6616b319     062d63c8 00afec74 642d970c WindowsBase_ni+0xdb3d7
2a 00afec64 642d970c     062b90a8 00000000 00afec94 WindowsBase_ni+0xdb319
2b 00afec74 642d92ca     64049068 00000000 062d5d0c PresentationFramework_ni+0x29970c
2c 00afec94 642d90be     062b9064 062d5d0c 00afecdc PresentationFramework_ni+0x2992ca
2d 00afeca4 03cec37a     00afed20 062d335c ffffffff PresentationFramework_ni+0x2990be
2e 00afecdc 03cec03a     06231fbc 062369c4 06231fd4 0x3cec37a
2f 00afecf0 03ce0ede     062367c8 00afedb0 00000000 0x3cec03a
30 00afed08 74660556     037e9148 00afed68 7466373a 0x3ce0ede
31 00afed14 7466373a     00afedb0 00afed58 747fd410 clr!CallDescrWorkerInternal+0x34
32 00afed68 74669adb     00000000 06232310 00afedc4 clr!CallDescrWorkerWithHandler+0x6b
33 00afeddc 747dff6b     00afeeb8 140af152 00dcb178 clr!MethodDescCallSite::CallTargetWorker+0x16a
34 00afef00 747e064a     00afef44 00000000 140aef3e clr!RunMain+0x1b3
35 00aff16c 747e0577     00000000 140ae802 00410000 clr!Assembly::ExecuteMainMethod+0xf7
36 00aff650 747e06f8     140ae8fa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef
37 00aff6a8 747e081e     140ae8ba 00000000 747dc200 clr!ExecuteEXE+0x4c
38 00aff6e8 747dc225     140ae976 00000000 747dc200 clr!_CorExeMainInternal+0xdc
39 00aff724 74ecfa84     54d02650 74f64330 74ecfa20 clr!_CorExeMain+0x4d
3a 00aff75c 74f5e81e     74f64330 74ec0000 00aff784 mscoreei!_CorExeMain+0xd6
3b 00aff76c 74f64338     74f64330 770100c9 0089a000 MSCOREE!ShellShim__CorExeMain+0x9e
3c 00aff784 770100c9     0089a000 770100b0 00aff7e0 MSCOREE!_CorExeMain_Exported+0x8
3d 00aff784 77177b4e     0089a000 0c0e7b56 00000000 KERNEL32!BaseThreadInitThunk+0x19
3e 00aff7e0 77177b1e     ffffffff 77198c6d 00000000 ntdll!__RtlUserThreadStart+0x2f
3f 00aff7f0 00000000     00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b    

If we track the object’s life cycle more closely, it turns out that the following situation happens when we use at least two footerr elements inside RTF file. This situation leads to the proper allocation of the proper object, but also to its deallocation and its re-use. Proper heap grooming can give an attacker full control of this use-after-free vulnerability, and as a result could allow it to be turned into arbitrary code execution.

Crash Information

0:000> g
(37d8.524c): Access violation - code c0000005 (first/second chance not available)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Time Travel Position: 50FD1E:0
eax=60b8874c ebx=1bf9b880 ecx=1bf9b880 edx=1c242b58 esi=1bf9b880 edi=1165d7b8
eip=60d7f2a0 esp=00afd4ac ebp=00afd4c0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
HwordApp!CHncAABase::`vftable'+0x220c4:
60d7f2a0 0000            add     byte ptr [eax],al          ds:002b:60b8874c=d4
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Failed to request MethodData, not in JIT code range
MethodDesc:   197a15c8
Method Name:  HwordAppModule.HwordDocProxy.Open(HwordAppModule.HwordFrameProxy, System.String, System.String, Int32, Int32)
Class:        1975a730
MethodTable:  197a1778
mdToken:      060002d7
Module:       04172eb0
IsJitted:     yes
CodeAddr:     1ce9b8d8
Transparency: Safe critical
MethodDesc:   1103756c
Method Name:  Hword.HwordFrame._OpenDocument(System.String, HwordDefine.OpenAttr, Boolean, Boolean, Boolean, System.String)
Class:        147c886c
MethodTable:  11037ad0
mdToken:      06001244
Module:       00dc4044
IsJitted:     yes
CodeAddr:     1ce99738
Transparency: Critical
MethodDesc:   11037560
Method Name:  Hword.HwordFrame.OpenDocument(System.String, HwordDefine.OpenType, HwordDefine.OpenAttr, Boolean)
Class:        147c886c
MethodTable:  11037ad0
mdToken:      06001243
Module:       00dc4044
IsJitted:     yes
CodeAddr:     1ce98780
Transparency: Critical
MethodDesc:   0417d4b0
Method Name:  Hword.HwordApp.ProcessShellCommand(Hnc.Static.CommandParser, Boolean)
Class:        08933210
MethodTable:  0417d640
mdToken:      06001157
Module:       00dc4044
IsJitted:     yes
CodeAddr:     19792c20
Transparency: Critical
MethodDesc:   00dcb210
Method Name:  Hword.HwordAppMain.StartApp(Hnc.Static.CommandParser, Boolean)
Class:        04337ac4
MethodTable:  00dcb294
mdToken:      0600073b
Module:       00dc4044
IsJitted:     yes
CodeAddr:     03cef4b0
Transparency: Critical
MethodDesc:   00dcb1a8
Method Name:  Hword.HwordAppMain.OnApplicationStartup(System.Object, System.Windows.StartupEventArgs)
Class:        04337ac4
MethodTable:  00dcb294
mdToken:      06000735
Module:       00dc4044
IsJitted:     yes
CodeAddr:     03cec540
Transparency: Critical

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Write

    Key  : Analysis.CPU.mSec
    Value: 9937

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 35447

    Key  : Analysis.IO.Other.Mb
    Value: 113

    Key  : Analysis.IO.Read.Mb
    Value: 15

    Key  : Analysis.IO.Write.Mb
    Value: 304

    Key  : Analysis.Init.CPU.mSec
    Value: 2467078

    Key  : Analysis.Init.Elapsed.mSec
    Value: 34267867

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 2048

    Key  : CLR.BuiltBy
    Value: NET48REL1LAST_B

    Key  : CLR.Engine
    Value: CLR

    Key  : CLR.Version
    Value: 4.8.4614.0

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 59515

    Key  : WER.Process.Version
    Value: 11.0.0.7520


NTGLOBALFLAG:  1000

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 60d7f2a0 (HwordApp!CHncAABase::`vftable'+0x000220c4)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 60b8874c
Attempt to write to address 60b8874c

FAULTING_THREAD:  0000524c

PROCESS_NAME:  HWord.exe

WRITE_ADDRESS:  60b8874c 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  60b8874c

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
00afd4c0 600cad49     1165d7b8 00000000 2bd61b5c HwordApp!CHncAABase::`vftable'+0x220c4
00afd508 600d408e     00000000 2bd61b18 00afd76c HwordApp!SetInitFontCallbackFunc+0x5436d9
00afd54c 600e1132     1c270ac8 2bd61bd4 00afd76c HwordApp!SetInitFontCallbackFunc+0x54ca1e
00afd580 600dcd51     1c270ac8 2bd6185c 00afd76c HwordApp!SetInitFontCallbackFunc+0x559ac2
00afd608 606f6960     00afd778 114d1b58 606f6478 HwordApp!SetInitFontCallbackFunc+0x5556e1
00afd658 600eb9db     1113aa80 11661378 6004c8cf HwordApp!SetInitFontCallbackFunc+0xb6f2f0
00afdfa0 60372c99     1c1895b0 00000000 1c1895b0 HwordApp!SetInitFontCallbackFunc+0x56436b
00afdfd4 5fcde640     111c2e88 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x7eb629
00afdffc 5fcdc028     11544078 00afe034 11266c3c HwordApp!SetInitFontCallbackFunc+0x156fd0
00afe0d0 5fb93ee3     00000000 1bf967a8 00afe200 HwordApp!SetInitFontCallbackFunc+0x1549b8
00afe454 1ce9b974     1143df68 1c127754 618a9094 HwordApp!SetInitFontCallbackFunc+0xc873
00afe4bc 1ce99a16     00000000 00000000 06231228 0x1ce9b974
00afe584 1ce98ba8     062b97c8 00000000 00000000 0x1ce99a16
00afe5e0 19792fd5     00000000 00000000 00000001 0x1ce98ba8
00afe64c 03cef6a9     00000001 062d63ec 062d63fc 0x19792fd5
00afe664 03cec59e     00000001 062d63ec 062d5d0c 0x3cef6a9
00afe67c 6433e68b     062d63ec 00000000 062b9470 0x3cec59e
00afe694 642d9742     062d5ea8 00000000 00afe6bc PresentationFramework_ni+0x2fe68b
00afe6a4 6616ef52     00000001 062d5ea8 06244474 PresentationFramework_ni+0x299742
00afe6bc 6616ee95     00000001 00000000 00000000 WindowsBase_ni+0xdef52
00afe6f8 661711cd     00000000 00000001 00000000 WindowsBase_ni+0xdee95
00afe740 6616f67f     062d5f34 73538604 06233b44 WindowsBase_ni+0xe11cd
00afe7ac 73538537     00000000 062b913c 00000000 WindowsBase_ni+0xdf67f
00afe7c0 735384f4     00000000 062b913c 00000000 mscorlib_ni+0x3f8537
00afe7dc 66171093     062b913c 062d5f14 00000000 mscorlib_ni+0x3f84f4
00afe80c 66170e90     062b913c 00000000 00000000 WindowsBase_ni+0xe1093
00afe844 6616d456     00000000 06244548 00000000 WindowsBase_ni+0xe0e90
00afe884 6616c57c     00000000 00000000 062441d8 WindowsBase_ni+0xdd456
00afe8c0 6616e771     0624513c 00000000 00000000 WindowsBase_ni+0xdc57c
00afe8fc 6616ea5c     06244da4 00000000 00000000 WindowsBase_ni+0xde771
00afe91c 6616ef52     00000001 06233b44 06244474 WindowsBase_ni+0xdea5c
00afe934 6616ee95     00000001 06244d8c 00000000 WindowsBase_ni+0xdef52
00afe970 6616d072     00000000 00000001 06244d8c WindowsBase_ni+0xdee95
00afe9c8 6616e5c4     00000001 06244d8c 06244d6c WindowsBase_ni+0xdd072
00afea10 00dcd16e     00000000 00000000 0000c2b7 WindowsBase_ni+0xde5c4
00afea44 75f6139b     005f12ba 0000c2b7 00000000 0xdcd16e
00afea70 75f5836a     098b080e 005f12ba 0000c2b7 USER32!_InternalCallWinProc+0x2b
00afeb54 75f560da     098b080e 00000000 0000c2b7 USER32!UserCallWinProcCheckWow+0x33a
00afebc8 75f55ea0     00afec20 00afec10 661875f1 USER32!DispatchMessageWorker+0x22a
00afebd4 661875f1     00afec20 172c6a01 746610fc USER32!DispatchMessageW+0x10
00afec10 6616b3d7     062b6bb0 062441d8 005f12ba WindowsBase_ni+0xf75f1
00afec58 6616b319     062d63c8 00afec74 642d970c WindowsBase_ni+0xdb3d7
00afec64 642d970c     062b90a8 00000000 00afec94 WindowsBase_ni+0xdb319
00afec74 642d92ca     64049068 00000000 062d5d0c PresentationFramework_ni+0x29970c
00afec94 642d90be     062b9064 062d5d0c 00afecdc PresentationFramework_ni+0x2992ca
00afeca4 03cec37a     00afed20 062d335c ffffffff PresentationFramework_ni+0x2990be
00afecdc 03cec03a     06231fbc 062369c4 06231fd4 0x3cec37a
00afecf0 03ce0ede     062367c8 00afedb0 00000000 0x3cec03a
00afed08 74660556     037e9148 00afed68 7466373a 0x3ce0ede
00afed14 7466373a     00afedb0 00afed58 747fd410 clr!CallDescrWorkerInternal+0x34
00afed68 74669adb     00000000 06232310 00afedc4 clr!CallDescrWorkerWithHandler+0x6b
00afeddc 747dff6b     00afeeb8 140af152 00dcb178 clr!MethodDescCallSite::CallTargetWorker+0x16a
00afef00 747e064a     00afef44 00000000 140aef3e clr!RunMain+0x1b3
00aff16c 747e0577     00000000 140ae802 00410000 clr!Assembly::ExecuteMainMethod+0xf7
00aff650 747e06f8     140ae8fa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef
00aff6a8 747e081e     140ae8ba 00000000 747dc200 clr!ExecuteEXE+0x4c
00aff6e8 747dc225     140ae976 00000000 747dc200 clr!_CorExeMainInternal+0xdc
00aff724 74ecfa84     54d02650 74f64330 74ecfa20 clr!_CorExeMain+0x4d
00aff75c 74f5e81e     74f64330 74ec0000 00aff784 mscoreei!_CorExeMain+0xd6
00aff76c 74f64338     74f64330 770100c9 0089a000 MSCOREE!ShellShim__CorExeMain+0x9e
00aff784 770100c9     0089a000 770100b0 00aff7e0 MSCOREE!_CorExeMain_Exported+0x8
00aff784 77177b4e     0089a000 0c0e7b56 00000000 KERNEL32!BaseThreadInitThunk+0x19
00aff7e0 77177b1e     ffffffff 77198c6d 00000000 ntdll!__RtlUserThreadStart+0x2f
00aff7f0 00000000     00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  ~0s ; .cxr ; kb

SYMBOL_NAME:  HwordApp+220c4

MODULE_NAME: HwordApp

IMAGE_NAME:  HwordApp.dll

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_HwordApp.dll!Unknown

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 8

FAILURE_ID_HASH:  {fc445afd-6168-8ca4-9347-8426f7991b4d}

Followup:     MachineOwner
---------

0:000> lmvm HwordApp
Browse full module list
start    end        module name
5fb30000 61010000   HwordApp   (export symbols)       HwordApp.dll
    Loaded symbol image file: HwordApp.dll
    Mapped memory image file: c:\Program Files (x86)\Hnc\Office\HOffice110\Bin\HwordApp.dll
    Image path: c:\Program Files (x86)\Hnc\Office\HOffice110\Bin\HwordApp.dll
    Image name: HwordApp.dll
    Browse all global symbols  functions  data
    Timestamp:        Tue Apr 18 08:04:58 2023 (643E330A)
    CheckSum:         014BF78C
    ImageSize:        014E0000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:
TIMELINE

2023-06-21 - Vendor Disclosure
2023-09-21 - Vendor Patch Release
2023-09-26 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.