Analysis of CVE-2016-0035, A Remote Code Execution in Microsoft Office Excel

15 Dec

Recently I discovered a Use-After-Free vulnerability in Microsoft’s Excel application (affecting all versions) when processing specially crafted binary Excel files. This vulnerability can allow Remote Code Execution, yet Microsoft refuses to patch it because a ‘popup’ is considered a ‘defense in depth’ approach. Let's take a look at what this popup looks like:


Ask yourself: if you were opening a trusted file, from say an email, would you click ‘yes’ to this popup? The likely answer is yes, because after all, it's a trusted file and it came from a trusted (at least you think) source. Despite the popup being fired, the vulnerability triggers anyway after a few seconds if the user selects ‘yes’, closes the popup or totally ignores it. So what is the impact?

Well, if the user does anything other than select ‘no’ within 1 second, and we have enabled page heap and user-mode stack trace on the EXCEL.EXE binary, you will likely see this:

(868.15c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=221beff0 ebx=001c2602 ecx=08a1dff0 edx=00000001 esi=00000000 edi=00000001
eip=2fed37f1 esp=001c2264 ebp=001c2294 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
2fed37f1 663b5004        cmp     dx,word ptr [eax+4]      ds:0023:221beff4=????
0:000> !heap -p -a @eax
    address 221beff0 found in
    _DPH_HEAP_ROOT @ 11d1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   22d31a5c:         221be000             2000
    716690b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    773a6dbc ntdll!RtlDebugFreeHeap+0x0000002f
    7736a4c7 ntdll!RtlpFreeHeap+0x0000005d
    77336896 ntdll!RtlFreeHeap+0x00000142
    75b6c4d4 kernel32!HeapFree+0x00000014
    62296f1b mso!Ordinal9770+0x00007bef
    2f98cde3 EXCEL!Ordinal40+0x0022cde3
    2f9e2e82 EXCEL!Ordinal40+0x00282e82
    2f9e2b35 EXCEL!Ordinal40+0x00282b35
    2fa26427 EXCEL!Ordinal40+0x002c6427
    2fa260b6 EXCEL!Ordinal40+0x002c60b6
    2fa24e39 EXCEL!Ordinal40+0x002c4e39
    2fa21994 EXCEL!Ordinal40+0x002c1994
    2fa24a26 EXCEL!Ordinal40+0x002c4a26
    2fa1f82c EXCEL!Ordinal40+0x002bf82c
    2fa1e336 EXCEL!Ordinal40+0x002be336
    2fa1d992 EXCEL!Ordinal40+0x002bd992
    2fa1ced6 EXCEL!Ordinal40+0x002bced6
    2fff23cd EXCEL!Ordinal40+0x008923cd
    3002c86e EXCEL!Ordinal40+0x008cc86e
    300316f1 EXCEL!Ordinal40+0x008d16f1
    30032050 EXCEL!Ordinal40+0x008d2050
    30042046 EXCEL!Ordinal40+0x008e2046
    62076292 mso!Ordinal9994+0x000024c7
    620766cb mso!Ordinal4158+0x000001d8
    6205992d mso!Ordinal9839+0x00000ff0
    6205a0df mso!Ordinal143+0x00000415
    61b50593 mso!Ordinal6326+0x00003b30
    6207621f mso!Ordinal9994+0x00002454
    6175882e mso!Ordinal53+0x0000083b
    617585bc mso!Ordinal53+0x000005c9
    6175744a mso!Ordinal7509+0x00000060
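To make the verdict from that page-heap output mechanical, here is an added triage helper (my own example, not tooling from the original post) that parses a WinDbg transcript like the one above, checks that the faulting address lies inside the block `!heap -p -a` reports as freed, and names the first frame of the freeing stack that is outside the heap machinery. The sample transcript embedded below is a trimmed copy of the output above.

```python
import re

# Constructed sample: the page-heap transcript from the post, trimmed to the
# lines the parser needs (faulting instruction, !heap -p -a output, free stack).
SAMPLE = """\
2fed37f1 663b5004        cmp     dx,word ptr [eax+4]      ds:0023:221beff4=????
0:000> !heap -p -a @eax
    address 221beff0 found in
    _DPH_HEAP_ROOT @ 11d1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   22d31a5c:         221be000             2000
    716690b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    773a6dbc ntdll!RtlDebugFreeHeap+0x0000002f
    7736a4c7 ntdll!RtlpFreeHeap+0x0000005d
    77336896 ntdll!RtlFreeHeap+0x00000142
    75b6c4d4 kernel32!HeapFree+0x00000014
    62296f1b mso!Ordinal9770+0x00007bef
    2f98cde3 EXCEL!Ordinal40+0x0022cde3
"""

# Faulting data address as WinDbg prints it after the instruction: ds:0023:221beff4=????
FAULT_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=\?\?\?\?")
# The DPH_HEAP_BLOCK line: <block>: <VirtAddr> <VirtSize>
BLOCK_RE = re.compile(r"^\s*[0-9a-f]{8}:\s+([0-9a-f]{8})\s+([0-9a-f]+)\s*$", re.M)
# One stack frame: <address> <module>!<symbol>+<offset>
FRAME_RE = re.compile(r"^\s*[0-9a-f]{8}\s+(\S+!\S+)\s*$", re.M)
HEAP_MACHINERY = ("verifier", "ntdll", "kernel32")

def triage_page_heap(text):
    """Decide whether the faulting access landed inside a block that page heap
    reports as freed, and name the first frame of the freeing stack that is
    outside the heap machinery (the code that actually released the object)."""
    fault = FAULT_RE.search(text)
    block = BLOCK_RE.search(text)
    if not (fault and block and "in free-ed allocation" in text):
        return {"use_after_free": False}
    fault_addr = int(fault.group(1), 16)
    base, size = int(block.group(1), 16), int(block.group(2), 16)
    frames = FRAME_RE.findall(text)
    freer = next((f for f in frames if f.split("!")[0] not in HEAP_MACHINERY), None)
    return {
        "use_after_free": base <= fault_addr < base + size,
        "fault_addr": fault_addr,
        "freed_block": (base, size),
        "freed_by": freer,
    }

if __name__ == "__main__":
    print(triage_page_heap(SAMPLE))
```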

Well, clearly this is a Use-After-Free, but just in case you don’t think this is a serious enough issue, here is an example code path that can be taken without user-mode stack trace or page heap enabled. If an attacker can force memory to be allocated at a specific location (hint: they can), then an attacker can redirect the execution of code.

(1614.1a24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5ca5f546 ebx=00000000 ecx=5c991ed8 edx=00266794 esi=5c991ed8 edi=00000000
eip=8bec8b55 esp=002667a8 ebp=002667e0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
8bec8b55 ??              ???
0:000> k
ChildEBP RetAddr  
WARNING: Frame IP not in any known module. Following frames may be wrong.
002667a4 5cdec71b 0x8bec8b55
002667e0 5ca40b78 mso!Ordinal8883+0xa15
00266810 5ca40b20 mso!Ordinal9662+0xdb2
00266838 5ca40a84 mso!Ordinal9662+0xd5a
00266844 5ca5f015 mso!Ordinal9662+0xcbe
00266858 5d67e54f mso!Ordinal10511+0x3de
002668cc 5d67e614 mso!Ordinal2804+0x45a
002668f0 5d3a5c3c mso!Ordinal2804+0x51f
00266b3c 2fafdf1c mso!Ordinal7674+0x265
00267230 2fafd9e1 EXCEL!Ordinal40+0x23df1c
00267280 3018c1da EXCEL!Ordinal40+0x23d9e1
0026d184 301916f1 EXCEL!Ordinal40+0x8cc1da
0026f798 30192050 EXCEL!Ordinal40+0x8d16f1
0026fa74 301a2046 EXCEL!Ordinal40+0x8d2050
0026fa94 5d166292 EXCEL!Ordinal40+0x8e2046
0026fab4 5d1666cb mso!Ordinal9994+0x24c7
0026facc 5d14992d mso!Ordinal4158+0x1d8
0026faf4 5d14a0df mso!Ordinal9839+0xff0
0026fb0c 5cc40593 mso!Ordinal143+0x415
0026fb30 5d16621f mso!Ordinal6326+0x3b30
0:000> u 5ca40b78 
5ca40b78 8bce            mov     ecx,esi
5ca40b7a e84f000000      call    mso!Ordinal9662+0xe08 (5ca40bce)
5ca40b7f 8b4e2c          mov     ecx,dword ptr [esi+2Ch]
5ca40b82 3bcf            cmp     ecx,edi
5ca40b84 7409            je      mso!Ordinal9662+0xdc9 (5ca40b8f)
5ca40b86 8b01            mov     eax,dword ptr [ecx]
5ca40b88 6a01            push    1
5ca40b8a ff10            call    dword ptr [eax]

Here is the location in IDA within sub_39270b26():


I’m not going to go through the process for an attacker to reach this code location, or other critical code paths; I’ll save that as an exercise for the reader, since this vulnerability was not patched when this was written and the Proof of Concept is already available here. The vulnerability has since been patched by Microsoft in MS16-004 as CVE-2016-0035. Additionally, with the recent generic ASLR bypasses in Microsoft Office, this vulnerability's impact is magnified.

So which versions are affected? All versions of Office 2007 and 2010, and it is likely affecting newer versions as well (untested). Testing was done on a fully patched version of Microsoft Office 2010 Professional.



We hope Microsoft addresses the seriousness of this issue and updates Excel as soon as possible. This is a critical vulnerability and there are many more like it. We would like to thank Microsoft’s MSRC team for re-evaluating the vulnerability's impact and addressing it in the following month's Patch Tuesday. We would also like to thank the ZDI for their continued commitment to helping vendors address issues like this.
