15 Dec Analysis of CVE-2016-0035, A Remote Code Execution in Microsoft Office Excel
Recently I discovered a Use-After-Free vulnerability in Microsoft's Excel application (affecting all versions) when processing specially crafted binary Excel files. This vulnerability can allow Remote Code Execution, yet Microsoft refuses to patch it on the grounds that a 'popup' is a 'defense in depth' approach. Let's take a look at what this popup looks like:
Ask yourself: if you were opening a trusted file, from say an email, would you click 'yes' on this popup? The likely answer is yes, because after all it's a trusted file and it came from a trusted (at least you think) source. Despite the popup being fired, the vulnerability triggers anyway after a few seconds if the user selects 'yes', closes the popup, or ignores it entirely. So what is the impact?
Well, if the user does anything other than select 'no' within 1 second, and page heap and user-mode stack trace are enabled on the EXCEL.EXE binary, you will likely see this:
(868.15c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=221beff0 ebx=001c2602 ecx=08a1dff0 edx=00000001 esi=00000000 edi=00000001
eip=2fed37f1 esp=001c2264 ebp=001c2294 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
EXCEL!Ordinal40+0x7737f1:
2fed37f1 663b5004        cmp     dx,word ptr [eax+4]  ds:0023:221beff4=????
0:000> !heap -p -a @eax
    address 221beff0 found in
    _DPH_HEAP_ROOT @ 11d1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   22d31a5c:         221be000             2000
    716690b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    773a6dbc ntdll!RtlDebugFreeHeap+0x0000002f
    7736a4c7 ntdll!RtlpFreeHeap+0x0000005d
    77336896 ntdll!RtlFreeHeap+0x00000142
    75b6c4d4 kernel32!HeapFree+0x00000014
    62296f1b mso!Ordinal9770+0x00007bef
    2f98cde3 EXCEL!Ordinal40+0x0022cde3
    2f9e2e82 EXCEL!Ordinal40+0x00282e82
    2f9e2b35 EXCEL!Ordinal40+0x00282b35
    2fa26427 EXCEL!Ordinal40+0x002c6427
    2fa260b6 EXCEL!Ordinal40+0x002c60b6
    2fa24e39 EXCEL!Ordinal40+0x002c4e39
    2fa21994 EXCEL!Ordinal40+0x002c1994
    2fa24a26 EXCEL!Ordinal40+0x002c4a26
    2fa1f82c EXCEL!Ordinal40+0x002bf82c
    2fa1e336 EXCEL!Ordinal40+0x002be336
    2fa1d992 EXCEL!Ordinal40+0x002bd992
    2fa1ced6 EXCEL!Ordinal40+0x002bced6
    2fff23cd EXCEL!Ordinal40+0x008923cd
    3002c86e EXCEL!Ordinal40+0x008cc86e
    300316f1 EXCEL!Ordinal40+0x008d16f1
    30032050 EXCEL!Ordinal40+0x008d2050
    30042046 EXCEL!Ordinal40+0x008e2046
    62076292 mso!Ordinal9994+0x000024c7
    620766cb mso!Ordinal4158+0x000001d8
    6205992d mso!Ordinal9839+0x00000ff0
    6205a0df mso!Ordinal143+0x00000415
    61b50593 mso!Ordinal6326+0x00003b30
    6207621f mso!Ordinal9994+0x00002454
    6175882e mso!Ordinal53+0x0000083b
    617585bc mso!Ordinal53+0x000005c9
    6175744a mso!Ordinal7509+0x00000060
Clearly this is a Use-After-Free, but in case you don't think this is a serious enough issue, here is an example code path that can be taken without user-mode stack trace or page heap enabled. If an attacker can force memory to be allocated at a specific location (hint: they can), then an attacker can redirect the execution of code.
(1614.1a24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5ca5f546 ebx=00000000 ecx=5c991ed8 edx=00266794 esi=5c991ed8 edi=00000000
eip=8bec8b55 esp=002667a8 ebp=002667e0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
8bec8b55 ??              ???
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
002667a4 5cdec71b 0x8bec8b55
002667e0 5ca40b78 mso!Ordinal8883+0xa15
00266810 5ca40b20 mso!Ordinal9662+0xdb2
00266838 5ca40a84 mso!Ordinal9662+0xd5a
00266844 5ca5f015 mso!Ordinal9662+0xcbe
00266858 5d67e54f mso!Ordinal10511+0x3de
002668cc 5d67e614 mso!Ordinal2804+0x45a
002668f0 5d3a5c3c mso!Ordinal2804+0x51f
00266b3c 2fafdf1c mso!Ordinal7674+0x265
00267230 2fafd9e1 EXCEL!Ordinal40+0x23df1c
00267280 3018c1da EXCEL!Ordinal40+0x23d9e1
0026d184 301916f1 EXCEL!Ordinal40+0x8cc1da
0026f798 30192050 EXCEL!Ordinal40+0x8d16f1
0026fa74 301a2046 EXCEL!Ordinal40+0x8d2050
0026fa94 5d166292 EXCEL!Ordinal40+0x8e2046
0026fab4 5d1666cb mso!Ordinal9994+0x24c7
0026facc 5d14992d mso!Ordinal4158+0x1d8
0026faf4 5d14a0df mso!Ordinal9839+0xff0
0026fb0c 5cc40593 mso!Ordinal143+0x415
0026fb30 5d16621f mso!Ordinal6326+0x3b30
0:000> u 5ca40b78
mso!Ordinal9662+0xdb2:
5ca40b78 8bce            mov     ecx,esi
5ca40b7a e84f000000      call    mso!Ordinal9662+0xe08 (5ca40bce)
5ca40b7f 8b4e2c          mov     ecx,dword ptr [esi+2Ch]
5ca40b82 3bcf            cmp     ecx,edi
5ca40b84 7409            je      mso!Ordinal9662+0xdc9 (5ca40b8f)
5ca40b86 8b01            mov     eax,dword ptr [ecx]
5ca40b88 6a01            push    1
5ca40b8a ff10            call    dword ptr [eax]
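To make the chain in that disassembly concrete, here is an added C model (not code from the original post or from Office) of an owner object holding a child pointer at +0x2c whose first field is a vtable, showing why the NULL check at 5ca40b82 cannot catch a dangling reference and what clearing the reference on release changes; the struct names, the result codes and the simulated page heap are assumptions for illustration.

```c
/* Added example, not from the original post: at mso!Ordinal9662+0xdb2 the code
 * loads a pointer from [esi+2Ch], compares it with edi (0 in the dump), skips on
 * equality, and otherwise calls through the first field of the object it points
 * to ([ecx] -> call [eax]).  A NULL check cannot catch a reference to an object
 * that has already been freed; only clearing the reference on release can. */
#include <stddef.h>
#include <stdlib.h>

typedef struct Child Child;
typedef void (*ChildFn)(Child *self, int arg);
struct Child { ChildFn *vtable; };                               /* vtable at offset 0, like [ecx] */
typedef struct { unsigned char pad[0x2c]; Child *child; } Owner; /* child at +0x2c on a 32-bit build */

static void child_noop(Child *self, int arg) { (void)self; (void)arg; }
static ChildFn child_vtable[] = { child_noop };

/* Simulated page heap (assumption): remember the most recently released block so
 * a later use is reported as a result code instead of an access violation. */
static Child *last_freed;
static Child *child_new(void) { Child *c = calloc(1, sizeof *c); c->vtable = child_vtable; return c; }
static void child_release(Child *c) { last_freed = c; }         /* stand-in for HeapFree */

enum { DISPATCH_SKIPPED_NULL = 0, DISPATCH_OK = 1, DISPATCH_USE_AFTER_FREE = 2 };

/* mov ecx,[esi+2Ch]; cmp ecx,edi; je skip; mov eax,[ecx]; push 1; call [eax] */
static int owner_dispatch(const Owner *o) {
    Child *c = o->child;
    if (c == NULL) return DISPATCH_SKIPPED_NULL;                 /* the je branch */
    if (c == last_freed) return DISPATCH_USE_AFTER_FREE;         /* page heap would fault here */
    c->vtable[0](c, 1);                                          /* virtual call on a live object */
    return DISPATCH_OK;
}

/* Buggy release path: the child is freed but the owner keeps the dangling pointer. */
static int scenario_dangling(void) {
    Owner o = {0}; Child *c = child_new(); o.child = c;
    child_release(c);                                            /* reference left in place */
    int r = owner_dispatch(&o); free(c); return r;
}

/* Hardened release path: the reference is cleared, so the existing NULL check takes effect. */
static int scenario_cleared(void) {
    Owner o = {0}; Child *c = child_new(); o.child = c;
    child_release(c); o.child = NULL;                            /* clear on release */
    int r = owner_dispatch(&o); free(c); return r;
}
```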
Here is the location in IDA within sub_39270b26()
I'm not going to go through the process for an attacker to reach this code location, or other critical code paths; I'll leave that as an exercise for the reader, since at the time of writing this vulnerability was not patched and the Proof of Concept is already available here. (The vulnerability has since been patched by Microsoft in MS16-004 as CVE-2016-0035.) Additionally, with the recent generic ASLR bypasses in Microsoft Office, this vulnerability's impact is magnified.
So which versions are affected? All versions of Office 2007 and 2010, and it is likely that newer versions are affected as well (untested). Testing was done on a fully patched version of Microsoft Office 2010 Professional.
We hope Microsoft addresses the seriousness of this issue and updates Excel ASAP. This is a critical vulnerability and there are many more like it. We would like to thank Microsoft's MSRC team for re-evaluating the vulnerability's impact and addressing it in the following month's Patch Tuesday. We would also like to thank the ZDI for their continued commitment to helping vendors address issues like this.