Saturday, May 11, 2013

MS12-076 Excel SerAuxErrBar Heap Overflow Vulnerability

There was a heap overflow vulnerability (CVE-2012-1885) in Excel while parsing the SerAuxErrBar structure from xls (Excel's old binary format) files, so I decided to take it on (a little bit of analysis). But I ran into the fact that there are no public debugging symbols for Excel :( When I read the advisory [1] I didn't understand anything, as always, because Microsoft only says "A remote code execution vulnerability exists in the way that Microsoft Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take..". That's a shitty description :( Then I looked for the SerAuxErrBar structure and found the MSDN page that describes it [2]. But that raised another question: how does one get Excel to create a SerAuxErrBar structure in the first place?



The specification says "The SerAuxErrBar record specifies properties of an error bar". So it should be related to error bars. But WTF is an error bar [3]? The specification helps us again: "An error bar is a set of lines displayed on a chart (section 2.2.3.3) that indicates a range of uncertainty in the measurement of each data point (section 2.2.3.10) in a series (section 2.2.3.9)." So I started by creating a bar chart, adding an error bar to it and searching for the SerAuxErrBar structure in the binary format.

I had set my error bars as vertical, so I started searching for 0x03 (the first field of the record, sertm, which encodes the error bar direction); my ebsrc choice was Custom Values, which means 0x04 should follow the 0x03, and so on. The field order and values come straight from the record layout in [2].


After half an hour, I found the SerAuxErrBar structure (see the picture below).

Another interesting thing in this structure is the numValue field. It is 8 bytes long and contains an Xnum (WTF is an Xnum? Thank god there are references and converters for Xnum on the Internet [4][5]). An Xnum is a "64-bit binary floating-point number as specified in [IEEE754]" (from MSDN).
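Rather than grepping the file for 0x03 0x04 by hand, the record can be located by walking the BIFF record stream and decoding it field by field. The script below is an added example, not code from the original post; it assumes the SerAuxErrBar layout given on the MSDN page [2] (sertm, ebsrc, fTeeTop, one reserved byte, numValue as an Xnum, cnum; 14 bytes in total) and the MS-XLS record number 0x105B for SerAuxErrBar. The sample streams it parses are constructed inline so it runs offline; on a real .xls you would feed it the Workbook stream pulled out of the OLE2 container (for example with olefile). It also keeps the post's naive byte-pattern search so the two approaches can be compared, and it flags field values that fall outside the enumerations the spec defines, which is the first check you want when a mutated record starts crashing the parser.

```python
"""Locate and decode SerAuxErrBar records in a BIFF8 stream (added example, not from the post)."""
import math
import struct

SERAUXERRBAR = 0x105B          # BIFF record number of SerAuxErrBar (MS-XLS)
BOF, EOF = 0x0809, 0x000A      # used only to build the constructed sample streams below

# Enumerations from the SerAuxErrBar record description [2]
SERTM = {0x01: "x-direction plus", 0x02: "x-direction minus",
         0x03: "y-direction plus", 0x04: "y-direction minus"}
EBSRC = {0x01: "percentage", 0x02: "fixed value", 0x03: "standard deviation",
         0x04: "custom", 0x05: "standard error"}


def iter_records(stream):
    """Walk a BIFF stream: each record is <type:u16><length:u16><payload>, little-endian."""
    off = 0
    while off + 4 <= len(stream):
        rectype, length = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4:off + 4 + length]
        if len(payload) != length:      # truncated record: stop instead of reading past the buffer
            break
        yield off, rectype, payload
        off += 4 + length


def decode_serauxerrbar(payload):
    """Decode the 14-byte SerAuxErrBar payload; numValue is an Xnum (little-endian IEEE 754 double)."""
    if len(payload) != 14:
        raise ValueError("SerAuxErrBar payload must be 14 bytes, got %d" % len(payload))
    sertm, ebsrc, ftee, reserved, numvalue, cnum = struct.unpack("<BBBBdH", payload)
    return {"sertm": sertm, "ebsrc": ebsrc, "fTeeTop": ftee, "reserved": reserved,
            "numValue": numvalue, "cnum": cnum, "raw": payload}


def check(rec):
    """Spec-level sanity checks; returns a list of complaints (empty for a record Excel itself wrote)."""
    problems = []
    if rec["sertm"] not in SERTM:
        problems.append("sertm 0x%02x is not a defined error bar type" % rec["sertm"])
    if rec["ebsrc"] not in EBSRC:
        problems.append("ebsrc 0x%02x is not a defined value source" % rec["ebsrc"])
    if rec["fTeeTop"] not in (0, 1):
        problems.append("fTeeTop 0x%02x is not a boolean" % rec["fTeeTop"])
    if not math.isfinite(rec["numValue"]):
        problems.append("numValue is not a finite double")
    return problems


def find_error_bars(stream):
    """Record-aware search: only payloads of records typed 0x105B are decoded."""
    return [(off, decode_serauxerrbar(p)) for off, t, p in iter_records(stream) if t == SERAUXERRBAR]


def naive_search(stream):
    """The byte-pattern search from the post (vertical = 0x03, custom values = 0x04), for comparison."""
    hits, i = [], stream.find(b"\x03\x04")
    while i != -1:
        hits.append(i)
        i = stream.find(b"\x03\x04", i + 1)
    return hits


def build_stream(records):
    """Assemble (type, payload) pairs into a BIFF byte stream (used only for the constructed samples)."""
    return b"".join(struct.pack("<HH", t, len(p)) + p for t, p in records)


# Constructed sample, not taken from a real workbook: BOF, one vertical custom-value error bar, EOF.
SAMPLE = build_stream([
    (BOF, bytes(16)),
    (SERAUXERRBAR, struct.pack("<BBBBdH", 0x03, 0x04, 1, 1, 1.0, 1)),
    (EOF, b""),
])
# Same stream with an undefined sertm, a non-finite numValue and an oversized cnum: the kind of
# edit the post describes making before Excel crashed.
MUTATED = build_stream([
    (BOF, bytes(16)),
    (SERAUXERRBAR, struct.pack("<BBBBdH", 0x09, 0x04, 1, 1, float("inf"), 0xFFFF)),
    (EOF, b""),
])

if __name__ == "__main__":
    for name, stream in (("sample", SAMPLE), ("mutated", MUTATED)):
        for off, rec in find_error_bars(stream):
            print("%s: SerAuxErrBar at offset %d: sertm=%s ebsrc=%s numValue=%r cnum=%d" % (
                name, off, SERTM.get(rec["sertm"], "?"), EBSRC.get(rec["ebsrc"], "?"),
                rec["numValue"], rec["cnum"]))
            for p in check(rec):
                print("   warning:", p)
    print("naive 03 04 hits in sample:", naive_search(SAMPLE))
```

The naive search returns the payload offset (the record header sits four bytes earlier), but on a real workbook it will also hit any other record whose bytes happen to contain 03 04, which is why the record walk is the one to trust when you go back to patch bytes in the file.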

I got the following crash after changing some values in the SerAuxErrBar structure.


(2514.f0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Excel.exe - 
Excel!Ordinal40+0x20b3b2:
00000001`3fd7b3b2 66394808        cmp     word ptr [rax+8],cx ds:00000000`00000008=????
0:000> r
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000089e
rdx=0000000000000002 rsi=0000000000000000 rdi=00000000036fba20
rip=000000013fd7b3b2 rsp=000000000017f690 rbp=0000000000000000
 r8=00000000ffffffff  r9=0000000000000003 r10=00000000004e3570
r11=0000000003656c00 r12=00000000036543c0 r13=000000000443bc80
r14=0000000000000339 r15=00000000ffffffff
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
Excel!Ordinal40+0x20b3b2:
00000001`3fd7b3b2 66394808        cmp     word ptr [rax+8],cx ds:00000000`00000008=????
0:000> kpL 10
Child-SP          RetAddr           Call Site
00000000`0017f690 00000001`3fd51e24 Excel!Ordinal40+0x20b3b2
00000000`0017f6e0 00000001`3fd54d33 Excel!Ordinal40+0x1e1e24
00000000`0017f740 00000001`3fd5c034 Excel!Ordinal40+0x1e4d33
00000000`0017f8b0 00000001`3fd5bca5 Excel!Ordinal40+0x1ec034
00000000`0017fa30 00000001`3fd5b91d Excel!Ordinal40+0x1ebca5
00000000`0017fb00 00000001`3fd5b834 Excel!Ordinal40+0x1eb91d
00000000`0017fbd0 00000001`3fd5ac97 Excel!Ordinal40+0x1eb834
00000000`00181db0 00000001`3fd5aa5f Excel!Ordinal40+0x1eac97
00000000`00181ee0 00000001`3fd5b2d4 Excel!Ordinal40+0x1eaa5f
00000000`00181ff0 00000001`3fd5cddc Excel!Ordinal40+0x1eb2d4
00000000`00183630 00000001`3fd71d1c Excel!Ordinal40+0x1ecddc
00000000`001836b0 00000001`3fd721ee Excel!Ordinal40+0x201d1c
00000000`00183710 00000001`3fd09027 Excel!Ordinal40+0x2021ee
00000000`00183750 00000001`3fcdadba Excel!Ordinal40+0x199027
00000000`00183c00 00000001`3fcf1abb Excel!Ordinal40+0x16adba
00000000`00185e40 00000001`4021805c Excel!Ordinal40+0x181abb

And hours later my journey ended at a memmove crash.

0:014> g
(2af8.171c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSVCR90!memmove+0xd6:
00000000`721ae306 4c8951f8        mov     qword ptr [rcx-8],r10 ds:00000000`1db3c000=????????????????
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\EXCEL.EXE - 
0:000> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`0024f4d8 00000001`3f82517c : 00000000`1dd95a60 00000000`00000000 00000000`00000004 00000000`00000003 : MSVCR90!memmove+0xd6
00000000`0024f4e0 00000001`3f827d1a : 00000000`00000002 00000000`0000000a 00000000`00000002 00000000`00000001 : EXCEL!Ordinal40+0x1a517c
00000000`00251bc0 00000001`3f82878a : 00000000`0000000a 00000000`0000000a 00000000`00000000 00000000`00000000 : EXCEL!Ordinal40+0x1a7d1a
00000000`002523e0 00000001`3f82d798 : 00000000`00000000 00000000`00000000 00000000`1e40df80 00000000`01a60000 : EXCEL!Ordinal40+0x1a878a
00000000`002526c0 00000001`3f832f89 : 00000000`01a60000 00000001`3f85f4a3 00000000`00253240 00000000`00000000 : EXCEL!Ordinal40+0x1ad798
00000000`00252ff0 00000001`3f8266c0 : 00000000`00253240 00000000`00000080 00000000`00000001 00000000`00000000 : EXCEL!Ordinal40+0x1b2f89
00000000`00253020 00000001`3f8264cd : 00000000`002563c0 000007fe`0000001a 00000000`00253240 00000000`1e417f50 : EXCEL!Ordinal40+0x1a66c0
00000000`00253210 00000001`3f825f0f : 00000000`1e417f50 000007fe`e231600c 00000000`00000008 00000000`00253960 : EXCEL!Ordinal40+0x1a64cd
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll - 
00000000`002533b0 000007fe`e241a48f : 00000000`00000008 00000000`1e417f50 00000000`00253960 00000000`1e417f00 : EXCEL!Ordinal40+0x1a5f0f
00000000`002533f0 000007fe`e2419c01 : 00000000`00000001 00000001`00000001 00000000`1e417f50 00000000`00000001 : mso!Ordinal450+0x28f3
00000000`00253500 000007fe`e2419ed7 : 00000000`000000c6 00000000`00000000 00000000`00000000 00000000`1e41df00 : mso!Ordinal450+0x2065
00000000`002535a0 000007fe`e2419c01 : 00000000`1e41df00 00000000`00000000 00000000`1e427d20 00000000`00275270 : mso!Ordinal450+0x233b
00000000`00253660 000007fe`e241968c : 00000000`000000c6 00000000`0000f002 00000000`0000f002 00000000`1e427d20 : mso!Ordinal450+0x2065
00000000`00253700 000007fe`e2418511 : 00000000`00000008 00000000`00002020 00000000`1e427d20 00000000`00253960 : mso!Ordinal450+0x1af0
00000000`00253870 00000001`3f826056 : 00000000`1e427d20 00000000`1deddd10 00000000`1e427d20 00000000`00002020 : mso!Ordinal450+0x975
00000000`002538e0 00000001`3f80e2e7 : 00000000`00000000 00000000`00002020 00000000`1de9fdb8 00000000`00000000 : EXCEL!Ordinal40+0x1a6056
00000000`002539e0 00000001`3f7e96cd : 00000000`1e003fc0 00000000`1e278fd0 00000000`00000010 00000000`00000000 : EXCEL!Ordinal40+0x18e2e7
00000000`00254cb0 00000001`3f818c14 : 00000000`18efe470 00000000`00255f00 00000000`0025a240 00000000`00000000 : EXCEL!Ordinal40+0x1696cd
00000000`00255e90 00000001`3f7eadba : 00000000`00000001 00000000`00000001 00000000`00000000 00000000`00000000 : EXCEL!Ordinal40+0x198c14
00000000`00256340 00000001`3f801abb : 00000000`00258650 00000000`0025a450 00000000`0025a240 00000000`0025a240 : EXCEL!Ordinal40+0x16adba
00000000`00258580 00000001`3fd2805c : 00000000`00001008 000007fe`00000026 00000000`00000000 00000000`0025ef78 : EXCEL!Ordinal40+0x181abb
00000000`0025ede0 00000001`3fd27ebf : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0025f260 : EXCEL!Ordinal40+0x6a805c
00000000`0025f090 00000001`4006f88f : 00000000`0025f260 00000000`00000000 00000000`00000001 00000000`00001008 : EXCEL!Ordinal40+0x6a7ebf
00000000`0025f240 00000001`3f79249f : 00000000`000003f8 00000000`00000800 00000000`00000800 00000000`0000bfff : EXCEL!Ordinal40+0x9ef88f
00000000`0025f440 00000001`3f7d3041 : 00000000`00000000 00000000`0000ffff 00000000`00000000 00000001`40cdde30 : EXCEL!Ordinal40+0x11249f
00000000`0025f610 00000001`3f73a32c : 00000000`00000000 00000000`ffffffff 00000000`01af3ff7 00000000`00000800 : EXCEL!Ordinal40+0x153041
00000000`0025f820 00000001`3f7e1b46 : 00000000`00000000 00000000`00000000 00000000`00000000 00000001`00000001 : EXCEL!Ordinal40+0xba32c
00000000`0025f910 00000000`772a652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : EXCEL!Ordinal40+0x161b46
00000000`0025f9c0 00000000`7789c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`0025f9f0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d

Exploitable? Yes, it's exploitable, but it needs some kung fu. PoC? Meh, prepare it yourself and e-mail me if you're not an exploit kit developer and failed to trigger it :p

References

  1. http://technet.microsoft.com/en-us/security/bulletin/ms12-076
  2. http://msdn.microsoft.com/en-us/library/dd920699(v=office.12).aspx
  3. http://msdn.microsoft.com/en-us/library/dd908530(v=office.12).aspx
  4. http://msdn.microsoft.com/en-us/library/dd953512(v=office.12).aspx
  5. http://babbage.cs.qc.cuny.edu/IEEE-754.old/Decimal.html

2 comments:

  1. This comment has been removed by a blog administrator.

  2. Could you please explain the basics regarding the following in detail - "I was set my error bars as vertical so started search with 0x03, my ebsrc choice was Custom Values (that means 0x04 should follow 0x03) etc."