Threat Research

FortiGuard Labs Discovers Use-After-Free Vulnerability In Microsoft Office

By Aamir Lakhani | October 15, 2015

UPDATE: Microsoft has updated the list of Office products affected by this vulnerability: 

Although Microsoft recently released Office 2016, legacy versions of the popular productivity suite are still common in both business and home settings. Extended support for Office 2007, for example, does not end for almost two more years. FortiGuard Labs recently disclosed a “use-after-free” vulnerability in Microsoft Office 2007. Other versions may be affected, but researchers completed a proof of concept demonstrating the vulnerability in Word 2007 SP3 that may allow remote code execution.

The vulnerability can be exploited if users of affected systems attempt to open a specially crafted .doc file. A closer look at the proof of concept below is instructive in both the details of this vulnerability and in use-after-free vulnerabilities more generally.

When we open our specially crafted PoC file, you can see winword.exe crashes; the crash info is as follows:

(cfc8.dc64): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=73f17680 ebx=2e408ce0 ecx=16cc2ef0 edx=02000000 esi=16cecfc8 edi=00000000
eip=73f02f4b esp=0112ffbc ebp=0112ffd8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
73f02f4b 833918          cmp     dword ptr [ecx],18h  ds:002b:16cc2ef0=????????

0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 0112ffb8 73f06f34 00000000 16cecfc8 2e408ce0 bcrypt!InitializePseudoHandleEntry+0x1df
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Common Files\Microsoft Shared\office12\mso.dll - 
01 0112ffd8 32c0c304 16cc2ef0 16cecfc8 32c0c6ff bcrypt!BCryptDestroyHash+0x44
WARNING: Stack unwind information not available. Following frames may be wrong.
02 0112fff0 31fc77fe 00000001 01130014 32876aa5 mso!Ordinal8431+0xf69
03 0112fffc 32876aa5 16cecfd0 011300ac 00000000 mso!Ordinal1058+0x639
04 01130014 32876ea1 2379cff0 0113003c 011304c0 mso!Ordinal1963+0x681
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Microsoft Office\Office12\wwlib.dll - 
05 01130034 68d5a5ff 00000014 00000000 32055d69 mso!Ordinal8867+0x9e
06 01130064 687b2877 011300ac 011304c0 00000000 wwlib!DllGetClassObject+0x7a1be
07 01130078 68962aa8 011300ac 011304c0 01131080 wwlib!DllGetLCID+0x1a6f51
08 01130ec8 68614cc1 00000008 00000001 00000000 wwlib!wdCommandDispatch+0xfec07
09 01130efc 68613d29 00000008 01131080 00000001 wwlib!DllGetLCID+0x939b
0a 0113104c 6861438e 00000008 01131080 00000000 wwlib!DllGetLCID+0x8403
0b 01131da8 6842f38b 01132644 15116ff8 02800000 wwlib!DllGetLCID+0x8a68
0c 01132e8c 6842e7dc 011360c8 1a4a2ff8 04032000 wwlib!FMain+0x5add4
0d 01132ed0 6861acdc 011360c8 1a4a2ff8 04032000 wwlib!FMain+0x5a225
0e 0113604c 6861a9fd 011360c8 1a4a2ff8 0113e8c4 wwlib!DllGetLCID+0xf3b6
0f 0113a470 6861a66a 0113e8c4 0113a518 80900001 wwlib!DllGetLCID+0xf0d7
10 0113a4c0 6861b9e1 0113e8c4 0113a518 80900001 wwlib!DllGetLCID+0xed44
11 0113d61c 6861ba26 0113e8c4 80900001 00000000 wwlib!DllGetLCID+0x100bb
12 0113d640 684a65c6 0113e8c4 20d0f480 00000000 wwlib!DllGetLCID+0x10100
13 0113e8a4 684ca051 0113e8c4 00000001 00000001 wwlib!FMain+0xd200f
14 0113e954 684c9f19 00000278 0113e994 00000000 wwlib!FMain+0xf5a9a
15 0113e96c 320246d2 692c8218 1a4c8fd8 1a4c8fe4 wwlib!FMain+0xf5962
16 0113e98c 320245bc 00000001 00000000 00000035 mso!Ordinal4856+0xfb
17 0113e9c4 31f51833 08fd2b98 00000035 31fa6374 mso!Ordinal8141+0x134b
18 0113e9ec 31ecdb00 08fd2b98 00000035 31fa6374 mso!Ordinal9353+0x1024
19 0113ea14 31ee1c2d 08fd2b98 00000035 31fa6374 mso!Ordinal4808+0x14c
1a 0113ea48 31ef5191 00000000 17aa6fa0 32d12900 mso!Ordinal4442+0x11d
1b 0113ea5c 31ec33ca 08fd2b98 0d3feb00 00000035 mso!Ordinal7936+0xb7
1c 0113ea80 31ec31e7 31fa6374 00000035 0e8b8fb8 mso!Ordinal5474+0x243
1d 0113eaa8 31ec315e 1b04ef00 31fa6374 00000000 mso!Ordinal5474+0x60
1e 0113eac8 31e55c1d 1b04ef00 32d129a4 31fa6374 mso!Ordinal1556+0x1de
1f 0113eaf4 31e8496e 32d129a4 00000002 31fa6374 mso!Ordinal5169+0x98
20 0113eb18 31fd856f 32d129a4 00000002 31fa6374 mso!Ordinal3743+0x39e
21 0113eb50 32042fe5 1b04efb8 32d129a4 0113ebb8 mso!Ordinal442+0x8e
22 0113eb6c 31fc47da 181e0ff0 0113ebb8 091c6f78 mso!Ordinal1578+0x16a
23 0113eb9c 32042fa6 091c6f78 32d0421c 0113ebb8 mso!Ordinal1575+0xdc
24 0113ebec 32041d0c 0113edd8 0113edd8 0113eda8 mso!Ordinal1578+0x12b
25 0113ec00 31ea287f 0113edd8 0113eda8 17d74fb0 mso!Ordinal6570+0x328
26 0113ec88 31e82616 17d74fb0 091c6f78 0113eda8 mso!Ordinal4960+0x6b
27 0113ecdc 31ea26f6 17d74fb0 0113eda8 00000000 mso!Ordinal8626+0xb2
28 0113ed78 31ea257d 17d74fb0 0113eda8 00000000 mso!Ordinal3910+0x362
29 0113ed94 31ea23db 00000007 00000001 0113ee00 mso!Ordinal3910+0x1e9
2a 0113edc0 320414ce 0113edd8 00000001 00000001 mso!Ordinal3910+0x47
2b 0113ee04 3204137e 091c6f78 0113ee18 0113ee78 mso!Ordinal8792+0x10f
2c 0113ee30 3237c1e0 00000000 00000002 11be80e0 mso!Ordinal3804+0x3f
2d 0113ee60 31fe74b6 0113ee78 11be80e0 17d74fb0 mso!Ordinal8165+0x213c5
2e 0113eee8 31e82616 17d74fb0 091c6f78 11be80e0 mso!Ordinal2312+0xe2
2f 0113ef3c 31ea26f6 17d74fb0 11be80e0 00000000 mso!Ordinal8626+0xb2
30 0113efd8 31f5eeaa 17d74fb0 11be80e0 00000000 mso!Ordinal3910+0x362
31 0113efec 31ec7ddf 11be80bc 00000000 00000000 mso!Ordinal326+0x2e5
32 0113f01c 31fb61fe 00000000 000000a0 0113f070 mso!Ordinal4153+0x2ed
33 0113f038 31e5f24b 19dc6fb8 0113f070 0113f0cc mso!Ordinal190+0x10fa
34 0113f048 31ec6e16 31ec1825 19dc6fb8 00000202 mso!Ordinal9388+0x2d9
35 0113f0cc 31ec187f 00000202 00000000 005c0040 mso!Ordinal4399+0x2a8
36 0113f0f8 75354923 000d08ee 00000000 00000000 mso!Ordinal1906+0xa5
37 0113f124 75334790 31ec1825 000d08ee 00000202 USER32!_InternalCallWinProc+0x2b
38 0113f1cc 75334091 31ec1825 00000000 00000202 USER32!UserCallWinProcCheckWow+0x1f0
39 0113f238 75333e50 06d5e9b0 0113f254 684aa40a USER32!DispatchMessageWorker+0x231
3a 0113f244 684aa40a 692ae560 692ae560 0113f27c USER32!DispatchMessageW+0x10
3b 0113f254 684a833c 692ae560 00000000 14204f8c wwlib!FMain+0xd5e53
3c 0113f27c 683d4c7d 683d45b7 683d0000 05abfffe wwlib!FMain+0xd3d85
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for winword.exe - 
3d 0113f808 2f1215fb 2f120000 00000000 05abfffe wwlib!FMain+0x6c6
3e 0113f828 2f12156d 2f120000 00000000 05abfffe winword+0x15fb
3f 0113f8b8 75553744 7ffbf000 75553720 d6ba626a winword+0x156d
40 0113f8cc 770aa064 7ffbf000 76672e73 00000000 KERNEL32!BaseThreadInitThunk+0x24
41 0113f914 770aa02f ffffffff 770cd7d9 00000000 ntdll!__RtlUserThreadStart+0x2f
42 0113f924 00000000 2f1210dc 7ffbf000 00000000 ntdll!_RtlUserThreadStart+0x1b

The vulnerability exists due to an error while the vulnerable software attempts to open the specially crafted doc file. Based on our analysis, it’s a use-after-free vulnerability. Let’s look into the specially crafted doc file first. The comparison between the original doc file and the PoC file is shown below:

From the above chart, we can see only the byte at offset 0x20B is different. If we use the OffVis tool to parse them, we can see the difference in file structures.

Original doc File

PoC File

The two bytes at offset 0x20B are located in the FibBase structure. The definition of the FibBase structure appears below:

A - fDot (1 bit): Specifies whether this is a document template. 
B - fGlsy (1 bit): Specifies whether this is a document that contains only AutoText items (see FibRgFcLcb97.fcSttbfGlsy,    FibRgFcLcb97.fcPlcfGlsy and FibRgFcLcb97.fcSttbGlsyStyle). 
C - fComplex (1 bit): Specifies that the last save operation that was performed on this document was an incremental   save operation. 
D - fHasPic (1 bit): When set to 0, there SHOULD be no pictures in the document. 
E - cQuickSaves (4 bits): An unsigned integer. If nFib is less than 0x00D9, then cQuickSaves specifies the number of consecutive times this document was incrementally saved. If nFib is 0x00D9 or greater, then cQuickSaves MUST be 0xF.
F - fEncrypted (1 bit): Specifies whether the document is encrypted or obfuscated as specified in Encryption and Obfuscation. 
G - fWhichTblStm (1 bit): Specifies the Table stream to which the FIB refers. When this value is set to 1, use 1Table; when this value is set to 0, use 0Table. 
H - fReadOnlyRecommended (1 bit): Specifies whether the document author recommended that the document be opened in read-only mode. 
I - fWriteReservation (1 bit): Specifies whether the document has a write-reservation password. 
J - fExtChar (1 bit): This value MUST be 1. 
K - fLoadOverride (1 bit): Specifies whether to override the language information and font that are specified in the paragraph style at istd 0 (the normal style) with the defaults that are appropriate for the installation language of the application. 
L - fFarEast (1 bit): Specifies whether the installation language of the application that created the document was an East Asian language. 
M - fObfuscated (1 bit): If fEncrypted is 1, this bit specifies whether the document is obfuscated by using XOR obfuscation (section; otherwise, this bit MUST be ignored.
The two bytes |F8 5A| at offset 0x20B represent the A,B,C,D,E,F,G,H,I,J,K,L, and M flags described above. Only the bit representing “I – fWriteReservation” is changed from 0 to 1.  Then the vulnerability is triggered.

(71b0.71b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=734e7680 ebx=14ac6ce0 ecx=1c805ef0 edx=02000000 esi=1c803fc8 edi=00000000
eip=734d2f4b esp=0104a37c ebp=0104a398 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
734d2f4b 833918          cmp     dword ptr [ecx],18h  ds:002b:1c805ef0=????????

0:000> dd ecx
1c805ef0  ???????? ???????? ???????? ????????
1c805f00  ???????? ???????? ???????? ????????
1c805f10  ???????? ???????? ???????? ????????
1c805f20  ???????? ???????? ???????? ????????
1c805f30  ???????? ???????? ???????? ????????
1c805f40  ???????? ???????? ???????? ????????
1c805f50  ???????? ???????? ???????? ????????
1c805f60  ???????? ???????? ???????? ????????

0:000> !heap -p -a ecx
    address 1c805ef0 found in
    _DPH_HEAP_ROOT @ 38f1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                   186321a0:         1c805000             2000
    0f649cd2 verifier!AVrfDebugPageHeapFree+0x000000c2
    770282c0 ntdll!RtlDebugFreeHeap+0x0000003c
    76fdaa8f ntdll!RtlpFreeHeap+0x0004de9f
    76fcc650 ntdll!RtlpFreeHeapInternal+0x0000027e
    76f8c72c ntdll!RtlFreeHeap+0x0000002c
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Common Files\Microsoft Shared\office12\mso.dll - 
    6411dd95 mso!Ordinal1743+0x00002e89
    6362b7e7 mso!MsoFreePv+0x0000003a
    6442c2f3 mso!Ordinal8431+0x00000f58
    637e77fe mso!Ordinal1058+0x00000639
    64096aa5 mso!Ordinal1963+0x00000681
    64096ea1 mso!Ordinal8867+0x0000009e
    5222a5ff wwlib!DllGetClassObject+0x0007a1be
    51c82877 wwlib!DllGetLCID+0x001a6f51
    51e32aa8 wwlib!wdCommandDispatch+0x000fec07
    51ae4cc1 wwlib!DllGetLCID+0x0000939b
    51ae3d29 wwlib!DllGetLCID+0x00008403
    51ae438e wwlib!DllGetLCID+0x00008a68
    518ff38b wwlib!FMain+0x0005add4
    518fe7dc wwlib!FMain+0x0005a225
    52581db0 wwlib!DllCanUnloadNow+0x0034e3c3
    5252ce91 wwlib!DllCanUnloadNow+0x002f94a4
    518ba68f wwlib!FMain+0x000160d8
    518a8a1f wwlib!FMain+0x00004468
    518a4a53 wwlib!FMain+0x0000049c
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for winword.exe - 
    2fcb15fb winword+0x000015fb
    2fcb156d winword+0x0000156d
    74483744 KERNEL32!BaseThreadInitThunk+0x00000024
    76faa064 ntdll!__RtlUserThreadStart+0x0000002f
    76faa02f ntdll!_RtlUserThreadStart+0x0000001b

From the above debug information, we can see that this is a typical use-after-free vulnerability that could lead to arbitrary code execution.

Users of all versions of Microsoft Office are encouraged to apply the latest updates from Microsoft. Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should already be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet released IPS signature MS.Office.Word.Use.After.Free on October 5th, 2015.

Affected Products:

Special thanks to Kai Lu of FortiGuard Labs for discovering this vulnerability.