Overview
Microsoft Office is the most popular productivity suite in the world, first released by the Redmond software giant in 1988. Microsoft releases updates and patches for its software, including Office, on what is now commonly known as Patch Tuesday (the second and sometimes the fourth Tuesday of each month). Today, Patch Tuesday includes not one, not two, but three vulnerabilities discovered by researchers at FortiGuard Labs. The first is a heap overflow vulnerability in Microsoft Word 2007. Although it was released eight years ago, Office 2007 remains widely used and falls under Microsoft's Extended Support until April 2017. This particular vulnerability could lead to remote code execution.
Analysis
The disassembly around the crash, captured in WinDbg, is shown below; the comments record the register and memory values observed at the time:
31229192 55 push ebp
31229193 8bec mov ebp,esp
31229195 56 push esi
31229196 57 push edi
31229197 8bf1 mov esi,ecx // ecx is 0x0ab78e00
31229199 0fb6beff010000 movzx edi,byte ptr [esi+1FFh] // [esi+1FFh] is 0x31
312291a0 52 push edx
312291a1 8bd7 mov edx,edi
312291a3 e867c7fcff call wwlib!FMain+0x21358 (311f590f)
312291a8 8b4d10 mov ecx,dword ptr [ebp+10h] // here eax is 0x28
312291ab 8b5508 mov edx,dword ptr [ebp+8]
312291ae 8901 mov dword ptr [ecx],eax
312291b0 8b0c86 mov ecx,dword ptr [esi+eax*4]
312291b3 890a mov dword ptr [edx],ecx
312291b5 8b4c8604 mov ecx,dword ptr [esi+eax*4+4]
312291b9 0faf4514 imul eax,dword ptr [ebp+14h] // [ebp+14h] is 0x0d, so eax becomes 0x28*0x0d = 0x208
312291bd 8b550c mov edx,dword ptr [ebp+0Ch]
312291c0 03c6 add eax,esi
// eax is 0x0ab78e00+0x208 = 0x0ab79008, which already lies beyond the end of the heap block
312291c2 890a mov dword ptr [edx],ecx
312291c4 0fb644b804 movzx eax,byte ptr [eax+edi*4+4] ds:002b:0ab790d0=?? // crash occurs here: 0x0ab79008+0x31*4+4 = 0x0ab790d0
312291c9 5f pop edi
312291ca 03c0 add eax,eax
312291cc 5e pop esi
312291cd 5d pop ebp
312291ce c21000 ret 10h
312291d1 55 push ebp
312291d2 8bec mov ebp,esp
312291d4 56 push esi
312291d5 ff7508 push dword ptr [ebp+8]
312291d8 8bf1 mov esi,ecx
312291da e831000000 call wwlib!FMain+0x54c59 (31229210)
312291df c706f0912231 mov dword ptr [esi],offset wwlib!FMain+0x54c39 (312291f0)
312291e5 8bc6 mov eax,esi
312291e7 5e pop esi
312291e8 5d pop ebp
312291e9 c20400 ret 4
0:000> db esi L200+120
0ab78e00 ba 0d 00 00 bc 0d 00 00-1a 00 00 00 00 00 00 00 ................
0ab78e10 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0ab78e20 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0ab78e30 00 00 00 00 e5 00 00 6b-64 5c 13 00 00 16 24 01 .......kd\....$.
0ab78e40 17 24 01 49 66 01 00 00-00 02 96 1c 00 03 34 01 .$.If.........4.
0ab78e50 07 94 20 01 08 d6 88 00-06 00 00 0f 01 eb 0b 3f .. ............?
0ab78e60 13 4c 1d 55 23 6c 28 a0-06 0f 01 00 00 00 00 04 .L.U#l(.........
0ab78e70 03 00 00 00 00 00 00 04-01 01 00 a0 06 dc 0a 00 ................
0ab78e80 00 00 00 04 01 01 00 04-01 01 00 04 01 01 00 80 ................
0ab78e90 06 54 07 04 01 00 00 ff-ff ff ff 04 01 01 00 04 .T..............
0ab78ea0 01 01 00 80 06 0d 0a 04-01 00 00 ff ff ff ff 04 ................
0ab78eb0 01 01 00 04 01 01 00 a0-06 09 06 00 00 00 00 ff ................
0ab78ec0 ff ff ff 04 01 01 00 04-01 01 00 a0 06 17 05 00 ................
0ab78ed0 00 00 00 ff ff ff ff 00-00 00 00 04 03 00 00 09 ................
0ab78ee0 d6 0a 00 00 e0 00 e0 00-e0 00 e0 00 0a 74 00 00 .............t..
0ab78ef0 a0 04 12 d6 32 00 00 00-ff 00 00 00 ff 00 00 00 ....2...........
0ab78f00 00 00 ff ff ff 00 00 00-00 00 00 00 ff ff ff 00 ................
0ab78f10 00 00 00 00 00 00 ff ff-ff 00 00 00 00 00 00 00 ................
0ab78f20 ff ff ff 00 00 00 00 14-f6 03 f5 29 17 f6 03 00 ...........)....
0ab78f30 00 18 f6 03 89 01 1a d6-18 00 00 00 ff 00 00 00 ................
0ab78f40 ff 00 00 00 ff 00 00 00-ff 00 00 00 ff 00 00 00 ................
0ab78f50 ff 1b d6 18 00 00 00 ff-00 00 00 00 ff ff ff ff ................
0ab78f60 ff ff ff ff ff ff ff ff-ff ff ff ff 1c d6 18 00 ................
0ab78f70 00 00 ff 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0ab78f80 00 00 00 00 00 00 ff 1d-d6 18 00 00 00 00 00 00 ................
0ab78f90 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0ab78fa0 00 ff 34 d6 06 00 01 05-03 00 00 34 d6 06 00 01 ..4........4....
0ab78fb0 0a 03 1c 00 61 f6 03 1c-00 70 d6 3c ff ff ff ff ....a....p.<....
0ab78fc0 ff ff ff ff ff ff 00 00-00 ff ff ff 00 00 00 00 ................
0ab78fd0 00 00 00 ff ff ff 00 00-00 00 00 00 00 ff ff ff ................
0ab78fe0 00 00 00 00 00 00 00 ff-ff ff 00 00 00 00 00 00 ................
0ab78ff0 00 ff 00 00 00 ff 00 00-79 74 ae 38 4b 00 00 31 ........yt.8K..1
0ab79000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79080 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79090 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab790a0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab790b0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab790c0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab790d0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab790e0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab790f0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79100 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0ab79110 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:000> !heap -p -a 0ab790d0
address 0ab790d0 found in
_DPH_HEAP_ROOT @ 4d51000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
ac51b60: ab69000 10000 - ab68000 12000
546c9abc verifier!AVrfDebugPageHeapAllocate+0x0000023c
774dd1f6 ntdll!RtlDebugAllocateHeap+0x0000003c
77434b10 ntdll!RtlpAllocateHeap+0x000000f0
77432e9b ntdll!RtlpAllocateHeapInternal+0x0000027b
77432bfe ntdll!RtlAllocateHeap+0x0000002e
08bdc11f mso!Ordinal1743+0x00002efb
080e5676 mso!MsoPvAllocCore+0x00000036
311d8c87 wwlib!FMain+0x000046d0
311d89e3 wwlib!FMain+0x0000442c
311d4a53 wwlib!FMain+0x0000049c
*** ERROR: Symbol file could not be found. Defaulted to export symbols for winword.exe -
2f0415fb winword+0x000015fb
2f04156d winword+0x0000156d
773338f4 KERNEL32!BaseThreadInitThunk+0x00000024
77465663 ntdll!__RtlUserThreadStart+0x0000002f
7746562e ntdll!_RtlUserThreadStart+0x0000001b
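The C model below is an added illustration, not code from the page, from Word or from Microsoft. It reproduces the address arithmetic of the crashing function using the register values recorded in the disassembly comments, places the result against the DPH_HEAP_BLOCK reported by !heap -p -a, and shows the bounds check that would have rejected the read. The guard-page size and its position directly after the block are assumptions derived from the VirtAddr/VirtSize values above.

```c
#include <stdint.h>
#include <stdio.h>

/* Values taken from the WinDbg session above; the model itself is constructed. */
#define OBJ_BASE  0x0ab78e00u  /* esi: object whose table is indexed */
#define USER_ADDR 0x0ab69000u  /* DPH_HEAP_BLOCK UserAddr (!heap -p -a) */
#define USER_SIZE 0x10000u     /* DPH_HEAP_BLOCK UserSize */
#define PAGE_SIZE 0x1000u      /* assumed: full page heap puts one guard page after the block */

enum region { IN_BLOCK, IN_GUARD_PAGE, OUTSIDE };

/* Address computed by the crashing function:
   eax = base + index*stride (imul/add), then a byte read at [eax+edi*4+4]. */
static uint32_t faulting_address(uint32_t base, uint32_t index,
                                 uint32_t stride, uint32_t edi)
{
    uint32_t row = base + index * stride;
    return row + edi * 4u + 4u;
}

/* Where an address falls relative to the page-heap allocation. */
static enum region classify(uint32_t addr)
{
    uint32_t end = USER_ADDR + USER_SIZE;        /* 0x0ab79000 */
    if (addr >= USER_ADDR && addr < end)         return IN_BLOCK;
    if (addr >= end && addr < end + PAGE_SIZE)   return IN_GUARD_PAGE;
    return OUTSIDE;
}

/* The check the code lacks: allow the read only if the byte lies inside
   the block the object was allocated from. 64-bit math avoids wraparound. */
static int read_in_bounds(uint32_t base, uint32_t index,
                          uint32_t stride, uint32_t edi)
{
    uint64_t off = (uint64_t)index * stride + (uint64_t)edi * 4u + 4u;
    if (base < USER_ADDR || base >= USER_ADDR + USER_SIZE)
        return 0;
    return off < (uint64_t)(USER_ADDR + USER_SIZE - base);
}

int main(void)
{
    uint32_t addr = faulting_address(OBJ_BASE, 0x28, 0x0d, 0x31);
    printf("read at 0x%08x lands in %s\n", addr,
           classify(addr) == IN_GUARD_PAGE ? "the guard page" : "other memory");
    printf("bounds check %s the read\n",
           read_in_bounds(OBJ_BASE, 0x28, 0x0d, 0x31) ? "allows" : "rejects");
    return 0;
}
```

The object at esi sits in the last 0x200 bytes of the 0x10000-byte block (the byte at esi+1FFh is its final byte), so a row offset of 0x208 already crosses into the guard page, which is why full page heap trapped the read at 0x0ab790d0 instead of letting it silently return neighbouring heap data.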
Mitigation
All users of Microsoft Office 2007 are encouraged to upgrade to the latest version of this software. This issue is fixed in the defense-in-depth update. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature MS.Office.Word.Heap.Overflow. Additional information is available on Microsoft TechNet.