Threat Research
It's Patch Tuesday - FortiGuard Labs Discloses a Microsoft Word Heap Overflow Vulnerability
Overview
Microsoft Office is the most popular productivity suite in the world, first released by the Redmond software giant in 1988. Microsoft releases updates and patches for its software, including Office, on what is now commonly known as Patch Tuesday (the second and sometimes the fourth Tuesday of each month). Today, Patch Tuesday includes not one, not two, but three vulnerabilities discovered by researchers at FortiGuard Labs. The first is a heap overflow vulnerability Microsoft Word 2007. Although it was released eight years ago, Office 2007 remains widely used and falls under Microsoft's Extended Support until April 2017. This particular vulnerability could lead to remote code execution.
Analysis
The vulnerability exists due to an error when the vulnerable software attempts to open a specially crafted Word file. Let’s look into the specially crafted Word file first that can cause the heap overflow.
Compared with a normal Word file, our PoC file has three differences at offsets 0x6dff, 0x2200d, and 0x22e0b respectively. The comparison between the normal Word file and the PoC file is shown below.
Figure 1. The Normal Word File vs The PoC File at Offset 0x6dff
Figure 2. The Normal Word File vs The PoC File at Offset 0x2200d
Figure 3. The Normal Word File vs The PoC File at Offset 0x22e0b
When we use the Microsoft Office file parser OffVis (it can be downloaded from http://blogs.technet.com/b/srd/archive/2009/07/31/announcing-offvis.aspx) to parse the PoC file, we can see that the relevant stuctures are identified as
WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[24].byLength,
WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[217].rgfc[3] and
WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[223].rgfc[2] respectively. See figures 4, 5, and 6 below:
Figure 4. Structure of WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[24].byLength
Figure 5. Structure of WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[217].rgfc[3]
Figure 6. Structure of WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[223].rgfc[2]
The definitions of PapxFkp and BxPap structures are available in online Microsoft documentation. Follow the links to view the structures.
From the above definitions, we can see the length of the BxPap structure is 0x0d bytes. As shown in Figure 1 and Figure 4, WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[24].byLength is set to 0x31 in the PoC file. These values are used to calculate memory addresses. Based on our analysis, the following is the vulnerable function which is used to read BxPap.bOffset in the PapxPkp structure. The access violation occurs in this function.
Figure 7. Assembly Code of The Function Sub_31229192
The debug information from the debugger WinDbg is shown below:
31229192 55 push ebp31229193 8bec mov ebp,esp31229195 56 push esi31229196 57 push edi31229197 8bf1 mov esi,ecx // ecx is 0x0ab78e00 31229199 0fb6beff010000 movzx edi,byte ptr [esi+1FFh] // [esi+1FFh] is 0x31312291a0 52 push edx312291a1 8bd7 mov edx,edi312291a3 e867c7fcff call wwlib!FMain+0x21358 (311f590f)312291a8 8b4d10 mov ecx,dword ptr [ebp+10h] // here eax is 0x28312291ab 8b5508 mov edx,dword ptr [ebp+8]312291ae 8901 mov dword ptr [ecx],eax312291b0 8b0c86 mov ecx,dword ptr [esi+eax*4]312291b3 890a mov dword ptr [edx],ecx312291b5 8b4c8604 mov ecx,dword ptr [esi+eax*4+4]312291b9 0faf4514 imul eax,dword ptr [ebp+14h] //[ebp+14h] is 0x0d, eax is 0x28*0x0d(0x208)312291bd 8b550c mov edx,dword ptr [ebp+0Ch]312291c0 03c6 add eax,esi //eax is 0x0ab78e00+0x208=0x0ab79008, it points to an invalid heap memory312291c2 890a mov dword ptr [edx],ecx312291c4 0fb644b804 movzx eax,byte ptr [eax+edi*4+4] ds:002b:0ab790d0=?? // crash occurs here312291c9 5f pop edi312291ca 03c0 add eax,eax312291cc 5e pop esi312291cd 5d pop ebp312291ce c21000 ret 10h312291d1 55 push ebp312291d2 8bec mov ebp,esp312291d4 56 push esi312291d5 ff7508 push dword ptr [ebp+8]312291d8 8bf1 mov esi,ecx312291da e831000000 call wwlib!FMain+0x54c59 (31229210)312291df c706f0912231 mov dword ptr [esi],offset wwlib!FMain+0x54c39 (312291f0)312291e5 8bc6 mov eax,esi312291e7 5e pop esi312291e8 5d pop ebp312291e9 c20400 ret 40:000> db esi L200+1200ab78e00 ba 0d 00 00 bc 0d 00 00-1a 00 00 00 00 00 00 00 ................0ab78e10 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................0ab78e20 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................0ab78e30 00 00 00 00 e5 00 00 6b-64 5c 13 00 00 16 24 01 .......kd\....$.0ab78e40 17 24 01 49 66 01 00 00-00 02 96 1c 00 03 34 01 .$.If.........4.0ab78e50 07 94 20 01 08 d6 88 00-06 00 00 0f 01 eb 0b 3f .. ............?0ab78e60 13 4c 1d 55 23 6c 28 a0-06 0f 01 00 00 00 00 04 .L.U#l(.........0ab78e70 03 00 00 00 00 00 00 04-01 01 00 a0 06 dc 0a 00 ................0ab78e80 00 00 00 04 01 01 00 04-01 01 00 04 01 01 00 80 ................0ab78e90 06 54 07 04 01 00 00 ff-ff ff ff 04 01 01 00 04 .T..............0ab78ea0 01 01 00 80 06 0d 0a 04-01 00 00 ff ff ff ff 04 ................0ab78eb0 01 01 00 04 01 01 00 a0-06 09 06 00 00 00 00 ff ................0ab78ec0 ff ff ff 04 01 01 00 04-01 01 00 a0 06 17 05 00 ................0ab78ed0 00 00 00 ff ff ff ff 00-00 00 00 04 03 00 00 09 ................0ab78ee0 d6 0a 00 00 e0 00 e0 00-e0 00 e0 00 0a 74 00 00 .............t..0ab78ef0 a0 04 12 d6 32 00 00 00-ff 00 00 00 ff 00 00 00 ....2...........0ab78f00 00 00 ff ff ff 00 00 00-00 00 00 00 ff ff ff 00 ................0ab78f10 00 00 00 00 00 00 ff ff-ff 00 00 00 00 00 00 00 ................0ab78f20 ff ff ff 00 00 00 00 14-f6 03 f5 29 17 f6 03 00 ...........)....0ab78f30 00 18 f6 03 89 01 1a d6-18 00 00 00 ff 00 00 00 ................0ab78f40 ff 00 00 00 ff 00 00 00-ff 00 00 00 ff 00 00 00 ................0ab78f50 ff 1b d6 18 00 00 00 ff-00 00 00 00 ff ff ff ff ................0ab78f60 ff ff ff ff ff ff ff ff-ff ff ff ff 1c d6 18 00 ................0ab78f70 00 00 ff 00 00 00 00 00-00 00 00 00 00 00 00 00 ................0ab78f80 00 00 00 00 00 00 ff 1d-d6 18 00 00 00 00 00 00 ................0ab78f90 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................0ab78fa0 00 ff 34 d6 06 00 01 05-03 00 00 34 d6 06 00 01 ..4........4....0ab78fb0 0a 03 1c 00 61 f6 03 1c-00 70 d6 3c ff ff ff ff ....a....p.<....0ab78fc0 ff ff ff ff ff ff 00 00-00 ff ff ff 00 00 00 00 ................0ab78fd0 00 00 00 ff ff ff 00 00-00 00 00 00 00 ff ff ff ................0ab78fe0 00 00 00 00 00 00 00 ff-ff ff 00 00 00 00 00 00 ................0ab78ff0 00 ff 00 00 00 ff 00 00-79 74 ae 38 4b 00 00 31 ........yt.8K..10ab79000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79080 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79090 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab790a0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab790b0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab790c0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab790d0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab790e0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab790f0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79100 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0ab79110 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0:000> !heap -p -a 0ab790d0 address 0ab790d0 found in _DPH_HEAP_ROOT @ 4d51000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) ac51b60: ab69000 10000 - ab68000 12000 546c9abc verifier!AVrfDebugPageHeapAllocate+0x0000023c 774dd1f6 ntdll!RtlDebugAllocateHeap+0x0000003c 77434b10 ntdll!RtlpAllocateHeap+0x000000f0 77432e9b ntdll!RtlpAllocateHeapInternal+0x0000027b 77432bfe ntdll!RtlAllocateHeap+0x0000002e 08bdc11f mso!Ordinal1743+0x00002efb 080e5676 mso!MsoPvAllocCore+0x00000036 311d8c87 wwlib!FMain+0x000046d0 311d89e3 wwlib!FMain+0x0000442c 311d4a53 wwlib!FMain+0x0000049c*** ERROR: Symbol file could not be found. Defaulted to export symbols for winword.exe - 2f0415fb winword+0x000015fb 2f04156d winword+0x0000156d 773338f4 KERNEL32!BaseThreadInitThunk+0x00000024 77465663 ntdll!__RtlUserThreadStart+0x0000002f 7746562e ntdll!_RtlUserThreadStart+0x0000001bFrom the above analysis, the memory from 0x0ab78e00 to 0x0ab78fff stores the WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[24]. Because byLength is changed to a large value, the function tries to access data at the memory address 0x0ab79008 which is an invalid heap memory. When Word parses this structure, it causes a heap overflow. This heap overflow can potentially be exploited for remote code execution.
Mitigation
All users of Microsoft Office 2007 are encouraged to upgrade to the latest version of this software. This issue is fixed in the defense-in-depth update. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature MS.Office.Word.Heap.Overflow. Additional information is available on Microsoft TechNet.
