It's Patch Tuesday - FortiGuard Labs Discloses a Microsoft Word Heap Overflow Vulnerability

By Kai Lu | December 08, 2015

Overview

Microsoft Office is the most popular productivity suite in the world, first released by the Redmond software giant in 1988. Microsoft releases updates and patches for its software, including Office, on what is now commonly known as Patch Tuesday (the second and sometimes the fourth Tuesday of each month). Today, Patch Tuesday includes not one, not two, but three vulnerabilities discovered by researchers at FortiGuard Labs. The first is a heap overflow vulnerability in Microsoft Word 2007. Although it was released eight years ago, Office 2007 remains widely used and falls under Microsoft's Extended Support until April 2017. This particular vulnerability could lead to remote code execution.

Analysis

The vulnerability is triggered when the vulnerable software attempts to open a specially crafted Word file. We first look at the crafted Word file itself, since that is what causes the heap overflow.

Compared with a normal Word file, our PoC file has three differences, at offsets 0x6dff, 0x2200d, and 0x22e0b respectively. The comparison between the normal Word file and the PoC file is shown below.
 
Figure 1. The Normal Word File vs The PoC File at Offset 0x6dff
 
Figure 2. The Normal Word File vs The PoC File at Offset 0x2200d
 
Figure 3. The Normal Word File vs The PoC File at Offset 0x22e0b
 
When we use the Microsoft Office file parser OffVis (it can be downloaded from http://blogs.technet.com/b/srd/archive/2009/07/31/announcing-offvis.aspx) to parse the PoC file, we can see that the relevant structures are identified as
WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[24].byLength, 
WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[217].rgfc[3] and 
WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[223].rgfc[2] respectively. See figures 4, 5, and 6 below:
 
Figure 4. Structure of WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[24].byLength
 
Figure 5. Structure of WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[217].rgfc[3]
 
Figure 6. Structure of WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[223].rgfc[2]
 
The definitions of PapxFkp and BxPap structures are available in online Microsoft documentation. Follow the links to view the structures.
 
From the above definitions, we can see that the length of the BxPap structure is 0x0d bytes. As shown in Figure 1 and Figure 4, WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[24].byLength is set to 0x31 in the PoC file. These values are used to calculate memory addresses. Based on our analysis, the following is the vulnerable function, which reads BxPap.bOffset from the PapxFkp structure. The access violation occurs in this function.
 
Figure 7. Assembly Code of The Function Sub_31229192
 

The debug information from the debugger WinDbg is shown below:

31229192 55              push    ebp
31229193 8bec          mov     ebp,esp
31229195 56              push    esi
31229196 57              push    edi
31229197 8bf1            mov     esi,ecx                       // ecx is 0x0ab78e00 
31229199 0fb6beff010000  movzx   edi,byte ptr [esi+1FFh]       // [esi+1FFh] is 0x31
312291a0 52              push    edx
312291a1 8bd7            mov     edx,edi
312291a3 e867c7fcff      call    wwlib!FMain+0x21358 (311f590f)
312291a8 8b4d10          mov     ecx,dword ptr [ebp+10h]       // here eax is 0x28
312291ab 8b5508          mov     edx,dword ptr [ebp+8]
312291ae 8901            mov     dword ptr [ecx],eax
312291b0 8b0c86          mov     ecx,dword ptr [esi+eax*4]
312291b3 890a            mov     dword ptr [edx],ecx
312291b5 8b4c8604        mov     ecx,dword ptr [esi+eax*4+4]
312291b9 0faf4514        imul    eax,dword ptr [ebp+14h]   //[ebp+14h] is 0x0d, eax is 0x28*0x0d(0x208)
312291bd 8b550c          mov     edx,dword ptr [ebp+0Ch]
312291c0 03c6            add     eax,esi                       // eax is 0x0ab78e00+0x208=0x0ab79008, it points to invalid heap memory
312291c2 890a            mov     dword ptr [edx],ecx
312291c4 0fb644b804      movzx   eax,byte ptr [eax+edi*4+4] ds:002b:0ab790d0=?? // crash occurs here
312291c9 5f              pop     edi
312291ca 03c0            add     eax,eax
312291cc 5e              pop     esi
312291cd 5d              pop     ebp
312291ce c21000          ret     10h
312291d1 55              push    ebp
312291d2 8bec            mov     ebp,esp
312291d4 56              push    esi
312291d5 ff7508          push    dword ptr [ebp+8]
312291d8 8bf1            mov     esi,ecx
312291da e831000000      call    wwlib!FMain+0x54c59 (31229210)
312291df c706f0912231    mov     dword ptr [esi],offset wwlib!FMain+0x54c39 (312291f0)
312291e5 8bc6            mov     eax,esi
312291e7 5e              pop     esi
312291e8 5d              pop     ebp
312291e9 c20400          ret     4
 
0:000> db esi L200+120
0ab78e00  ba 0d 00 00 bc 0d 00 00-1a 00 00 00 00 00 00 00  ................
0ab78e10  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0ab78e20  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0ab78e30  00 00 00 00 e5 00 00 6b-64 5c 13 00 00 16 24 01  .......kd\....$.
0ab78e40  17 24 01 49 66 01 00 00-00 02 96 1c 00 03 34 01  .$.If.........4.
0ab78e50  07 94 20 01 08 d6 88 00-06 00 00 0f 01 eb 0b 3f  .. ............?
0ab78e60  13 4c 1d 55 23 6c 28 a0-06 0f 01 00 00 00 00 04  .L.U#l(.........
0ab78e70  03 00 00 00 00 00 00 04-01 01 00 a0 06 dc 0a 00  ................
0ab78e80  00 00 00 04 01 01 00 04-01 01 00 04 01 01 00 80  ................
0ab78e90  06 54 07 04 01 00 00 ff-ff ff ff 04 01 01 00 04  .T..............
0ab78ea0  01 01 00 80 06 0d 0a 04-01 00 00 ff ff ff ff 04  ................
0ab78eb0  01 01 00 04 01 01 00 a0-06 09 06 00 00 00 00 ff  ................
0ab78ec0  ff ff ff 04 01 01 00 04-01 01 00 a0 06 17 05 00  ................
0ab78ed0  00 00 00 ff ff ff ff 00-00 00 00 04 03 00 00 09  ................
0ab78ee0  d6 0a 00 00 e0 00 e0 00-e0 00 e0 00 0a 74 00 00  .............t..
0ab78ef0  a0 04 12 d6 32 00 00 00-ff 00 00 00 ff 00 00 00  ....2...........
0ab78f00  00 00 ff ff ff 00 00 00-00 00 00 00 ff ff ff 00  ................
0ab78f10  00 00 00 00 00 00 ff ff-ff 00 00 00 00 00 00 00  ................
0ab78f20  ff ff ff 00 00 00 00 14-f6 03 f5 29 17 f6 03 00  ...........)....
0ab78f30  00 18 f6 03 89 01 1a d6-18 00 00 00 ff 00 00 00  ................
0ab78f40  ff 00 00 00 ff 00 00 00-ff 00 00 00 ff 00 00 00  ................
0ab78f50  ff 1b d6 18 00 00 00 ff-00 00 00 00 ff ff ff ff  ................
0ab78f60  ff ff ff ff ff ff ff ff-ff ff ff ff 1c d6 18 00  ................
0ab78f70  00 00 ff 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0ab78f80  00 00 00 00 00 00 ff 1d-d6 18 00 00 00 00 00 00  ................
0ab78f90  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
0ab78fa0  00 ff 34 d6 06 00 01 05-03 00 00 34 d6 06 00 01  ..4........4....
0ab78fb0  0a 03 1c 00 61 f6 03 1c-00 70 d6 3c ff ff ff ff  ....a....p.<....
0ab78fc0  ff ff ff ff ff ff 00 00-00 ff ff ff 00 00 00 00  ................
0ab78fd0  00 00 00 ff ff ff 00 00-00 00 00 00 00 ff ff ff  ................
0ab78fe0  00 00 00 00 00 00 00 ff-ff ff 00 00 00 00 00 00  ................
0ab78ff0  00 ff 00 00 00 ff 00 00-79 74 ae 38 4b 00 00 31  ........yt.8K..1
0ab79000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79080  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79090  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab790a0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab790b0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab790c0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab790d0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab790e0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab790f0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79100  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0ab79110  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
 
0:000> !heap -p -a 0ab790d0
    address 0ab790d0 found in
    _DPH_HEAP_ROOT @ 4d51000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                  ac51b60:          ab69000     10000 -          ab68000  12000
    546c9abc verifier!AVrfDebugPageHeapAllocate+0x0000023c
    774dd1f6 ntdll!RtlDebugAllocateHeap+0x0000003c
    77434b10 ntdll!RtlpAllocateHeap+0x000000f0
    77432e9b ntdll!RtlpAllocateHeapInternal+0x0000027b
    77432bfe ntdll!RtlAllocateHeap+0x0000002e
    08bdc11f mso!Ordinal1743+0x00002efb
    080e5676 mso!MsoPvAllocCore+0x00000036
    311d8c87 wwlib!FMain+0x000046d0
    311d89e3 wwlib!FMain+0x0000442c
    311d4a53 wwlib!FMain+0x0000049c
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for winword.exe - 
    2f0415fb winword+0x000015fb
    2f04156d winword+0x0000156d
    773338f4 KERNEL32!BaseThreadInitThunk+0x00000024
    77465663 ntdll!__RtlUserThreadStart+0x0000002f
    7746562e ntdll!_RtlUserThreadStart+0x0000001b
 
From the above analysis, the memory from 0x0ab78e00 to 0x0ab78fff stores WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[574].PAPXFKP[24]. Because byLength has been changed to a large value, the function tries to access data at the memory address 0x0ab79008, which is invalid heap memory. When Word parses this structure, it causes a heap overflow. This heap overflow can potentially be exploited for remote code execution.
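The address arithmetic in the disassembly above (base + index*0x0d + byLength*4 + 4) is exactly the offset of rgbx[index].bOffset inside a PapxFkp page, and the crash happens because nothing checks that the rgfc and rgbx arrays implied by byLength still fit inside the 512-byte page. The following added example (not code from the post or from Microsoft) is a small defensive parser for that page layout, written against the structure definitions the post refers to: rgfc is an array of byLength+1 four-byte FCs, rgbx is an array of byLength thirteen-byte BxPap entries, and byLength (crun/cpara in the Microsoft documentation) is the last byte of the page. It derives the largest byLength that can fit, rejects pages that exceed it, and reproduces the post's numbers to show that byLength=0x31 with run index 0x28 lands at page offset 0x2d0, past the 0x200-byte page. The sample pages it parses are constructed inline; the helper names are the example's own.

```python
import struct

# Assumed PapxFkp layout, per the Microsoft structure definitions the post links to:
#   rgfc[crun + 1]  4-byte FCs at offset 0
#   rgbx[crun]      13-byte BxPap entries immediately after rgfc
#   padding / PAPX data
#   crun            last byte of the 512-byte page (OffVis labels it "byLength")
FKP_SIZE = 0x200
FC_SIZE = 4
BXPAP_SIZE = 0x0D            # BxPap = bOffset (1 byte) + PHE (12 bytes)
CRUN_OFFSET = FKP_SIZE - 1

# Both arrays must end before the crun byte:
#   FC_SIZE * (crun + 1) + BXPAP_SIZE * crun <= CRUN_OFFSET   =>   crun <= 29 (0x1d)
MAX_CRUN = (CRUN_OFFSET - FC_SIZE) // (FC_SIZE + BXPAP_SIZE)


def bxpap_offset(crun, index):
    """Page-relative offset of rgbx[index].bOffset.

    Same arithmetic as the crashing function: index*0x0d + crun*4 + 4.
    """
    return FC_SIZE * (crun + 1) + BXPAP_SIZE * index


def crash_offset_example():
    """The post's values: byLength 0x31 and run index 0x28 (eax after the call)."""
    return bxpap_offset(0x31, 0x28)       # 0x2d0, beyond the 0x200-byte page


def parse_papx_fkp(page):
    """Parse one PapxFkp page, refusing layouts that cannot fit in 512 bytes.

    Returns a list of (fc_start, fc_end, papx_offset) tuples; papx_offset is
    None when bOffset is 0 (the run uses default paragraph properties).
    """
    if len(page) != FKP_SIZE:
        raise ValueError("PapxFkp must be exactly 0x200 bytes")
    crun = page[CRUN_OFFSET]
    # This is the check the vulnerable function lacks: a crun above MAX_CRUN
    # puts part of rgbx outside the page, so every rgbx access is an overflow.
    if crun == 0 or crun > MAX_CRUN:
        raise ValueError("crun=0x%02x out of range (max 0x%02x): rgbx would "
                         "extend past the page" % (crun, MAX_CRUN))
    rgfc = struct.unpack_from("<%dI" % (crun + 1), page, 0)
    runs = []
    for i in range(crun):
        off = bxpap_offset(crun, i)
        if off + BXPAP_SIZE > CRUN_OFFSET:        # implied by the crun check; kept explicit
            raise ValueError("rgbx[%d] at 0x%x overruns the page" % (i, off))
        if rgfc[i + 1] < rgfc[i]:
            raise ValueError("rgfc is not non-decreasing at index %d" % i)
        b_offset = page[off]
        papx_offset = None
        if b_offset:
            papx_offset = b_offset * 2            # bOffset counts 16-bit words
            if papx_offset >= CRUN_OFFSET:
                raise ValueError("rgbx[%d].bOffset points outside the page" % i)
        runs.append((rgfc[i], rgfc[i + 1], papx_offset))
    return runs


def build_fkp(rgfc, b_offsets):
    """Construct a sample PapxFkp page for testing (synthetic data, not a real file)."""
    crun = len(b_offsets)
    if len(rgfc) != crun + 1:
        raise ValueError("rgfc needs crun + 1 entries")
    page = bytearray(FKP_SIZE)
    struct.pack_into("<%dI" % (crun + 1), page, 0, *rgfc)
    for i, b in enumerate(b_offsets):
        page[bxpap_offset(crun, i)] = b
    page[CRUN_OFFSET] = crun
    return bytes(page)


if __name__ == "__main__":
    good = build_fkp([0x400, 0x410, 0x420], [0xF0, 0x00])   # constructed, 2 runs
    print("valid page:", parse_papx_fkp(good))
    bad = bytearray(good)
    bad[CRUN_OFFSET] = 0x31                                 # the PoC's byLength
    try:
        parse_papx_fkp(bytes(bad))
    except ValueError as err:
        print("rejected:", err)
    print("PoC arithmetic lands at page offset 0x%x" % crash_offset_example())
```

The derived bound of 0x1d is the same cap that Microsoft's structure definition places on the run count, so a parser that enforces it rejects the PoC before any address is computed. The same check, applied to every variable-length count read from an untrusted file before it drives pointer arithmetic, is the general pattern that prevents this class of heap overflow.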

Mitigation

All users of Microsoft Office 2007 are encouraged to upgrade to the latest version of this software. This issue is fixed in the defense-in-depth update. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature MS.Office.Word.Heap.Overflow. Additional information is available on Microsoft TechNet.
