Threat Research

Patch Tuesday Part Deux: FortiGuard Labs Discloses Microsoft Excel Memory Corruption Vulnerability

By Kai Lu | December 08, 2015


Microsoft Patch Tuesday continues with another FortiGuard vulnerability disclosure, this time affecting Microsoft Excel. For a bit of background on Microsoft Office in general and Office 2007 in particular, check out today's first disclosure.

In this case, a memory corruption vulnerability has been discovered in Microsoft Excel 2007. The vulnerability exists due to an error while the vulnerable software attempts to open a specially crafted Excel file. As with the other disclosures today, this vulnerability could lead to remote code execution.


Based on our analysis, this is a memory corruption vulnerability. A comparison between a normal Excel file and the specially crafted PoC file is shown below.

Figure 1. The Normal Excel File vs The PoC File

From the above figure, we can see that only the byte at offset 0xF4E7 differs. If we then parse the file structures, the difference is visible from this viewpoint:

Figure 2. File Structure of The PoC File

Figure 3. Structure of The Normal Excel File

As Figure 2 shows, the two bytes |F7 FF| at offset 0xF4E7 in the PoC file are located in the Formula.val.fExprO structure. The definition of the Formula structure can be found in the online Microsoft documents below.
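To make the Formula.val.fExprO check concrete, here is an added example in Python (not code from the original post or from FortiGuard): it walks a BIFF record stream, locates Formula records (type 0x0006) and validates the 8-byte FormulaValue under the MS-XLS layout assumed here, where an fExprO of 0xFFFF marks a string/boolean/error/blank result whose first byte must be 0..3, and any other fExprO makes the eight bytes an IEEE double that must be finite. It assumes the Workbook stream has already been extracted from the compound file (for example with olefile), goes beyond the page's single case by checking both value forms, and its sample stream, record bodies and offsets are constructed for illustration.

```python
import math
import struct

FORMULA_RECORD = 0x0006    # BIFF record type of a Formula cell record
NON_NUMBER_MARK = 0xFFFF   # fExprO value that marks a non-numeric FormulaValue
NON_NUMBER_TYPES = {0: "string", 1: "boolean", 2: "error", 3: "blank string"}

def iter_records(stream):   # BIFF record = 2-byte type, 2-byte length, payload (little-endian)
    pos = 0
    while pos + 4 <= len(stream):
        rtype, length = struct.unpack_from("<HH", stream, pos)
        data = stream[pos + 4:pos + 4 + length]
        if len(data) < length:      # truncated trailing record: stop rather than misparse
            break
        yield rtype, data
        pos += 4 + length

def check_formula_value(val):
    """Return None if the 8-byte FormulaValue is well formed, else a description of the defect."""
    fexpro = struct.unpack_from("<H", val, 6)[0]
    if fexpro == NON_NUMBER_MARK:
        if val[0] not in NON_NUMBER_TYPES:
            return "fExprO=0xFFFF but byte1=0x%02X is not a valid value type" % val[0]
        return None
    # Any other fExprO means the 8 bytes are an IEEE double; NaN/Inf is never a real cell value.
    number = struct.unpack("<d", val)[0]
    if math.isnan(number) or math.isinf(number):
        return "fExprO=0x%04X makes the value a non-finite number (%r)" % (fexpro, number)
    return None

def scan_formula_records(stream):
    """Return (record_index, row, col, defect) for every malformed Formula record."""
    findings = []
    for index, (rtype, data) in enumerate(iter_records(stream)):
        if rtype != FORMULA_RECORD or len(data) < 14:
            continue
        row, col = struct.unpack_from("<HH", data, 0)   # cell.rw, cell.col; ixfe follows
        defect = check_formula_value(data[6:14])         # val sits right after the 6-byte cell
        if defect:
            findings.append((index, row, col, defect))
    return findings

def formula_record(row, col, val):   # synthetic record: ixfe/flags/chn zeroed, body is PtgInt 3
    rgce = b"\x1e\x03\x00"
    body = struct.pack("<HHH", row, col, 0) + val + struct.pack("<HIH", 0, 0, len(rgce)) + rgce
    return struct.pack("<HH", FORMULA_RECORD, len(body)) + body

# Constructed sample: a healthy record (value 3.0), then one whose val carries the PoC's bytes
# |34 08 73 00| with |F7 FF| in fExprO (only the FormulaValue is reproduced; the rest is synthetic).
SAMPLE_STREAM = (formula_record(0, 0, struct.pack("<d", 3.0))
                 + formula_record(1, 0, bytes.fromhex("340873000000f7ff")))
```

Running scan_formula_records(SAMPLE_STREAM) reports only the second record, because its fExprO of 0xFFF7 turns the value into a NaN rather than a valid number or a marked non-numeric result.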
The following is a deep analysis of this vulnerability with the debugger:
58dd77dd 8b4d08          mov     ecx,dword ptr [ebp+8]
58dd77e0 8b91ac000000    mov     edx,dword ptr [ecx+0ACh]
58dd77e6 83e210          and     edx,10h
58dd77e9 0f85e2000000    jne     verifier!AVrfpDphFindBusyMemoryNoCheck+0x171 (58dd78d1)
58dd77ef 8b450c          mov     eax,dword ptr [ebp+0Ch]
//eax is 0x00730834; it comes from the four bytes |34 08 73 00| at offset 0xF4E3 in the PoC file.
58dd77f2 83e820          sub     eax,20h                    //eax is 0x00730814
58dd77f5 8945dc          mov     dword ptr [ebp-24h],eax
58dd77f8 8b4d0c          mov     ecx,dword ptr [ebp+0Ch]
58dd77fb 83e928          sub     ecx,28h
58dd77fe 81e100f0ffff    and     ecx,0FFFFF000h
58dd7804 894de0          mov     dword ptr [ebp-20h],ecx
58dd7807 c745fc00000000  mov     dword ptr [ebp-4],0
58dd780e c745c400000000  mov     dword ptr [ebp-3Ch],0
58dd7815 8b55dc          mov     edx,dword ptr [ebp-24h]       //edx is 0x00730814
58dd7818 813abbbbcdab    cmp     dword ptr [edx],0ABCDBBBBh ds:002b:00730814=????????
//crash occurs here
58dd781e 7530            jne     verifier!AVrfpDphFindBusyMemoryNoCheck+0xf0 (58dd7850)
58dd7820 8b45dc          mov     eax,dword ptr [ebp-24h]             
58dd7823 81781cbbbbbadc  cmp     dword ptr [eax+1Ch],0DCBABBBBh
58dd782a 7524            jne     verifier!AVrfpDphFindBusyMemoryNoCheck+0xf0 (58dd7850)
58dd782c 8b4de0          mov     ecx,dword ptr [ebp-20h]
58dd782f 8139eeeeeeee    cmp     dword ptr [ecx],0EEEEEEEEh
0:004> dd ebp+0c
0aacf5cc  00730834 00000000 04d416cc 0aacf5e4
0aacf5dc  58dd6d92 04d416cc 0aacf600 58dd7bc0
0aacf5ec  04d41000 00730834 0aacf66c 58df8220
0aacf5fc  b467b831 0aacf61c 58dd9ca0 04d41000
0aacf60c  00730834 00000000 04d41000 00000000
0aacf61c  0aacf67c 773382c0 04d40000 01000002
0aacf62c  00730834 8a48162e 04d40000 00000004
0aacf63c  00000000 00000000 04d40000 00000000
0:004> dd 00730834-20
00730814  ???????? ???????? ???????? ????????
00730824  ???????? ???????? ???????? ????????
00730834  ???????? ???????? ???????? ????????
00730844  ???????? ???????? ???????? ????????
00730854  ???????? ???????? ???????? ????????
00730864  ???????? ???????? ???????? ????????
00730874  ???????? ???????? ???????? ????????
00730884  ???????? ???????? ???????? ????????
0:004> kb
 # ChildEBP RetAddr  Args to Child              
00 0aacf5c0 58dd7935 04d41000 00730834 00000000 verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8
01 0aacf5e4 58dd7bc0 04d41000 00730834 0aacf66c verifier!AVrfpDphFindBusyMemory+0x15
02 0aacf600 58dd9ca0 04d41000 00730834 00000000 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
03 0aacf61c 773382c0 04d40000 01000002 00730834 verifier!AVrfDebugPageHeapFree+0x90
04 0aacf67c 772eaa8f 00730834 8a4817da 04d40000 ntdll!RtlDebugFreeHeap+0x3c
05 0aacf788 772dc650 00000000 00730834 0a91c978 ntdll!RtlpFreeHeap+0x4de9f
06 0aacf7bc 7729c72c 00000000 0aacf7dc 32fdb5cd ntdll!RtlpFreeHeapInternal+0x27e
07 0aacf7c8 32fdb5cd 04d40000 00000000 00730834 ntdll!RtlFreeHeap+0x2c
WARNING: Stack unwind information not available. Following frames may be wrong.
08 0aacf7dc 324eb580 00730834 ffffffff 300a07d3 mso!Ordinal1743+0x2e79
09 0aacfbc4 2f4f743b 0a91c958 301508d0 0a91c978 mso!MsoFreePv+0x3a
0a 0aacfbf0 2f4f73ae 2f4f73a2 0aacfc10 76cb3744 Excel!Ordinal40+0x23743b
0b 0aacfbfc 76cb3744 0a91c958 76cb3720 e0cb65b6 Excel!Ordinal40+0x2373ae
0c 0aacfc10 772ba064 0a91c958 8a481c0a 00000000 KERNEL32!BaseThreadInitThunk+0x24
0d 0aacfc58 772ba02f ffffffff 772dd7da 00000000 ntdll!__RtlUserThreadStart+0x2f
0e 0aacfc68 00000000 2f4f73a2 0a91c958 00000000 ntdll!_RtlUserThreadStart+0x1b

From the above analysis, the address 0x00730834 handed to the heap free routine does not point to a valid heap allocation: the verifier subtracts 0x20 and tries to read a block signature at 0x00730814, which is unmapped (shown as ????????), so the free crashes. Because the memory address to be freed is controlled by file content, memory at an arbitrary address can be freed and data at arbitrary addresses read, potentially leading to arbitrary code execution.

We can modify these four bytes at offset 0xF4E3 as shown below:

Figure 4. Another PoC File

The crash information then becomes:
(1c34.54b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414121 ebx=00000000 ecx=41414000 edx=41414121 esi=58dd9c10 edi=00000000
eip=58dd7818 esp=0b2cf78c ebp=0b2cf7d8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
58dd7818 813abbbbcdab    cmp     dword ptr [edx],0ABCDBBBBh ds:002b:41414121=????????
0:004> dd edx
41414121  ???????? ???????? ???????? ????????
41414131  ???????? ???????? ???????? ????????
41414141  ???????? ???????? ???????? ????????
41414151  ???????? ???????? ???????? ????????
41414161  ???????? ???????? ???????? ????????
41414171  ???????? ???????? ???????? ????????
41414181  ???????? ???????? ???????? ????????
41414191  ???????? ???????? ???????? ????????
0:004> kb
 # ChildEBP RetAddr  Args to Child              
00 0b2cf7d8 58dd7935 046d1000 41414141 00000000 verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8
01 0b2cf7fc 58dd7bc0 046d1000 41414141 0b2cf884 verifier!AVrfpDphFindBusyMemory+0x15
02 0b2cf818 58dd9ca0 046d1000 41414141 70832348 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
03 0b2cf834 773382c0 046d0000 01000002 41414141 verifier!AVrfDebugPageHeapFree+0x90
04 0b2cf894 772eaa8f 41414141 4f2f0240 046d0000 ntdll!RtlDebugFreeHeap+0x3c
05 0b2cf9a0 772dc650 00000000 41414141 0b0fe978 ntdll!RtlpFreeHeap+0x4de9f
06 0b2cf9d4 7729c72c 00000000 0b2cf9f8 0b2cf9f8 ntdll!RtlpFreeHeapInternal+0x27e
07 0b2cf9e4 32fdb5cd 046d0000 00000000 41414141 ntdll!RtlFreeHeap+0x2c
WARNING: Stack unwind information not available. Following frames may be wrong.
08 0b2cf9f8 324eb580 41414141 ffffffff 300a07d3 mso!Ordinal1743+0x2e79
09 0b2cfde0 2f4f743b 0b0fe958 301508d0 0b0fe978 mso!MsoFreePv+0x3a
0a 0b2cfe0c 2f4f73ae 2f4f73a2 0b2cfe2c 76cb3744 Excel!Ordinal40+0x23743b
0b 0b2cfe18 76cb3744 0b0fe958 76cb3720 391815db Excel!Ordinal40+0x2373ae
0c 0b2cfe2c 772ba064 0b0fe958 4f2f0594 00000000 KERNEL32!BaseThreadInitThunk+0x24
0d 0b2cfe74 772ba02f ffffffff 772dd7ec 00000000 ntdll!__RtlUserThreadStart+0x2f
0e 0b2cfe84 00000000 2f4f73a2 0b0fe958 00000000 ntdll!_RtlUserThreadStart+0x1b

Because the memory address to be freed is under the attacker's control, memory at an arbitrary address can be freed and data at arbitrary addresses read. An attacker can leverage this behavior to control the flow of execution.


All users of Microsoft Office 2007 are encouraged to upgrade to the latest version of this software. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature MS.Excel.Execution.Path.Parsing.Code.Execution. Additional information can be found at and