Overview
Microsoft Patch Tuesday continues with another FortiGuard vulnerability disclosure, this time affecting Microsoft Excel. For a bit of background on Microsoft Office in general and Office 2007 in particular, check out today's first disclosure.
In this case, a memory corruption vulnerability has been discovered in Microsoft Excel 2007. The vulnerability exists due to an error while the vulnerable software attempts to open a specially crafted Excel file. As with the other disclosures today, this vulnerability could lead to remote code execution.
Analysis
Based on our analysis, this is a memory corruption vulnerability. A comparison between a normal Excel file and the specially crafted PoC file is shown in Figure 1 below.
Figure 1. The Normal Excel File vs The PoC File
58dd77dd 8b4d08 mov ecx,dword ptr [ebp+8]
58dd77e0 8b91ac000000 mov edx,dword ptr [ecx+0ACh]
58dd77e6 83e210 and edx,10h
58dd77e9 0f85e2000000 jne verifier!AVrfpDphFindBusyMemoryNoCheck+0x171 (58dd78d1)
58dd77ef 8b450c mov eax,dword ptr [ebp+0Ch]
// eax is 0x00730834; it comes from the four little-endian bytes |34 08 73 00| at offset 0xF4E3 in the PoC file.
58dd77f2 83e820 sub eax,20h //eax is 0x00730814
58dd77f5 8945dc mov dword ptr [ebp-24h],eax
58dd77f8 8b4d0c mov ecx,dword ptr [ebp+0Ch]
58dd77fb 83e928 sub ecx,28h
58dd77fe 81e100f0ffff and ecx,0FFFFF000h
58dd7804 894de0 mov dword ptr [ebp-20h],ecx
58dd7807 c745fc00000000 mov dword ptr [ebp-4],0
58dd780e c745c400000000 mov dword ptr [ebp-3Ch],0
58dd7815 8b55dc mov edx,dword ptr [ebp-24h] //edx is 0x00730814
58dd7818 813abbbbcdab cmp dword ptr [edx],0ABCDBBBBh ds:002b:00730814=????????
// crash occurs here
58dd781e 7530 jne verifier!AVrfpDphFindBusyMemoryNoCheck+0xf0 (58dd7850)
58dd7820 8b45dc mov eax,dword ptr [ebp-24h]
58dd7823 81781cbbbbbadc cmp dword ptr [eax+1Ch],0DCBABBBBh
58dd782a 7524 jne verifier!AVrfpDphFindBusyMemoryNoCheck+0xf0 (58dd7850)
58dd782c 8b4de0 mov ecx,dword ptr [ebp-20h]
58dd782f 8139eeeeeeee cmp dword ptr [ecx],0EEEEEEEEh
0:004> dd ebp+0c
0aacf5cc 00730834 00000000 04d416cc 0aacf5e4
0aacf5dc 58dd6d92 04d416cc 0aacf600 58dd7bc0
0aacf5ec 04d41000 00730834 0aacf66c 58df8220
0aacf5fc b467b831 0aacf61c 58dd9ca0 04d41000
0aacf60c 00730834 00000000 04d41000 00000000
0aacf61c 0aacf67c 773382c0 04d40000 01000002
0aacf62c 00730834 8a48162e 04d40000 00000004
0aacf63c 00000000 00000000 04d40000 00000000
0:004> dd 00730834-20
00730814 ???????? ???????? ???????? ????????
00730824 ???????? ???????? ???????? ????????
00730834 ???????? ???????? ???????? ????????
00730844 ???????? ???????? ???????? ????????
00730854 ???????? ???????? ???????? ????????
00730864 ???????? ???????? ???????? ????????
00730874 ???????? ???????? ???????? ????????
00730884 ???????? ???????? ???????? ????????
0:004> kb
# ChildEBP RetAddr Args to Child
00 0aacf5c0 58dd7935 04d41000 00730834 00000000 verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8
01 0aacf5e4 58dd7bc0 04d41000 00730834 0aacf66c verifier!AVrfpDphFindBusyMemory+0x15
02 0aacf600 58dd9ca0 04d41000 00730834 00000000 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
03 0aacf61c 773382c0 04d40000 01000002 00730834 verifier!AVrfDebugPageHeapFree+0x90
04 0aacf67c 772eaa8f 00730834 8a4817da 04d40000 ntdll!RtlDebugFreeHeap+0x3c
05 0aacf788 772dc650 00000000 00730834 0a91c978 ntdll!RtlpFreeHeap+0x4de9f
06 0aacf7bc 7729c72c 00000000 0aacf7dc 32fdb5cd ntdll!RtlpFreeHeapInternal+0x27e
07 0aacf7c8 32fdb5cd 04d40000 00000000 00730834 ntdll!RtlFreeHeap+0x2c
WARNING: Stack unwind information not available. Following frames may be wrong.
08 0aacf7dc 324eb580 00730834 ffffffff 300a07d3 mso!Ordinal1743+0x2e79
09 0aacfbc4 2f4f743b 0a91c958 301508d0 0a91c978 mso!MsoFreePv+0x3a
0a 0aacfbf0 2f4f73ae 2f4f73a2 0aacfc10 76cb3744 Excel!Ordinal40+0x23743b
0b 0aacfbfc 76cb3744 0a91c958 76cb3720 e0cb65b6 Excel!Ordinal40+0x2373ae
0c 0aacfc10 772ba064 0a91c958 8a481c0a 00000000 KERNEL32!BaseThreadInitThunk+0x24
0d 0aacfc58 772ba02f ffffffff 772dd7da 00000000 ntdll!__RtlUserThreadStart+0x2f
0e 0aacfc68 00000000 2f4f73a2 0a91c958 00000000 ntdll!_RtlUserThreadStart+0x1b
From the above analysis, the value 0x00730834 read from the PoC file is used directly as a heap block address, and it points to memory that is not mapped, so the crash occurs when Excel attempts to free it. Because the address passed to the free routine is controlled by the file, an attacker can free memory at any address and read data at any memory address, potentially leading to arbitrary code execution. The second trace below shows the same crash with the controlled dword set to 0x41414141, confirming that the freed address is taken directly from the file.
(1c34.54b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414121 ebx=00000000 ecx=41414000 edx=41414121 esi=58dd9c10 edi=00000000
eip=58dd7818 esp=0b2cf78c ebp=0b2cf7d8 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8:
58dd7818 813abbbbcdab cmp dword ptr [edx],0ABCDBBBBh ds:002b:41414121=????????
0:004> dd edx
41414121 ???????? ???????? ???????? ????????
41414131 ???????? ???????? ???????? ????????
41414141 ???????? ???????? ???????? ????????
41414151 ???????? ???????? ???????? ????????
41414161 ???????? ???????? ???????? ????????
41414171 ???????? ???????? ???????? ????????
41414181 ???????? ???????? ???????? ????????
41414191 ???????? ???????? ???????? ????????
0:004> kb
# ChildEBP RetAddr Args to Child
00 0b2cf7d8 58dd7935 046d1000 41414141 00000000 verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8
01 0b2cf7fc 58dd7bc0 046d1000 41414141 0b2cf884 verifier!AVrfpDphFindBusyMemory+0x15
02 0b2cf818 58dd9ca0 046d1000 41414141 70832348 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
03 0b2cf834 773382c0 046d0000 01000002 41414141 verifier!AVrfDebugPageHeapFree+0x90
04 0b2cf894 772eaa8f 41414141 4f2f0240 046d0000 ntdll!RtlDebugFreeHeap+0x3c
05 0b2cf9a0 772dc650 00000000 41414141 0b0fe978 ntdll!RtlpFreeHeap+0x4de9f
06 0b2cf9d4 7729c72c 00000000 0b2cf9f8 0b2cf9f8 ntdll!RtlpFreeHeapInternal+0x27e
07 0b2cf9e4 32fdb5cd 046d0000 00000000 41414141 ntdll!RtlFreeHeap+0x2c
WARNING: Stack unwind information not available. Following frames may be wrong.
08 0b2cf9f8 324eb580 41414141 ffffffff 300a07d3 mso!Ordinal1743+0x2e79
09 0b2cfde0 2f4f743b 0b0fe958 301508d0 0b0fe978 mso!MsoFreePv+0x3a
0a 0b2cfe0c 2f4f73ae 2f4f73a2 0b2cfe2c 76cb3744 Excel!Ordinal40+0x23743b
0b 0b2cfe18 76cb3744 0b0fe958 76cb3720 391815db Excel!Ordinal40+0x2373ae
0c 0b2cfe2c 772ba064 0b0fe958 4f2f0594 00000000 KERNEL32!BaseThreadInitThunk+0x24
0d 0b2cfe74 772ba02f ffffffff 772dd7ec 00000000 ntdll!__RtlUserThreadStart+0x2f
0e 0b2cfe84 00000000 2f4f73a2 0b0fe958 00000000 ntdll!_RtlUserThreadStart+0x1b
Because the address handed to the free routine is controlled by the file, an attacker can free memory at any address and read data at any memory address. Attackers can leverage this behavior to control the flow of execution.
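To show why the crash lands inside the verifier rather than in Excel's own code, here is an added example (not code from this advisory or from Microsoft) that models the busy-block checks visible in the AVrfpDphFindBusyMemoryNoCheck disassembly above, run over a constructed, simulated 32-bit address space. The magic values and offsets come from the disassembly; the simulated page base 0x0A000000, the memory layout and the helper names are assumptions made for the demo.

```c
/* Added example, not from the advisory: a model of the page-heap busy-block
 * lookup shown in the disassembly above. Magic values and offsets are taken
 * from that disassembly; the simulated page (base 0x0A000000) is constructed. */
#include <stdint.h>
#include <string.h>

#define PAGE_MAGIC   0xEEEEEEEEu  /* cmp dword ptr [ecx],0EEEEEEEEh  (page start) */
#define BLOCK_MAGIC0 0xABCDBBBBu  /* cmp dword ptr [edx],0ABCDBBBBh  (ptr - 0x20) */
#define BLOCK_MAGIC1 0xDCBABBBBu  /* cmp dword ptr [eax+1Ch],0DCBABBBBh          */

enum verdict { VALID_BLOCK, NOT_A_BLOCK, ACCESS_VIOLATION };

/* One mapped region of a simulated process; every other address is unmapped. */
struct sim_mem { uint32_t base; uint8_t *bytes; uint32_t size; };

static int read32(const struct sim_mem *m, uint32_t addr, uint32_t *out) {
    if (addr < m->base || addr - m->base > m->size - 4) return 0; /* page fault */
    memcpy(out, m->bytes + (addr - m->base), 4);
    return 1;
}

/* The checks applied to a user pointer on the page-heap free path. */
enum verdict check_busy_block(const struct sim_mem *m, uint32_t user_ptr) {
    uint32_t hdr = user_ptr - 0x20, page = (user_ptr - 0x28) & 0xFFFFF000u, v;
    if (!read32(m, hdr, &v)) return ACCESS_VIOLATION;   /* the crash site above */
    if (v != BLOCK_MAGIC0) return NOT_A_BLOCK;
    if (!read32(m, hdr + 0x1C, &v)) return ACCESS_VIOLATION;
    if (v != BLOCK_MAGIC1) return NOT_A_BLOCK;
    if (!read32(m, page, &v)) return ACCESS_VIOLATION;
    return v == PAGE_MAGIC ? VALID_BLOCK : NOT_A_BLOCK;
}

/* Builds one simulated page holding a properly laid-out busy block whose
 * user pointer is base + 0x40, and returns that pointer. */
static uint8_t page_buf[0x1000];
uint32_t make_sim_page(struct sim_mem *m) {
    uint32_t v, user;
    m->base = 0x0A000000u; m->bytes = page_buf; m->size = sizeof page_buf;
    memset(page_buf, 0, sizeof page_buf);
    user = m->base + 0x40;
    v = PAGE_MAGIC;   memcpy(page_buf + 0x00, &v, 4);
    v = BLOCK_MAGIC0; memcpy(page_buf + 0x20, &v, 4);   /* user - 0x20        */
    v = BLOCK_MAGIC1; memcpy(page_buf + 0x3C, &v, 4);   /* user - 0x20 + 0x1C */
    return user;
}

/* Convenience wrapper: validate any pointer against the constructed page. */
enum verdict demo_verdict(uint32_t user_ptr) {
    struct sim_mem m; make_sim_page(&m);
    return check_busy_block(&m, user_ptr);
}
```

Feeding the dword taken from the PoC file (0x00730834) to demo_verdict() yields ACCESS_VIOLATION at the first header read, which is exactly where the traces above stop; only a pointer to a block with the expected header and page markers is accepted.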
Mitigation
All users of Microsoft Office 2007 are encouraged to upgrade to the latest version of this software. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature MS.Excel.Execution.Path.Parsing.Code.Execution. Additional information can be found at http://technet.microsoft.com/security/bulletin/MS15-131 and https://www.mitre.org/.