CVE-2017-12109
An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULRK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send malicious XLS file to trigger this vulnerability.
libxls 1.4 readxl package 1.0.0 for R (tested using Microsoft R 4.3.1)
http://libxls.sourceforge.net/
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSSv3 Calculator: https://www.first.org/cvss/calculator/3.0
CWE-680: Integer Overflow to Buffer Overflow
libxls is a C library supported on windows, mac, cygwin which can read Microsoft Excel File Format ( XLS ) files. The library is used by the readxl package that can be installed in the R programming language. The integer overflow appears in the xls_preparseWorkSheet function, so let’s take a look at the vulnerable code:
Line 970 void xls_preparseWorkSheet(xlsWorkSheet* pWS)
Line 971 {
(...)
Line 985 read = ole2_read(buf, 1,tmp.size,pWS->workbook->olestr);
Line 986 assert(read == tmp.size);
Line 987 // xls_showBOF(&tmp);
Line 988 switch (tmp.id)
Line 989 {
(...)
Line 1004 /* If the ROW record is incorrect or missing, infer the information from
Line 1005 * cell data. */
Line 1006 case 0x00BD: //MULRK
Line 1007 if (pWS->rows.lastcol<xlsShortVal(((MULRK*)buf)->col) + (tmp.size - 6)/6 - 1)
Line 1008 pWS->rows.lastcol=xlsShortVal(((MULRK*)buf)->col) + (tmp.size - 6)/6 - 1;
Line 1009 if (pWS->rows.lastrow<xlsShortVal(((MULRK*)buf)->row))
Line 1010 pWS->rows.lastrow=xlsShortVal(((MULRK*)buf)->row);
Line 1011 break;
The general purpose of the `xls_preparseWorkSheet` function is to obtain the maximal size of `col` and `row` value from records present in the worksheet and update the `lastcol` and `lastrow` fields with that value. As we can see in lines `1007-1008` an integer overflow can occur. This can have two potential impacts. In one case, the maximum value stored in `lastcol` will not be updated even if the MULRK `col` field is greater than the value in `lastcol`. The other case will result in the `lastcol` value being updated to the overflowed value.
The malformed MULRK record is located at offset : 0xCB1F and looks as follows:
0xCB1F BD 00 20 00 AA AA FF FF
Setting breakpoint at line 1007 we can obtain the following information:
(gdb) p/x tmp
$1 = {id = 0xbd, size = 0x20}
(gdb) p/x *((MULRK*)buf)
$3 = {row = 0xaaaa, col = 0xffff, rk = 0x60f3e4}
(gdb) p/x pWS->rows.lastcol
$4 = 0x0
stepping further after line 1008:
(gdb) p/x pWS->rows.lastcol
$5 = 0x2
We see that lastcol field has been updated with overflowed value 0x2.
It has further consequences in function xls_makeTable where based on the lastcol field an array for cells is allocated:
Line 409 void xls_makeTable(xlsWorkSheet* pWS)
Line 410 {
Line 412 struct st_row_data* tmp;
Line 418 for (t=0;t<=pWS->rows.lastrow;t++)
{
Line 420 tmp=&pWS->rows.row[t];
(...)
Line 425 tmp->cells.count = pWS->rows.lastcol+1;
Line 426 tmp->cells.cell=(struct st_cell_data *)calloc(tmp->cells.count,sizeof(struct st_cell_data));
Next during the final parsing of the malformed MULRK record in xls_addCell, an out of bound write occurs because the col value being used as index for the cell array is greater than amount of allocated elements for that array.
Line 446 struct st_cell_data *xls_addCell(xlsWorkSheet* pWS,BOF* bof,BYTE* buf)
Line 447 {
Line 448 struct st_cell_data* cell;
(...)
Line 457 cell=&row->cells.cell[xlsShortVal(((COL*)buf)->col)];
Line 458 cell->id=bof->id;
Line 459 cell->xf=xlsShortVal(((COL*)buf)->xf);
At line 457 the cell element points to a value outside of the array range which leads to an out-of-bounds write at lines 458,459...
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bce936 in xls_addCell (pWS=0x60f3a0, bof=0x7fffffffdb80, buf=0x607c50
"\252\252\377\377\273\273\273\273\314\314\314\314\335\335\335\335", <incomplete sequence \345>) at xls.c:458
458 cell->id=bof->id;
gdb-peda$ p cell
$8 = (struct st_cell_data *) 0xdea898
gdb-peda$ vmmap 0xdea898
Warning: not found or cannot access procfs
Microsoft R crash
(94c.c74): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\Icewall\Documents\R\win-
library\3.4\readxl\libs\x64\readxl.dll -
readxl!xls_addCell+0x61:
00000000`6534b191 668903 mov word ptr [rbx],ax ds:00000000`312f5f58=????
0:000> kb 10
# RetAddr : Args to Child : Call Site
00 00000000`6534c8e2 : 00000000`48332fd0 00000000`31135ff0 00000000`00000006 00000000`00000000 :
readxl!xls_addCell+0x61
01 00000000`65382714 : 00000000`044079c0 00000000`00000000 00000000`00000000 00000000`00000000 :
readxl!xls_parseWorkSheet+0x302
02 00000000`6534572b : 00000000`04407750 00000000`044076b0 00000000`00000000 00007ffe`179295c9 : readxl!
ZN12XlsWorkSheetC1E11XlsWorkBookiN4Rcpp6VectorILi13ENS1_15PreserveStorageEEEb+0x2b4
03 00000000`65343ddb : 00000000`044079b0 00007ffe`02922b4f 00000000`00000000 00000000`00000000 : readxl!
Z9read_xls_SsiN4Rcpp6VectorILi13ENS_15PreserveStorageEEEbNS_12RObject_ImplIS1_EES4_St6vectorISsSaISsEEbi+0x31b
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Microsoft\R Open\R-
3.4.1\bin\x64\R.dll -
04 00000000`6c7977cf : 00000000`25cecec8 00000000`10cfdf98 00000000`6cbfdbd0 00000000`04407cd0 :
readxl!readxl_read_xls_+0x1db
05 00000000`6c797f04 : 00000000`00000272 00000000`04407cc8 00000000`00000139 00000000`04407f00 :
R!Rf_NewFrameConfirm+0x7b6f
06 00000000`6c7ee8c8 : 00000000`23747fa0 00000000`2607c7c0 00000000`23747fa0 00000000`6cbfdcb8 :
R!Rf_NewFrameConfirm+0x82a4
07 00000000`6c7f11dd : 00000000`6cbfdc08 00000000`6cbfdd20 00000000`6cbfdc90 00000000`6c7c070c : R!Rf_eval+0x6f8
08 00000000`6c7ee6ba : 00000000`23748010 00000000`14595aa8 00000000`23748010 00000000`25e0b818 :
R!R_execMethod+0x8bd
09 00000000`6c7f0550 : 00000000`31f17618 00000000`145dbd58 00000000`25f56dc0 00000000`264e3c08 : R!Rf_eval+0x4ea
0a 00000000`6c7f08d2 : 00000000`237b8cb8 00000000`261e92b0 00000000`237b8cb8 00000000`264e4270 :
R!R_cmpfun1+0xf50
0b 00000000`6c7e28ba : 00000000`6cbfdbd0 00000000`2607f130 00000000`14590600 00000000`6c7f08d2 :
R!Rf_applyClosure+0x192
0c 00000000`6c7ee341 : 00000000`31efd850 00000000`264e4270 00000000`2607cf08 00000000`6c7eebd5 :
R!R_initAssignSymbols+0xf27a
0d 00000000`6c7eeb9c : 00000000`31dfaad8 0000002e`2375f578 00000000`00000000 00000000`2607c4e8 : R!Rf_eval+0x171
0e 00000000`6c7ee3dc : 00000000`00000000 00000000`14590670 00000000`2607cf08 00000000`324006f8 : R!Rf_eval+0x9cc
0f 00000000`6c82251b : 00000000`2fa88528 00000000`14590788 00000000`23992b28 00000000`6c7f08d2 : R!Rf_eval+0x20c
0:000> lmv m readxl
Browse full module list
start end module name
00000000`65340000 00000000`6543f000 readxl (export symbols) C:\Users\Icewall\Documents\R\win-
library\3.4\readxl\libs\x64\readxl.dll
Loaded symbol image file: C:\Users\Icewall\Documents\R\win-library\3.4\readxl\libs\x64\readxl.dll
Image path: C:\Users\Icewall\Documents\R\win-library\3.4\readxl\libs\x64\readxl.dll
Image name: readxl.dll
Browse all global symbols functions data
Timestamp: Wed Aug 30 18:38:23 2017 (59A6E9FF)
CheckSum: 001018F6
ImageSize: 000FF000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Linux version
[----------------------------------registers-----------------------------------]
RAX: 0xdea898
RBX: 0xb6a8c0 --> 0xaaaa0201
RCX: 0x7fffffffdb80 --> 0x2000bd
RDX: 0xbd
RSI: 0x7fffffffdb80 --> 0x2000bd
RDI: 0xffffffff
RBP: 0x7fffffffdb60 --> 0x7fffffffdc00 --> 0x7fffffffdc70 --> 0x401610 (<__libc_csu_init>: push r15)
RSP: 0x7fffffffdb00 --> 0x60f3a0 --> 0x8000000c90b
RIP: 0x7ffff7bce936 (<xls_addCell+144>: mov WORD PTR [rax],dx)
R8 : 0x60f360 --> 0x0
R9 : 0x800000003000000
R10: 0x6f ('o')
R11: 0x7ffff7bce8a6 (<xls_addCell>: push rbp)
R12: 0x400b60 (<_start>: xor ebp,ebp)
R13: 0x7fffffffdd50 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7bce92b <xls_addCell+133>: mov rax,QWORD PTR [rbp-0x50]
0x7ffff7bce92f <xls_addCell+137>: movzx edx,WORD PTR [rax]
0x7ffff7bce932 <xls_addCell+140>: mov rax,QWORD PTR [rbp-0x28]
=> 0x7ffff7bce936 <xls_addCell+144>: mov WORD PTR [rax],dx
0x7ffff7bce939 <xls_addCell+147>: mov rax,QWORD PTR [rbp-0x58]
0x7ffff7bce93d <xls_addCell+151>: movzx eax,WORD PTR [rax+0x4]
0x7ffff7bce941 <xls_addCell+155>: cwde
0x7ffff7bce942 <xls_addCell+156>: mov edi,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdb00 --> 0x60f3a0 --> 0x8000000c90b
0008| 0x7fffffffdb08 --> 0x607c50 --> 0xbbbbbbbbffffaaaa
0016| 0x7fffffffdb10 --> 0x7fffffffdb80 --> 0x2000bd
0024| 0x7fffffffdb18 --> 0x60f3a0 --> 0x8000000c90b
0032| 0x7fffffffdb20 --> 0x60f3a0 --> 0x8000000c90b
0040| 0x7fffffffdb28 --> 0x60f360 --> 0x0
0048| 0x7fffffffdb30 --> 0x800000003000000
0056| 0x7fffffffdb38 --> 0xdea898
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7bce936 in xls_addCell (pWS=0x60f3a0, bof=0x7fffffffdb80, buf=0x607c50
"\252\252\377\377\273\273\273\273\314\314\314\314\335\335\335\335", <incomplete sequence \345>) at xls.c:458
458 cell->id=bof->id;
gdb-peda$ bt
#0 0x00007ffff7bce936 in xls_addCell (pWS=0x60f3a0, bof=0x7fffffffdb80, buf=0x607c50
"\252\252\377\377\273\273\273\273\314\314\314\314\335\335\335\335", <incomplete sequence \345>) at xls.c:458
#1 0x00007ffff7bd0b1a in xls_parseWorkSheet (pWS=0x60f3a0) at xls.c:1150
#2 0x0000000000400ff8 in main (argc=0x2, argv=0x7fffffffdd58) at xls2csv.c:149
#3 0x00007ffff781c830 in __libc_start_main (main=0x400d78 <main>, argc=0x2, argv=0x7fffffffdd58, init=<optimized out>,
fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdd48) at ../csu/libc-start.c:291
#4 0x0000000000400b89 in _start ()
gdb-peda$ exploitable -m
__main__:102: UserWarning: GDB v7.11 may not support required Python API
Warning: machine string printing is deprecated and may be removed in a future release.
EXCEPTION_FAULTING_ADDRESS:0x00000000dea898
EXCEPTION_CODE:0xb
FAULTING_INSTRUCTION:mov WORD PTR [rax],dx
MAJOR_HASH:34754c1fb7e7f36e18e374f783e4c876
MINOR_HASH:34754c1fb7e7f36e18e374f783e4c876
STACK_DEPTH:3
STACK_FRAME:/home/icewall/bugs/libxls-1.4.0/build/lib/libxlsreader.so.1.2.1!xls_addCell+0x0
STACK_FRAME:/home/icewall/bugs/libxls-1.4.0/build/lib/libxlsreader.so.1.2.1!xls_parseWorkSheet+0x0
STACK_FRAME:/home/icewall/bugs/libxls-1.4.0/build/bin/xls2csv!main+0x0
INSTRUCTION_ADDRESS:0x007ffff7bce936
INVOKING_STACK_FRAME:0
DESCRIPTION:Access violation on destination operand
SHORT_DESCRIPTION:DestAv (9/29)
OTHER_RULES:AccessViolation (28/29)
CLASSIFICATION:EXPLOITABLE
EXPLANATION:The target crashed on an access violation at an address matching the destination operand of the instruction. This
likely indicates a write access violation, which means the attacker may control the write address and/or value.
Description: Access violation on destination operand
Short description: DestAv (9/29)
Hash: 34754c1fb7e7f36e18e374f783e4c876.34754c1fb7e7f36e18e374f783e4c876
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This
likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: AccessViolation (28/29)
2017-10-25 - Vendor Disclosure
2017-11-15 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.