CVE-2019-5032
An exploitable out-of-bounds read vulnerability exists in the LabelSst record parser of Aspose Aspose.Cells for C++ 19.1.0. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Aspose Aspose.Cells for C++ 19.1.0
https://products.aspose.com/cells
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-125: Out-of-bounds Read
This vulnerability is present in the Aspose.Cells for C++ which is used for all kinds of operations related with XLS(X) files.
Aspose.Cells library is used by many companies, banks, government organizations as a part of different software products responsible for data processing/conversion.
There is a vulnerability in the function responsible for handling the LabelSst record. A specially crafted XLS file can lead to an out-of-bounds read and remote code execution.
Letís investigate this vulnerability. After we attempt to e.g convert the malicious XLS using the Aspose.Cells library to PDF we see the following state:
0fb34c50 55 push ebp
0fb34c51 8bec mov ebp,esp
0fb34c53 51 push ecx
0fb34c54 8b4920 mov ecx,dword ptr [ecx+20h]
0fb34c57 8b450c mov eax,dword ptr [ebp+0Ch]
0fb34c5a 56 push esi
0fb34c5b 8b7508 mov esi,dword ptr [ebp+8]
0fb34c5e c745fc00000000 mov dword ptr [ebp-4],0
0fb34c65 8b0c81 mov ecx,dword ptr [ecx+eax*4]
0fb34c68 890e mov dword ptr [esi],ecx
0fb34c6a 85c9 test ecx,ecx
0fb34c6c 7405 je Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+0x9303 (0fb34c73)
0fb34c6e 8b11 mov edx,dword ptr [ecx] ds:002b:8d1075ff=????????
0fb34c70 ff5204 call dword ptr [edx+4]
0fb34c73 8bc6 mov eax,esi
0fb34c75 5e pop esi
0fb34c76 8be5 mov esp,ebp
0fb34c78 5d pop ebp
0fb34c79 c20800 ret 8
0:000> r
eax=c0febabe ebx=0a6f3810 ecx=8d1075ff edx=11334598 esi=00aff808 edi=0a6f3810
eip=0fb34c6e esp=00aff7c8 ebp=00aff7d0 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+0x92fe:
0fb34c6e 8b11 mov edx,dword ptr [ecx] ds:002b:8d1075ff=????????
As we can see at the address 0fb34c6e, there is an attempt to obtain a vftable pointer but the ecx register points to an unallocated memory region.
Tracking where the value of the ecx is coming from we can notice that its value is coming from an array 0fb34c65. Index for this array is based on
the eax register and its value is equal c0febabe. It’s clear that this value has been corrupted and element coming from an array is read outside of the bounds of this array.
Further investigation proved that the c0febabe value comes directly from the file and is located at offset : 0x415A.
In the context of the XLS file format, the c0febabe value is a part of the LabelSst record which looks in the following way :
4154h: 03 00 02 00 0F 00 BE BA FE C0 ……æ∫˛¿
According of the MS-XLS documentation the c0febabe value represents
isst field. As we can read :
isst (4 bytes): An unsigned integer that specifies the zero-based index of an element in the array of XLUnicodeRichExtendedString structure in the rgb field of the SST record
in this Workbook Stream ABNF that specifies the string contained in the cell.
MUST be greater than or equal to zero and less than the number of elements in the rgb field of the SST record.
Which in our case is not respected at all which causes an out-of-bounds read and can lead to remote code execution.
0:000> lmv m Aspose*
Browse full module list
start end module name
0f960000 119b3000 Aspose_Cells C (export symbols) d:\projects\apose\cells\bin\Aspose.Cells.dll
Loaded symbol image file: d:\projects\apose\cells\bin\Aspose.Cells.dll
Image path: d:\projects\apose\cells\bin\Aspose.Cells.dll
Image name: Aspose.Cells.dll
Browse all global symbols functions data
Timestamp: Wed Jan 23 06:30:58 2019 (5C47FC12)
CheckSum: 00000000
ImageSize: 02053000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+92fe
0fb34c6e 8b11 mov edx,dword ptr [ecx]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 0fb34c6e (Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+0x000092fe)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 8d1075ff
Attempt to read from address 8d1075ff
FAULTING_THREAD: 00005aec
PROCESS_NAME: Demo.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 8d1075ff
FOLLOWUP_IP:
Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+92fe
0fb34c6e 8b11 mov edx,dword ptr [ecx]
READ_ADDRESS: 8d1075ff
WATSON_BKT_PROCSTAMP: 5c927c6d
WATSON_BKT_MODULE: Aspose.Cells.dll
WATSON_BKT_MODSTAMP: 5c47fc12
WATSON_BKT_MODOFFSET: 1d4c6e
BUILD_VERSION_STRING: 10.0.17763.292 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: 341d6c640f2e2e64408b322307909e8c31a617ca
MODLIST_SHA1_HASH: 625cbb62edbdcfcc13b6376946fce104490067cd
NTGLOBALFLAG: 2100000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
APPLICATION_VERIFIER_LOADED: 1
ANALYSIS_SESSION_HOST: DESKTOP-E4N8506
ANALYSIS_SESSION_TIME: 03-21-2019 19:01:21.0596
ANALYSIS_VERSION: 10.0.15063.468 x86fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PROBLEM_CLASSES:
ID: [0n292]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0x5aec]
Frame: [0] : Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency
ID: [0n264]
Type: [INVALID_POINTER_READ]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0x5aec]
Frame: [0] : Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency
ID: [0n92]
Type: [AVRF]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x40c8]
TID: [0x5aec]
Frame: [0] : Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_AVRF
DEFAULT_BUCKET_ID: INVALID_POINTER_READ_AVRF
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
LAST_CONTROL_TRANSFER: from 10213949 to 0fb34c6e
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00aff7d0 10213949 00aff808 c0febabe 00000000 Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+0x92fe
00aff7e4 10dea1af 00aff808 c0febabe 74cd04d0 Aspose_Cells!Aspose::Cells::Top10Filter::IsVisibleRow+0x2af9
00aff818 10dda501 0d4d64c0 74cd0590 0d39ac30 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0x2038f
00aff958 10ddbc73 0d4d64c0 74cd0500 0d4d64c0 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0x106e1
00aff9c8 10de9d61 0d4d64c0 74cd06dc 0a6f3810 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0x11e53
00affa14 10df829c 0d784570 74cd063c 0a6f3810 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0x1ff41
00affaf4 10dd6448 0d7843f0 74cd07f0 0d7843f0 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0x2e47c
00affb38 10c2b886 0d7843f0 74cd0008 0ab10700 Aspose_Cells!Aspose::Cells::Charts::Chart::GetCustomTable+0xc628
00affcc0 10c0f4e4 0ab106a0 0aa51720 74cd0034 Aspose_Cells!Aspose::Cells::Rendering::WorkbookRender::operator=+0xa3b6
00affcfc 101690a8 0ab106a0 74cd01f0 0c7eaf30 Aspose_Cells!Aspose::Cells::Workbook::Workbook+0x144
00affd38 001713ac 00affdd8 0ab106a0 00000000 Aspose_Cells!Aspose::Cells::Factory::CreateIWorkbook+0xe8
00affdf0 00171e7d 00000003 0c7eaf30 05ecbf30 Demo!main+0x25c
00affe38 77130179 00851000 77130160 00affea4 Demo!__scrt_common_main_seh+0xfa
00affe48 7749662d 00851000 698c56b5 00000000 KERNEL32!BaseThreadInitThunk+0x19
00affea4 774965fd ffffffff 774b51bd 00000000 ntdll!__RtlUserThreadStart+0x2f
00affeb4 00000000 00171f05 00851000 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD_SHA1_HASH_MOD_FUNC: 47330429cc406a298ba1a1f05c059a281789dba6
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: a4ebf591730dc4f6a4dcf80522e2c2e03b19e250
THREAD_SHA1_HASH_MOD: b6a7bf6a73edd091a5aa51fae2b575e76ce18e9c
FAULT_INSTR_CODE: 52ff118b
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+92fe
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Aspose_Cells
IMAGE_NAME: Aspose.Cells.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5c47fc12
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_Aspose.Cells.dll!Aspose::Cells::Drawing::Area::SetTransparency
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_AVRF_Aspose_Cells!Aspose::Cells::Drawing::Area::SetTransparency+92fe
FAILURE_EXCEPTION_CODE: c0000005
FAILURE_IMAGE_NAME: Aspose.Cells.dll
BUCKET_ID_IMAGE_STR: Aspose.Cells.dll
FAILURE_MODULE_NAME: Aspose_Cells
BUCKET_ID_MODULE_STR: Aspose_Cells
FAILURE_FUNCTION_NAME: Aspose::Cells::Drawing::Area::SetTransparency
BUCKET_ID_FUNCTION_STR: Aspose::Cells::Drawing::Area::SetTransparency
BUCKET_ID_OFFSET: 92fe
BUCKET_ID_MODTIMEDATESTAMP: 5c47fc12
BUCKET_ID_MODCHECKSUM: 0
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_READ_AVRF_
FAILURE_PROBLEM_CLASS: APPLICATION_FAULT
FAILURE_SYMBOL_NAME: Aspose.Cells.dll!Aspose::Cells::Drawing::Area::SetTransparency
TARGET_TIME: 2019-03-21T18:02:03.000Z
OSBUILD: 17763
OSSERVICEPACK: 292
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: unknown_date
BUILDDATESTAMP_STR: 160101.0800
BUILDLAB_STR: WinBuild
BUILDOSVER_STR: 10.0.17763.292
ANALYSIS_SESSION_ELAPSED_TIME: a358
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_read_avrf_c0000005_aspose.cells.dll!aspose::cells::drawing::area::settransparency
FAILURE_ID_HASH: {e2b90e26-593c-ec08-6baf-cfe3fd28339c}
Followup: MachineOwner
---------
2019-04-17 - Vendor Disclosure
2019-08-20 - Public Disclosure
2019-08-24 - Vendor acknowledged & advised issues under review
2019-08-30 - Vendor patched
Discovered by Marcin Noga of Cisco Talos.