Talos Vulnerability Report

TALOS-2020-1015

Microsoft Office Excel s_Schema Code Execution Vulnerability

May 12, 2020
CVE Number

CVE-2020-0901

Summary

An exploitable code execution vulnerability exists in the Excel s_Schema functionality of Microsoft Corporation Microsoft Office 2001 build 12430.20264 and Microsoft Office 365 ProPlus x86 - version 1908 build 11929.20606. A specially crafted malformed file can cause a use-after-free resulting in remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

Tested Versions

Microsoft Corporation Microsoft Office 2001 build 12430.20264
Microsoft Corporation Microsoft Office Microsoft Office 365 ProPlus x86 - version 1908 build 11929.20606

Product URLs

https://products.office.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Details

This vulnerability is present in Microsoft Office Excel, part of the Microsoft Office collection of software applications used in an office environment. More precisely, the vulnerability lies in the component responsible for handling the Microsoft® Office HTML and XML format introduced in Microsoft Office 2000. A specially crafted XLS file written as a well-formed arrangement of HTML/XML tags can lead to a use-after-free vulnerability and remote code execution.

Tracking the object's life cycle, we can notice that an allocation is made:

0045389e 6a00         push    0
004538a0 51           push    ecx
004538a1 ff1564566b02 call    dword ptr [Excel!DllGetLCID+0x1b500 (026b5664)]

0:000> !heap -p -a 5fb26fe0
	address 5fb26fe0 found in
	_DPH_HEAP_ROOT @ 4171000
	in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
								5d6d3034:         5fb26fe0               1c -         5fb26000             2000
	601fab70 verifier!AVrfDebugPageHeapAllocate+0x00000240
	779e918b ntdll!RtlDebugAllocateHeap+0x00000039
	779333cd ntdll!RtlpAllocateHeap+0x000000ed
	7793207b ntdll!RtlpAllocateHeapInternal+0x000006db
	77931976 ntdll!RtlAllocateHeap+0x00000036
	7aedc78d mso20win32client!Ordinal951+0x00000034
	004538a7 Excel!Ordinal43+0x000138a7
	00a16155 Excel!Ordinal43+0x005d6155
	01964a2d Excel!MdCallBack+0x00825d55
	00a1600e Excel!Ordinal43+0x005d600e
	794713d5 mso!Ordinal920+0x00000acf
	79471e16 mso!Ordinal4563+0x000005ba
	79421518 mso!Ordinal8579+0x00000e2f

Later, because of the malformed HTML/XML in the XLS file content, the object is deallocated:

01207a7a ff7614       push    dword ptr [esi+14h]
01207a7d ffd3         call    ebx

0:000> !heap -p -a 5fb26fe0
	address 5fb26fe0 found in
	_DPH_HEAP_ROOT @ 4171000
	in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
								   5d6d3034:         5fb26000             2000
	601fadc2 verifier!AVrfDebugPageHeapFree+0x000000c2
	779e99e3 ntdll!RtlDebugFreeHeap+0x0000003e
	7792fabe ntdll!RtlpFreeHeap+0x000000ce
	7792f986 ntdll!RtlpFreeHeapInternal+0x00000146
	7792f3de ntdll!RtlFreeHeap+0x0000003e
	7aeec26a mso20win32client!Ordinal456+0x00000050
	01207a7f Excel!MdCallBack+0x000c8da7
	01201f58 Excel!MdCallBack+0x000c3280
	00a05279 Excel!Ordinal43+0x005c5279
	01960be4 Excel!MdCallBack+0x00821f0c
	006188cf Excel!Ordinal43+0x001d88cf
	005fe21d Excel!Ordinal43+0x001be21d
	013abffa Excel!MdCallBack+0x0026d322
	00ff668a Excel!MdCallBack12+0x00564cc5
	00ff68ce Excel!MdCallBack12+0x00564f09
	00478905 Excel!Ordinal43+0x00038905
	0047769d Excel!Ordinal43+0x0003769d
	01b9aa00 Excel!LinkASPPModelTable+0x001b963d
	004c0e63 Excel!Ordinal43+0x00080e63
	004b3343 Excel!Ordinal43+0x00073343
	004b1863 Excel!Ordinal43+0x00071863
	004acbe1 Excel!Ordinal43+0x0006cbe1
	00452b39 Excel!Ordinal43+0x00012b39
	004411fd Excel!Ordinal43+0x000011fd
	77652369 KERNEL32!BaseThreadInitThunk+0x00000019
	7794e5bb ntdll!__RtlUserThreadStart+0x0000002b
	7794e58f ntdll!_RtlUserThreadStart+0x0000001b	

Unfortunately, the pointer referring to this object is not set to null after deallocation. Because of that, further checks protecting against re-use of this object are bypassed, and the object is re-used inside the following function:

(1dd0.180): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5fb26fe0 ebx=7aeec21a ecx=00000000 edx=04170000 esi=5fb16fc8 edi=00000001
eip=01207b25 esp=03120290 ebp=031202b4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
Excel!MdCallBack+0xc8e4d:
01207b25 83780800        cmp     dword ptr [eax+8],0  ds:0023:5fb26fe8=????????
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 031202b4 01201f58 5fb16fc8 00000001 041a5fe8 Excel!MdCallBack+0xc8e4d
01 031203d8 00a05279 00000100 51284de8 00000003 Excel!MdCallBack+0xc3280
02 0312aef0 01960be4 00000000 00000000 00000000 Excel!Ordinal43+0x5c5279
03 0312af38 006188cf 0313aa58 00000000 00000002 Excel!MdCallBack+0x821f0c
04 0313ae98 005fe21d 00000000 00000000 00000002 Excel!Ordinal43+0x1d88cf
05 0313af1c 013abffa 00000000 00000000 00000002 Excel!Ordinal43+0x1be21d
06 0313af68 00ff668a 00000000 00000000 4945aed4 Excel!MdCallBack+0x26d322
07 0313b040 00ff68ce 00000001 00001008 03170001 Excel!MdCallBack12+0x564cc5
08 0313b0d0 00478905 00000001 00001008 03170001 Excel!MdCallBack12+0x564f09
09 0313f2a0 0047769d 0000000f 49a4adf0 00000105 Excel!Ordinal43+0x38905
0a 0313f340 01b9aa00 0000000f 49a4adf0 00000105 Excel!Ordinal43+0x3769d
0b 0313f3f4 004c0e63 00000105 00000000 00000001 Excel!LinkASPPModelTable+0x1b963d
0c 0313f4a0 004b3343 041a5fe8 041a5fe8 00000000 Excel!Ordinal43+0x80e63
0d 0313f980 004b1863 00000001 041a5fe8 0313fb68 Excel!Ordinal43+0x73343
0e 0313f9f8 004acbe1 041c7fda 0000008d 7af230e4 Excel!Ordinal43+0x71863
0f 0313fb60 00452b39 00000000 00452b39 00000000 Excel!Ordinal43+0x6cbe1
10 0313fd80 004411fd 00440000 00000000 041c7fda Excel!Ordinal43+0x12b39
11 0313fdcc 77652369 02fd2000 77652350 0313fe38 Excel!Ordinal43+0x11fd
12 0313fddc 7794e5bb 02fd2000 62e621a8 00000000 KERNEL32!BaseThreadInitThunk+0x19
13 0313fe38 7794e58f ffffffff 77993e71 00000000 ntdll!__RtlUserThreadStart+0x2b
14 0313fe48 00000000 004410b3 02fd2000 00000000 ntdll!_RtlUserThreadStart+0x1b

Proper heap grooming can give an attacker full control of this use-after-free vulnerability and, as a result, could allow it to be turned into arbitrary code execution.
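To make the defect pattern concrete, the following is an added example in C; it is not code from the advisory, from Cisco Talos or from Microsoft. It models what the Details section describes: a container keeps a pointer to a child object, a NULL check guards every later use, and the vulnerable release path frees the child without clearing the pointer, so the guard is bypassed. All names (Schema, Workbook, release_schema_vulnerable, release_schema_fixed, use_schema, run_scenario) and the field layout are hypothetical; the small quarantine stands in for the page-heap tracking visible in the verifier frames of the stack traces above, so the stale use is reported instead of dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical child object; `state` plays the role of the field at offset +8
 * that the crashing instruction reads. */
typedef struct {
    int refcount;
    int flags;
    int state;
} Schema;

/* Hypothetical container; `schema` plays the role of the pointer at [esi+14h]
 * that is pushed before the free call. */
typedef struct {
    Schema *schema;
} Workbook;

/* Quarantine: freed blocks are parked here rather than returned to malloc, so
 * their addresses cannot be reused during the scenario and a stale pointer can
 * be recognised by address alone (the pointee is never touched). */
#define QUARANTINE_SLOTS 16
static void *quarantine[QUARANTINE_SLOTS];
static int quarantine_len = 0;

static void quarantine_free(void *p) {
    if (quarantine_len < QUARANTINE_SLOTS) quarantine[quarantine_len++] = p;
    else free(p);
}

static int is_quarantined(const void *p) {
    for (int i = 0; i < quarantine_len; i++)
        if (quarantine[i] == p) return 1;
    return 0;
}

static void drain_quarantine(void) {
    for (int i = 0; i < quarantine_len; i++) free(quarantine[i]);
    quarantine_len = 0;
}

/* Vulnerable release: the child is freed but wb->schema keeps its old value. */
static void release_schema_vulnerable(Workbook *wb) {
    quarantine_free(wb->schema);
    /* missing: wb->schema = NULL; */
}

/* Fixed release: clearing the pointer makes the guard in use_schema effective. */
static void release_schema_fixed(Workbook *wb) {
    quarantine_free(wb->schema);
    wb->schema = NULL;
}

enum { USE_SKIPPED = -1, USE_DANGLING = -2 };

/* Consumer: the NULL check is the "further check" the advisory mentions. It
 * only protects when the releasing code cleared the pointer. */
static int use_schema(Workbook *wb) {
    if (wb->schema == NULL) return USE_SKIPPED;           /* guard held */
    if (is_quarantined(wb->schema)) return USE_DANGLING;  /* guard bypassed: stale pointer reached the use site */
    return wb->schema->state;                             /* live object: ordinary read */
}

/* Allocate -> use -> release -> use. Returns the second use's result:
 * USE_SKIPPED means the guard worked, USE_DANGLING means the use-after-free
 * pattern was reached. */
static int run_scenario(int fixed) {
    Workbook wb;
    wb.schema = calloc(1, sizeof(Schema));
    if (wb.schema == NULL) return -3;
    wb.schema->state = 42;
    if (use_schema(&wb) != 42) return -4;  /* sanity: the live object reads fine */
    if (fixed) release_schema_fixed(&wb);
    else release_schema_vulnerable(&wb);
    int after = use_schema(&wb);
    drain_quarantine();
    return after;
}

int main(void) {
    printf("vulnerable release: %d (stale pointer reached the use site)\n", run_scenario(0));
    printf("fixed release:      %d (guard held)\n", run_scenario(1));
    return 0;
}
```

Build with any C compiler (for example `cc example.c -o example`) and run it: the vulnerable variant returns -2 because the stale pointer passes the NULL check and reaches the use site, the fixed variant returns -1 because the guard now fires. In the real binary the same bypassed check ends in the read of `[eax+8]` at the freed address, which page heap turns into the access violation shown above; without page heap the read would silently hit whatever the allocator placed there next, which is what makes the heap grooming mentioned above relevant.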

Timeline

2020-02-19 - Vendor Disclosure

2020-05-12 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.