CVE-2020-0901
An exploitable code execution vulnerability exists in the Excel s_Schema functionality of Microsoft Corporation Microsoft Office 2001 build 12430.20264 and Microsoft Office 365 ProPlus x86 - version 1908 build 11929.20606. A specially crafted malformed file can cause a use-after-free resulting in remote code execution. An attacker can provide a malicious file to trigger this vulnerability.
Microsoft Corporation Microsoft Office 2001 build 12430.20264
Microsoft Corporation Microsoft Office 365 ProPlus x86 - version 1908 build 11929.20606
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
This vulnerability is present in Microsoft Excel, part of the Microsoft Office suite of applications used in office environments.
More precisely, the vulnerability lies in the component responsible for handling the Microsoft® Office HTML and XML format introduced in Microsoft Office 2000.
A specially crafted XLS file whose content is written as well-formed HTML/XML tags can lead to a use-after-free vulnerability and remote code execution.
Tracking the object's life cycle, we can see that it is allocated here:
0045389e 6a00 push 0
004538a0 51 push ecx
004538a1 ff1564566b02 call dword ptr [Excel!DllGetLCID+0x1b500 (026b5664)]
0:000> !heap -p -a 5fb26fe0
address 5fb26fe0 found in
_DPH_HEAP_ROOT @ 4171000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
5d6d3034: 5fb26fe0 1c - 5fb26000 2000
601fab70 verifier!AVrfDebugPageHeapAllocate+0x00000240
779e918b ntdll!RtlDebugAllocateHeap+0x00000039
779333cd ntdll!RtlpAllocateHeap+0x000000ed
7793207b ntdll!RtlpAllocateHeapInternal+0x000006db
77931976 ntdll!RtlAllocateHeap+0x00000036
7aedc78d mso20win32client!Ordinal951+0x00000034
004538a7 Excel!Ordinal43+0x000138a7
00a16155 Excel!Ordinal43+0x005d6155
01964a2d Excel!MdCallBack+0x00825d55
00a1600e Excel!Ordinal43+0x005d600e
794713d5 mso!Ordinal920+0x00000acf
79471e16 mso!Ordinal4563+0x000005ba
79421518 mso!Ordinal8579+0x00000e2f
Later, because of the malformed HTML/XML in the XLS file content, the object gets deallocated:
01207a7a ff7614 push dword ptr [esi+14h]
01207a7d ffd3 call ebx
0:000> !heap -p -a 5fb26fe0
address 5fb26fe0 found in
_DPH_HEAP_ROOT @ 4171000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
5d6d3034: 5fb26000 2000
601fadc2 verifier!AVrfDebugPageHeapFree+0x000000c2
779e99e3 ntdll!RtlDebugFreeHeap+0x0000003e
7792fabe ntdll!RtlpFreeHeap+0x000000ce
7792f986 ntdll!RtlpFreeHeapInternal+0x00000146
7792f3de ntdll!RtlFreeHeap+0x0000003e
7aeec26a mso20win32client!Ordinal456+0x00000050
01207a7f Excel!MdCallBack+0x000c8da7
01201f58 Excel!MdCallBack+0x000c3280
00a05279 Excel!Ordinal43+0x005c5279
01960be4 Excel!MdCallBack+0x00821f0c
006188cf Excel!Ordinal43+0x001d88cf
005fe21d Excel!Ordinal43+0x001be21d
013abffa Excel!MdCallBack+0x0026d322
00ff668a Excel!MdCallBack12+0x00564cc5
00ff68ce Excel!MdCallBack12+0x00564f09
00478905 Excel!Ordinal43+0x00038905
0047769d Excel!Ordinal43+0x0003769d
01b9aa00 Excel!LinkASPPModelTable+0x001b963d
004c0e63 Excel!Ordinal43+0x00080e63
004b3343 Excel!Ordinal43+0x00073343
004b1863 Excel!Ordinal43+0x00071863
004acbe1 Excel!Ordinal43+0x0006cbe1
00452b39 Excel!Ordinal43+0x00012b39
004411fd Excel!Ordinal43+0x000011fd
77652369 KERNEL32!BaseThreadInitThunk+0x00000019
7794e5bb ntdll!__RtlUserThreadStart+0x0000002b
7794e58f ntdll!_RtlUserThreadStart+0x0000001b
Unfortunately, the pointer referring to this object is not set to NULL after deallocation. Because of that, the checks that are meant to protect against re-use of this object are bypassed, and the freed object is used again inside the following function:
(1dd0.180): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5fb26fe0 ebx=7aeec21a ecx=00000000 edx=04170000 esi=5fb16fc8 edi=00000001
eip=01207b25 esp=03120290 ebp=031202b4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
Excel!MdCallBack+0xc8e4d:
01207b25 83780800 cmp dword ptr [eax+8],0 ds:0023:5fb26fe8=????????
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 031202b4 01201f58 5fb16fc8 00000001 041a5fe8 Excel!MdCallBack+0xc8e4d
01 031203d8 00a05279 00000100 51284de8 00000003 Excel!MdCallBack+0xc3280
02 0312aef0 01960be4 00000000 00000000 00000000 Excel!Ordinal43+0x5c5279
03 0312af38 006188cf 0313aa58 00000000 00000002 Excel!MdCallBack+0x821f0c
04 0313ae98 005fe21d 00000000 00000000 00000002 Excel!Ordinal43+0x1d88cf
05 0313af1c 013abffa 00000000 00000000 00000002 Excel!Ordinal43+0x1be21d
06 0313af68 00ff668a 00000000 00000000 4945aed4 Excel!MdCallBack+0x26d322
07 0313b040 00ff68ce 00000001 00001008 03170001 Excel!MdCallBack12+0x564cc5
08 0313b0d0 00478905 00000001 00001008 03170001 Excel!MdCallBack12+0x564f09
09 0313f2a0 0047769d 0000000f 49a4adf0 00000105 Excel!Ordinal43+0x38905
0a 0313f340 01b9aa00 0000000f 49a4adf0 00000105 Excel!Ordinal43+0x3769d
0b 0313f3f4 004c0e63 00000105 00000000 00000001 Excel!LinkASPPModelTable+0x1b963d
0c 0313f4a0 004b3343 041a5fe8 041a5fe8 00000000 Excel!Ordinal43+0x80e63
0d 0313f980 004b1863 00000001 041a5fe8 0313fb68 Excel!Ordinal43+0x73343
0e 0313f9f8 004acbe1 041c7fda 0000008d 7af230e4 Excel!Ordinal43+0x71863
0f 0313fb60 00452b39 00000000 00452b39 00000000 Excel!Ordinal43+0x6cbe1
10 0313fd80 004411fd 00440000 00000000 041c7fda Excel!Ordinal43+0x12b39
11 0313fdcc 77652369 02fd2000 77652350 0313fe38 Excel!Ordinal43+0x11fd
12 0313fddc 7794e5bb 02fd2000 62e621a8 00000000 KERNEL32!BaseThreadInitThunk+0x19
13 0313fe38 7794e58f ffffffff 77993e71 00000000 ntdll!__RtlUserThreadStart+0x2b
14 0313fe48 00000000 004410b3 02fd2000 00000000 ntdll!_RtlUserThreadStart+0x1b
Proper heap grooming can give an attacker full control of this use-after-free vulnerability and, as a result, could allow it to be turned into arbitrary code execution.
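As an added illustration of the defect described above (this is constructed example code, not code from the advisory or from Excel), the following C program contrasts a teardown that releases the schema object but leaves the owning pointer dangling with one that nulls it, and shows how a NULL-only guard lets the freed object through in the first case. The struct, field names, one-slot allocator and `workbook_ctx` are hypothetical stand-ins chosen so the released object can be inspected safely.

```c
#include <stdio.h>

/* Constructed stand-in for the schema object seen in the allocation trace;
 * the layout is hypothetical, not Excel's. */
struct schema { int node_count; int in_use; /* 1 while allocated, 0 once released */ };

/* One-slot allocator: the released object stays inspectable (no undefined
 * behaviour), playing the role page heap plays in the !heap output above. */
static struct schema g_slot;

static struct schema *schema_alloc(int nodes)
{
    g_slot.node_count = nodes;
    g_slot.in_use = 1;
    return &g_slot;
}

static void schema_free(struct schema *s)
{
    s->in_use = 0;
    s->node_count = -1;   /* poison, like a freed page-heap block reading ???????? */
}

struct workbook_ctx { struct schema *schema; /* the pointer the advisory says is never nulled */ };

/* Buggy teardown: releases the object but leaves ctx->schema dangling. */
static void detach_buggy(struct workbook_ctx *ctx) { schema_free(ctx->schema); }

/* Fixed teardown: clearing the pointer makes the NULL guard meaningful again. */
static void detach_fixed(struct workbook_ctx *ctx) { schema_free(ctx->schema); ctx->schema = NULL; }

/* Consumer with the guard the advisory describes: it only tests for NULL.
 * Returns 1 if it reached a released object (use-after-free), 0 otherwise. */
static int consume_schema(const struct workbook_ctx *ctx)
{
    if (ctx->schema == NULL)
        return 0;                        /* guard did its job */
    return ctx->schema->in_use ? 0 : 1;  /* live object is fine; freed one is a UAF */
}

/* Allocate, tear down with the given routine, then run the guarded consumer. */
static int uaf_reachable(void (*detach)(struct workbook_ctx *))
{
    struct workbook_ctx ctx = { 0 };
    ctx.schema = schema_alloc(3);
    detach(&ctx);
    return consume_schema(&ctx);
}
```

Calling uaf_reachable(detach_buggy) returns 1 (the guard passes and the freed object is touched), while uaf_reachable(detach_fixed) returns 0.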
2020-02-19 - Vendor Disclosure
2020-05-12 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.