CVE-2022-41106
A double-free vulnerability exists in the class attribute functionality of Microsoft Office Excel 2019 x86 - version 2207 build 15427.20210 and version 2202 build 14931.20660. A specially-crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Microsoft Office Microsoft Office Excel 2019 x86 - version 2207 build 15427.20210
Microsoft Office Microsoft Office Excel 365 x86 - version 2202 build 14931.20660
Office - https://products.office.com
7.8 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-415 - Double Free
Microsoft Office is a suite of productivity tools used both in corporate environments and by end-users. It offers a range of tools for various purposes, such as Excel for spreadsheets, Word for document editing, Outlook for email, PowerPoint for presentations, etc.
Tracking the life cycle of a class attribute object, we can notice that an allocation is made:
Excel!Ordinal43+0x000151f5:
002e51f0 call dword ptr [mso20win32client!Ordinal1193+0x00000025]
eax=00000001 ebx=034deda4 ecx=0d580000 edx=0d580000 esi=6a504fe8 edi=00000000
eip=0060a993 esp=034dea30 ebp=034dea50 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
Excel!Ordinal43+0x33a993:
0060a993 56 push esi
0:000> !heap -p -a 6a504fe8
address 6a504fe8 found in
_DPH_HEAP_ROOT @ d581000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
6c041410: 6a504fe8 18 - 6a504000 2000
715ba8b0 verifier!AVrfDebugPageHeapAllocate+0x00000240
776af4ae ntdll!RtlDebugAllocateHeap+0x00000039
776170f0 ntdll!RtlpAllocateHeap+0x000000f0
77616e4c ntdll!RtlpAllocateHeapInternal+0x0000104c
77615dee ntdll!RtlAllocateHeap+0x0000003e
7090b88c mso20win32client!Ordinal1193+0x00000025
002e51f5 Excel!Ordinal43+0x000151f5
005e6e8b Excel!Ordinal43+0x00316e8b
005f9e72 Excel!Ordinal43+0x00329e72
00922bf0 Excel!Ordinal43+0x00652bf0
0158ac4d Excel!MdCallBack+0x000a100f
01d05c50 Excel!MdCallBack+0x0081c012
004ed954 Excel!Ordinal43+0x0021d954
004e3e8f Excel!Ordinal43+0x00213e8f
017963b5 Excel!MdCallBack+0x002ac777
0138b10d Excel!MdCallBack12+0x009ff0c0
0138af02 Excel!MdCallBack12+0x009feeb5
0030d924 Excel!Ordinal43+0x0003d924
0030c2e2 Excel!Ordinal43+0x0003c2e2
020324d6 Excel!UpgradeASPPModel+0x002a5373
0035b3a5 Excel!Ordinal43+0x0008b3a5
0035054b Excel!Ordinal43+0x0008054b
0034e922 Excel!Ordinal43+0x0007e922
00347594 Excel!Ordinal43+0x00077594
002e418d Excel!Ordinal43+0x0001418d
002d11c3 Excel!Ordinal43+0x000011c3
764efa29 KERNEL32!BaseThreadInitThunk+0x00000019
77637a9e ntdll!__RtlUserThreadStart+0x0000002f
77637a6e ntdll!_RtlUserThreadStart+0x0000001b
Further, because of the malformed form of the class attribute's name in the XLS file content, the object gets deallocated:
call mso20win32client!Ordinal456+0x00000050
eax=00000001 ebx=034deda4 ecx=0d580000 edx=0d580000 esi=6a504fe8 edi=00000000
eip=0060a99a esp=034dea30 ebp=034dea50 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
Excel!Ordinal43+0x33a99a:
0060a99a 5e pop esi
0:000> !heap -p -a 6a504fe8
address 6a504fe8 found in
_DPH_HEAP_ROOT @ d581000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
6c041410: 6a504000 2000
715bab02 verifier!AVrfDebugPageHeapFree+0x000000c2
776afd06 ntdll!RtlDebugFreeHeap+0x0000003e
77613d56 ntdll!RtlpFreeHeap+0x000000d6
77657a5d ntdll!RtlpFreeHeapInternal+0x00000783
77613c26 ntdll!RtlFreeHeap+0x00000046
70915e7d mso20win32client!Ordinal3788+0x00000043
0060a99a Excel!Ordinal43+0x0033a99a
005fad20 Excel!Ordinal43+0x0032ad20
00922df9 Excel!Ordinal43+0x00652df9
0158ac4d Excel!MdCallBack+0x000a100f
01d05c50 Excel!MdCallBack+0x0081c012
004ed954 Excel!Ordinal43+0x0021d954
004e3e8f Excel!Ordinal43+0x00213e8f
017963b5 Excel!MdCallBack+0x002ac777
0138b10d Excel!MdCallBack12+0x009ff0c0
0138af02 Excel!MdCallBack12+0x009feeb5
0030d924 Excel!Ordinal43+0x0003d924
0030c2e2 Excel!Ordinal43+0x0003c2e2
020324d6 Excel!UpgradeASPPModel+0x002a5373
0035b3a5 Excel!Ordinal43+0x0008b3a5
0035054b Excel!Ordinal43+0x0008054b
0034e922 Excel!Ordinal43+0x0007e922
00347594 Excel!Ordinal43+0x00077594
002e418d Excel!Ordinal43+0x0001418d
002d11c3 Excel!Ordinal43+0x000011c3
764efa29 KERNEL32!BaseThreadInitThunk+0x00000019
77637a9e ntdll!__RtlUserThreadStart+0x0000002f
77637a6e ntdll!_RtlUserThreadStart+0x0000001b
Unfortunately, the pointer that refers to this object is not set to NULL after the deallocation. Because of that, the later checks meant to protect against re-use of this object are bypassed, and the object is re-used (a second free is called) inside the following function:
eax=624c44fc ebx=657628c0 ecx=034deda4 edx=002d6941 esi=651da184 edi=034deda4
eip=0159464e esp=034deab4 ebp=034dead4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246
Excel!MdCallBack+0xaaa10:
0159464e ff15240b9a02 call dword ptr [Excel!DllGetLCID+0x1b800 (029a0b24)] ds:002b:029a0b24={mso20win32client!Ordinal3788 (70915e3a)}
0:000> !heap -p -a 624c44fc
address 624c44fc found in
_DPH_HEAP_ROOT @ d581000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
6c041410: 6a504000 2000
715bab02 verifier!AVrfDebugPageHeapFree+0x000000c2
776afd06 ntdll!RtlDebugFreeHeap+0x0000003e
77613d56 ntdll!RtlpFreeHeap+0x000000d6
77657a5d ntdll!RtlpFreeHeapInternal+0x00000783
77613c26 ntdll!RtlFreeHeap+0x00000046
70915e7d mso20win32client!Ordinal3788+0x00000043
0060a993 Excel!Ordinal43+0x0033a993
005fad20 Excel!Ordinal43+0x0032ad20
00922df9 Excel!Ordinal43+0x00652df9
0158ac4d Excel!MdCallBack+0x000a100f
01d05c50 Excel!MdCallBack+0x0081c012
004ed954 Excel!Ordinal43+0x0021d954
004e3e8f Excel!Ordinal43+0x00213e8f
017963b5 Excel!MdCallBack+0x002ac777
0138b10d Excel!MdCallBack12+0x009ff0c0
0138af02 Excel!MdCallBack12+0x009feeb5
0030d924 Excel!Ordinal43+0x0003d924
0030c2e2 Excel!Ordinal43+0x0003c2e2
020324d6 Excel!UpgradeASPPModel+0x002a5373
0035b3a5 Excel!Ordinal43+0x0008b3a5
0035054b Excel!Ordinal43+0x0008054b
0034e922 Excel!Ordinal43+0x0007e922
00347594 Excel!Ordinal43+0x00077594
002e418d Excel!Ordinal43+0x0001418d
002d11c3 Excel!Ordinal43+0x000011c3
764efa29 KERNEL32!BaseThreadInitThunk+0x00000019
77637a9e ntdll!__RtlUserThreadStart+0x0000002f
77637a6e ntdll!_RtlUserThreadStart+0x0000001b
Proper heap grooming can give an attacker full control of this double-free vulnerability and as a result could allow it to be turned into arbitrary code execution.
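The life-cycle defect described above (an error-path free on a malformed attribute name that leaves the owner's pointer dangling, so a later NULL-checked cleanup frees the object again), modelled in C as an added example. This is not Talos's or Excel's code: the structures, the validity rule and every function name are hypothetical, and the release routine is instrumented to count frees rather than really free twice.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the class-attribute object and its owner; all names are hypothetical. */
typedef struct { char *name; } class_attr;           /* name copied out of the file record */
typedef struct {
    class_attr *attr;   /* the owner's pointer to the object */
    int releases;       /* how many times the object was released: 2 means a double free */
} owner;
/* Instrumented release: counts calls and frees only on the first one, so the model
 * itself never frees twice (a real second free is what the verifier stack above catches). */
static void release(owner *o) {
    if (++o->releases == 1) { free(o->attr->name); free(o->attr); }
}

/* Hypothetical validity rule for the attribute name: non-empty and under 256 bytes. */
static int name_is_valid(size_t len) { return len > 0 && len < 256; }

static int alloc_attr(owner *o, const char *raw, size_t len) {
    o->attr = calloc(1, sizeof *o->attr);
    if (!o->attr || !(o->attr->name = malloc(len + 1))) { free(o->attr); o->attr = NULL; return -1; }
    memcpy(o->attr->name, raw, len);
    o->attr->name[len] = '\0';
    return 0;
}

/* Vulnerable pattern: a malformed name makes the parser release the object, but the
 * owner's pointer is left dangling, so the NULL-checked cleanup below frees it again. */
static int parse_attr_vuln(owner *o, const char *raw, size_t len) {
    if (alloc_attr(o, raw, len) != 0) return -1;
    if (!name_is_valid(len)) { release(o); return -1; }   /* first free; o->attr still set */
    return 0;
}

/* Hardened pattern: same error path, but the owner's pointer is cleared after the free. */
static int parse_attr_fixed(owner *o, const char *raw, size_t len) {
    if (alloc_attr(o, raw, len) != 0) return -1;
    if (!name_is_valid(len)) { release(o); o->attr = NULL; return -1; }
    return 0;
}

/* Owner's cleanup: this NULL check is the protection that the dangling pointer bypasses. */
static void cleanup(owner *o) { if (o->attr) release(o); }

/* Runs one record through a parser and reports how often the object was released. */
static int releases_for(int (*parse)(owner *, const char *, size_t), const char *raw, size_t len) {
    owner o = { NULL, 0 };
    parse(&o, raw, len);
    cleanup(&o);
    return o.releases;
}
```

With an empty (malformed) name the vulnerable parser reports two releases and the hardened one reports one; a well-formed name yields exactly one release in both.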
(f8c.172c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7beac4dc ebx=00000000 ecx=7beac000 edx=7beac4dc esi=715baa40 edi=00000000
eip=715b8758 esp=034de804 ebp=034de850 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8:
715b8758 813abbbbcdab cmp dword ptr [edx],0ABCDBBBBh ds:002b:7beac4dc=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-CML224D
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 14
Key : Analysis.Memory.CommitPeak.Mb
Value: 104
Key : Analysis.System
Value: CreateObject
Key : Timeline.OS.Boot.DeltaSec
Value: 529834
Key : Timeline.Process.Start.DeltaSec
Value: 129
NTGLOBALFLAG: 2000000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
APPLICATION_VERIFIER_LOADED: 1
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 715b8758 (verifier!AVrfpDphFindBusyMemoryNoCheck+0x000000b8)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 7beac4dc
Attempt to read from address 7beac4dc
FAULTING_THREAD: 0000172c
PROCESS_NAME: Excel.exe
READ_ADDRESS: 7beac4dc
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 7beac4dc
STACK_TEXT:
034de850 715b8875 0d651000 7beac4fc 00000000 verifier!AVrfpDphFindBusyMemoryNoCheck+0xb8
034de874 715b8ae0 0d651000 7beac4fc 034de904 verifier!AVrfpDphFindBusyMemory+0x15
034de890 715baad0 0d651000 7beac4fc d0786b80 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
034de8ac 776afd06 0d650000 01000002 7beac4fc verifier!AVrfDebugPageHeapFree+0x90
034de914 77613d56 7beac4fc d0786800 00000000 ntdll!RtlDebugFreeHeap+0x3e
034dea70 77657a5d 00000000 7beac4fc 7beac4fc ntdll!RtlpFreeHeap+0xd6
034deacc 77613c26 00000000 00000000 00000000 ntdll!RtlpFreeHeapInternal+0x783
034deaec 70915e7d 0d650000 00000000 7beac4fc ntdll!RtlFreeHeap+0x46
WARNING: Stack unwind information not available. Following frames may be wrong.
034deb04 01594654 7beac4fc 7b23a184 00000000 mso20win32client!Ordinal3788+0x43
034deb2c 018e2728 034dedfc 3a392778 7b238fe8 Excel!MdCallBack+0xaaa16
034deb58 005e72c0 015945b5 7b238fe8 034deda8 Excel!MdCallBack+0x3f8aea
034deb8c 0092352b 00000000 0d687fd8 00000000 Excel!Ordinal43+0x3172c0
034decb8 0158ac4d 00000100 5d1acfa8 00000003 Excel!Ordinal43+0x65352b
034e95e8 01d05c50 00000000 00000000 00000000 Excel!MdCallBack+0xa100f
034e962c 004ed954 034f8c20 5d1acfa8 00000002 Excel!MdCallBack+0x81c012
034f9054 004e3e8f 00000000 00000000 00000002 Excel!Ordinal43+0x21d954
034f90dc 017963b5 00000000 00000000 00000002 Excel!Ordinal43+0x213e8f
034f9130 0138b10d 00000000 02823042 034f9158 Excel!MdCallBack+0x2ac777
034f920c 0138af02 00000001 00001008 00000001 Excel!MdCallBack12+0x9ff0c0
034f92ac 0030d924 00000001 00001008 00000001 Excel!MdCallBack12+0x9feeb5
034fdf98 0030c2e2 0000000f 51eb5fb0 00000825 Excel!Ordinal43+0x3d924
034fe03c 020324d6 0000000f 51eb5fb0 00000825 Excel!Ordinal43+0x3c2e2
034febac 0035b3a5 00000825 00000000 00000001 Excel!UpgradeASPPModel+0x2a5373
034fec58 0035054b 0d687fd8 0d687fd8 00000002 Excel!Ordinal43+0x8b3a5
034ff178 0034e922 00000000 0034e922 0d687fd8 Excel!Ordinal43+0x8054b
034ff200 00347594 70912e2a 02a025f8 0d687fd8 Excel!Ordinal43+0x7e922
034ff5f8 002e418d 00000000 0000000a 032da000 Excel!Ordinal43+0x77594
034ff820 002d11c3 002d0000 00000000 0d6a5ff2 Excel!Ordinal43+0x1418d
034ff86c 764efa29 032da000 764efa10 034ff8d8 Excel!Ordinal43+0x11c3
034ff87c 77637a9e 032da000 d07a7aa8 00000000 KERNEL32!BaseThreadInitThunk+0x19
034ff8d8 77637a6e ffffffff 77658b86 00000000 ntdll!__RtlUserThreadStart+0x2f
034ff8e8 00000000 002d1079 032da000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: mso20win32client!Ordinal3788+43
MODULE_NAME: mso20win32client
IMAGE_NAME: mso20win32client.dll
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_mso20win32client.dll!Ordinal3788
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {9e0de01e-05c0-7738-a011-6d675970da28}
Followup: MachineOwner
---------
0:000> lmv m EXCEL
Browse full module list
start end module name
002d0000 03119000 Excel (export symbols) c:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Loaded symbol image file: c:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Image path: Excel.exe
Image name: Excel.exe
Browse all global symbols functions data
Timestamp: Fri Aug 5 18:42:52 2022 (62ED488C)
CheckSum: 02E43369
ImageSize: 02E49000
File version: 16.0.15427.20210
Product version: 16.0.15427.20210
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: Excel
OriginalFilename: Excel.exe
ProductVersion: 16.0.15427.20210
FileVersion: 16.0.15427.20210
FileDescription: Microsoft Excel
0:000> lmv m mso
Browse full module list
start end module name
67200000 68cbd000 mso (deferred)
Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll
Image name: mso.dll
Browse all global symbols functions data
Timestamp: Tue Aug 2 12:12:51 2022 (62E8F8A3)
CheckSum: 01AADAD7
ImageSize: 01ABD000
File version: 16.0.15427.20188
Product version: 16.0.15427.20188
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: MSO
OriginalFilename: MSO.dll
ProductVersion: 16.0.15427.20188
FileVersion: 16.0.15427.20188
FileDescription: Microsoft Office component
2022-08-24 - Vendor Disclosure
2022-11-08 - Vendor Patch Release
2022-11-15 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.