CVE-2023-36041
A use-after-free vulnerability exists in the ElementType attribute parsing in Microsoft Office Professional Plus 2019 Excel ver 2307 Build 16626.20170. A specially crafted Excel spreadsheet document can exploit this vulnerability to achieve arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Microsoft Office Professional Plus 2019 Excel ver 2307 Build 16626.20170
Office Professional Plus 2019 - https://www.microsoft.com/pl-pl/microsoft-365/
7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
Microsoft Office is a suite of productivity tools used both in corporate environments and by end users. It offers a range of tools for various purposes, such as Excel for spreadsheets, Word for document editing, Outlook for email and PowerPoint for presentations.
The PivotCache element is directly related to the PivotTable cache, because it holds all the information about the table schema and records. For this reason, Excel parses the PivotCache element and adds the appropriate information to an HtmlPivotTableInfo-related structure.
Tracking the life cycle of this object, we can see an allocation made here:
0:000> !heap -p -a 62300f68
address 62300f68 found in
_DPH_HEAP_ROOT @ 6381000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
5b6f2bc8: 62300f68 94 - 62300000 2000
unknown!fillpattern
6f11a8b0 verifier!AVrfDebugPageHeapAllocate+0x00000240
779ef22e ntdll!RtlDebugAllocateHeap+0x00000039
77957100 ntdll!RtlpAllocateHeap+0x000000f0
77956e5c ntdll!RtlpAllocateHeapInternal+0x0000104c
77955dfe ntdll!RtlAllocateHeap+0x0000003e
6e72baa5 mso20win32client!Mso::Memory::AllocateEx+0x00000025
00518459 Excel!FHpAllocCore+0x0000002c
00538648 Excel!PplAllocCore+0x0000003d
00552a62 Excel!HrAllocPl_+0x0000001a
0175ad9d Excel!FCommitHtmlPivotTableInfo+0x0000008f
0175ab18 Excel!FCommitHtmlPivotCacheElement+0x00000038
01f9cb66 Excel!FProcessXmlItem+0x00000a77
00b6431b Excel!OHIU::FProcessXmlItem+0x00000010
69f7f534 mso!FDispatchXmlItem+0x00000191
69f1df25 mso!FProcessCloseXmlTag+0x000001c8
69f193aa mso!TkLexHtml+0x00001081
69f17ffe mso!HI::FDoImportCopyContent+0x000001cf
69f17e1c mso!HI::FDoImport+0x00000019
00b5b68a Excel!HrLoadSheetHtml+0x00000435
01725e74 Excel!HrBookLoadHtmlSinglePly+0x000004c2
01f9e837 Excel!HrLoadBookHtml+0x000000e4
007030a6 Excel!HrFileLoadEx+0x00006b1b
006fc274 Excel!HrFileLoadWithCoauth+0x0000006c
0194963b Excel!HrFileLoadWithCoauth+0x00000047
015179b2 Excel!_HrLoadInternal+0x000001a5
01517705 Excel!_HrLoad+0x000000d1
005420d5 Excel!FStartupFilename+0x00001a07
00540793 Excel!FLoadCmdLine+0x00000099
022d2374 Excel!MergeInstance::ExecuteMergeInstance+0x000000dd
00586acd Excel!DelayedMergeInstance::FProcessRequest+0x0000010a
0057b937 Excel!FDoIdleHardRejectUi+0x00001cc2
00579d19 Excel!FDoIdle+0x0000009d
Next, due to the malformed ElementType element, the structure related to HtmlPivotTableInfo gets deallocated. The ElementType element is malformed because it contains an AttributeType that does not belong to the ElementType sub-elements specified by the file format documentation. We can observe the release of this memory in the debugger:
eax=4f5a4f74 ebx=00000005 ecx=00000000 edx=0000008c esi=62300f68 edi=03ade7a0
eip=0053cb48 esp=03ade768 ebp=03ade790 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216
Excel!FAddPl+0x109:
0053cb48 ff152ceef302 call dword ptr [Excel!_imp_?FreeMemoryMsoYGXPAXZ (02f3ee2c)] ds:002b:02f3ee2c={mso20win32client!Mso::Memory::Free (6e73d8a5)}
Heap state of the same chunk of memory after the above call:
0:000> !heap -p -a 62300f68
address 62300f68 found in
_DPH_HEAP_ROOT @ 6381000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
5b6f2bc8: 62300000 2000
6f11ab02 verifier!AVrfDebugPageHeapFree+0x000000c2
779efa86 ntdll!RtlDebugFreeHeap+0x0000003e
77953d66 ntdll!RtlpFreeHeap+0x000000d6
77997acd ntdll!RtlpFreeHeapInternal+0x00000783
77953c36 ntdll!RtlFreeHeap+0x00000046
6e73d8e8 mso20win32client!Mso::Memory::Free+0x00000043
0053cb4e Excel!FAddPl+0x0000010f
0053ca1a Excel!HrIAddPl_+0x0000001a
0056bb9f Excel!IAddNewPl+0x00000082
0056badf Excel!IAddNewPlPos+0x0000005b
01fbe5cf Excel!IAddPlSort+0x00000034
0175adc2 Excel!FCommitHtmlPivotTableInfo+0x000000b4
0175ab18 Excel!FCommitHtmlPivotCacheElement+0x00000038
01f9cb66 Excel!FProcessXmlItem+0x00000a77
00b6431b Excel!OHIU::FProcessXmlItem+0x00000010
69f7f534 mso!FDispatchXmlItem+0x00000191
6a1f910a mso!FFlushXmlStack+0x000000d7
69f7fa2b mso!FDispatchXmlItem+0x00000688
69f1df25 mso!FProcessCloseXmlTag+0x000001c8
69f193aa mso!TkLexHtml+0x00001081
69f17ffe mso!HI::FDoImportCopyContent+0x000001cf
69f17e1c mso!HI::FDoImport+0x00000019
00b5b68a Excel!HrLoadSheetHtml+0x00000435
01725e74 Excel!HrBookLoadHtmlSinglePly+0x000004c2
01f9e837 Excel!HrLoadBookHtml+0x000000e4
007030a6 Excel!HrFileLoadEx+0x00006b1b
006fc274 Excel!HrFileLoadWithCoauth+0x0000006c
0194963b Excel!HrFileLoadWithCoauth+0x00000047
015179b2 Excel!_HrLoadInternal+0x000001a5
01517705 Excel!_HrLoad+0x000000d1
005420d5 Excel!FStartupFilename+0x00001a07
00540793 Excel!FLoadCmdLine+0x00000099
Even though the memory is freed, the pointer to this object is not reset to NULL. Because of this dangling reference, the checks protecting against re-use of the object pass, and the freed object is used inside the following function:
0:000> g
(1fe0.70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=000000c2 ecx=62300f70 edx=653b4fc8 esi=653b4fdc edi=00000000
eip=0175aaf7 esp=03ade994 ebp=03ade9b0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
Excel!FCommitHtmlPivotCacheElement+0x17:
0175aaf7 39790c cmp dword ptr [ecx+0Ch],edi ds:002b:62300f7c=????????
This constitutes a use-after-free condition. With precise heap grooming, an attacker could control the contents of the freed chunk at the time it is reused, which could result in further memory corruption and ultimately arbitrary code execution.
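The ownership bug described above, modelled in C as an added example (this is not Excel's code and not from the advisory): a commit routine hands an object to a sorted-list insert that frees it on failure but keeps its own copy of the pointer, so the later NULL check in the cache-element commit passes and the freed chunk is read. PivotTableInfo, add_pl_sorted, commit_pivot_table_info_vuln/_fixed and commit_pivot_cache_element are hypothetical stand-ins for the Excel functions in the traces; the struct layout and the element_ok flag standing in for the malformed-ElementType condition are assumptions. The hardened variant next to it clears the shared pointer on the failure path, so the same NULL check actually protects the object.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the HtmlPivotTableInfo-related structure (layout assumed);
 * n_fields plays the role of the dword the faulting `cmp [ecx+0Ch],edi` reads. */
typedef struct { int n_fields; } PivotTableInfo;

/* Stand-in for the sorted pointer list (IAddPlSort/FAddPl in the trace);
 * it is the sole owner of every live PivotTableInfo. */
typedef struct { PivotTableInfo *items[8]; int count; } PivotList;

typedef struct {
    PivotList list;
    PivotTableInfo *current;   /* reference the cache-element commit uses later */
} ParserState;

static void state_init(ParserState *st) { memset(st, 0, sizeof *st); }

static void state_free(ParserState *st)
{ for (int i = 0; i < st->list.count; i++) free(st->list.items[i]); state_init(st); }

/* Insert into the list. On a malformed element (or a full list) the insert
 * fails and, like FAddPl in the trace, frees the object it was handed. */
static int add_pl_sorted(PivotList *pl, PivotTableInfo *info, int element_ok)
{
    if (!element_ok || pl->count >= 8) {
        free(info);                /* ownership consumed; the chunk is gone */
        return 0;
    }
    pl->items[pl->count++] = info;
    return 1;
}

/* Vulnerable commit: the shared pointer is published before the insert and
 * never cleared when the insert frees the object. */
static int commit_pivot_table_info_vuln(ParserState *st, int element_ok)
{
    PivotTableInfo *info = calloc(1, sizeof *info);
    if (!info) return 0;
    info->n_fields = 3;
    st->current = info;
    return add_pl_sorted(&st->list, info, element_ok);
    /* BUG: on failure st->current still points at freed memory. */
}

/* Hardened commit: publish the pointer only once ownership is settled and
 * clear it on the failure path, so the later NULL check actually protects. */
static int commit_pivot_table_info_fixed(ParserState *st, int element_ok)
{
    PivotTableInfo *info = calloc(1, sizeof *info);
    if (!info) return 0;
    info->n_fields = 3;
    if (!add_pl_sorted(&st->list, info, element_ok)) {
        st->current = NULL;        /* the object is gone; say so */
        return 0;
    }
    st->current = info;
    return 1;
}

/* Stand-in for FCommitHtmlPivotCacheElement: NULL check, then a field read.
 * With a dangling pointer the check passes and the read is the UAF. Returns -1 if no object. */
static int commit_pivot_cache_element(const ParserState *st)
{
    if (st->current == NULL) return -1;
    return st->current->n_fields;
}

/* Safe diagnostic, no dereference: dangling if non-NULL but not owned by the list. */
static int state_has_dangling_ref(const ParserState *st)
{
    if (st->current == NULL) return 0;
    for (int i = 0; i < st->list.count; i++)
        if (st->list.items[i] == st->current) return 0;
    return 1;
}

int main(void)
{
    ParserState st;
    state_init(&st);
    commit_pivot_table_info_vuln(&st, 0);          /* malformed ElementType */
    printf("vulnerable path: dangling=%d\n", state_has_dangling_ref(&st));
#ifdef DEMO_UAF
    /* Build with -DDEMO_UAF -fsanitize=address to have ASan report the read
     * as heap-use-after-free. Undefined behaviour, so off by default. */
    printf("read via freed pointer: %d\n", commit_pivot_cache_element(&st));
#endif
    st.current = NULL;                             /* drop the dangling ref, then clean up */
    state_free(&st);
    commit_pivot_table_info_fixed(&st, 0);
    printf("fixed path: dangling=%d commit=%d\n",
           state_has_dangling_ref(&st), commit_pivot_cache_element(&st));
    state_free(&st);
    return 0;
}
```

Build with `cc -std=c99 -o uaf uaf.c`; the default build never touches freed memory, because `state_has_dangling_ref` decides from ownership (is the pointer held by the list?) rather than by dereferencing. Adding `-DDEMO_UAF -fsanitize=address` performs the read and lets AddressSanitizer report it, the userland analogue of the `!heap -p -a` before/after pair in the trace showing the chunk in a freed state when the commit routine reads it.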
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Analysis.CPU.Sec
Value: 14
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-IQDGM2J
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 408
Key : Analysis.Memory.CommitPeak.Mb
Value: 438
Key : Analysis.System
Value: CreateObject
Key : Timeline.OS.Boot.DeltaSec
Value: 191065
Key : Timeline.Process.Start.DeltaSec
Value: 163
NTGLOBALFLAG: 2000000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
APPLICATION_VERIFIER_LOADED: 1
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 0175aaf7 (Excel!FCommitHtmlPivotCacheElement+0x00000017)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 62300f7c
Attempt to read from address 62300f7c
FAULTING_THREAD: 00000070
PROCESS_NAME: Excel.exe
READ_ADDRESS: 62300f7c
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 62300f7c
STACK_TEXT:
03ade998 0172719d 03adf044 6359e998 00000000 Excel!FCommitHtmlPivotCacheElement+0x17
03ade9b0 01f9cb66 03adea2c 6359e998 00000001 Excel!HrCommitBookXml+0xca
03adea80 00b6431b 00000000 03adeaec 69f7f534 Excel!FProcessXmlItem+0xa77
03adea8c 69f7f534 02fde194 03adeff0 6359e998 Excel!OHIU::FProcessXmlItem+0x10
03adeaec 69f1df25 0159e998 fd1d5943 57ff8d14 mso!FDispatchXmlItem+0x191
03adeb60 69f193aa 6359e998 64f06f48 fd1d5fbb mso!FProcessCloseXmlTag+0x1c8
03aded98 69f17ffe fd1d5fe3 03adeff0 063b6fd8 mso!TkLexHtml+0x1081
03adedc0 69f17e1c 57ff8d14 00000000 063b6fd8 mso!HI::FDoImportCopyContent+0x1cf
03adedd4 00b5b68a 6359e918 063b6fd8 00000000 mso!HI::FDoImport+0x19
03adef00 01725e74 00000100 54d48fa8 00000003 Excel!HrLoadSheetHtml+0x435
03ae9864 01f9e837 00000000 00000000 00000000 Excel!HrBookLoadHtmlSinglePly+0x4c2
03ae98a8 007030a6 03af8f3c 54d48fa8 00000002 Excel!HrLoadBookHtml+0xe4
03af9370 006fc274 00000000 00000000 00000002 Excel!HrFileLoadEx+0x6b1b
03af940c 0194963b 00000000 00000000 00000002 Excel!HrFileLoadWithCoauth+0x6c
03af9460 015179b2 00000000 03af95c0 02823042 Excel!HrFileLoadWithCoauth+0x47
03af9568 01517705 00000001 00001008 00000001 Excel!_HrLoadInternal+0x1a5
03af9610 005420d5 00000001 00001008 00000001 Excel!_HrLoad+0xd1
03afe388 00540793 0000000f 47092fb0 00000825 Excel!FStartupFilename+0x1a07
03afe42c 022d2374 0000000f 47092fb0 00000825 Excel!FLoadCmdLine+0x99
03afefa4 00586acd 00000825 00000000 00000001 Excel!MergeInstance::ExecuteMergeInstance+0xdd
03aff050 0057b937 063b6fd8 063b6fd8 00000000 Excel!DelayedMergeInstance::FProcessRequest+0x10a
03aff5b0 00579d19 063b6fd8 02fa355c 00000001 Excel!FDoIdleHardRejectUi+0x1cc2
03aff630 00576bf1 6e73a38d 02fa3790 00000000 Excel!FDoIdle+0x9d
03affa30 00517895 00000000 0000000a 0394c000 Excel!MainLoop+0x1326
03affc60 005011c3 00500000 00000000 063d8fc2 Excel!WinMain+0x6c4
03affcac 75a800c9 0394c000 75a800b0 03affd18 Excel!_imp_load__RmGetList+0x1c7
03affcbc 77977b1e 0394c000 84105314 00000000 KERNEL32!BaseThreadInitThunk+0x19
03affd18 77977aee ffffffff 77998c03 00000000 ntdll!__RtlUserThreadStart+0x2f
03affd28 00000000 00501079 0394c000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: Excel!FCommitHtmlPivotCacheElement+17
MODULE_NAME: Excel
IMAGE_NAME: Excel.exe
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!FCommitHtmlPivotCacheElement
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {a768443e-18ec-dc72-511b-87f1949b0ed3}
Followup: MachineOwner
---------
0:000> lmva excel
Browse full module list
start end module name
00500000 03717000 Excel (pdb symbols) c:\tools\x86\sym\excel.pdb\FD60CCBC644B4FD0889179BD554363D12\excel.pdb
Loaded symbol image file: c:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Image path: Excel.exe
Image name: Excel.exe
Browse all global symbols functions data
Timestamp: Fri Aug 4 05:00:26 2023 (64CC69CA)
CheckSum: 0321C631
ImageSize: 03217000
File version: 16.0.16626.20170
Product version: 16.0.16626.20170
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: Excel
OriginalFilename: Excel.exe
ProductVersion: 16.0.16626.20170
FileVersion: 16.0.16626.20170
Vendor advisory: https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36041
2023-08-31 - Vendor Disclosure
2023-11-14 - Vendor Patch Release
2023-11-15 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.