Microsoft Office Excel Remote Code Execution Vulnerability (CVE-2016-0035) Analysis

Microsoft Office Excel Remote Code Execution Vulnerability (CVE-2016-0035) Analysis

Recently, I discovered the Use-After-Free vulnerability in Excel programs (all versions) when processing specially constructed excel files. This vulnerability allows remote code execution. However, Microsoft refused to fix the vulnerability, saying that the vulnerability could be blocked by "pop-up. Let's take a look at the pop-up window:

 

Q: Will you click "yes" when this pop-up window appears when we open a trusted file from an email "? I think the answer may be "yes". After all, this is a trusted file and a trusted source (at least you think so ). Although the pop-up window exists, the vulnerability is triggered several seconds after you close the pop-up window or ignore it directly. How big is the impact?

As long as the user does not select "no" within one second, we can track the page heap and user mode stacks in the EXCEL program. You will see the following information:

(868.15c4): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=221beff0 ebx=001c2602 ecx=08a1dff0 edx=00000001 esi=00000000 edi=00000001eip=2fed37f1 esp=001c2264 ebp=001c2294 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246EXCEL!Ordinal40+0x7737f1:2fed37f1 663b5004        cmp     dx,word ptr [eax+4]      ds:0023:221beff4=????0:000> !heap -p -a @eax    address 221beff0 found in    _DPH_HEAP_ROOT @ 11d1000    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)                                   22d31a5c:         221be000             2000    716690b2 verifier!AVrfDebugPageHeapFree+0x000000c2    773a6dbc ntdll!RtlDebugFreeHeap+0x0000002f    7736a4c7 ntdll!RtlpFreeHeap+0x0000005d    77336896 ntdll!RtlFreeHeap+0x00000142    75b6c4d4 kernel32!HeapFree+0x00000014    62296f1b mso!Ordinal9770+0x00007bef    2f98cde3 EXCEL!Ordinal40+0x0022cde3    2f9e2e82 EXCEL!Ordinal40+0x00282e82    2f9e2b35 EXCEL!Ordinal40+0x00282b35    2fa26427 EXCEL!Ordinal40+0x002c6427    2fa260b6 EXCEL!Ordinal40+0x002c60b6    2fa24e39 EXCEL!Ordinal40+0x002c4e39    2fa21994 EXCEL!Ordinal40+0x002c1994    2fa24a26 EXCEL!Ordinal40+0x002c4a26    2fa1f82c EXCEL!Ordinal40+0x002bf82c    2fa1e336 EXCEL!Ordinal40+0x002be336    2fa1d992 EXCEL!Ordinal40+0x002bd992    2fa1ced6 EXCEL!Ordinal40+0x002bced6    2fff23cd EXCEL!Ordinal40+0x008923cd    3002c86e EXCEL!Ordinal40+0x008cc86e    300316f1 EXCEL!Ordinal40+0x008d16f1    30032050 EXCEL!Ordinal40+0x008d2050    30042046 EXCEL!Ordinal40+0x008e2046    62076292 mso!Ordinal9994+0x000024c7    620766cb mso!Ordinal4158+0x000001d8    6205992d mso!Ordinal9839+0x00000ff0    6205a0df mso!Ordinal143+0x00000415    61b50593 mso!Ordinal6326+0x00003b30    6207621f mso!Ordinal9994+0x00002454    6175882e mso!Ordinal53+0x0000083b    617585bc mso!Ordinal53+0x000005c9    6175744a mso!Ordinal7509+0x00000060

It is clear that UAF exists here. To make you think this is a serious vulnerability, the following example shows the possible code execution path: No user mode stack tracing is required. If attackers can forcibly specify the address allocated by memory (which is acceptable), these attackers can execute their Code indirectly.

(1614.1a24): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=5ca5f546 ebx=00000000 ecx=5c991ed8 edx=00266794 esi=5c991ed8 edi=00000000eip=8bec8b55 esp=002667a8 ebp=002667e0 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=002102068bec8b55 ??              ???0:000> kChildEBP RetAddr WARNING: Frame IP not in any known module. Following frames may be wrong.002667a4 5cdec71b 0x8bec8b55002667e0 5ca40b78 mso!Ordinal8883+0xa1500266810 5ca40b20 mso!Ordinal9662+0xdb200266838 5ca40a84 mso!Ordinal9662+0xd5a00266844 5ca5f015 mso!Ordinal9662+0xcbe00266858 5d67e54f mso!Ordinal10511+0x3de002668cc 5d67e614 mso!Ordinal2804+0x45a002668f0 5d3a5c3c mso!Ordinal2804+0x51f00266b3c 2fafdf1c mso!Ordinal7674+0x26500267230 2fafd9e1 EXCEL!Ordinal40+0x23df1c00267280 3018c1da EXCEL!Ordinal40+0x23d9e10026d184 301916f1 EXCEL!Ordinal40+0x8cc1da0026f798 30192050 EXCEL!Ordinal40+0x8d16f10026fa74 301a2046 EXCEL!Ordinal40+0x8d20500026fa94 5d166292 EXCEL!Ordinal40+0x8e20460026fab4 5d1666cb mso!Ordinal9994+0x24c70026facc 5d14992d mso!Ordinal4158+0x1d80026faf4 5d14a0df mso!Ordinal9839+0xff00026fb0c 5cc40593 mso!Ordinal143+0x4150026fb30 5d16621f mso!Ordinal6326+0x3b300:000> u 5ca40b78mso!Ordinal9662+0xdb2:5ca40b78 8bce            mov     ecx,esi5ca40b7a e84f000000      call    mso!Ordinal9662+0xe08 (5ca40bce)5ca40b7f 8b4e2c          mov     ecx,dword ptr [esi+2Ch]5ca40b82 3bcf            cmp     ecx,edi5ca40b84 7409            je      mso!Ordinal9662+0xdc9 (5ca40b8f)5ca40b86 8b01            mov     eax,dword ptr [ecx]5ca40b88 6a01            push    15ca40b8a ff10            call    dword ptr [eax]

Below is the sub_39270b26 () provided by IDA ():

 

Of course, I will not provide attackers with attack code. Here we only provide readers with relevant learning methods. This vulnerability has been fixed by Microsoft, the Microsoft number MS16-004, that is, the CVE-2016-0035. In addition, since the recent ALSR technology can bypass Microsoft Office Products, the impact of this vulnerability is further expanded.

Which versions will this vulnerability affect? All versions, including the Office2007-2010, and versions that may affect updates (not tested ). During the test, the Office2010 Professional edition with the latest patch is used.

 

Summary

There are still many such vulnerabilities. We also thank Microsoft's MSRC team for re-evaluating the impact of the vulnerability and fixing it in the next few months, we also thank ZDI for helping suppliers solve such problems as they promised.