Microsoft Office Excel Remote Code Execution Vulnerability (CVE-2016-0035) Analysis
Recently, I discovered a use-after-free vulnerability in Excel (all versions) that is triggered when processing a specially crafted Excel file. This vulnerability allows remote code execution. However, Microsoft initially refused to fix it, saying that the vulnerability is blocked by a pop-up warning. Let's take a look at the pop-up window:
Q: Would you click "Yes" when this pop-up appears while opening a trusted file received by e-mail? I think the answer is probably "yes". After all, it is a trusted file from a trusted source (or at least you think so). Although the pop-up exists, the vulnerability is triggered a few seconds after you close the pop-up or simply ignore it. So how big is the impact really?
As long as the user does not click "No" within one second, the bug triggers. Running EXCEL.EXE with page heap and user-mode stack traces enabled, you will see the following:
(868.15c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=221beff0 ebx=001c2602 ecx=08a1dff0 edx=00000001 esi=00000000 edi=00000001
eip=2fed37f1 esp=001c2264 ebp=001c2294 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
EXCEL!Ordinal40+0x7737f1:
2fed37f1 663b5004        cmp     dx,word ptr [eax+4]      ds:0023:221beff4=????
0:000> !heap -p -a @eax
    address 221beff0 found in
    _DPH_HEAP_ROOT @ 11d1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    22d31a5c:         221be000             2000
    716690b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    773a6dbc ntdll!RtlDebugFreeHeap+0x0000002f
    7736a4c7 ntdll!RtlpFreeHeap+0x0000005d
    77336896 ntdll!RtlFreeHeap+0x00000142
    75b6c4d4 kernel32!HeapFree+0x00000014
    62296f1b mso!Ordinal9770+0x00007bef
    2f98cde3 EXCEL!Ordinal40+0x0022cde3
    2f9e2e82 EXCEL!Ordinal40+0x00282e82
    2f9e2b35 EXCEL!Ordinal40+0x00282b35
    2fa26427 EXCEL!Ordinal40+0x002c6427
    2fa260b6 EXCEL!Ordinal40+0x002c60b6
    2fa24e39 EXCEL!Ordinal40+0x002c4e39
    2fa21994 EXCEL!Ordinal40+0x002c1994
    2fa24a26 EXCEL!Ordinal40+0x002c4a26
    2fa1f82c EXCEL!Ordinal40+0x002bf82c
    2fa1e336 EXCEL!Ordinal40+0x002be336
    2fa1d992 EXCEL!Ordinal40+0x002bd992
    2fa1ced6 EXCEL!Ordinal40+0x002bced6
    2fff23cd EXCEL!Ordinal40+0x008923cd
    3002c86e EXCEL!Ordinal40+0x008cc86e
    300316f1 EXCEL!Ordinal40+0x008d16f1
    30032050 EXCEL!Ordinal40+0x008d2050
    30042046 EXCEL!Ordinal40+0x008e2046
    62076292 mso!Ordinal9994+0x000024c7
    620766cb mso!Ordinal4158+0x000001d8
    6205992d mso!Ordinal9839+0x00000ff0
    6205a0df mso!Ordinal143+0x00000415
    61b50593 mso!Ordinal6326+0x00003b30
    6207621f mso!Ordinal9994+0x00002454
    6175882e mso!Ordinal53+0x0000083b
    617585bc mso!Ordinal53+0x000005c9
    6175744a mso!Ordinal7509+0x00000060
It is clear that a UAF exists here. To show that this is a serious vulnerability, the following example shows one possible code-execution path (this time captured without user-mode stack tracing). If an attacker can control what is placed at the freed address (which is achievable), they can indirectly redirect execution to their own code.
(1614.1a24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5ca5f546 ebx=00000000 ecx=5c991ed8 edx=00266794 esi=5c991ed8 edi=00000000
eip=8bec8b55 esp=002667a8 ebp=002667e0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
8bec8b55 ??              ???
0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
002667a4 5cdec71b 0x8bec8b55
002667e0 5ca40b78 mso!Ordinal8883+0xa15
00266810 5ca40b20 mso!Ordinal9662+0xdb2
00266838 5ca40a84 mso!Ordinal9662+0xd5a
00266844 5ca5f015 mso!Ordinal9662+0xcbe
00266858 5d67e54f mso!Ordinal10511+0x3de
002668cc 5d67e614 mso!Ordinal2804+0x45a
002668f0 5d3a5c3c mso!Ordinal2804+0x51f
00266b3c 2fafdf1c mso!Ordinal7674+0x265
00267230 2fafd9e1 EXCEL!Ordinal40+0x23df1c
00267280 3018c1da EXCEL!Ordinal40+0x23d9e1
0026d184 301916f1 EXCEL!Ordinal40+0x8cc1da
0026f798 30192050 EXCEL!Ordinal40+0x8d16f1
0026fa74 301a2046 EXCEL!Ordinal40+0x8d2050
0026fa94 5d166292 EXCEL!Ordinal40+0x8e2046
0026fab4 5d1666cb mso!Ordinal9994+0x24c7
0026facc 5d14992d mso!Ordinal4158+0x1d8
0026faf4 5d14a0df mso!Ordinal9839+0xff0
0026fb0c 5cc40593 mso!Ordinal143+0x415
0026fb30 5d16621f mso!Ordinal6326+0x3b30
0:000> u 5ca40b78
mso!Ordinal9662+0xdb2:
5ca40b78 8bce            mov     ecx,esi
5ca40b7a e84f000000      call    mso!Ordinal9662+0xe08 (5ca40bce)
5ca40b7f 8b4e2c          mov     ecx,dword ptr [esi+2Ch]
5ca40b82 3bcf            cmp     ecx,edi
5ca40b84 7409            je      mso!Ordinal9662+0xdc9 (5ca40b8f)
5ca40b86 8b01            mov     eax,dword ptr [ecx]
5ca40b88 6a01            push    1
5ca40b8a ff10            call    dword ptr [eax]
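As an added example (not the author's tooling), the following Python helper automates the triage that the two WinDbg sessions above are read by eye: it marks the first session as a use-after-free because `!heap -p -a` places the faulting address in a free-ed page-heap block, and marks a session as a control-flow hijack when `k` warns that the frame IP is in no known module. The sample input is an abridged copy of the first session; the Triage class and its verdict strings are my own naming.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the page's first WinDbg session, used here as sample input.
UAF_SESSION = """\
eax=221beff0 ebx=001c2602 ecx=08a1dff0 edx=00000001 esi=00000000 edi=00000001
eip=2fed37f1 esp=001c2264 ebp=001c2294 iopl=0         nv up ei pl zr na pe nc
2fed37f1 663b5004        cmp     dx,word ptr [eax+4]      ds:0023:221beff4=????
0:000> !heap -p -a @eax
    address 221beff0 found in
    _DPH_HEAP_ROOT @ 11d1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    22d31a5c:         221be000             2000
    716690b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    75b6c4d4 kernel32!HeapFree+0x00000014
    62296f1b mso!Ordinal9770+0x00007bef
    2f98cde3 EXCEL!Ordinal40+0x0022cde3
"""

@dataclass
class Triage:
    faulting_ip: str = ""
    heap_state: str = "unknown"        # "freed" or "unknown"
    block_base: str = ""               # VirtAddr of the page-heap block
    block_size: int = 0                # VirtSize, in bytes
    free_stack: list = field(default_factory=list)
    ip_outside_modules: bool = False

    @property
    def verdict(self) -> str:
        if self.ip_outside_modules:
            return "control-flow hijack (frame IP outside any module)"
        if self.heap_state == "freed":
            return "use-after-free (access to free-ed page-heap block)"
        return "unclassified access violation"

def triage(text: str) -> Triage:
    t = Triage()
    m = re.search(r"^eip=([0-9a-f]{8})", text, re.M)
    t.faulting_ip = m.group(1) if m else ""
    # Page heap reports whether the faulting address lies in an already freed block.
    t.heap_state = "freed" if "in free-ed allocation" in text else "unknown"
    m = re.search(r"^\s+[0-9a-f]{8}:\s+([0-9a-f]{8})\s+([0-9a-f]+)\s*$", text, re.M)
    if m:
        t.block_base, t.block_size = m.group(1), int(m.group(2), 16)
    # Frames of the recorded freeing stack: "<addr> <module>!<symbol>+0x<off>".
    t.free_stack = re.findall(r"^\s+[0-9a-f]{8} (\S+!\S+)$", text, re.M)
    # `k` prints this warning when EIP points into data, as in the second session.
    t.ip_outside_modules = "Frame IP not in any known module" in text
    return t
```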
Below is the sub_39270b26() function as shown in IDA:
Of course, I will not provide attackers with attack code; this article only shows readers the relevant analysis methods. Microsoft has since fixed this vulnerability in bulletin MS16-004 as CVE-2016-0035. In addition, since recent techniques can bypass ASLR in Microsoft Office products, the impact of this vulnerability is further expanded.
Which versions does this vulnerability affect? All versions, including Office 2007 through Office 2010, and possibly newer releases as well (not tested). Testing was done on Office 2010 Professional with the latest patches applied.
Summary
There are still many such vulnerabilities. We thank Microsoft's MSRC team for re-evaluating the impact of this vulnerability and fixing it over the following months, and we also thank ZDI for helping the vendor resolve such issues as promised.