CVE-2018-3932
Summary
An exploitable stack-based buffer overflow exists in the Microsoft Word document conversion functionality of the Antenna House Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312). A crafted Microsoft Word (DOC) document can lead to a stack-based buffer overflow, resulting in remote code execution.
Tested Versions
Office Server Document Converter version V6.1 Pro MR2 for Linux64 (6,1,2018,0312)
Product URLs
https://www.rainbowpdf.com/batch-office-server-document-converter/
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-121: Stack-based Buffer Overflow
Details
This vulnerability is present in the Antenna House Office Server Document Converter, which is used as a document converter in many server enterprise solutions.
It can convert common formats such as Microsoft’s document formats into more usable and easily viewed formats.
There is a vulnerability in the conversion process of a DOC to PDF, JPEG and several other formats. A specially crafted Microsoft Word file can lead to a stack-based buffer overflow and remote code execution.
Let’s investigate this vulnerability. After we attempt to convert a malicious DOC using the OSDC library, we see the following state:
gdb --args bin/SBCCmd -p @PDF -o /tmp/x.pdf -d ./crashes/9bbd7cd643a0c0f30e6726a5ab502542
(gdb) c
Continuing.
SBCCmd : Office Server Document Converter V6.1 Pro MR2 for Linux64 (6,1,2018,0312)
Copyright (c) 1999-2018 Antenna House, Inc.
---------------------------------------
This is an EVALUATION version.
Prohibits the use of evaluation version
for the real business activity.
Expire Date : Jun 06, 2018
---------------------------------------
Program received signal SIGSEGV, Segmentation fault.
0x00007f264ec28fbb in DfvDocReaderNS::ListProperty::putlsttbl(AHCommonNS::AHPtr<DfvCommon::WordMLDocument>, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, AHCommonNS::AHPtr<DfvCommon::WordMLElement>, DfvDocReaderNS::FIB&, DfvDocReaderNS::LEVELSTYLE&, DfvDocReaderNS::SEP&) () from /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6
(gdb) bt 10
#0 0x00007f264ec28fbb in DfvDocReaderNS::ListProperty::putlsttbl(AHCommonNS::AHPtr<DfvCommon::WordMLDocument>, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, AHCommonNS::AHPtr<DfvCommon::WordMLElement>, DfvDocReaderNS::FIB&, DfvDocReaderNS::LEVELSTYLE&, DfvDocReaderNS::SEP&) () from /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6
#1 0x0031002500310025 in ?? ()
#2 0x0031002500310025 in ?? ()
#3 0x0031002500310025 in ?? ()
#4 0x0031002500310025 in ?? ()
#5 0x0031002500310025 in ?? ()
#6 0x0031002500310025 in ?? ()
#7 0x0031002500310025 in ?? ()
#8 0x0031002500310025 in ?? ()
#9 0x0031002500310025 in ?? ()
(More stack frames follow...)
As we can see, a stack-based buffer overflow appeared inside the putlsttbl method.
Let us take a look at the most important parts of the pseudocode of the putlsttbl method where the stack overflow occurred:
Line 1 OLEread(v8, &cchXst, 2LL);
Line 2 index = 0;
Line 3 counter = 1;
Line 4 _cchXst = cchXst + 1;
Line 5 memset(rgtchar, 0, 0x80uLL);
Line 6 if ( cchXst )
Line 7 {
Line 9 (...)
Line 10 while ( 1 )
Line 11 {
Line 12 OLEread(v8, element, 2LL);
Line 13 v267 = element[0];
Line 14 if ( LOWORD(element[0]) > 9u )
Line 15 break;
Line 16 offset_next = index + 1;
Line 17 ++counter;
Line 18 offset = index;
Line 19 index += 2;
Line 20 *(_WORD *)&rgtchar[2 * offset] = 37;
Line 21 *(_WORD *)&rgtchar[2 * offset_next] = v267 + 49;
Line 22 if ( counter == _cchXst )
Line 23 goto _end_loop;
Line 24 }
The code above is responsible for parsing the Xst record. At line 1, the size of the Xst record is read, and a while loop is then executed based on its value. During each iteration, four bytes are copied to the rgtchar fixed-size buffer (0x80 bytes): two bytes are a constant value, and the other two are bytes read directly from the file at line 12.
Keeping that in mind, a simple calculation shows that (0x80 / 4) - 1 = 0x1f is enough for cchXst to cause a buffer overflow.
Knowing these facts, an attacker fully controls the number of bytes used for the overflow and partially controls their content. In these circumstances, an attacker using a properly malformed Microsoft Word document can overwrite the function return address and turn that into remote code execution.
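The following is an added example, not code from the advisory or from Antenna House: it reconstructs the Xst parsing loop from the pseudocode above in C with the one fix the loop is missing, a check of cchXst against the size of the destination buffer before the copy loop runs. The stream reader (XstStream, xst_read) is a constructed stand-in for the product's OLEread, and build_xst/run_case only exist to feed the parser constructed Xst records in memory; the entry count, the 0x80-byte rgtchar buffer, the 4-byte-per-iteration write pattern and the element > 9 early exit are taken from the pseudocode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the OLE stream reader (OLEread in the pseudocode):
 * a cursor over an in-memory little-endian byte buffer. Not the vendor's API. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} XstStream;

static int xst_read(XstStream *s, void *out, size_t n) {
    if (s->len - s->pos < n)
        return 0;                        /* truncated record: refuse instead of reading past the end */
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return 1;
}

#define RGTCHAR_SIZE 0x80u               /* the fixed-size stack buffer from the pseudocode */
#define MAX_XST_CHARS (RGTCHAR_SIZE / 4) /* 4 bytes written per iteration, so 0x20 entries fit */

/* Hardened version of the putlsttbl loop. Per entry it writes the constant 37
 * and element+49 as two 16-bit words, exactly as the pseudocode does; the
 * structural change is that cchXst is validated against the destination size
 * before the loop starts. Returns the number of characters written, or -1 if
 * the record is rejected (too many entries) or truncated. */
int parse_xst_safe(XstStream *s, uint8_t *rgtchar, size_t rgtchar_size) {
    uint16_t cchXst;
    if (!xst_read(s, &cchXst, sizeof cchXst))
        return -1;
    memset(rgtchar, 0, rgtchar_size);
    if (cchXst > rgtchar_size / 4)       /* the bounds check the original loop lacks */
        return -1;
    size_t index = 0;
    for (uint16_t counter = 0; counter < cchXst; counter++) {
        uint16_t element;
        if (!xst_read(s, &element, sizeof element))
            return -1;
        if (element > 9)                 /* same early exit as the original (line 14) */
            break;
        uint16_t words[2] = { 37, (uint16_t)(element + 49) };
        memcpy(&rgtchar[2 * index], words, sizeof words);   /* lines 20-21 */
        index += 2;
    }
    return (int)(index / 2);
}

/* Build a constructed Xst record: 16-bit count followed by 16-bit elements.
 * Returns the record length in bytes, or 0 if the buffer is too small. */
size_t build_xst(uint8_t *buf, size_t cap, uint16_t cchXst, const uint16_t *elements) {
    size_t need = 2 + 2 * (size_t)cchXst;
    if (cap < need)
        return 0;
    buf[0] = (uint8_t)(cchXst & 0xff);
    buf[1] = (uint8_t)(cchXst >> 8);
    for (size_t i = 0; i < cchXst; i++) {
        buf[2 + 2 * i]     = (uint8_t)(elements[i] & 0xff);
        buf[2 + 2 * i + 1] = (uint8_t)(elements[i] >> 8);
    }
    return need;
}

/* Helper for the demonstration: a record with cchXst entries whose values
 * cycle through 0..9, parsed into rgtchar. Returns parse_xst_safe's result,
 * or -2 if cchXst exceeds what this helper can build. */
int run_case(uint16_t cchXst, uint8_t *rgtchar) {
    uint8_t raw[256];
    uint16_t elems[0x40];
    if (cchXst > 0x40)
        return -2;
    for (size_t i = 0; i < cchXst; i++)
        elems[i] = (uint16_t)(i % 10);
    size_t n = build_xst(raw, sizeof raw, cchXst, elems);
    XstStream s = { raw, n, 0 };
    return parse_xst_safe(&s, rgtchar, RGTCHAR_SIZE);
}

int main(void) {
    uint8_t rgtchar[RGTCHAR_SIZE];
    printf("cchXst=0x20 -> %d chars (fills the buffer exactly)\n", run_case(0x20, rgtchar));
    printf("cchXst=0x21 -> %d (rejected instead of overflowing)\n", run_case(0x21, rgtchar));
    return 0;
}
```

A count of 0x20 fills rgtchar to its last byte and is accepted; 0x21 is refused before any write happens, which is the point at which the unpatched loop would begin overwriting the stack past rgtchar. The check sits on the count rather than inside the loop so that a truncated or oversized record never partially fills the buffer.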
0x00007f26556f3c30 in _start () from /lib64/ld-linux-x86-64.so.2
(rr) c
Continuing.
SBCCmd : Office Server Document Converter V6.1 Pro MR2 for Linux64 (6,1,2018,0312)
Copyright (c) 1999-2018 Antenna House, Inc.
---------------------------------------
This is an EVALUATION version.
Prohibits the use of evaluation version
for the real business activity.
Expire Date : Jun 06, 2018
---------------------------------------
Program received signal SIGSEGV, Segmentation fault.
0x00007f264ec28fbb in DfvDocReaderNS::ListProperty::putlsttbl(AHCommonNS::AHPtr<DfvCommon::WordMLDocument>, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, AHCommonNS::AHPtr<DfvCommon::WordMLElement>, DfvDocReaderNS::FIB&, DfvDocReaderNS::LEVELSTYLE&, DfvDocReaderNS::SEP&) () from /usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6
(rr) exploitable_active
(rr) exploitable -m
__main__:102: UserWarning: GDB v7.11 may not support required Python API
Warning: machine string printing is deprecated and may be removed in a future release.
EXCEPTION_FAULTING_ADDRESS:0x00000000000000
EXCEPTION_CODE:11
FAULTING_INSTRUCTION:mov WORD PTR [rsp+rcx*2+0x2250],si
MAJOR_HASH:fca1cffba77972f2e409707bae73162c
MINOR_HASH:77e8f007a75237e7dc7ef9121006f132
STACK_DEPTH:1000
STACK_FRAME:/usr/OfficeServerDocumentConverter/lib/libDfvDocReader.so.6.1!DfvDocReaderNS::ListProperty::putlsttbl(AHCommonNS::AHPtr<DfvCommon::WordMLDocument>, OleCompNS::AHOleCompStream*, OleCompNS::AHOleCompStream*, AHCommonNS::AHPtr<DfvCommon::WordMLElement>, DfvDocReaderNS::FIB&, DfvDocReaderNS::LEVELSTYLE&, DfvDocReaderNS::SEP&)+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
STACK_FRAME:Unknown+0x0
(...)
INSTRUCTION_ADDRESS:0x007f264ec28fbb
INVOKING_STACK_FRAME:0
DESCRIPTION:Possible stack corruption
SHORT_DESCRIPTION:PossibleStackCorruption (8/29)
OTHER_RULES:AccessViolation (28/29)
CLASSIFICATION:EXPLOITABLE
EXPLANATION:GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Description: Possible stack corruption
Short description: PossibleStackCorruption (8/29)
Hash: fca1cffba77972f2e409707bae73162c.77e8f007a75237e7dc7ef9121006f132
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: AccessViolation (28/29)
Timeline
2018-06-01 - Vendor Disclosure
2018-07-10 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.