CVE-2020-0759
An exploitable use-after-free vulnerability exists in Excel in Microsoft Office Professional Plus 2016 x86, version 1909, build 12026.20334 and Microsoft Office 365 ProPlus x86, version 1902, build 11328.20480. A specially crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Microsoft Office Professional Plus 2016 x86 - version 1909 build 12026.20334
Microsoft Office 365 ProPlus x86 - version 1902 build 11328.20480
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
This vulnerability is present in Microsoft Excel, part of the Microsoft Office suite of applications used in an office environment.
More precisely, the vulnerability lies in the component responsible for handling the Microsoft Office HTML and XML format introduced in Microsoft Office 2000.
A specially crafted XLS file written as a particular arrangement of HTML/XML tags can lead to a use-after-free and remote code execution.
Tracking the object's life cycle, we can see a constant-size allocation of 0x5E0 bytes being made:
00711123 68e0050000 push 5E0h
00711128 e86e15f7ff call Excel!Ordinal43+0x1269b (0068269b)
eax=024fecfc ebx=00000000 ecx=52704a20 edx=00000000 esi=52704a20 edi=00000000
eip=0095aa74 esp=0331fd4c ebp=0331fd60 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
0:000> !heap -p -a 52704a20
address 52704a20 found in
_DPH_HEAP_ROOT @ 4361000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
52700f70: 52704a20 5e0 - 52704000 2000
? Excel!LinkASPPModelTable+7f9efe
77f3ab70 verifier!AVrfDebugPageHeapAllocate+0x00000240
77bc915b ntdll!RtlDebugAllocateHeap+0x00000039
77b133cd ntdll!RtlpAllocateHeap+0x000000ed
77b1207b ntdll!RtlpAllocateHeapInternal+0x000006db
77b11976 ntdll!RtlAllocateHeap+0x00000036
0c804256 mso20win32client!Ordinal951+0x000000a9
0c804211 mso20win32client!Ordinal951+0x00000064
00682827 Excel!Ordinal43+0x00012827
00682713 Excel!Ordinal43+0x00012713
006826ba Excel!Ordinal43+0x000126ba
0071112d Excel!Ordinal43+0x000a112d
00710d7f Excel!Ordinal43+0x000a0d7f
00730ea9 Excel!Ordinal43+0x000c0ea9
00c4a767 Excel!Ordinal43+0x005da767
00c4a335 Excel!Ordinal43+0x005da335
01c7a0c2 Excel!MdCallBack+0x008835c8
008385b7 Excel!Ordinal43+0x001c85b7
008320eb Excel!Ordinal43+0x001c20eb
01695625 Excel!MdCallBack+0x0029eb2b
012970c6 Excel!MdCallBack12+0x005aff8d
0129727a Excel!MdCallBack12+0x005b0141
006a6bff Excel!Ordinal43+0x00036bff
006a59e0 Excel!Ordinal43+0x000359e0
01479076 Excel!MdCallBack+0x0008257c
006eec1e Excel!Ordinal43+0x0007ec1e
006df6b7 Excel!Ordinal43+0x0006f6b7
006dd7c3 Excel!Ordinal43+0x0006d7c3
006d776a Excel!Ordinal43+0x0006776a
006816f6 Excel!Ordinal43+0x000116f6
0067124f Excel!Ordinal43+0x0000124f
77642369 KERNEL32!BaseThreadInitThunk+0x00000019
77b2e5bb ntdll!__RtlUserThreadStart+0x0000002b
Later, because of the malformed HTML/XML in the XLS file content, the object gets deallocated:
0095aa6e 8b06 mov eax, dword ptr [esi]
0095aa70 8bce mov ecx, esi
0095aa72 6a01 push 1
0095aa74 ff10 call dword ptr [eax]
0:000> p
eax=52704a20 ebx=00000000 ecx=52704a20 edx=04360000 esi=52704a20 edi=00000000
eip=0095aa76 esp=0331fd50 ebp=0331fd60 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
Excel!Ordinal43+0x2eaa76:
0095aa76 5f pop edi
0:000> !heap -p -a 52704a20
address 52704a20 found in
_DPH_HEAP_ROOT @ 4361000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
52700f70: 52704000 2000
77f3adc2 verifier!AVrfDebugPageHeapFree+0x000000c2
77bc99b3 ntdll!RtlDebugFreeHeap+0x0000003e
77b0fabe ntdll!RtlpFreeHeap+0x000000ce
77b0f986 ntdll!RtlpFreeHeapInternal+0x00000146
77b0f3de ntdll!RtlFreeHeap+0x0000003e
0c81dc9e mso20win32client!Ordinal456+0x0000008c
00688491 Excel!Ordinal43+0x00018491
0095aa76 Excel!Ordinal43+0x002eaa76
00b85a23 Excel!Ordinal43+0x00515a23
00b7e517 Excel!Ordinal43+0x0050e517
01ca5cf6 Excel!MdCallBack+0x008af1fc
01ca5788 Excel!MdCallBack+0x008aec8e
00c4ad64 Excel!Ordinal43+0x005dad64
00c4a335 Excel!Ordinal43+0x005da335
01c7a0c2 Excel!MdCallBack+0x008835c8
008385b7 Excel!Ordinal43+0x001c85b7
008320eb Excel!Ordinal43+0x001c20eb
01695625 Excel!MdCallBack+0x0029eb2b
012970c6 Excel!MdCallBack12+0x005aff8d
0129727a Excel!MdCallBack12+0x005b0141
006a6bff Excel!Ordinal43+0x00036bff
006a59e0 Excel!Ordinal43+0x000359e0
01479076 Excel!MdCallBack+0x0008257c
006eec1e Excel!Ordinal43+0x0007ec1e
006df6b7 Excel!Ordinal43+0x0006f6b7
006dd7c3 Excel!Ordinal43+0x0006d7c3
006d776a Excel!Ordinal43+0x0006776a
006816f6 Excel!Ordinal43+0x000116f6
0067124f Excel!Ordinal43+0x0000124f
77642369 KERNEL32!BaseThreadInitThunk+0x00000019
77b2e5bb ntdll!__RtlUserThreadStart+0x0000002b
77b2e58f ntdll!_RtlUserThreadStart+0x0000001b
Unfortunately, the pointer that references this object is not set to NULL after deallocation. Because of that, the check that is supposed to protect against re-use of this object (a simple NULL test on the pointer loaded from [ecx+14h]) is bypassed:
.text:0094CCD7 sub_94CCD7 proc near ; DATA XREF: .rdata:024BD0D8?o
.text:0094CCD7 mov ecx, [ecx+14h]
.text:0094CCDA test ecx, ecx
.text:0094CCDC jnz sub_731B64
.text:0094CCE2 xor eax, eax
.text:0094CCE4 retn
.text:0094CCE4 sub_94CCD7 endp
and the freed object is then used inside the following function, where the dangling pointer (in ecx) is dereferenced:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52704a20 edx=00000000 esi=00000000 edi=36126fa4
eip=00731b66 esp=0331fa3c ebp=0331fa68 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
Excel!Ordinal43+0xc1b66:
00731b66 f6410604 test byte ptr [ecx+6],4 ds:0023:52704a26=??
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0331fa68 00cf64bb 3338efdc 00000010 36126fa4 Excel!Ordinal43+0xc1b66
01 0331fa88 014da897 28354fe4 00000001 36126fa4 Excel!MdCallBack12+0xf382
02 0331faa4 014da938 28354fe4 03320054 00000000 Excel!MdCallBack+0xe3d9d
03 0331fac0 00c5f3fa 03320054 0000039e ffffffff Excel!MdCallBack+0xe3e3e
04 0331fb44 00c5ec0a 50c10998 03320054 00000001 Excel!Ordinal43+0x5ef3fa
05 0331fb5c 00c5dfb0 50c10998 00000001 00000001 Excel!Ordinal43+0x5eec0a
06 0331fc34 00c5d58c 50c10998 00000000 0331fc9c Excel!Ordinal43+0x5edfb0
07 0331fc44 790aaa3f 028f2f78 03320000 50c10998 Excel!Ordinal43+0x5ed58c
08 0331fc9c 7905b84a 50c10998 590b9279 0000000a mso!Ordinal1328+0x10b8
09 0331fd10 79057fd2 50c10998 0331fda4 50c10918 mso!Ordinal2401+0x5e7
0a 0331fddc 79056c03 590b916d 03320000 04395ff0 mso!Ordinal8579+0xf84
0b 0331fe04 79056a3f 49954ff0 00000000 0331ff28 mso!Ordinal172+0x665
0c 0331fe14 00c4a9ce 50c10918 04395ff0 40902de8 mso!Ordinal172+0x4a1
0d 0331ff28 00c4a335 00000100 40902de8 00000003 Excel!Ordinal43+0x5da9ce
0e 0332aa54 01c7a0c2 00000000 21524fc8 40906de8 Excel!Ordinal43+0x5da335
0f 0332aa9c 008385b7 0333ad24 40902de8 00000002 Excel!MdCallBack+0x8835c8
10 0333b164 008320eb 00000000 00000000 00000002 Excel!Ordinal43+0x1c85b7
11 0333b1b8 01695625 00000000 00000000 00000002 Excel!Ordinal43+0x1c20eb
12 0333b204 012970c6 00000000 0150870c 002a067c Excel!MdCallBack+0x29eb2b
13 0333b2c8 0129727a 00000001 00001008 00000001 Excel!MdCallBack12+0x5aff8d
14 0333b358 006a6bff 00000001 00001008 00000001 Excel!MdCallBack12+0x5b0141
15 0333f530 006a59e0 0000000f 44312df0 00000105 Excel!Ordinal43+0x36bff
16 0333f5d0 01479076 0000000f 44312df0 00000105 Excel!Ordinal43+0x359e0
17 0333f684 006eec1e 00000105 00000000 00000001 Excel!MdCallBack+0x8257c
18 0333f73c 006df6b7 00000000 000080df 04395ff0 Excel!Ordinal43+0x7ec1e
19 0333fb18 006dd7c3 04395ff0 000080df 00000000 Excel!Ordinal43+0x6f6b7
1a 0333fb88 006d776a 04395ff0 0000008d 00600000 Excel!Ordinal43+0x6d7c3
1b 0333fcf0 006816f6 028fbe28 00000000 030f9000 Excel!Ordinal43+0x6776a
1c 0333ff04 0067124f 00670000 00000000 043b7fcc Excel!Ordinal43+0x116f6
1d 0333ff50 77642369 030f9000 77642350 0333ffbc Excel!Ordinal43+0x124f
1e 0333ff60 77b2e5bb 030f9000 28190e15 00000000 KERNEL32!BaseThreadInitThunk+0x19
1f 0333ffbc 77b2e58f ffffffff 77b73e1a 00000000 ntdll!__RtlUserThreadStart+0x2b
20 0333ffcc 00000000 006710bd 030f9000 00000000 ntdll!_RtlUserThreadStart+0x1b
With proper heap grooming, an attacker can control the contents of the freed allocation before it is used again and, as a result, turn this use-after-free into arbitrary code execution.
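The pattern above (object freed, owner's pointer left intact, a NULL check that therefore passes, then a byte test at offset 6 through the stale pointer) is reduced to a self-contained C example below. This is an added illustration written for this page, not Excel's or Talos's code: the toy page heap, the owner struct layout, and every function name are assumptions chosen to mirror the WinDbg and IDA output, and the "page heap" only exists so that the dangling dereference is reported as a distinct result instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the object allocated in the advisory (push 5E0h). */
#define OBJ_SIZE 0x5E0u

/*
 * Toy "page heap": a fixed pool of OBJ_SIZE blocks with a busy flag per
 * block, so a read through a dangling pointer can be detected and reported.
 * It stands in for the verifier/DPH heap seen in the !heap output; it is
 * not Excel's or mso's allocator (hypothetical).
 */
enum { POOL_BLOCKS = 4 };
static unsigned char g_pool[POOL_BLOCKS][OBJ_SIZE];
static bool g_busy[POOL_BLOCKS];

static void ph_reset(void)
{
    memset(g_busy, 0, sizeof g_busy);
    memset(g_pool, 0, sizeof g_pool);
}

/* Hand out the first free block, or NULL when the pool is exhausted. */
static unsigned char *ph_alloc(void)
{
    for (int i = 0; i < POOL_BLOCKS; i++) {
        if (!g_busy[i]) {
            g_busy[i] = true;
            return g_pool[i];
        }
    }
    return NULL;
}

/* Index of the pool block starting at p, or -1 if p is not a block start. */
static int ph_index(const void *p)
{
    for (int i = 0; i < POOL_BLOCKS; i++)
        if (p == g_pool[i])
            return i;
    return -1;
}

static void ph_free(void *p)
{
    int i = ph_index(p);
    if (i >= 0)
        g_busy[i] = false;
}

/* Owner object: holds the pointer that sub_94CCD7 loads from [ecx+14h].
   pad[0x14] places it at offset 0x14 on a 32-bit build; a 64-bit host may
   align it further. Hypothetical layout, not recovered from Excel. */
typedef struct owner {
    unsigned char pad[0x14];
    unsigned char *obj;   /* the 0x5E0-byte object */
} owner_t;

enum use_result {
    USE_SKIPPED_NULL = 0, /* sub_94CCD7: pointer is NULL -> xor eax,eax; retn */
    USE_FLAG_CLEAR   = 1, /* test byte ptr [obj+6],4 -> bit clear */
    USE_FLAG_SET     = 2, /* test byte ptr [obj+6],4 -> bit set */
    USE_DANGLING     = 3  /* pointer non-NULL but block already freed (the UAF) */
};

/* Mirrors sub_94CCD7 followed by the faulting instruction at
   Excel!Ordinal43+0xc1b66: NULL check, then a byte test at offset 6. */
static enum use_result use_object(const owner_t *o)
{
    const unsigned char *obj = o->obj;
    if (obj == NULL)
        return USE_SKIPPED_NULL;      /* the only guard in the original code */
    int idx = ph_index(obj);
    if (idx < 0 || !g_busy[idx])
        return USE_DANGLING;          /* page heap would fault here: ds:...=?? */
    return (obj[6] & 4) ? USE_FLAG_SET : USE_FLAG_CLEAR;
}

/* Vulnerable teardown: frees the object but leaves the owner's pointer
   intact, the omission the advisory describes (CWE-416). */
static void release_vulnerable(owner_t *o)
{
    ph_free(o->obj);
}

/* Hardened teardown: free and clear the pointer, so the existing NULL check
   in use_object() actually protects against re-use. */
static void release_fixed(owner_t *o)
{
    ph_free(o->obj);
    o->obj = NULL;
}

/* Allocate, set the flag bit, and return what use_object() sees while live. */
static enum use_result live_check(void)
{
    ph_reset();
    owner_t o;
    memset(&o, 0, sizeof o);
    o.obj = ph_alloc();
    o.obj[6] = 4;                     /* constructed input: flag bit set */
    return use_object(&o);
}

/* Free with either teardown, then use the object again; return the result. */
static enum use_result scenario(bool fixed)
{
    ph_reset();
    owner_t o;
    memset(&o, 0, sizeof o);
    o.obj = ph_alloc();
    o.obj[6] = 4;
    if (fixed)
        release_fixed(&o);
    else
        release_vulnerable(&o);
    return use_object(&o);
}

int main(void)
{
    printf("live object:          %d (2 = flag set)\n", live_check());
    printf("vulnerable teardown:  %d (3 = dangling read, the UAF)\n", scenario(false));
    printf("fixed teardown:       %d (0 = skipped on NULL)\n", scenario(true));
    return 0;
}
```

The point the example makes is that the NULL check in sub_94CCD7 is only as good as the teardown that precedes it: with the vulnerable release the check passes and the read at offset 6 lands in freed memory, which is exactly where the page-heap run above reports `ds:0023:52704a26=??`. Clearing the pointer on free is the minimal fix; in a real allocator without page heap the freed block would instead be handed back to the next 0x5E0-byte request, which is what heap grooming exploits.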
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Dereference
Value: String
Key : AV.Fault
Value: Read
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-FIEQB1A
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 15
Key : Analysis.Memory.CommitPeak.Mb
Value: 67
Key : Analysis.System
Value: CreateObject
Key : Timeline.OS.Boot.DeltaSec
Value: 24524
Key : Timeline.Process.Start.DeltaSec
Value: 1501
NTGLOBALFLAG: 2000000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
APPLICATION_VERIFIER_LOADED: 1
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00731b66 (Excel!Ordinal43+0x000c1b66)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 52704a26
Attempt to read from address 52704a26
FAULTING_THREAD: 00001b18
PROCESS_NAME: Excel.exe
READ_ADDRESS: 52704a26
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 52704a26
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0331fa68 00cf64bb 3338efdc 00000010 36126fa4 Excel!Ordinal43+0xc1b66
0331fa88 014da897 28354fe4 00000001 36126fa4 Excel!MdCallBack12+0xf382
0331faa4 014da938 28354fe4 03320054 00000000 Excel!MdCallBack+0xe3d9d
0331fac0 00c5f3fa 03320054 0000039e ffffffff Excel!MdCallBack+0xe3e3e
0331fb44 00c5ec0a 50c10998 03320054 00000001 Excel!Ordinal43+0x5ef3fa
0331fb5c 00c5dfb0 50c10998 00000001 00000001 Excel!Ordinal43+0x5eec0a
0331fc34 00c5d58c 50c10998 00000000 0331fc9c Excel!Ordinal43+0x5edfb0
0331fc44 790aaa3f 028f2f78 03320000 50c10998 Excel!Ordinal43+0x5ed58c
0331fc9c 7905b84a 50c10998 590b9279 0000000a mso!Ordinal1328+0x10b8
0331fd10 79057fd2 50c10998 0331fda4 50c10918 mso!Ordinal2401+0x5e7
0331fddc 79056c03 590b916d 03320000 04395ff0 mso!Ordinal8579+0xf84
0331fe04 79056a3f 49954ff0 00000000 0331ff28 mso!Ordinal172+0x665
0331fe14 00c4a9ce 50c10918 04395ff0 40902de8 mso!Ordinal172+0x4a1
0331ff28 00c4a335 00000100 40902de8 00000003 Excel!Ordinal43+0x5da9ce
0332aa54 01c7a0c2 00000000 21524fc8 40906de8 Excel!Ordinal43+0x5da335
0332aa9c 008385b7 0333ad24 40902de8 00000002 Excel!MdCallBack+0x8835c8
0333b164 008320eb 00000000 00000000 00000002 Excel!Ordinal43+0x1c85b7
0333b1b8 01695625 00000000 00000000 00000002 Excel!Ordinal43+0x1c20eb
0333b204 012970c6 00000000 0150870c 002a067c Excel!MdCallBack+0x29eb2b
0333b2c8 0129727a 00000001 00001008 00000001 Excel!MdCallBack12+0x5aff8d
0333b358 006a6bff 00000001 00001008 00000001 Excel!MdCallBack12+0x5b0141
0333f530 006a59e0 0000000f 44312df0 00000105 Excel!Ordinal43+0x36bff
0333f5d0 01479076 0000000f 44312df0 00000105 Excel!Ordinal43+0x359e0
0333f684 006eec1e 00000105 00000000 00000001 Excel!MdCallBack+0x8257c
0333f73c 006df6b7 00000000 000080df 04395ff0 Excel!Ordinal43+0x7ec1e
0333fb18 006dd7c3 04395ff0 000080df 00000000 Excel!Ordinal43+0x6f6b7
0333fb88 006d776a 04395ff0 0000008d 00600000 Excel!Ordinal43+0x6d7c3
0333fcf0 006816f6 028fbe28 00000000 030f9000 Excel!Ordinal43+0x6776a
0333ff04 0067124f 00670000 00000000 043b7fcc Excel!Ordinal43+0x116f6
0333ff50 77642369 030f9000 77642350 0333ffbc Excel!Ordinal43+0x124f
0333ff60 77b2e5bb 030f9000 28190e15 00000000 KERNEL32!BaseThreadInitThunk+0x19
0333ffbc 77b2e58f ffffffff 77b73e1a 00000000 ntdll!__RtlUserThreadStart+0x2b
0333ffcc 00000000 006710bd 030f9000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: Excel!Ordinal43+c1b66
MODULE_NAME: Excel
IMAGE_NAME: Excel.exe
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!Ordinal43
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {40392c8d-c128-d7d7-ec8e-63113b975295}
Followup: MachineOwner
---------
0:000> lm a eip
Browse full module list
start end module name
00670000 02fe1000 Excel (export symbols) c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
0:000> lmv a eip
Browse full module list
start end module name
00670000 02fe1000 Excel (export symbols) c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Loaded symbol image file: c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Image path: Excel.exe
Image name: Excel.exe
Browse all global symbols functions data
Timestamp: Tue Nov 19 09:26:08 2019 (5DD3A720)
CheckSum: 029756CD
ImageSize: 02971000
File version: 16.0.11328.20480
Product version: 16.0.11328.20480
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: Excel
OriginalFilename: Excel.exe
ProductVersion: 16.0.11328.20480
FileVersion: 16.0.11328.20480
FileDescription: Microsoft Excel
2019-12-02 - Vendor Disclosure
2020-02-11 - Vendor patch and Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.