CVE-2020-1226
An exploitable use-after-free vulnerability exists in the Excel application of Microsoft Office Professional Plus 2016 x86, version 2002, build 12527.20242, and Microsoft Office 365 ProPlus x86, version 1908, build 11929.20606. A specially crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Microsoft Office Excel 2016 Professional Plus x86, version 2002, build 12527.20242, tested on Windows 10 x86
Microsoft Office 365 ProPlus x86, version 1908, build 11929.20606
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
Microsoft Office is a suite of productivity tools used both in corporate environments and by end users. It offers a range of tools for various purposes, such as Excel for spreadsheets, Word for document editing, Outlook for email, PowerPoint for presentations, etc.
This vulnerability is present in Microsoft Office Excel, part of the Microsoft Office collection of software applications used in an office environment.
Specifically, the vulnerability lies in the component responsible for handling the Microsoft Office HTML and XML format introduced in Microsoft Office 2000.
A specially crafted XLS file whose content is a well-formed set of HTML/XML tags in that format can lead to a use-after-free vulnerability and remote code execution.
Tracking the object's life cycle, we can see that an allocation is made:
0:004> !heap -p -a ecx
address 36242ff8 found in
_DPH_HEAP_ROOT @ 4211000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
614418bc: 53094ff4 8 - 53094000 2000
6592ab70 verifier!AVrfDebugPageHeapAllocate+0x00000240
7703918b ntdll!RtlDebugAllocateHeap+0x00000039
76f833cd ntdll!RtlpAllocateHeap+0x000000ed
76f8207b ntdll!RtlpAllocateHeapInternal+0x000006db
76f81976 ntdll!RtlAllocateHeap+0x00000036
79eee525 mso20win32client!Ordinal951+0x00000034
0e295aa4 mso40uiwin32client!Ordinal2022+0x000022fa
0e4b0bda mso40uiwin32client!Ordinal248+0x000041f7
0e2a3eb9 mso40uiwin32client!Ordinal2987+0x000041a5
75782369 KERNEL32!BaseThreadInitThunk+0x00000019
76f9e5bb ntdll!__RtlUserThreadStart+0x0000002b
76f9e58f ntdll!_RtlUserThreadStart+0x0000001b
Further on, because of the malformed HTML/XML in the XLS file content, the object gets deallocated:
0e2d4522 ff15a4da8c0e call dword ptr [mso40uiwin32client!Ordinal3735+0x1e4b (0e8cdaa4)] ds:0023:0e8cdaa4={mso20win32client!Ordinal456 (79efb34e)}
0:000> !heap -p -a 53094ff4
address 53094ff4 found in
_DPH_HEAP_ROOT @ 4211000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
614418bc: 53094000 2000
6592adc2 verifier!AVrfDebugPageHeapFree+0x000000c2
770399e3 ntdll!RtlDebugFreeHeap+0x0000003e
76f7fabe ntdll!RtlpFreeHeap+0x000000ce
76f7f986 ntdll!RtlpFreeHeapInternal+0x00000146
76f7f3de ntdll!RtlFreeHeap+0x0000003e
79efb39e mso20win32client!Ordinal456+0x00000050
0e344296 mso40uiwin32client!Ordinal3976+0x000051ba
0e344553 mso40uiwin32client!Ordinal3976+0x00005477
0e300627 mso40uiwin32client!Ordinal684+0x00001065
0e300246 mso40uiwin32client!Ordinal684+0x00000c84
0e2ffc09 mso40uiwin32client!Ordinal684+0x00000647
0e334de8 mso40uiwin32client!Ordinal2222+0x000002a1
0e2c427c mso40uiwin32client!Ordinal935+0x0000056f
0e2a3eb9 mso40uiwin32client!Ordinal2987+0x000041a5
75782369 KERNEL32!BaseThreadInitThunk+0x00000019
76f9e5bb ntdll!__RtlUserThreadStart+0x0000002b
76f9e58f ntdll!_RtlUserThreadStart+0x0000001b
Unfortunately, the pointer referring to this object is not set to NULL after deallocation. Because of that, the subsequent checks protecting against reuse of this object are bypassed, and the freed object is reused inside the following function:
(10cc.678): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=27294f14 ebx=00000000 ecx=53094ff4 edx=001781e8 esi=4bc2cfc4 edi=558dcfc4
eip=009ebd70 esp=001781c8 ebp=001781ec iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
Excel!Ordinal43+0x53bd70:
009ebd70 8b01 mov eax,dword ptr [ecx] ds:0023:53094ff4=????????
009ebd72 ff5078 call dword ptr [eax+78h]
0:000> kb
# ChildEBP RetAddr Args to Child
00 02fc862c 009b160c 00000000 00000001 02fc9028 Excel!Ordinal43+0x53bd70
01 02fc8648 009ed523 00000000 00000001 4d09aad8 Excel!Ordinal43+0x50160c
02 02fc8694 009eef99 00000000 00000001 2f972bf4 Excel!Ordinal43+0x53d523
03 02fc86c8 009b420c 00000000 61273e48 00000001 Excel!Ordinal43+0x53ef99
04 00000000 00000000 00000000 00000000 00000000 Excel!Ordinal43+0x50420c
Proper heap grooming can give an attacker full control of this use-after-free vulnerability, which could lead to arbitrary code execution.
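To make the mechanism described above concrete, the following small C model is added here as an illustration; it is not code from the advisory or from Microsoft Office. It models a heap object reached through a vtable-style pointer (the crash site does `mov eax,[ecx]` to load the vtable pointer and `call [eax+78h]` to invoke a method slot), a release path that frees the object, and a later use path guarded only by a NULL check. The Widget and Owner types, the fixed-slot arena that stands in for the Application Verifier page heap, and the status codes are all assumptions of this example. The run with the dangling pointer shows the guard being bypassed as the advisory describes (the freed, poisoned block is reached and its vtable pointer would be dereferenced), while the run that nulls the pointer on release shows the same guard holding.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout of the object at the crash site: the first field is the
 * vtable pointer ("mov eax,[ecx]") and a method slot is called through it
 * ("call [eax+78h]"). Not Excel's real type. */
typedef struct Widget Widget;
typedef struct { int (*get_id)(const Widget *self); } WidgetVtbl;
struct Widget { const WidgetVtbl *vtbl; int id; };

/* Tiny fixed-slot arena standing in for the verifier page heap: a freed block is
 * marked freed and filled with a poison byte, so a later access through a stale
 * pointer is detectable here without real undefined behaviour. Constructed. */
#define SLOT_SIZE  64
#define SLOT_COUNT 4
typedef union { unsigned char bytes[SLOT_SIZE]; void *align; } Slot;
static Slot g_slots[SLOT_COUNT];
static int  g_slot_in_use[SLOT_COUNT];
static int  g_slot_freed[SLOT_COUNT];

static void arena_reset(void) {
    memset(g_slots, 0, sizeof g_slots);
    memset(g_slot_in_use, 0, sizeof g_slot_in_use);
    memset(g_slot_freed, 0, sizeof g_slot_freed);
}

static void *arena_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!g_slot_in_use[i] && !g_slot_freed[i]) { g_slot_in_use[i] = 1; return g_slots[i].bytes; }
    return NULL;
}

static int arena_slot_of(const void *p) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (p == (const void *)g_slots[i].bytes) return i;
    return -1;
}

static void arena_free(void *p) {
    int i = arena_slot_of(p);
    if (i < 0 || !g_slot_in_use[i]) return;
    memset(g_slots[i].bytes, 0xF0, SLOT_SIZE);  /* poison the block, like the verifier fill */
    g_slot_in_use[i] = 0;
    g_slot_freed[i] = 1;
}

static int arena_is_freed(const void *p) {
    int i = arena_slot_of(p);
    return i >= 0 && g_slot_freed[i];
}

static int widget_get_id(const Widget *self) { return self->id; }
static const WidgetVtbl WIDGET_VTBL = { widget_get_id };

/* Parser state that holds the only reference to the widget (hypothetical). */
typedef struct { Widget *widget; } Owner;

enum { USE_OK = 0, USE_REJECTED_NULL = 1, USE_OF_FREED_BLOCK = 2 };

/* Vulnerable release: frees the object but leaves the owner's pointer dangling,
 * which is the defect the advisory describes. */
static void release_dangling(Owner *o) { arena_free(o->widget); }

/* Hardened release: frees and nulls the pointer so the guard in owner_use holds. */
static void release_safe(Owner *o) { arena_free(o->widget); o->widget = NULL; }

/* The later code path. Its NULL check is only a real guard if release nulled the pointer. */
static int owner_use(const Owner *o, int *out_id) {
    if (o->widget == NULL) return USE_REJECTED_NULL;
    if (arena_is_freed(o->widget)) return USE_OF_FREED_BLOCK;  /* page heap would fault here */
    *out_id = o->widget->vtbl->get_id(o->widget);               /* the mov/call pair */
    return USE_OK;
}

/* Runs allocate -> use -> release -> use and returns the status of the second use;
 * returns -1 if the first use did not succeed with the expected id. */
int run_scenario(int hardened) {
    arena_reset();
    Widget *w = arena_alloc();
    w->vtbl = &WIDGET_VTBL;
    w->id = 42;
    Owner o = { w };
    int id = 0;
    if (owner_use(&o, &id) != USE_OK || id != 42) return -1;
    if (hardened) release_safe(&o); else release_dangling(&o);
    return owner_use(&o, &id);
}

int main(void) {
    printf("dangling pointer: second use status = %d (2 = freed block reached)\n", run_scenario(0));
    printf("nulled pointer  : second use status = %d (1 = rejected by NULL check)\n", run_scenario(1));
    return 0;
}
```

The arena's freed-block check plays the role the page heap plays in the crash dumps above: with Application Verifier enabled the freed page is decommitted, so the `mov eax,dword ptr [ecx]` on the stale pointer reads `????????` and faults immediately instead of silently calling through whatever now occupies that memory.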
(eac.b44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=61988f14 ebx=00000000 ecx=547c2d7c edx=02fc8628 esi=37a04fc4 edi=5ce18fc4
eip=009ebd70 esp=02fc8608 ebp=02fc862c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
Excel!Ordinal43+0x53bd70:
009ebd70 8b01 mov eax,dword ptr [ecx] ds:0023:547c2d7c=????????
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 02fc862c 009b160c 00000000 00000001 02fc9028 Excel!Ordinal43+0x53bd70
01 02fc8648 009ed523 00000000 00000001 4d09aad8 Excel!Ordinal43+0x50160c
02 02fc8694 009eef99 00000000 00000001 2f972bf4 Excel!Ordinal43+0x53d523
03 02fc86c8 009b420c 00000000 61273e48 00000001 Excel!Ordinal43+0x53ef99
04 00000000 00000000 00000000 00000000 00000000 Excel!Ordinal43+0x50420c
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Dereference
Value: String
Key : AV.Fault
Value: Read
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-FIEQB1A
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 12
Key : Analysis.Memory.CommitPeak.Mb
Value: 107
Key : Analysis.System
Value: CreateObject
Key : Timeline.OS.Boot.DeltaSec
Value: 576913
Key : Timeline.Process.Start.DeltaSec
Value: 156
ADDITIONAL_XML: 1
NTGLOBALFLAG: 2000000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
APPLICATION_VERIFIER_LOADED: 1
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 009ebd70 (Excel!Ordinal43+0x0053bd70)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 547c2d7c
Attempt to read from address 547c2d7c
FAULTING_THREAD: 00000b44
PROCESS_NAME: Excel.exe
READ_ADDRESS: 547c2d7c
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 547c2d7c
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
02fc862c 009b160c 00000000 00000001 02fc9028 Excel!Ordinal43+0x53bd70
02fc8648 009ed523 00000000 00000001 4d09aad8 Excel!Ordinal43+0x50160c
02fc8694 009eef99 00000000 00000001 2f972bf4 Excel!Ordinal43+0x53d523
02fc86c8 009b420c 00000000 61273e48 00000001 Excel!Ordinal43+0x53ef99
00000000 00000000 00000000 00000000 00000000 Excel!Ordinal43+0x50420c
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: Excel!Ordinal43+53bd70
MODULE_NAME: Excel
IMAGE_NAME: Excel.exe
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!Ordinal43
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {40392c8d-c128-d7d7-ec8e-63113b975295}
Followup: MachineOwner
---------
0:000> lmv m EXCEL
Browse full module list
start end module name
004b0000 02ea0000 Excel (export symbols) C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Loaded symbol image file: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Image path: Excel.exe
Image name: Excel.exe
Browse all global symbols functions data
Timestamp: Sat Feb 29 11:54:45 2020 (5E5A42F5)
CheckSum: 029EB0F6
ImageSize: 029F0000
File version: 16.0.12527.20242
Product version: 16.0.12527.20242
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: Excel
OriginalFilename: Excel.exe
ProductVersion: 16.0.12527.20242
FileVersion: 16.0.12527.20242
FileDescription: Microsoft Excel
0:000> lmv m mso
Browse full module list
start end module name
0f870000 11024000 mso (deferred)
Image path: C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll
Image name: mso.dll
Browse all global symbols functions data
Timestamp: Sat Feb 29 12:01:11 2020 (5E5A4477)
CheckSum: 017A715D
ImageSize: 017B4000
File version: 16.0.12527.20242
Product version: 16.0.12527.20242
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: MSO
OriginalFilename: MSO.dll
ProductVersion: 16.0.12527.20242
FileVersion: 16.0.12527.20242
FileDescription: Microsoft Office component
2020-03-19 - Vendor Disclosure
2020-06-09 - Vendor Patched
2020-06-10 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.