CVE-2020-17123
An exploitable use-after-free vulnerability exists in Excel as part of Microsoft Office 365 ProPlus x86, version 2002, build 12527.20988. A specially crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Microsoft Office 365 ProPlus x86 - version 2002 build 12527.20988
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416 - Use After Free
This vulnerability is present in Microsoft Office Excel, which is part of the Microsoft Office collection of software applications. It lies in the component responsible for handling the Microsoft® Office HTML and XML format introduced in Microsoft Office 2000. A specially crafted XLS file whose content is written as HTML/XML tags in this format can lead to a use-after-free vulnerability and remote code execution.
Tracking the object's life cycle, we can see that an allocation is made:
0045389e 6a00 push 0
004538a0 51 push ecx
004538a1 ff1564566b02 call dword ptr [Excel!DllGetLCID+0x1b500 (026b5664)]
0:000> !heap -p -a 08672fe0
address 08672fe0 found in
_DPH_HEAP_ROOT @ 421000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
fea2924: 8672fe0 1c - 8672000 2000
6238ae30 verifier!AVrfDebugPageHeapAllocate+0x00000240
779e29a2 ntdll!RtlDebugAllocateHeap+0x00000039
779a1bea ntdll!RtlpAllocateHeap+0x00072eca
7792d9fc ntdll!RtlpAllocateHeapInternal+0x0000071c
7792d2a6 ntdll!RtlAllocateHeap+0x00000036
79cee588 mso20win32client!Ordinal951+0x00000034
00ef517a Excel!Ordinal43+0x0001517a
014cbf35 Excel!Ordinal43+0x005ebf35
02428b62 Excel!MdCallBack+0x0082dd92
014cbdee Excel!Ordinal43+0x005ebdee
0e6985bf mso!Ordinal4847+0x00000c1e
0e652487 mso!Ordinal874+0x00000866
0e64baf1 mso!Ordinal8579+0x00000e9c
0e64a949 mso!MsoHrSetupHTMLImport+0x00000c54
0e64a6f9 mso!MsoHrSetupHTMLImport+0x00000a04
014bb623 Excel!Ordinal43+0x005db623
014baf5a Excel!Ordinal43+0x005daf5a
02424db3 Excel!MdCallBack+0x00829fe3
010c84e7 Excel!Ordinal43+0x001e84e7
010b49e1 Excel!Ordinal43+0x001d49e1
01e71956 Excel!MdCallBack+0x00276b86
01aaf3ba Excel!MdCallBack12+0x00568cd2
01aaf602 Excel!MdCallBack12+0x00568f1a
00f1afac Excel!Ordinal43+0x0003afac
00f19d91 Excel!Ordinal43+0x00039d91
02662d5c Excel!LinkASPPModelTable+0x001bdabd
00f6454e Excel!Ordinal43+0x0008454e
00f5688b Excel!Ordinal43+0x0007688b
00f54dab Excel!Ordinal43+0x00074dab
00f4fec4 Excel!Ordinal43+0x0006fec4
00ef40cd Excel!Ordinal43+0x000140cd
00ee11fd Excel!Ordinal43+0x000011fd
Later, because the HTML/XML content of the XLS file is malformed, the object gets deallocated:
01cc4551 ff36 push dword ptr [esi]
01cc4553 ff1560c61803 call dword ptr [Excel!DllGetLCID+0x1b75c (0318c660)]
0:000> !heap -p -a 5fb26fe0
address 5fb26fe0 found in
_DPH_HEAP_ROOT @ 4171000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
5d6d3034: 5fb26000 2000
601fadc2 verifier!AVrfDebugPageHeapFree+0x000000c2
779e99e3 ntdll!RtlDebugFreeHeap+0x0000003e
7792fabe ntdll!RtlpFreeHeap+0x000000ce
7792f986 ntdll!RtlpFreeHeapInternal+0x00000146
7792f3de ntdll!RtlFreeHeap+0x0000003e
7aeec26a mso20win32client!Ordinal456+0x00000050
01207a7f Excel!MdCallBack+0x000c8da7
01201f58 Excel!MdCallBack+0x000c3280
00a05279 Excel!Ordinal43+0x005c5279
01960be4 Excel!MdCallBack+0x00821f0c
006188cf Excel!Ordinal43+0x001d88cf
005fe21d Excel!Ordinal43+0x001be21d
013abffa Excel!MdCallBack+0x0026d322
00ff668a Excel!MdCallBack12+0x00564cc5
00ff68ce Excel!MdCallBack12+0x00564f09
00478905 Excel!Ordinal43+0x00038905
0047769d Excel!Ordinal43+0x0003769d
01b9aa00 Excel!LinkASPPModelTable+0x001b963d
004c0e63 Excel!Ordinal43+0x00080e63
004b3343 Excel!Ordinal43+0x00073343
004b1863 Excel!Ordinal43+0x00071863
004acbe1 Excel!Ordinal43+0x0006cbe1
00452b39 Excel!Ordinal43+0x00012b39
004411fd Excel!Ordinal43+0x000011fd
77652369 KERNEL32!BaseThreadInitThunk+0x00000019
7794e5bb ntdll!__RtlUserThreadStart+0x0000002b
7794e58f ntdll!_RtlUserThreadStart+0x0000001b
Unfortunately, the pointer that refers to this object is not set to NULL after deallocation. Because of that, the checks that would otherwise protect against re-use of the object are bypassed, and the dangling pointer is dereferenced inside the following function:
(3e20.4e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5fbcbfe0 ebx=79cfb00e ecx=00000000 edx=04c40000 esi=52ec2fc8 edi=5e09afe0
eip=01cc3c63 esp=039c0cf0 ebp=039c0d14 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
Excel!MdCallBack+0xc8e93:
01cc3c63 83780800 cmp dword ptr [eax+8],0 ds:0023:5fbcbfe8=????????
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 039c0d14 01cbe089 52ec2fc8 04c77fe0 039c1040 Excel!MdCallBack+0xc8e93
01 039c0e10 014bb748 039c0fa8 00000000 04c77fe0 Excel!MdCallBack+0xc32b9
02 039c0f48 014baf5a 00000100 0ae7afa8 00000003 Excel!Ordinal43+0x5db748
03 039cba60 02424db3 00000000 00000000 00000000 Excel!Ordinal43+0x5daf5a
04 039cbaa8 010c84e7 039da3c0 0ae7afa8 00000002 Excel!MdCallBack+0x829fe3
05 039daa00 010b49e1 00000000 00000000 00000002 Excel!Ordinal43+0x1e84e7
06 039daa84 01e71956 00000000 00000000 00000002 Excel!Ordinal43+0x1d49e1
07 039daad0 01aaf3ba 00000000 02823042 039daaf4 Excel!MdCallBack+0x276b86
08 039daba8 01aaf602 00000001 00001008 03c50c01 Excel!MdCallBack12+0x568cd2
09 039dac38 00f1afac 00000001 00001008 03c50c01 Excel!MdCallBack12+0x568f1a
0a 039dee00 00f19d91 0000000f 4d44cfb0 00000825 Excel!Ordinal43+0x3afac
0b 039deea0 02662d5c 0000000f 4d44cfb0 00000825 Excel!Ordinal43+0x39d91
0c 039def54 00f6454e 00000825 00000000 00000001 Excel!LinkASPPModelTable+0x1bdabd
0d 039df000 00f5688b 04c77fe0 04c77fe0 00000000 Excel!Ordinal43+0x8454e
0e 039df4e0 00f54dab 00000001 04c77fe0 039df6c8 Excel!Ordinal43+0x7688b
0f 039df558 00f4fec4 04c9dfc4 0000008d 79d349ea Excel!Ordinal43+0x74dab
10 039df6c0 00ef40cd 00000000 00ef40cd 00000000 Excel!Ordinal43+0x6fec4
11 039df8e4 00ee11fd 00ee0000 00000000 04c9dfc4 Excel!Ordinal43+0x140cd
12 039df930 75f65529 03aa6000 75f65510 039df99c Excel!Ordinal43+0x11fd
13 039df940 7795b27b 03aa6000 1c052573 00000000 KERNEL32!BaseThreadInitThunk+0x19
14 039df99c 7795b249 ffffffff 77998497 00000000 ntdll!__RtlUserThreadStart+0x2b
15 039df9ac 00000000 00ee10b3 03aa6000 00000000 ntdll!_RtlUserThreadStart+0x1b
With proper heap grooming, an attacker could gain full control over this use-after-free condition and, as a result, turn it into arbitrary code execution.
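The defect class described above, as an added illustration that is not code from the advisory or from Microsoft Office: a release routine that frees an object but leaves the owning pointer dangling, so a plain NULL guard (the kind of check the faulting `cmp dword ptr [eax+8],0` performs) no longer protects the consumer, beside the fixed routine that clears the pointer. The `Element`, `ImportCtx` and pool allocator are hypothetical stand-ins; the pool is a static array so the slot reuse that heap grooming relies on happens deterministically and without reading real freed memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for an HTML/XML import element. Elements live in a
 * two-slot static pool so a freed slot is handed out again on the next
 * allocation deterministically, without touching real freed heap memory. */
typedef struct { uint32_t tag; } Element;
static Element pool[2];
static bool in_use[2];
static Element *pool_alloc(uint32_t tag) {
    for (int i = 0; i < 2; i++) {
        if (in_use[i]) continue;
        in_use[i] = true;
        pool[i].tag = tag;
        return &pool[i];
    }
    return NULL;
}

static void pool_free(Element *e) {
    in_use[e - pool] = false;
    memset(e, 0xDD, sizeof *e);          /* poison, as a debug heap would */
}

/* Import context that owns a pointer to the element being processed. */
typedef struct { Element *current; } ImportCtx;

/* Buggy release: the element is freed but ctx->current is left dangling. */
static void release_buggy(ImportCtx *ctx) { pool_free(ctx->current); }

/* Fixed release: clear the owning pointer so the NULL guard below works. */
static void release_fixed(ImportCtx *ctx) { pool_free(ctx->current); ctx->current = NULL; }

/* Consumer guarded only by a NULL check, the kind of guard the advisory's
 * faulting `cmp dword ptr [eax+8],0` belongs to. -1 if absent, else the tag. */
static int32_t current_tag(const ImportCtx *ctx) {
    if (ctx->current == NULL) return -1;
    return (int32_t)ctx->current->tag;
}

/* Scenario: element A is created and released, then an unrelated element B is
 * allocated into the same slot. Returns what the guarded consumer then sees. */
int32_t scenario(bool fixed) {
    memset(in_use, 0, sizeof in_use);
    ImportCtx ctx = { pool_alloc(0xA) };
    if (fixed) release_fixed(&ctx); else release_buggy(&ctx);
    (void)pool_alloc(0xB);               /* reuses A's slot */
    return current_tag(&ctx);            /* buggy: 0xB (stale read), fixed: -1 */
}
```

In the buggy path the stale pointer passes the NULL check and reads whatever object now occupies the slot, which is exactly the state an attacker would try to shape through heap grooming; clearing the pointer on release makes the existing check effective again.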
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
NTGLOBALFLAG: 2000000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
APPLICATION_VERIFIER_LOADED: 1
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 01cc3c63 (Excel!MdCallBack+0x000c8e93)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 5fbcbfe8
Attempt to read from address 5fbcbfe8
FAULTING_THREAD: 000004e0
PROCESS_NAME: Excel.exe
READ_ADDRESS: 5fbcbfe8
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 5fbcbfe8
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
039c0d14 01cbe089 52ec2fc8 04c77fe0 039c1040 Excel!MdCallBack+0xc8e93
039c0e10 014bb748 039c0fa8 00000000 04c77fe0 Excel!MdCallBack+0xc32b9
039c0f48 014baf5a 00000100 0ae7afa8 00000003 Excel!Ordinal43+0x5db748
039cba60 02424db3 00000000 00000000 00000000 Excel!Ordinal43+0x5daf5a
039cbaa8 010c84e7 039da3c0 0ae7afa8 00000002 Excel!MdCallBack+0x829fe3
039daa00 010b49e1 00000000 00000000 00000002 Excel!Ordinal43+0x1e84e7
039daa84 01e71956 00000000 00000000 00000002 Excel!Ordinal43+0x1d49e1
039daad0 01aaf3ba 00000000 02823042 039daaf4 Excel!MdCallBack+0x276b86
039daba8 01aaf602 00000001 00001008 03c50c01 Excel!MdCallBack12+0x568cd2
039dac38 00f1afac 00000001 00001008 03c50c01 Excel!MdCallBack12+0x568f1a
039dee00 00f19d91 0000000f 4d44cfb0 00000825 Excel!Ordinal43+0x3afac
039deea0 02662d5c 0000000f 4d44cfb0 00000825 Excel!Ordinal43+0x39d91
039def54 00f6454e 00000825 00000000 00000001 Excel!LinkASPPModelTable+0x1bdabd
039df000 00f5688b 04c77fe0 04c77fe0 00000000 Excel!Ordinal43+0x8454e
039df4e0 00f54dab 00000001 04c77fe0 039df6c8 Excel!Ordinal43+0x7688b
039df558 00f4fec4 04c9dfc4 0000008d 79d349ea Excel!Ordinal43+0x74dab
039df6c0 00ef40cd 00000000 00ef40cd 00000000 Excel!Ordinal43+0x6fec4
039df8e4 00ee11fd 00ee0000 00000000 04c9dfc4 Excel!Ordinal43+0x140cd
039df930 75f65529 03aa6000 75f65510 039df99c Excel!Ordinal43+0x11fd
039df940 7795b27b 03aa6000 1c052573 00000000 KERNEL32!BaseThreadInitThunk+0x19
039df99c 7795b249 ffffffff 77998497 00000000 ntdll!__RtlUserThreadStart+0x2b
039df9ac 00000000 00ee10b3 03aa6000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: Excel!MdCallBack+c8e93
MODULE_NAME: Excel
IMAGE_NAME: Excel.exe
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!MdCallBack
OS_VERSION: 10.0.20201.1000
BUILDLAB_STR: rs_prerelease
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
IMAGE_VERSION: 16.0.12527.20988
FAILURE_ID_HASH: {33071d76-7bec-d578-777e-e20f28c1cf92}
Followup: MachineOwner
---------
0:000> lmv m EXCEL
Browse full module list
start end module name
00ee0000 038d3000 Excel (export symbols) c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Loaded symbol image file: c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Image path: Excel.exe
Image name: Excel.exe
Browse all global symbols functions data
Timestamp: Fri Aug 7 01:51:22 2020 (5F2C977A)
CheckSum: 029F1351
ImageSize: 029F3000
File version: 16.0.12527.20988
Product version: 16.0.12527.20988
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: Excel
OriginalFilename: Excel.exe
ProductVersion: 16.0.12527.20988
FileVersion: 16.0.12527.20988
FileDescription: Microsoft Excel
0:000> lmv m mso
Browse full module list
start end module name
0f3c0000 10b76000 mso (deferred)
Image path: C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll
Image name: mso.dll
Browse all global symbols functions data
Timestamp: Fri Aug 7 01:46:51 2020 (5F2C966B)
CheckSum: 017ADCBB
ImageSize: 017B6000
File version: 16.0.12527.20988
Product version: 16.0.12527.20988
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: MSO
OriginalFilename: MSO.dll
ProductVersion: 16.0.12527.20988
FileVersion: 16.0.12527.20988
FileDescription: Microsoft Office component
2020-09-11 - Vendor Disclosure
2020-12-08 - Public Release
Discovered by Marcin 'Icewall' Noga of Cisco Talos.