Talos Vulnerability Report

TALOS-2021-1259

Microsoft Office Excel 2019/365 ConditionalFormatting code execution vulnerability

October 12, 2021
CVE Number

CVE-2021-40474

Details

Microsoft Office is a suite of tools used for productivity in both a corporate environment as well as by end-users. It offers a range of tools that can be used for various purposes, such as Excel for spreadsheets, Word for document editing, Outlook for email, PowerPoint for presentations and more.

Tracking the object's life cycle, we first see its allocation. At the point below the object at 2ce549d8 (in ebx/esi) is still a busy allocation, just before the call into mso20win32client!Ordinal456:

eax=7130ef40 ebx=2ce549d8 ecx=00500fdb edx=05bc0000 esi=2ce549d8 edi=05bf6fe0
eip=004eeb00 esp=032dcd24 ebp=032dcd2c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206

Excel!Ordinal43+0x30eb00:
004eeb00 ff15106a7f02    call    dword ptr [Excel!DllGetLCID+0x1c654 (027f6a10)] ds:002b:027f6a10={mso20win32client!Ordinal456 (6901765e)}

0:000> !heap -p -a 2ce549d8 
	address 2ce549d8 found in
	_DPH_HEAP_ROOT @ 5bc1000
	in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
								2cb93d34:         2ce549d8              628 -         2ce54000             2000
	6987a8b0 verifier!AVrfDebugPageHeapAllocate+0x00000240
	7770ef8e ntdll!RtlDebugAllocateHeap+0x00000039
	77676150 ntdll!RtlpAllocateHeap+0x000000f0
	776757fe ntdll!RtlpAllocateHeapInternal+0x000003ee
	776753fe ntdll!RtlAllocateHeap+0x0000003e
	6900b361 mso20win32client!Ordinal951+0x0000003f
	001f7fac Excel!Ordinal43+0x00017fac
	001f7f67 Excel!Ordinal43+0x00017f67
	001f7f13 Excel!Ordinal43+0x00017f13
	0029cc1c Excel!Ordinal43+0x000bcc1c
	0029c792 Excel!Ordinal43+0x000bc792
	002c8c2a Excel!Ordinal43+0x000e8c2a
	01795675 Excel!MdCallBack+0x008e4ad0
	00f68e73 Excel!MdCallBack+0x000b82ce
	0179548b Excel!MdCallBack+0x008e48e6
	004037fc Excel!Ordinal43+0x002237fc
	003f8f0f Excel!Ordinal43+0x00218f0f
	011e27e9 Excel!MdCallBack+0x00331c44
	00cd807a Excel!Ordinal43+0x00af807a
	00cd7e5d Excel!Ordinal43+0x00af7e5d
	00220c51 Excel!Ordinal43+0x00040c51
	0021f647 Excel!Ordinal43+0x0003f647
	01a6f8de Excel!UpgradeASPPModel+0x0022fd13
	002747b1 Excel!Ordinal43+0x000947b1
	002678d8 Excel!Ordinal43+0x000878d8
	002654ee Excel!Ordinal43+0x000854ee
	0025dbcb Excel!Ordinal43+0x0007dbcb
	001f7201 Excel!Ordinal43+0x00017201
	001e11c3 Excel!Ordinal43+0x000011c3
	7747fa29 KERNEL32!BaseThreadInitThunk+0x00000019
	776975f4 ntdll!__RtlUserThreadStart+0x0000002f
	776975c4 ntdll!_RtlUserThreadStart+0x0000001b

That call frees the object. It happens because the HTML/XML content embedded in the XLS file is malformed, so the same address now shows up as a freed allocation:

call mso20win32client!Ordinal456+0x00000050

0:000> !heap -p -a 2ce549d8 
	address 2ce549d8 found in
	_DPH_HEAP_ROOT @ 5bc1000
	in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
								   2cb93d34:         2ce54000             2000
	6987ab02 verifier!AVrfDebugPageHeapFree+0x000000c2
	7770f7e6 ntdll!RtlDebugFreeHeap+0x0000003e
	776c67e0 ntdll!RtlpFreeHeap+0x0004e000
	776b621d ntdll!RtlpFreeHeapInternal+0x00000783
	77678786 ntdll!RtlFreeHeap+0x00000046
	690176ae mso20win32client!Ordinal456+0x00000050
	004eeb06 Excel!Ordinal43+0x0030eb06
	00500f8d Excel!Ordinal43+0x00320f8d
	004fcd39 Excel!Ordinal43+0x0031cd39
	004f34c6 Excel!Ordinal43+0x003134c6
	017cc452 Excel!MdCallBack+0x0091b8ad
	017cb787 Excel!MdCallBack+0x0091abe2
	01795e75 Excel!MdCallBack+0x008e52d0
	00f68e73 Excel!MdCallBack+0x000b82ce
	0179548b Excel!MdCallBack+0x008e48e6
	004037fc Excel!Ordinal43+0x002237fc
	003f8f0f Excel!Ordinal43+0x00218f0f
	011e27e9 Excel!MdCallBack+0x00331c44
	00cd807a Excel!Ordinal43+0x00af807a
	00cd7e5d Excel!Ordinal43+0x00af7e5d
	00220c51 Excel!Ordinal43+0x00040c51
	0021f647 Excel!Ordinal43+0x0003f647
	01a6f8de Excel!UpgradeASPPModel+0x0022fd13
	002747b1 Excel!Ordinal43+0x000947b1
	002678d8 Excel!Ordinal43+0x000878d8
	002654ee Excel!Ordinal43+0x000854ee
	0025dbcb Excel!Ordinal43+0x0007dbcb
	001f7201 Excel!Ordinal43+0x00017201
	001e11c3 Excel!Ordinal43+0x000011c3
	7747fa29 KERNEL32!BaseThreadInitThunk+0x00000019
	776975f4 ntdll!__RtlUserThreadStart+0x0000002f
	776975c4 ntdll!_RtlUserThreadStart+0x0000001b	

After the deallocation, however, the pointer that references this object is never set to NULL. The checks that would otherwise prevent the object from being reused only test for a NULL pointer, so a stale non-NULL pointer passes them and the freed object is dereferenced in the following function (ecx still holds 2ce549d8, and the flag test at offset 6 reads freed page-heap memory):

(1178.304): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=023b4984 ebx=6e624f84 ecx=2ce549d8 edx=00000000 esi=6fc5cfa4 edi=00000000
eip=002c9b02 esp=032dca5c ebp=032dca8c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
Excel!Ordinal43+0xe9b02:
002c9b02 f6410604        test    byte ptr [ecx+6],4         ds:002b:2ce549de=??
0:000> kb
STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
032dca8c 01cebb14 6e624f80 00000010 6fc5cfa4 Excel!Ordinal43+0xe9b02
032dcaac 00fdefa4 71eeefdc 00000001 6fc5cfa4 Excel!UpgradeASPPModel+0x4abf49
032dcac8 00fd6197 71eeefdc 032dd0f0 032dcbb0 Excel!MdCallBack+0x12e3ff
032dcae4 0178dcc9 032dd0f0 0000039e ffffffff Excel!MdCallBack+0x1255f2
032dcb68 00f64a5b 71582998 05bf6fe0 032dd0f0 Excel!MdCallBack+0x8dd124
032dcb84 017930c8 71582998 00000001 02882ee0 Excel!MdCallBack+0xb3eb6
032dcc4c 0179310e 00000000 032dccb0 651aa6ef Excel!MdCallBack+0x8e2523
032dcc58 651aa6ef 02882ee0 032dd09c 71582998 Excel!MdCallBack+0x8e2569
032dccb0 65144ca4 00000000 8381a313 0000000a mso!Ordinal10758+0x21f
032dcd24 6513f8ce 71582998 032dcd94 8381a07f mso!MsoVBADigSigRemoveSignedDataMsg+0x40f2
032dce48 6513c6d0 00000001 71582998 6513c6d0 mso!Ordinal8579+0x2bfb
032dce80 6513c4df 48900ff0 00000000 032dcfa4 mso!Ordinal2012+0x295
032dce90 0179596c 71582918 05bf6fe0 00000000 mso!Ordinal2012+0xa4
032dcfa4 00f68e73 00000100 5092efa8 00000003 Excel!MdCallBack+0x8e4dc7
032e78e8 0179548b 00000000 00000000 00000000 Excel!MdCallBack+0xb82ce
032e7930 004037fc 032f7360 00000000 00000002 Excel!MdCallBack+0x8e48e6
032f77a0 003f8f0f 00000000 00000000 00000002 Excel!Ordinal43+0x2237fc
032f7828 011e27e9 00000000 00000000 00000002 Excel!Ordinal43+0x218f0f
032f7874 00cd807a 00000000 02823042 032f7898 Excel!MdCallBack+0x331c44
032f7944 00cd7e5d 00000001 00001008 00000001 Excel!Ordinal43+0xaf807a
032f79dc 00220c51 00000001 00001008 00000001 Excel!Ordinal43+0xaf7e5d
032fcbac 0021f647 0000000f 1b7fcfb0 00000825 Excel!Ordinal43+0x40c51
032fcc4c 01a6f8de 0000000f 1b7fcfb0 00000825 Excel!Ordinal43+0x3f647
032fdcc4 002747b1 00000825 00000000 00000001 Excel!UpgradeASPPModel+0x22fd13
032fdd74 002678d8 05bf6fe0 05bf6fe0 00000000 Excel!Ordinal43+0x947b1
032ff1e4 002654ee 05bf6fe0 0284e138 032ff680 Excel!Ordinal43+0x878d8
032ff25c 0025dbcb 7a6f30ff 05bf6fec 00000000 Excel!Ordinal43+0x854ee
032ff678 001f7201 05bf6fe8 001f7201 00000000 Excel!Ordinal43+0x7dbcb
032ff8b4 001e11c3 001e0000 00000000 05c14fca Excel!Ordinal43+0x17201
032ff900 7747fa29 030fb000 7747fa10 032ff96c Excel!Ordinal43+0x11c3
032ff910 776975f4 030fb000 49867263 00000000 KERNEL32!BaseThreadInitThunk+0x19
032ff96c 776975c4 ffffffff 776b733e 00000000 ntdll!__RtlUserThreadStart+0x2f
032ff97c 00000000 001e1079 030fb000 00000000 ntdll!_RtlUserThreadStart+0x1b

With proper heap grooming an attacker can control the contents of the freed object before it is reused, which gives full control over this use-after-free and could turn it into arbitrary code execution.
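The lifecycle described above, as an added C example that is not Talos's or Microsoft's code: an object is allocated, freed early because the input is malformed, the owner keeps a dangling pointer, the only guard is a NULL check that the stale pointer passes, and the flag test at offset 6 then reads freed memory. The fmt_rule_t and sheet_state_t types, the rule text, and the small pool allocator are hypothetical stand-ins; the real Excel object layout and sizes are not known from the advisory. The pool marks freed blocks dead and poisons them so that the stale read is reported instead of faulting, which is the role page heap played in the crash above. The fixed variant differs from the vulnerable one only in clearing the pointer at free time.

```c
/* uaf_demo.c: added example, not Talos or Microsoft code. Models the object
 * lifecycle in the advisory with a hypothetical record type. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_BLOCKS 8
#define BLOCK_SIZE  64
#define FLAG_ACTIVE 0x04            /* the bit tested by `test byte ptr [ecx+6],4` */

/* Hypothetical conditional-formatting record; offset 6 carries the flag byte. */
typedef struct {
    uint16_t id;
    uint16_t kind;
    uint16_t reserved;
    uint8_t  flags;                  /* offset 6 */
    uint8_t  pad;
    char     rule[40];
} fmt_rule_t;

/* A page-heap-like pool: each block remembers whether it is live and is
 * poisoned on free, so a stale-pointer access is detected rather than read
 * silently (real page heap would fault, as in the crash above). */
static struct { uint8_t mem[BLOCK_SIZE]; bool live; } pool[POOL_BLOCKS];

static void *pool_alloc(void) {
    for (size_t i = 0; i < POOL_BLOCKS; i++) {
        if (!pool[i].live) {
            pool[i].live = true;
            memset(pool[i].mem, 0, BLOCK_SIZE);
            return pool[i].mem;
        }
    }
    return NULL;
}

static int pool_index(const void *p) {
    for (size_t i = 0; i < POOL_BLOCKS; i++)
        if (p == pool[i].mem) return (int)i;
    return -1;
}

static void pool_free(void *p) {
    int i = pool_index(p);
    if (i < 0 || !pool[i].live) return;          /* ignore double frees */
    pool[i].live = false;
    memset(pool[i].mem, 0xAB, BLOCK_SIZE);        /* poison the freed block */
}

static bool pool_is_live(const void *p) {
    int i = pool_index(p);
    return i >= 0 && pool[i].live;
}

/* The owning structure: `rule` is the pointer the vulnerable path never clears. */
typedef struct { fmt_rule_t *rule; } sheet_state_t;

typedef enum { USE_OK, USE_SKIPPED_NULL, USE_INACTIVE, USE_AFTER_FREE } use_result_t;

/* Step 1: allocation (the "busy allocation" state in `!heap -p -a`). */
static bool load_rule(sheet_state_t *s, const char *rule_text) {
    s->rule = pool_alloc();
    if (!s->rule) return false;
    s->rule->flags = FLAG_ACTIVE;
    snprintf(s->rule->rule, sizeof s->rule->rule, "%s", rule_text);
    return true;
}

/* Step 2: teardown because the content is malformed (the "free-ed allocation"
 * state). With null_on_free == false the owner keeps a dangling pointer,
 * which is the defect the advisory describes. */
static void discard_rule(sheet_state_t *s, bool null_on_free) {
    pool_free(s->rule);
    if (null_on_free) s->rule = NULL;
}

/* Step 3: later use. The NULL check is the only guard, so a dangling
 * non-NULL pointer walks straight past it to the flag test at offset 6. */
static use_result_t apply_rule(const sheet_state_t *s) {
    if (s->rule == NULL) return USE_SKIPPED_NULL;
    if (!pool_is_live(s->rule)) return USE_AFTER_FREE;   /* detection, not a fix */
    return (s->rule->flags & FLAG_ACTIVE) ? USE_OK : USE_INACTIVE;
}

/* Runs the whole lifecycle; `malformed` triggers the early free. The rule
 * text is a constructed placeholder. */
static use_result_t run_scenario(bool malformed, bool null_on_free) {
    sheet_state_t s = { NULL };
    if (!load_rule(&s, "cellIs greaterThan 10")) return USE_SKIPPED_NULL;
    if (malformed) discard_rule(&s, null_on_free);
    use_result_t r = apply_rule(&s);
    if (s.rule) pool_free(s.rule);   /* normal teardown; a stale pointer is ignored */
    return r;
}

int main(void) {
    printf("well-formed:           %d\n", run_scenario(false, true));
    printf("malformed, vulnerable: %d\n", run_scenario(true, false));
    printf("malformed, fixed:      %d\n", run_scenario(true, true));
    return 0;
}
```

The vulnerable run reaches the flag test on a freed block, exactly the point where Excel faulted under page heap; the fixed run is stopped by the NULL check before any dereference. Setting the pointer to NULL is what makes the existing guard effective; the pool's liveness check only reports the bug, as Application Verifier did here.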

Crash Information

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

	Key  : AV.Fault
	Value: Read

	Key  : Analysis.CPU.Sec
	Value: 6

	Key  : Analysis.DebugAnalysisProvider.CPP
	Value: Create: 8007007e on DESKTOP-CML224D

	Key  : Analysis.DebugData
	Value: CreateObject

	Key  : Analysis.DebugModel
	Value: CreateObject

	Key  : Analysis.Elapsed.Sec
	Value: 232

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 111

	Key  : Analysis.System
	Value: CreateObject

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 32507

	Key  : Timeline.Process.Start.DeltaSec
	Value: 94


NTGLOBALFLAG:  2000000

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

APPLICATION_VERIFIER_LOADED: 1

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 002c9b02 (Excel!Ordinal43+0x000e9b02)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 2ce549de
Attempt to read from address 2ce549de

FAULTING_THREAD:  00000304

PROCESS_NAME:  Excel.exe

READ_ADDRESS:  2ce549de 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  2ce549de

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
032dca8c 01cebb14 6e624f80 00000010 6fc5cfa4 Excel!Ordinal43+0xe9b02
032dcaac 00fdefa4 71eeefdc 00000001 6fc5cfa4 Excel!UpgradeASPPModel+0x4abf49
032dcac8 00fd6197 71eeefdc 032dd0f0 032dcbb0 Excel!MdCallBack+0x12e3ff
032dcae4 0178dcc9 032dd0f0 0000039e ffffffff Excel!MdCallBack+0x1255f2
032dcb68 00f64a5b 71582998 05bf6fe0 032dd0f0 Excel!MdCallBack+0x8dd124
032dcb84 017930c8 71582998 00000001 02882ee0 Excel!MdCallBack+0xb3eb6
032dcc4c 0179310e 00000000 032dccb0 651aa6ef Excel!MdCallBack+0x8e2523
032dcc58 651aa6ef 02882ee0 032dd09c 71582998 Excel!MdCallBack+0x8e2569
032dccb0 65144ca4 00000000 8381a313 0000000a mso!Ordinal10758+0x21f
032dcd24 6513f8ce 71582998 032dcd94 8381a07f mso!MsoVBADigSigRemoveSignedDataMsg+0x40f2
032dce48 6513c6d0 00000001 71582998 6513c6d0 mso!Ordinal8579+0x2bfb
032dce80 6513c4df 48900ff0 00000000 032dcfa4 mso!Ordinal2012+0x295
032dce90 0179596c 71582918 05bf6fe0 00000000 mso!Ordinal2012+0xa4
032dcfa4 00f68e73 00000100 5092efa8 00000003 Excel!MdCallBack+0x8e4dc7
032e78e8 0179548b 00000000 00000000 00000000 Excel!MdCallBack+0xb82ce
032e7930 004037fc 032f7360 00000000 00000002 Excel!MdCallBack+0x8e48e6
032f77a0 003f8f0f 00000000 00000000 00000002 Excel!Ordinal43+0x2237fc
032f7828 011e27e9 00000000 00000000 00000002 Excel!Ordinal43+0x218f0f
032f7874 00cd807a 00000000 02823042 032f7898 Excel!MdCallBack+0x331c44
032f7944 00cd7e5d 00000001 00001008 00000001 Excel!Ordinal43+0xaf807a
032f79dc 00220c51 00000001 00001008 00000001 Excel!Ordinal43+0xaf7e5d
032fcbac 0021f647 0000000f 1b7fcfb0 00000825 Excel!Ordinal43+0x40c51
032fcc4c 01a6f8de 0000000f 1b7fcfb0 00000825 Excel!Ordinal43+0x3f647
032fdcc4 002747b1 00000825 00000000 00000001 Excel!UpgradeASPPModel+0x22fd13
032fdd74 002678d8 05bf6fe0 05bf6fe0 00000000 Excel!Ordinal43+0x947b1
032ff1e4 002654ee 05bf6fe0 0284e138 032ff680 Excel!Ordinal43+0x878d8
032ff25c 0025dbcb 7a6f30ff 05bf6fec 00000000 Excel!Ordinal43+0x854ee
032ff678 001f7201 05bf6fe8 001f7201 00000000 Excel!Ordinal43+0x7dbcb
032ff8b4 001e11c3 001e0000 00000000 05c14fca Excel!Ordinal43+0x17201
032ff900 7747fa29 030fb000 7747fa10 032ff96c Excel!Ordinal43+0x11c3
032ff910 776975f4 030fb000 49867263 00000000 KERNEL32!BaseThreadInitThunk+0x19
032ff96c 776975c4 ffffffff 776b733e 00000000 ntdll!__RtlUserThreadStart+0x2f
032ff97c 00000000 001e1079 030fb000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  ~0s ; .cxr ; kb

SYMBOL_NAME:  Excel!Ordinal43+e9b02

MODULE_NAME: Excel

IMAGE_NAME:  Excel.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!Ordinal43

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

FAILURE_ID_HASH:  {40392c8d-c128-d7d7-ec8e-63113b975295}

Followup:     MachineOwner
---------


0:000> lmv m EXCEL
Browse full module list
start    end        module name
001e0000 02f63000   Excel      (export symbols)       c:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
	Loaded symbol image file: c:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
	Image path: Excel.exe
	Image name: Excel.exe
	Browse all global symbols  functions  data
	Timestamp:        Mon Feb 15 20:34:11 2021 (602ACCB3)
	CheckSum:         02D8532D
	ImageSize:        02D83000
	File version:     16.0.13628.20448
	Product version:  16.0.13628.20448
	File flags:       0 (Mask 3F)
	File OS:          40004 NT Win32
	File type:        1.0 App
	File date:        00000000.00000000
	Translations:     0000.04e4
	Information from resource tables:
		CompanyName:      Microsoft Corporation
		ProductName:      Microsoft Office
		InternalName:     Excel
		OriginalFilename: Excel.exe
		ProductVersion:   16.0.13628.20448
		FileVersion:      16.0.13628.20448
		FileDescription:  Microsoft Excel


0:000> lmv m mso
Browse full module list
start    end        module name
650e0000 66804000   mso        (export symbols)       C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll
	Loaded symbol image file: C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll
	Image path: C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\mso.dll
	Image name: mso.dll
	Browse all global symbols  functions  data
	Timestamp:        Sat Jan 30 08:44:58 2021 (60150E7A)
	CheckSum:         017206E1
	ImageSize:        01724000
	File version:     16.0.13628.20318
	Product version:  16.0.13628.20318
	File flags:       0 (Mask 3F)
	File OS:          40004 NT Win32
	File type:        2.0 Dll
	File date:        00000000.00000000
	Translations:     0409.04e4
	Information from resource tables:
		CompanyName:      Microsoft Corporation
		ProductName:      Microsoft Office
		InternalName:     MSO
		OriginalFilename: MSO.dll
		ProductVersion:   16.0.13628.20318
		FileVersion:      16.0.13628.20318
		FileDescription:  Microsoft Office component

Timeline

2021-07-22 - Vendor Disclosure
2021-10-12 - Vendor Patch
2021-10-12 - Public Release

Credit

Discovered by Marcin 'Icewall' Noga of Cisco Talos.