Sunday, 15 May 2016

[EN] MS Excel 2010 DoS (poc)

Below you will find a DoS PoC for MS Excel 2010.

Found during some fuzzing exercises... ;)

You will also find a short description, taken directly from WinDbg:

TL;DR - PoC + readme.txt ;)

Microsoft Office is prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to crash the affected application.
----------------------------------------------------------------------
Found  : 11.05.2016
----------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "c:\Program Files\Microsoft Office\Office14\excel.EXE" C:\crash\sf_e626c69c89ab9e683eed52eeaaac93ca-109922.xlsx
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 30000000 313d1000   Excel.exe
ModLoad: 7c900000 7c9af000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
(...)
ModLoad: 6bdc0000 6be7c000   C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
ModLoad: 65100000 6519e000   C:\Program Files\Common Files\Microsoft Shared\OFFICE14\USP10.DLL
(cb4.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OGL.DLL -
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]    ds:0023:00000004=????????

0:000> r;!exploitable -v;r;ub;kv;q
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]    ds:0023:00000004=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
(...)
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:44175083 push dword ptr [ecx+4]

Basic Block:
    44175083 push dword ptr [ecx+4]
       Tainted Input operands: 'ecx'
    44175086 push dword ptr [ecx]
       Tainted Input operands: 'ecx'
    44175088 mov ecx,dword ptr [ebp+8]
    4417508b mov eax,dword ptr [ecx]
    4417508d call dword ptr [eax+4]
       Tainted Input operands: 'StackContents'

Exception Hash (Major/Minor): 0xd8abe4f2.0x3a6d64a1

 Hash Usage : Stack Trace:
Major+Minor : OGL!GdipGetImageThumbnail+0x1118e
Major+Minor : OGL!GdipGetPathPointsI+0x2da6
Major+Minor : OGL!GdipGetPathPointsI+0x2b0e
Major+Minor : OGL!GdipGetPathPointsI+0x2a98
Major+Minor : GDI32!SetMetaRgn+0x87
Minor       : OGL!GdipCreateMetafileFromWmfFile+0x652
Minor       : OGL!GdipGetPathPointsI+0x2d1b
Minor       : OGL!GdipGetPathPointsI+0x2b73
Minor       : OGL!GdipCreateMetafileFromWmfFile+0x573
Minor       : OGL!GdipGetVisibleClipBoundsI+0x1c6
Minor       : OGL!GdipDrawImageRectRect+0x111
Minor       : gfx+0x147d74
Minor       : gfx+0x4f9f
Minor       : gfx+0x13ec8
Minor       : gfx+0x13ec8
Minor       : gfx+0x13ec8
Minor       : gfx+0x4ecd
Minor       : gfx+0xed1a
Minor       : gfx+0xecef
Minor       : gfx+0xecc3
Minor       : gfx+0xf6fc
Minor       : gfx+0xe84d
Minor       : gfx+0xf4db
Minor       : gfx+0xe84d
Minor       : gfx+0xf685
Minor       : gfx+0xe817
Minor       : gfx+0xebd8
Minor       : oart!Ordinal3680+0xb8
Minor       : oart!Ordinal1491+0x156
Minor       : Excel!Ordinal40+0x20d620
Minor       : Excel!Ordinal40+0x1f8e2c
Minor       : Excel!Ordinal40+0x60961
Minor       : Excel!Ordinal40+0x607aa
Minor       : Excel!Ordinal40+0x5e95b
Minor       : Excel!Ordinal40+0x5e76f
Minor       : Excel!Ordinal40+0x2f054
Minor       : Excel!Ordinal40+0x1763d
Minor       : USER32!GetDC+0x6d
Minor       : USER32!GetDC+0x14f
Minor       : USER32!IsWindowUnicode+0xa1
Minor       : USER32!CallWindowProcW+0x1b
Minor       : Comctl32!Ordinal11+0x328
Minor       : Comctl32!RemoveWindowSubclass+0x17e
Minor       : Comctl32!DefSubclassProc+0x46
Minor       : mso!Ordinal1888+0x38e
Minor       : mso!Ordinal4894+0x24b
Minor       : Comctl32!RemoveWindowSubclass+0x17e
Minor       : Comctl32!DefSubclassProc+0xa9
Minor       : USER32!GetDC+0x6d
Minor       : USER32!GetDC+0x14f
Minor       : USER32!DefWindowProcW+0x180
Minor       : USER32!DefWindowProcW+0x1cc
Minor       : ntdll!KiUserCallbackDispatcher+0x13
Minor       : USER32!DispatchMessageW+0xf
Minor       : Excel!Ordinal40+0x24572
Minor       : Excel!Ordinal40+0x24441
Minor       : Excel!Ordinal40+0x424b
Minor       : Excel!Ordinal40+0x3f0a
Minor       : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x0000000044175083

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull

Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at OGL!GdipGetImageThumbnail+0x000000000001118e (Hash=0xd8abe4f2.0x3a6d64a1)

This is a user mode read access violation near null, and is probably not exploitable.
----------------------------------------------------------------------
More:

> r
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]    ds:0023:00000004=????????

> ub
OGL!GdipGetImageThumbnail+0x1117b:
44175070 8b01            mov     eax,dword ptr [ecx]
44175072 ff5004          call    dword ptr [eax+4]
44175075 8bc8            mov     ecx,eax
44175077 e88e4af0ff      call    OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
4417507c 5d              pop     ebp
4417507d c21000          ret     10h
44175080 55              push    ebp
44175081 8bec            mov     ebp,esp

> kv
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0013e3a8 440787db 0ab4aea0 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e
0013e3c8 44078543 0000401d 00000000 00000000 OGL!GdipGetPathPointsI+0x2da6
0013e3f8 440784cd 0000015c 07915974 07915028 OGL!GdipGetPathPointsI+0x2b0e
0013e410 77f2067f 2f011136 012f2750 07915904 OGL!GdipGetPathPointsI+0x2a98
0013e490 44074c79 2f011136 404ccccc 4407840d GDI32!SetMetaRgn+0x87
0013e4c8 44078750 2f011136 3e460aa3 0013e548 OGL!GdipCreateMetafileFromWmfFile+0x652
0013e568 440785a8 43487fff 3e460aa3 0013e6a0 OGL!GdipGetPathPointsI+0x2d1b
0013e6b8 44074b9a 00000000 42c00000 42c00000 OGL!GdipGetPathPointsI+0x2b73
0013e7b4 4402cfc4 0ab4a320 00000000 00000000 OGL!GdipCreateMetafileFromWmfFile+0x573
0013e818 4403e16f 0ab4a320 0013e840 0013e850 OGL!GdipGetVisibleClipBoundsI+0x1c6
0013e888 438e7d74 00000000 00000000 00000000 OGL!GdipDrawImageRectRect+0x111
0013e998 437a4f9f 0874a780 07aeec68 ad01865f gfx+0x147d74
0013ea64 437b3ec8 0874a780 00000001 0722b898 gfx+0x4f9f
0013ea78 437b3ec8 0874a780 00000000 0722b848 gfx+0x13ec8
0013ea8c 437b3ec8 0874a780 0013eb40 0b06f120 gfx+0x13ec8
0013eaa0 437a4ecd 0874a780 ad018713 0013ee04 gfx+0x13ec8
0013eb28 437aed1a 0722b848 0013eb40 0013f194 gfx+0x4ecd
0013eb70 437aecef 0b06f120 0013ebac 0013f194 gfx+0xed1a
0013eb88 437aecc3 086f2410 0013ebac 0013f194 gfx+0xecef
0013ebf4 437af6fc 0013ec80 086f2410 00000002 gfx+0xecc3
----------------------------------------------------------------------

0:000> u eip
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]
44175086 ff31            push    dword ptr [ecx]
44175088 8b4d08          mov     ecx,dword ptr [ebp+8]
4417508b 8b01            mov     eax,dword ptr [ecx]
4417508d ff5004          call    dword ptr [eax+4]
44175090 8bc8            mov     ecx,eax
44175092 e8922bebff      call    OGL!GdipDeletePen+0x115 (44027c29)
44175097 5d              pop     ebp


0:000> kvn1
 # ChildEBP RetAddr  Args to Child             
00 0013e308 440787db 08f22870 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e

0:000> dd ecx+4
00000004  ???????? ???????? ???????? ????????
00000014  ???????? ???????? ???????? ????????
00000024  ???????? ???????? ???????? ????????
00000034  ???????? ???????? ???????? ????????
00000044  ???????? ???????? ???????? ????????
00000054  ???????? ???????? ???????? ????????
00000064  ???????? ???????? ???????? ????????
00000074  ???????? ???????? ???????? ????????


0:000> u eip-11
OGL!GdipGetImageThumbnail+0x1117d:
44175072 ff5004          call    dword ptr [eax+4]
44175075 8bc8            mov     ecx,eax
44175077 e88e4af0ff      call    OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
4417507c 5d              pop     ebp
4417507d c21000          ret     10h
44175080 55              push    ebp
44175081 8bec            mov     ebp,esp
44175083 ff7104          push    dword ptr [ecx+4] <= crash

OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104          push    dword ptr [ecx+4]    ds:0023:00000004=????????

----------------------------------------------------------------------
By: HauntIT Blog @ 2016



(Update: 17.05 - thanks Exploit DB)

If you have any questions or comments, feel free to mail me
or just leave a PM on Twitter.

Cheers.