Microsoft Windows TabStrip MSCOMCTL.OCX RCE Vulnerability

2012-08-15T00:00:00
ID AKB:4DF5EF01-8CC5-4A65-87F7-E627FAA3F022
Type attackerkb
Reporter AttackerKB
Modified 2021-07-27T00:00:00

Description

The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka “MSCOMCTL.OCX RCE Vulnerability.”

Recent assessments:

wchen-r7 at September 12, 2019 6:07pm UTC reported:

To trigger this:

  1. Open the PoC with Microsoft Word 2003.

  2. Close Microsoft Word; that is when the crash is triggered.

    0:000> r
    eax=056ef534 ebx=00000000 ecx=00000000 edx=02ac0007 esi=0571c18c edi=00000000
    eip=2758fce3 esp=0012e348 ebp=0012e3f4 iopl=0         nv up ei pl nz ac po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210212
    MSCOMCTL!DllGetClassObject+0x8f9f:
    2758fce3 ff5108          call    dword ptr [ecx+8]    ds:0023:00000008=????????
    0:000> k
    ChildEBP RetAddr
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0012e3f4 650cd2e2 MSCOMCTL!DllGetClassObject+0x8f9f
    0012e40c 650cd052 VBE6!rtcSendKeys+0x1d442
    00000000 00000000 VBE6!rtcSendKeys+0x1d1b2

    MSCOMCTL!DllGetClassObject+0x8f91:
    2758fcd5 57              push    edi
    2758fcd6 8b7828          mov     edi,dword ptr [eax+28h]
    2758fcd9 8b481c          mov     ecx,dword ptr [eax+1Ch]
    2758fcdc 895848          mov     dword ptr [eax+48h],ebx
    2758fcdf 83c01c          add     eax,1Ch
    2758fce2 50              push    eax
    2758fce3 ff5108          call    dword ptr [ecx+8]

    0:000> dc eax
    056faeb4  00000000 00000000 00000000 00000000  ................
    056faec4  31005c00 00000000 693f3800 44001029  ..1.....8?i)..D
    056faed4  4d55434f 00317e45 03004400 00000000  OCUME~1..D......
    056faee4  3c3f37be eb4118bd 000014a6 6f004400  .7?<..A......D.o
    056faef4  75006300 65006d00 74006e00 20007300  .c.u.m.e.n.t.s.
    056faf04  6e006100 20006400 65005300 74007400  .a.n.d. .S.e.t.t
    056faf14  6e006900 73006700 18000000 00000000  .i.n.g.s........
    056faf24  00000000 00130010 010c017a 0018e920  ........z... ...

Note:
This crash is different from CVE-2012-0158, despite the fact that they both target the same component. CVE-2012-0158 is due to a memcpy call and then a retn to the user-controlled stack. However, this PoC leverages a CALL [ECX+8] call.

  • Using samples provided by nex

071cb2398e5b6ad9e965c4191443227166861129eb4aca6fc1fc647b85eb91d6

Office 2003 crash:

0:004> sxe ld mscomctl
0:004> g
ModLoad: 27580000 27685000   C:\WINDOWS\system32\MSCOMCTL.OCX
eax=00000000 ebx=00000000 ecx=02bd0000 edx=7c90e4f4 esi=00000000 edi=00000000
eip=7c90e4f4 esp=0011fe58 ebp=0011ff4c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90e4f4 c3              ret
0:000> u 2758fce3
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\MSCOMCTL.OCX -
MSCOMCTL!DllGetClassObject+0x8f9f:
2758fce3 ff5108          call    dword ptr [ecx+8]
2758fce6 3bfb            cmp     edi,ebx
2758fce8 8bc7            mov     eax,edi
2758fcea 75ea            jne     MSCOMCTL!DllGetClassObject+0x8f92 (2758fcd6)
2758fcec 5f              pop     edi
2758fced ebd1            jmp     MSCOMCTL!DllGetClassObject+0x8f7c (2758fcc0)
2758fcef 56              push    esi
2758fcf0 57              push    edi
0:000> bp 2758fce3
0:000> g
Breakpoint 0 hit
eax=01d028a4 ebx=00000000 ecx=2759e3e8 edx=fffffd37 esi=00211ca4 edi=00000000
eip=2758fce3 esp=001213f8 ebp=00121434 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
MSCOMCTL!DllGetClassObject+0x8f9f:
2758fce3 ff5108          call    dword ptr [ecx+8]    ds:0023:2759e3f0=a0255827

Another crash, with an interesting stack??

0:000&gt; kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00125fb8 30e5982d 01ee0010 3144c8a5 01ee0070 mso!Ordinal2669+0x5f
00125fe0 31443f75 01ee0070 00010000 001260d0 mso!Ordinal2669+0x18
00126000 311a5a49 01ee0010 001260d0 012d0920 mso!Ordinal530+0x352
00126020 311a5f47 001260d0 01c0687c 012d075c mso!Ordinal2690+0x1ac
0012603c 306063d0 012d0920 001260d0 30161ba0 mso!Ordinal2690+0x6aa
00126058 30161a59 001260b0 00000000 00000000 WINWORD!wdCommandDispatch+0x1d695
0012608c 30609242 001260b0 000000d2 00a20394 WINWORD+0x161a59
001261b0 7c80ae80 30c90000 00000000 30c90000 WINWORD!wdCommandDispatch+0x20507
0012622c 7c80ae6e 00126254 7c80ae80 30c90000 kernel32!GetProcAddress+0x5b
00126254 00126244 30c90000 0012f904 30ed90c6 kernel32!GetProcAddress+0x43
0012626c 30e59897 30e5982d 00a20178 30e5979a 0x126244 <====
00126270 30e5982d 00a20178 30e5979a 00a353a4 mso!Ordinal2669+0x82
00126278 30e5979a 00a353a4 000000d8 300d9800 mso!Ordinal2669+0x18
00126294 3018c671 00000001 000000d8 000000c8 mso!Ordinal2402+0x13
001262ac 3060295c 00000000 00000003 00a20178 WINWORD+0x18c671
001262d4 3060958f 30609596 00126308 00000000 WINWORD!wdCommandDispatch+0x19c21
00126338 304c7d41 01c05c78 00000001 00000000 WINWORD!wdCommandDispatch+0x20854
00126354 3003caf0 00000003 00000001 00000001 WINWORD+0x4c7d41
00000000 00000000 00000000 00000000 00000000 WINWORD+0x3caf0

Office 2007 crash

Microsoft (R) Windows Debugger Version 6.2.8400.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 30000000 30057000   C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
ModLoad: 7c900000 7c9af000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 78130000 781cb000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\MSVCR80.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 31240000 322ec000   C:\Program Files\Microsoft Office\Office12\wwlib.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 774e0000 7761d000   C:\WINDOWS\system32\ole32.dll
ModLoad: 3a9d0000 3b750000   C:\Program Files\Microsoft Office\Office12\oart.dll
ModLoad: 32600000 33618000   C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll
ModLoad: 3fde0000 40221000   C:\WINDOWS\system32\msi.dll
ModLoad: 33d00000 33dd7000   C:\Program Files\Microsoft Office\Office12\1033\wwintl.dll
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\Comctl32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 00cc0000 01314000   C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSORES.DLL
ModLoad: 6bdc0000 6be7a000   C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.DLL
ModLoad: 5d090000 5d12a000   C:\WINDOWS\system32\comctl32.dll
ModLoad: 01bf0000 025cd000   C:\Program Files\Common Files\Microsoft Shared\office12\1033\MSOINTL.DLL
ModLoad: 79000000 7904a000   C:\WINDOWS\system32\mscoree.dll
ModLoad: 603b0000 60416000   C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.DLL
ModLoad: 73000000 73026000   C:\WINDOWS\system32\Winspool.DRV
ModLoad: 7e660000 7e715000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\PS5UI.DLL
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\UxTheme.DLL
ModLoad: 3a780000 3a889000   C:\Program Files\Common Files\Microsoft Shared\office12\riched20.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 78800000 7895c000   C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 02dd0000 03095000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 3bd10000 3bea5000   C:\Program Files\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
ModLoad: 76f50000 76f58000   C:\WINDOWS\system32\WTSAPI32.DLL
ModLoad: 76360000 76370000   C:\WINDOWS\system32\WINSTA.dll
ModLoad: 5b860000 5b8b5000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 73ba0000 73bb3000   C:\WINDOWS\system32\sti.dll
ModLoad: 74ae0000 74ae7000   C:\WINDOWS\system32\CFGMGR32.dll
ModLoad: 7e1e0000 7e282000   C:\WINDOWS\system32\urlmon.dll
ModLoad: 6bd10000 6bd24000   C:\Program Files\Microsoft Office\Office12\MSOHEV.DLL
ModLoad: 40390000 40446000   C:\Program Files\Microsoft Office\Office12\msproof6.dll
ModLoad: 7c420000 7c4a7000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\MSVCP80.dll
ModLoad: 7e720000 7e7d0000   C:\WINDOWS\system32\SXS.DLL
(a7c.b3c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
eax=7ffd9000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c90120e esp=03f3ffcc ebp=03f3fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:007> g
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 75f80000 7607d000   C:\WINDOWS\system32\browseui.dll
ModLoad: 76990000 769b5000   C:\WINDOWS\system32\ntshrui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 7e290000 7e401000   C:\WINDOWS\system32\SHDOCVW.dll
ModLoad: 77a80000 77b15000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 754d0000 75550000   C:\WINDOWS\system32\CRYPTUI.dll
ModLoad: 771b0000 7725a000   C:\WINDOWS\system32\WININET.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 76980000 76988000   C:\WINDOWS\system32\LINKINFO.dll
ModLoad: 27580000 27685000   C:\WINDOWS\system32\MSCOMCTL.OCX
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\comdlg32.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 42640000 426c7000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\PSCRIPT5.DLL
ModLoad: 73b30000 73b45000   C:\WINDOWS\system32\mscms.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
ModLoad: 10000000 1001f000   C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\tpps.dll
(a7c.df4): Unknown exception - code e0000002 (first chance)
ModLoad: 65000000 65278000   C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL
ModLoad: 65300000 65326000   C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\1033\VBE6INTL.DLL
(a7c.df4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\MSCOMCTL.OCX -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office12\wwlib.dll -
eax=001d2d9c ebx=00000000 ecx=000000c4 edx=0237000d esi=0015e484 edi=00000118
eip=2758fce3 esp=00121d10 ebp=00121d64 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
MSCOMCTL!DllGetClassObject+0x8f9f:
2758fce3 ff5108          call    dword ptr [ecx+8]    ds:0023:000000cc=????????
0:000> dd ecx
000000c4  ???????? ???????? ???????? ????????
000000d4  ???????? ???????? ???????? ????????
000000e4  ???????? ???????? ???????? ????????
000000f4  ???????? ???????? ???????? ????????
00000104  ???????? ???????? ???????? ????????
00000114  ???????? ???????? ???????? ????????
00000124  ???????? ???????? ???????? ????????
00000134  ???????? ???????? ???????? ????????

Assessed Attacker Value: 0
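As an added example (not part of the assessment or the original page), a small Python triage helper that applies the reasoning in the note above to the three quoted crash stops: it parses the WinDbg register line and the faulting instruction, checks that the `ds:` operand address matches the register the indirect CALL dereferences (ECX plus 8), and labels the stop. The register and instruction lines are copied from the dumps above; the verdict strings and the `triage` function are my own.

```python
import re

# Constructed samples: the three MSCOMCTL stops quoted in the assessment above,
# reduced to the register line, the eip line and the instruction at the stop.
SAMPLES = {
    "word2003_close": (
        "eax=056ef534 ebx=00000000 ecx=00000000 edx=02ac0007 esi=0571c18c edi=00000000\n"
        "eip=2758fce3 esp=0012e348 ebp=0012e3f4 iopl=0         nv up ei pl nz ac po nc\n"
        "2758fce3 ff5108          call    dword ptr [ecx+8]    ds:0023:00000008=????????\n"),
    "office2007": (
        "eax=001d2d9c ebx=00000000 ecx=000000c4 edx=0237000d esi=0015e484 edi=00000118\n"
        "eip=2758fce3 esp=00121d10 ebp=00121d64 iopl=0         nv up ei pl nz na pe nc\n"
        "2758fce3 ff5108          call    dword ptr [ecx+8]    ds:0023:000000cc=????????\n"),
    "office2003_bp": (
        "eax=01d028a4 ebx=00000000 ecx=2759e3e8 edx=fffffd37 esi=00211ca4 edi=00000000\n"
        "eip=2758fce3 esp=001213f8 ebp=00121434 iopl=0         nv up ei pl nz ac po nc\n"
        "2758fce3 ff5108          call    dword ptr [ecx+8]    ds:0023:2759e3f0=a0255827\n"),
}

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# "<addr> <bytes> <mnemonic> <operands> ds:<seg>:<target>=<value>" as WinDbg prints it
INSN_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8})\s+[0-9a-f]+\s+(?P<mnem>\w+)\s+(?P<ops>.*?)\s+"
    r"ds:[0-9a-f]{4}:(?P<target>[0-9a-f]{8})=(?P<val>\S+)", re.M)
MEM_RE = re.compile(r"\[(e[a-z]{2})(?:\+([0-9a-f]+)h?)?\]")  # [reg] or [reg+disp]

def triage(dump):
    """Return (verdict, details) for one WinDbg exception or breakpoint stop."""
    regs = {k: int(v, 16) for k, v in REG_RE.findall(dump)}
    insn = INSN_RE.search(dump)
    if insn is None:
        return "no annotated instruction found", {}
    mem = MEM_RE.search(insn["ops"])
    base = regs.get(mem.group(1)) if mem else None
    disp = int(mem.group(2), 16) if mem and mem.group(2) else 0
    target = int(insn["target"], 16)
    info = {"eip": int(insn["addr"], 16), "base_reg": mem.group(1) if mem else None,
            "base": base, "target": target,
            "consistent": base is not None and base + disp == target,  # ds: addr == reg+disp
            "readable": insn["val"] != "????????"}           # ???????? means unmapped
    indirect = insn["mnem"] in ("call", "jmp") and mem is not None
    if indirect and not info["readable"]:
        # Control flow read from memory that is not mapped: the object/vtable pointer is bad.
        if target < 0x10000:
            return "indirect branch through near-NULL pointer", info
        return "indirect branch through unmapped pointer", info
    if indirect:
        return "indirect branch target resolved (no fault at this stop)", info
    return "data access fault", info
```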