**CVSS2:** AV:N/AC:M/Au:N/C:C/I:C/A:C

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | COMPLETE |
| Integrity Impact | COMPLETE |
| Availability Impact | COMPLETE |

**EPSS Percentile:** 98.8%
**Title:** Microsoft Word Malformed FIB Arbitrary Free Vulnerability
**Advisory ID:** CORE-2008-0228
**Advisory URL:** <https://www.coresecurity.com/core-labs/advisories/word-arbitrary-free>
**Date published:** 2008-12-10
**Date of last update:** 2008-12-10
**Vendors contacted:** Microsoft
**Release mode:** Coordinated release
**Class:** Arbitrary free
**Remotely Exploitable:** Yes (client-side)
**Locally Exploitable:** No
**Bugtraq ID:** 32580
**CVE Name:** CVE-2008-4024
A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed record value. An attacker who successfully exploited this vulnerability could execute arbitrary code with the privileges of the user running the MS Word application.
More specifically, a Word file with a specially crafted `lcbPlcfBkfSdt` field value (offset `0x4f0`) inside the File Information Block (FIB) can corrupt the heap structure on vulnerable Word versions and enable an arbitrary free with controlled values.
Microsoft has released patches for this vulnerability. For more information refer to the Microsoft Security Bulletin MS08-072 released on December 9th, 2008.
Microsoft recommends that customers apply the update immediately.
This vulnerability was discovered and researched by Ricardo Narvaja, from CORE IMPACT’s Exploit Writing Team (EWT), Core Security Technologies.
A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. A Word file with a specially crafted `lcbPlcfBkfSdt` field value (offset `0x4f0`) inside the File Information Block (FIB) can corrupt the heap structure on vulnerable Word versions and enable an arbitrary free with controlled values. If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems with the privileges of the user running the MS Word application.
To construct a PoC file that demonstrates this bug it is sufficient to use Microsoft Word 2007 to generate a Word 97-2003 compatible `.doc` file and then change the byte at offset `0x4f0`, which is the `lcbPlcfBkfSdt` field value located inside the File Information Block (FIB). Simply changing this byte from 0 to 1 yields a file that makes vulnerable Word versions crash when the file is closed. This can be improved to make Word crash when opening the file by changing some other values. The bug was detected using automated fuzzing.
At location `0x2b80` there is an arbitrary pointer that can be controlled to choose the address that will be used as the parameter of a call to the free function `__MsoPvFree`. If the `lcbPlcfBkfSdt` value is 0, modifying this pointer has no effect. But if this value is 1, modifying this arbitrary pointer will cause the free function to crash the program.
The call to `__MsoPvFree` is reached with two controlled values: the pointer that was directly changed in the `.doc` file and the contents of the memory location that it points to. Both are therefore controlled, one directly and the other indirectly, so the effect of the free function can be fully controlled.
Exploitation of this bug depends on constructing a file such that different arbitrary blocks are allocated when the file is closed, before `free` is called. This scenario is complex, however, because of the limitations of the `__MsoPvFree` API, including checks that make exploitation difficult.
The vendor's analysis indicates that the root cause of this vulnerability is the processing of a `PlfLfo` structure that is read in from the file. It contains an array of `Lfo` objects. If any of those `Lfo` objects has a `clfolvl` value of 0 and a `plfolvl` (the previous 4 bytes) value that is non-zero, Word will attempt to free memory at `plfolvl`. This happens because `plfolvl` is supposed to be overwritten with a valid pointer to allocated memory, but if `clfolvl` is 0 this initialization step is skipped. Later on, cleanup code checks whether `plfolvl` has a non-zero value and, if so, attempts to free the memory chunk it points to.
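As an added illustration, not part of the original advisory and not Core Security's or Microsoft's code, the following Python script turns the vendor's root-cause condition into a file-triage check: it walks the LFO array of a `PlfLfo` blob and flags every LFO whose `clfolvl` is 0 while the 4 bytes immediately before it (`unused2` on disk, reused as the `plfolvl` pointer in memory) are non-zero. The 16-byte LFO layout with `clfolvl` at offset 12 is taken from the Word binary file format specification; the sample blobs are constructed here. It also reads the 32-bit value at file offset `0x4f0` that the advisory identifies as `lcbPlcfBkfSdt`, which assumes the same placement of the WordDocument stream as the advisory's PoC file. Locating these structures in an arbitrary `.doc` would require parsing the OLE compound file and the FIB (`fcPlfLfo`/`lcbPlfLfo` point into the Table stream), which this example deliberately leaves out.

```python
import struct
from typing import List, Optional, Tuple

# LFO record layout from the Word binary file format specification:
# lsid (4) | unused1 (4) | unused2 (4) | clfolvl (1) | ibstFltAutoNum (1) | grfhic (1) | unused3 (1)
LFO_SIZE = 16
PLFOLVL_OFFSET = 8    # the 4 bytes right before clfolvl; Word reuses them as the plfolvl pointer in memory
CLFOLVL_OFFSET = 12   # number of LFOLVL records that follow in rgLfoData

# File offset the advisory gives for lcbPlcfBkfSdt in its PoC layout (assumption: same stream placement)
LCB_PLCFBKFSDT_FILE_OFFSET = 0x4F0


def parse_plflfo(blob: bytes) -> List[bytes]:
    """Split a PlfLfo blob (lfoMac followed by lfoMac LFO records) into 16-byte records."""
    if len(blob) < 4:
        raise ValueError("PlfLfo blob shorter than its lfoMac field")
    lfo_mac = struct.unpack_from("<I", blob, 0)[0]
    needed = 4 + lfo_mac * LFO_SIZE
    if len(blob) < needed:
        raise ValueError(f"lfoMac={lfo_mac} needs {needed} bytes but blob has {len(blob)}")
    return [blob[4 + i * LFO_SIZE: 4 + (i + 1) * LFO_SIZE] for i in range(lfo_mac)]


def find_uninitialised_plfolvl(blob: bytes) -> List[Tuple[int, int]]:
    """Return (index, plfolvl) for each LFO matching the vendor's root-cause condition:
    clfolvl == 0, so Word never overwrites plfolvl with a real allocation, while the
    on-disk plfolvl bytes are non-zero, so cleanup code later hands that value to free."""
    hits = []
    for idx, lfo in enumerate(parse_plflfo(blob)):
        clfolvl = lfo[CLFOLVL_OFFSET]
        plfolvl = struct.unpack_from("<I", lfo, PLFOLVL_OFFSET)[0]
        if clfolvl == 0 and plfolvl != 0:
            hits.append((idx, plfolvl))
    return hits


def read_lcb_plcfbkfsdt(doc: bytes, offset: int = LCB_PLCFBKFSDT_FILE_OFFSET) -> Optional[int]:
    """Read the little-endian 32-bit lcbPlcfBkfSdt value at the advisory's file offset.
    Returns None when the image is too short to contain it."""
    if len(doc) < offset + 4:
        return None
    return struct.unpack_from("<I", doc, offset)[0]


def _lfo(lsid: int, unused2: int, clfolvl: int) -> bytes:
    """Build one constructed LFO record (helper for the sample data below)."""
    return struct.pack("<IIIBBBB", lsid, 0, unused2, clfolvl, 0, 0, 0)


# Constructed sample PlfLfo blobs (not taken from any real document).
SAMPLE_CLEAN = struct.pack("<I", 2) + _lfo(1, 0, 1) + _lfo(2, 0, 0)
SAMPLE_SUSPECT = (struct.pack("<I", 3)
                  + _lfo(1, 0, 1)
                  + _lfo(2, 0x41414141, 0)   # clfolvl 0 with non-zero plfolvl bytes: flagged
                  + _lfo(3, 0x42424242, 2))  # clfolvl 2: Word would overwrite plfolvl, not flagged

# Constructed minimal file image: zeros except for the value at the advisory's offset.
_img = bytearray(0x600)
_img[LCB_PLCFBKFSDT_FILE_OFFSET] = 1
SAMPLE_DOC = bytes(_img)

if __name__ == "__main__":
    print("clean   :", find_uninitialised_plfolvl(SAMPLE_CLEAN))
    print("suspect :", find_uninitialised_plfolvl(SAMPLE_SUSPECT))
    print("lcbPlcfBkfSdt at 0x4f0:", read_lcb_plcfbkfsdt(SAMPLE_DOC))
```

Both checks are heuristics for triage rather than proof of malice: the specification says the `unused2` bytes of an LFO must be ignored, so a well-behaved writer leaves them zero, but a non-zero value alone is only an indicator, and the `0x4f0` offset holds only for files laid out like the advisory's PoC.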
A Proof of Concept `.doc` file which makes Word 2000 and Word 2002 crash (`WINWORD.EXE`, main thread, module `MS09`).
[1] Word 97-2007 Binary File Format (*.doc) Specification: <http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf>
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: <https://www.coresecurity.com/core-labs>.
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company’s flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at <https://www.coresecurity.com>.
The contents of this advisory are copyright © 2008 Core Security Technologies and © 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
This advisory has been signed with the GPG key of Core Security Technologies advisories team.