Microsoft Office Excel remote code execution vulnerability, CVE-2016-0035 analysis - vulnerability warning - the black bar safety net

2016-01-22T00:00:00
ID MYHACK58:62201671283
Type myhack58
Reporter 佚名 (anonymous)
Modified 2016-01-22T00:00:00

Description

Recently I found that all versions of Excel contain a Use-After-Free vulnerability when processing a specially crafted Excel file. Successful exploitation of the vulnerability can allow remote code execution. However, Microsoft refused to patch it, saying that the "pop-up" prompt is enough to block the vulnerability. Let's take a look at what this pop-up is:

When we open a trusted file from an e-mail and this pop-up appears, will you click "Yes"? I think the answer is probably "yes"; after all, this is a trusted file from a credible source, or at least you think so. Although the pop-up is there, once you close it, or simply disregard it and click "Yes", the vulnerability is triggered a few seconds later. So how much impact does this have? As long as the user does not select "No" within 1 second, the bug fires. Running Excel with page heap enabled, the crash and the user-mode stack trace look like this:

(868.15c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=221beff0 ebx=001c2602 ecx=08a1dff0 edx=00000001 esi=00000000 edi=00000001
eip=2fed37f1 esp=001c2264 ebp=001c2294 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
EXCEL!Ordinal40+0x7737f1:
2fed37f1 663b5004        cmp     dx,word ptr [eax+4]  ds:0023:221beff4=????
0:000> !heap -p -a @eax
    address 221beff0 found in
    _DPH_HEAP_ROOT @ 11d1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    22d31a5c:         221be000             2000
    716690b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    773a6dbc ntdll!RtlDebugFreeHeap+0x0000002f
    7736a4c7 ntdll!RtlpFreeHeap+0x0000005d
    77336896 ntdll!RtlFreeHeap+0x00000142
    75b6c4d4 kernel32!HeapFree+0x00000014
    62296f1b mso!Ordinal9770+0x00007bef
    2f98cde3 EXCEL!Ordinal40+0x0022cde3
    2f9e2e82 EXCEL!Ordinal40+0x00282e82
    2f9e2b35 EXCEL!Ordinal40+0x00282b35
    2fa26427 EXCEL!Ordinal40+0x002c6427
    2fa260b6 EXCEL!Ordinal40+0x002c60b6
    2fa24e39 EXCEL!Ordinal40+0x002c4e39
    2fa21994 EXCEL!Ordinal40+0x002c1994
    2fa24a26 EXCEL!Ordinal40+0x002c4a26
    2fa1f82c EXCEL!Ordinal40+0x002bf82c
    2fa1e336 EXCEL!Ordinal40+0x002be336
    2fa1d992 EXCEL!Ordinal40+0x002bd992
    2fa1ced6 EXCEL!Ordinal40+0x002bced6
    2fff23cd EXCEL!Ordinal40+0x008923cd
    3002c86e EXCEL!Ordinal40+0x008cc86e
    300316f1 EXCEL!Ordinal40+0x008d16f1
    30032050 EXCEL!Ordinal40+0x008d2050
    30042046 EXCEL!Ordinal40+0x008e2046
    62076292 mso!Ordinal9994+0x000024c7
    620766cb mso!Ordinal4158+0x000001d8
    6205992d mso!Ordinal9839+0x00000ff0
    6205a0df mso!Ordinal143+0x00000415
    61b50593 mso!Ordinal6326+0x00003b30
    6207621f mso!Ordinal9994+0x00002454
    6175882e mso!Ordinal53+0x0000083b
    617585bc mso!Ordinal53+0x000005c9
    6175744a mso!Ordinal7509+0x00000060

Clearly a UAF is present here: the faulting read at [eax+4] lands inside a block that page heap reports as already freed, and the stack above shows where it was released. To make it clear that this is a serious vulnerability, the following example shows a possible code-execution path; the user-mode stack trace is not needed for this one. If the attacker can control what is placed at that address after it has been freed and reallocated, then the attacker can indirectly execute their own code:

(1614.1a24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5ca5f546 ebx=00000000 ecx=5c991ed8 edx=00266794 esi=5c991ed8 edi=00000000
eip=8bec8b55 esp=002667a8 ebp=002667e0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
8bec8b55 ??              ???
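The two traces above are exactly the kind of output a crash-triage script has to read to decide whether a fuzzer or a reported crash is a use-after-free or already a control-flow corruption. The following script is an added example written for this page, not code from the article's author or from Microsoft: it parses WinDbg's x86 access-violation dump and the `!heap -p -a` answer under page heap, and classifies the crash as "uaf" when the faulting address lies inside the block that page heap reports as "free-ed allocation", or as "eip_invalid" when EIP itself points at bytes WinDbg cannot disassemble (the `?? ???` line). The two traces from the advisory are embedded as constructed test input (the freeing stack is trimmed); the regular expressions assume WinDbg's 32-bit output layout as shown on this page.

```python
"""Classify a WinDbg access-violation dump as UAF / invalid-EIP / unclassified.

Added example for crash triage; assumes WinDbg x86 output in the layout shown
in the advisory (register dump, faulting instruction, `!heap -p -a` output).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Register dump: "eax=221beff0 ebx=001c2602 ... eip=2fed37f1 ..."
REG_RE = re.compile(r'\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})\b')
# Faulting memory operand as WinDbg annotates it: "ds:0023:221beff4=????"
FAULT_RE = re.compile(r'ds:[0-9a-fA-F]{4}:([0-9a-fA-F]{8})=\?+')
# Page-heap block line under "!heap -p -a": "<DPH_HEAP_BLOCK>: <VirtAddr> <VirtSize>"
BLOCK_RE = re.compile(r'^\s*[0-9a-fA-F]{8}:\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]+)\s*$', re.M)
# Stack frame line: "<retaddr> module!symbol+0x<offset>"
FRAME_RE = re.compile(r'^\s*[0-9a-fA-F]{8}\s+(\S+![^\s]+)\s*$', re.M)
# Faulting instruction WinDbg could not decode: "8bec8b55 ??              ???"
BAD_EIP_RE = re.compile(r'^\s*([0-9a-fA-F]{8})\s+\?\?\s+\?\?\?', re.M)
# Heap-runtime frames to skip when looking for the application code that freed a block.
RUNTIME_MODULES = ("verifier!", "ntdll!", "kernel32!")


@dataclass
class CrashTriage:
    registers: Dict[str, int]
    fault_addr: Optional[int]
    freed_block: Optional[Tuple[int, int]]   # (VirtAddr, VirtSize) reported by page heap
    free_stack: List[str] = field(default_factory=list)
    verdict: str = "unclassified"


def parse_registers(text: str) -> Dict[str, int]:
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_fault_address(text: str) -> Optional[int]:
    m = FAULT_RE.search(text)
    return int(m.group(1), 16) if m else None


def parse_page_heap(text: str) -> Tuple[Optional[Tuple[int, int]], List[str]]:
    """Return the freed block and the stack that freed it, if page heap reports
    the queried address inside a 'free-ed allocation'; otherwise (None, [])."""
    marker = text.find("!heap -p -a")
    if marker < 0:
        return None, []
    section = text[marker:]
    if "free-ed allocation" not in section:
        return None, []
    m = BLOCK_RE.search(section)
    if not m:
        return None, []
    block = (int(m.group(1), 16), int(m.group(2), 16))
    return block, FRAME_RE.findall(section[m.end():])


def freeing_frame(frames: List[str]) -> Optional[str]:
    """First frame below the heap runtime: the application code that released the block."""
    for f in frames:
        if not f.startswith(RUNTIME_MODULES):
            return f
    return None


def classify(text: str) -> CrashTriage:
    regs = parse_registers(text)
    fault = parse_fault_address(text)
    block, frames = parse_page_heap(text)
    t = CrashTriage(regs, fault, block, frames)
    if fault is not None and block is not None:
        start, size = block
        if start <= fault < start + size:          # read hits a freed page-heap block
            t.verdict = "uaf"
            return t
    m = BAD_EIP_RE.search(text)
    if m and regs.get("eip") == int(m.group(1), 16):  # executing from unmapped memory
        t.verdict = "eip_invalid"
    return t


# Constructed test input: the two traces from the advisory (freeing stack trimmed).
TRACE_UAF = """\
(868.15c4): Access violation - code c0000005 (first chance)
eax=221beff0 ebx=001c2602 ecx=08a1dff0 edx=00000001 esi=00000000 edi=00000001
eip=2fed37f1 esp=001c2264 ebp=001c2294 iopl=0         nv up ei pl zr na pe nc
EXCEL!Ordinal40+0x7737f1:
2fed37f1 663b5004        cmp     dx,word ptr [eax+4]  ds:0023:221beff4=????
0:000> !heap -p -a @eax
    address 221beff0 found in
    _DPH_HEAP_ROOT @ 11d1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    22d31a5c:         221be000             2000
    716690b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    773a6dbc ntdll!RtlDebugFreeHeap+0x0000002f
    77336896 ntdll!RtlFreeHeap+0x00000142
    75b6c4d4 kernel32!HeapFree+0x00000014
    62296f1b mso!Ordinal9770+0x00007bef
    2f98cde3 EXCEL!Ordinal40+0x0022cde3
"""
TRACE_EIP = """\
(1614.1a24): Access violation - code c0000005 (first chance)
eax=5ca5f546 ebx=00000000 ecx=5c991ed8 edx=00266794 esi=5c991ed8 edi=00000000
eip=8bec8b55 esp=002667a8 ebp=002667e0 iopl=0         nv up ei pl nz na pe nc
8bec8b55 ??              ???
"""

if __name__ == "__main__":
    for name, trace in (("page-heap trace", TRACE_UAF), ("second trace", TRACE_EIP)):
        t = classify(trace)
        print(name, t.verdict, hex(t.fault_addr) if t.fault_addr is not None else None,
              freeing_frame(t.free_stack))
```

The freed-by frame (here the first non-runtime frame, `mso!Ordinal9770+0x00007bef`) is the most useful single datum for deduplicating crashes that all stem from the same premature free, and the "eip_invalid" verdict is what separates a crash that merely reads freed memory from one where control flow has already left mapped code.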
