CVE-2015-2545 vulnerability research and analysis - Vulnerability Warnings - myhack58 (黑吧安全网)

ID MYHACK58:62201785156
Type myhack58
Reporter Anonymous (佚名)
Modified 2017-04-12T00:00:00


1. Overview

This is a Microsoft Office vulnerability that allows arbitrary code execution through a specially crafted Encapsulated PostScript (EPS) graphics file. According to the original report it was found in March 2015 and remained unpatched for about four months; Microsoft then released the fix in security bulletin MS15-099.

Vulnerability published: 2015-09-08

Vulnerability last updated: 2015-09-08

Affected systems

  Microsoft Office 2007 SP3
  Microsoft Office 2010 SP2
  Microsoft Office 2013 SP1
  Microsoft Office 2013 RT SP1
  Microsoft Office for Mac 2011
  Microsoft Office for Mac 2016
  Microsoft Office Compatibility Pack SP3

Vulnerability information

Microsoft Office is the office productivity application suite released by Microsoft.

Microsoft Office contains a memory corruption flaw in its handling of EPS files. An attacker can construct a malicious file and induce the application to parse it, which may crash the application or lead to arbitrary code execution.

Users can apply the vendor-provided security patch, MS15-099, to fix the vulnerability.

2. Sample source

Searching Twitter for cve-2015-2545 turned up related posts; filtering them yielded the sample's hash value 375e51a989525cfec8296faaffdefa35. A Google search for that hash eventually led to a copy of the sample.

3. Analysis

3.1 Root cause and exploitation

In the EPS interpreter, when the copy operator is applied to a dictionary (dict), the destination dictionary takes over the source dictionary's key/value pairs: all of its own entries are deleted and new storage is allocated for the copied data (a normal dictionary copy would only touch the elements being copied and leave the others alone). The forall operator, when applied to a dictionary, processes each key/value pair in turn: it fetches the content of the current entry together with a ptrNext pointer to the next entry to be processed, pushes the key and value onto the operand stack, executes the procedure (proc), and afterwards uses the retained ptrNext to move on to the next pair. If the procedure executed inside forall performs a copy into the dictionary being iterated, copy deletes all of that dictionary's entries while forall still holds ptrNext, so ptrNext becomes a wild (dangling) pointer into freed storage. With carefully constructed data placed where that pointer points, the condition becomes exploitable. The sample uses the wild pointer to finally fabricate a string object with start address 0x0 and length 0x7fffffff, which gives arbitrary read/write over the process address space and underpins the later ROP and shellcode stages.
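To make the forall/copy interaction concrete, here is an added C model of the iteration-invalidation bug described above. It is not the sample's PostScript and not Office's EPS filter code: the Entry/Dict layout, the fixed-slot allocator and all function names are assumptions for illustration. It shows the cached ptrNext surviving a copy that frees and reuses the entry storage, so the iteration continues over attacker-chosen (copied-in) data, next to a forall variant that re-validates the dictionary after each proc call and refuses to follow the stale pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical dictionary layout: a singly linked list of entries, mirroring the
   "content + ptrNext" iteration the text attributes to forall. */
typedef struct Entry { const char *key; long value; struct Entry *next; } Entry;
typedef struct Dict { Entry *head; unsigned generation; } Dict; /* generation: bumped on realloc */

/* Fixed-slot stand-in for the interpreter heap. Freed slots keep their old contents and are
   handed out again lowest-index first, so storage released by copy is immediately reused for
   the copied entries; that reuse is what turns ptrNext into a pointer at attacker data. */
#define SLOTS 16
static Entry slots[SLOTS];
static int slot_free[SLOTS];

static void arena_reset(void) {
    memset(slots, 0, sizeof slots);
    for (int i = 0; i < SLOTS; i++) slot_free[i] = 1;
}
static Entry *arena_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (slot_free[i]) { slot_free[i] = 0; return &slots[i]; }
    abort();
}
static void arena_free(Entry *e) { slot_free[e - slots] = 1; }

static void dict_put(Dict *d, const char *key, long value) {
    Entry *e = arena_alloc();
    e->key = key; e->value = value; e->next = NULL;
    if (!d->head) { d->head = e; return; }
    Entry *t = d->head;
    while (t->next) t = t->next;
    t->next = e;                                   /* append, preserving insertion order */
}

/* `src dst copy` as described in 3.1: every entry dst owns is freed, then fresh storage is
   allocated for copies of src's entries. */
static void dict_copy(const Dict *src, Dict *dst) {
    for (Entry *e = dst->head; e;) { Entry *n = e->next; arena_free(e); e = n; }
    dst->head = NULL;
    dst->generation++;
    for (const Entry *e = src->head; e; e = e->next) dict_put(dst, e->key, e->value);
}

typedef void (*Proc)(Dict *d, const char *key, long value, void *ctx);

/* Vulnerable forall: caches ptrNext, runs proc, then trusts the cached pointer. */
static int forall_vulnerable(Dict *d, Proc proc, void *ctx) {
    int visited = 0;
    for (Entry *cur = d->head; cur;) {
        Entry *ptrNext = cur->next;                /* saved before proc runs */
        proc(d, cur->key, cur->value, ctx);        /* proc may copy into d, freeing cur and ptrNext */
        visited++;
        cur = ptrNext;                             /* wild pointer if the storage was replaced */
    }
    return visited;
}

/* Hardened forall: if proc replaced the dictionary's storage, stop with an error (-1, standing
   in for a PostScript invalidaccess) instead of dereferencing freed memory. */
static int forall_checked(Dict *d, Proc proc, void *ctx) {
    int visited = 0;
    unsigned gen = d->generation;
    for (Entry *cur = d->head; cur;) {
        Entry *ptrNext = cur->next;
        proc(d, cur->key, cur->value, ctx);
        visited++;
        if (d->generation != gen) return -1;
        cur = ptrNext;
    }
    return visited;
}

/* The proc body: record what forall handed us and, on the first call only, copy `src` into the
   dictionary being iterated, which is the sequence the sample relies on. */
typedef struct { Dict *src; int copied; char keys[64]; long sum; } Ctx;
static Ctx last_run;

static void proc_copy_on_first(Dict *d, const char *key, long value, void *vctx) {
    Ctx *c = vctx;
    strcat(c->keys, key);
    c->sum += value;
    if (!c->copied) { c->copied = 1; dict_copy(c->src, d); }
}

/* Constructed scenario: A = {a:1 b:2 c:3}, B = {x:100 y:200 z:300}; iterate A and copy B into
   A on the first step. Returns forall's result; last_keys()/last_sum() expose what proc saw. */
static int run_scenario(int hardened) {
    arena_reset();
    Dict a = {0}, b = {0};
    dict_put(&a, "a", 1); dict_put(&a, "b", 2); dict_put(&a, "c", 3);
    dict_put(&b, "x", 100); dict_put(&b, "y", 200); dict_put(&b, "z", 300);
    Ctx c = { &b, 0, "", 0 };
    int n = hardened ? forall_checked(&a, proc_copy_on_first, &c)
                     : forall_vulnerable(&a, proc_copy_on_first, &c);
    last_run = c;
    return n;
}
static long last_sum(void) { return last_run.sum; }
static const char *last_keys(void) { return last_run.keys; }

int main(void) {
    int n = run_scenario(0);
    printf("vulnerable forall visited %d entries, keys=%s sum=%ld (b and c never seen)\n",
           n, last_keys(), last_sum());
    n = run_scenario(1);
    printf("checked forall returned %d after keys=%s (aborted on storage change)\n", n, last_keys());
    return 0;
}
```

In the vulnerable run the iteration that started over A finishes over B's copied-in entries (keys a, y, z) without ever seeing b or c: the stale ptrNext landed on the slot the allocator reused for the copy, which is the attacker-controlled situation 3.1 describes. In the real interpreter the reused storage is whatever the PostScript file placed there, and the sample steers it into a fake string object rather than a harmless dictionary entry.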

3.2 Test environment

  1. Microsoft Windows [Version 6.1.7601] Ultimate SP1 English x86
  2. Windows Debugger Version 6.12.0002.633 X86
  3. IDA 6.8.150423 (32-bit)
  4. OllyDbg 1.0
  5. Notepad++
  6. Microsoft Office Word 2007 (12.0.6612.1000) SP3, MSO (12.0.6607.10000)

3.3 Debugging approach

The sample was debugged and analysed from three directions. First: locate the simplest place where the ROP chain can be picked up. Second, the main focus: how the wild pointer is generated. Third: the ROP chain and the shellcode.

3.4 Debugging analysis: starting from CreateFile [first direction]

  1. Open the sample under WinDbg and let it run. The sample creates files in the temporary directory, in the order plugin.dll, then igfxe.exe. The obvious next step is a breakpoint on ZwCreateFile. (This is not an ideal breakpoint location, because Word calls CreateFile constantly while opening a document, but by walking the call stack back from the hit you can still find what you are looking for.)


Figure 1

  1. Trace back from the hit to locate the ROP chain (Figure 2; call it ropcall). For the test, set breakpoints on the respective call instructions and single-step through them; the ROP chain, the stack-pivot operation, and the shellcode that follows (whose first segment is initially unknown) can all be followed by single-stepping.



Figure 2

3.5 Debugging analysis: how the wild pointer is generated [second direction]

3.5.1 A simple example explaining UAF

This process is fairly involved and requires some understanding of PostScript syntax; the PostScript Language Reference Manual (PLRM2.pdf) is the reference to download and study. We also need the basics of UAF (use-after-free). As the name says, a UAF is memory that is used again after it has been freed. A minimal example, in the same form as the page's original listing (missing `#` and `*` characters restored so that it compiles):

```c
#include <stdio.h>
#include <stdlib.h>

void pfunc1() { printf("test\n"); }

typedef struct Object1_struct {
    int flag;
    void (*pfunc1)();
    char message[4];
} OBJECT1;

typedef struct Object2_struct {
    int flag;
    int flag2;
    char *welcome;
} OBJECT2;

int main() {
    int i;
    OBJECT1 *pObject1;
    OBJECT2 *pObject2;

    pObject1 = (OBJECT1 *)malloc(sizeof(OBJECT1)); // init the struct
    pObject1->flag = 1;
    //pObject1->pfunc1();
    //pObject1->message = "this is first create!";

    free(pObject1); /* forgot pObject1 = NULL */

    for (i = 0; i < 1000; i++) {
        pObject2 = (OBJECT2 *)malloc(sizeof(OBJECT2)); // heap spray
        pObject2->flag = 2;
        pObject2->flag2 = 4;
        pObject2->welcome = "AAAA";
    } /* fill pointer */

    // pObject1 still points at the freed chunk; if one of the sprayed OBJECT2
    // allocations (same size on x86) landed there, the pfunc1 slot now holds
    // flag2 and the call below jumps to address 4.
    if (pObject1 != NULL)
        pObject1->pfunc1();
    return 0;
}
```

The freed OBJECT1 chunk is never nulled, so the stale pointer survives; the loop of same-size OBJECT2 allocations reclaims that chunk, and the function pointer that OBJECT1 expects at offset 4 now overlaps a value the "attacker" chose. Calling through it is exactly the control-flow hijack that the EPS sample achieves with its wild ptrNext.
