TALOS-2019-0968 - Talos Intelligence
Feb 11, 2020 - 12:00 a.m.

Microsoft Office Excel Ordinal43 code execution vulnerability

2020-02-11 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 9.3 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.047 Low
Percentile: 92.7%

Summary

An exploitable use-after-free vulnerability exists in Excel in Microsoft Office Professional Plus 2016 x86, version 1909, build 12026.20334 and Microsoft Office 365 ProPlus x86, version 1902, build 11328.20480. A specially crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Tested Versions

Microsoft Office Professional Plus 2016 x86 - version 1909 build 12026.20334
Microsoft Office 365 ProPlus x86 - version 1902 build 11328.20480

Product URLs

<https://products.office.com>

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416: Use After Free

Details

This vulnerability is present in Microsoft Excel, part of the Microsoft Office collection of software applications used in an office environment. More precisely, the vulnerability lies in the component responsible for handling the Microsoft® Office HTML and XML format introduced in Microsoft Office 2000. A specially crafted XLS file written as well-formed HTML/XML tags can lead to a use-after-free vulnerability and remote code execution.

Tracking the object's life cycle, we can see a constant-size allocation being made:

00711123 68e0050000   push    5E0h
00711128 e86e15f7ff   call    Excel!Ordinal43+0x1269b (0068269b)

eax=024fecfc ebx=00000000 ecx=52704a20 edx=00000000 esi=52704a20 edi=00000000
eip=0095aa74 esp=0331fd4c ebp=0331fd60 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
0:000> !heap -p -a 52704a20
	address 52704a20 found in
	_DPH_HEAP_ROOT @ 4361000
	in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
								52700f70:         52704a20              5e0 -         52704000             2000
		  ? Excel!LinkASPPModelTable+7f9efe
	77f3ab70 verifier!AVrfDebugPageHeapAllocate+0x00000240
	77bc915b ntdll!RtlDebugAllocateHeap+0x00000039
	77b133cd ntdll!RtlpAllocateHeap+0x000000ed
	77b1207b ntdll!RtlpAllocateHeapInternal+0x000006db
	77b11976 ntdll!RtlAllocateHeap+0x00000036
	0c804256 mso20win32client!Ordinal951+0x000000a9
	0c804211 mso20win32client!Ordinal951+0x00000064
	00682827 Excel!Ordinal43+0x00012827
	00682713 Excel!Ordinal43+0x00012713
	006826ba Excel!Ordinal43+0x000126ba
	0071112d Excel!Ordinal43+0x000a112d
	00710d7f Excel!Ordinal43+0x000a0d7f
	00730ea9 Excel!Ordinal43+0x000c0ea9
	00c4a767 Excel!Ordinal43+0x005da767
	00c4a335 Excel!Ordinal43+0x005da335
	01c7a0c2 Excel!MdCallBack+0x008835c8
	008385b7 Excel!Ordinal43+0x001c85b7
	008320eb Excel!Ordinal43+0x001c20eb
	01695625 Excel!MdCallBack+0x0029eb2b
	012970c6 Excel!MdCallBack12+0x005aff8d
	0129727a Excel!MdCallBack12+0x005b0141
	006a6bff Excel!Ordinal43+0x00036bff
	006a59e0 Excel!Ordinal43+0x000359e0
	01479076 Excel!MdCallBack+0x0008257c
	006eec1e Excel!Ordinal43+0x0007ec1e
	006df6b7 Excel!Ordinal43+0x0006f6b7
	006dd7c3 Excel!Ordinal43+0x0006d7c3
	006d776a Excel!Ordinal43+0x0006776a
	006816f6 Excel!Ordinal43+0x000116f6
	0067124f Excel!Ordinal43+0x0000124f
	77642369 KERNEL32!BaseThreadInitThunk+0x00000019
	77b2e5bb ntdll!__RtlUserThreadStart+0x0000002b

Further, because of a malformed form in the HTML/XML content of the XLS file, the object gets deallocated:

0095aa6e 8b06         mov     eax, dword ptr [esi]
0095aa70 8bce         mov     ecx, esi
0095aa72 6a01         push    1
0095aa74 ff10         call    dword ptr [eax]

0:000> p
eax=52704a20 ebx=00000000 ecx=52704a20 edx=04360000 esi=52704a20 edi=00000000
eip=0095aa76 esp=0331fd50 ebp=0331fd60 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
Excel!Ordinal43+0x2eaa76:
0095aa76 5f              pop     edi
0:000> !heap -p -a 52704a20
	address 52704a20 found in
	_DPH_HEAP_ROOT @ 4361000
	in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
								   52700f70:         52704000             2000
	77f3adc2 verifier!AVrfDebugPageHeapFree+0x000000c2
	77bc99b3 ntdll!RtlDebugFreeHeap+0x0000003e
	77b0fabe ntdll!RtlpFreeHeap+0x000000ce
	77b0f986 ntdll!RtlpFreeHeapInternal+0x00000146
	77b0f3de ntdll!RtlFreeHeap+0x0000003e
	0c81dc9e mso20win32client!Ordinal456+0x0000008c
	00688491 Excel!Ordinal43+0x00018491
	0095aa76 Excel!Ordinal43+0x002eaa76
	00b85a23 Excel!Ordinal43+0x00515a23
	00b7e517 Excel!Ordinal43+0x0050e517
	01ca5cf6 Excel!MdCallBack+0x008af1fc
	01ca5788 Excel!MdCallBack+0x008aec8e
	00c4ad64 Excel!Ordinal43+0x005dad64
	00c4a335 Excel!Ordinal43+0x005da335
	01c7a0c2 Excel!MdCallBack+0x008835c8
	008385b7 Excel!Ordinal43+0x001c85b7
	008320eb Excel!Ordinal43+0x001c20eb
	01695625 Excel!MdCallBack+0x0029eb2b
	012970c6 Excel!MdCallBack12+0x005aff8d
	0129727a Excel!MdCallBack12+0x005b0141
	006a6bff Excel!Ordinal43+0x00036bff
	006a59e0 Excel!Ordinal43+0x000359e0
	01479076 Excel!MdCallBack+0x0008257c
	006eec1e Excel!Ordinal43+0x0007ec1e
	006df6b7 Excel!Ordinal43+0x0006f6b7
	006dd7c3 Excel!Ordinal43+0x0006d7c3
	006d776a Excel!Ordinal43+0x0006776a
	006816f6 Excel!Ordinal43+0x000116f6
	0067124f Excel!Ordinal43+0x0000124f
	77642369 KERNEL32!BaseThreadInitThunk+0x00000019
	77b2e5bb ntdll!__RtlUserThreadStart+0x0000002b
	77b2e58f ntdll!_RtlUserThreadStart+0x0000001b

Unfortunately, the pointer that refers to this object is not set to NULL after deallocation. Because of that, the subsequent checks protecting against re-use of this object are bypassed:

.text:0094CCD7 sub_94CCD7      proc near               ; DATA XREF: .rdata:024BD0D8?o
.text:0094CCD7                 mov     ecx, [ecx+14h]
.text:0094CCDA                 test    ecx, ecx
.text:0094CCDC                 jnz     sub_731B64
.text:0094CCE2                 xor     eax, eax
.text:0094CCE4                 retn
.text:0094CCE4 sub_94CCD7      endp

and the object gets re-used inside the following function:

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52704a20 edx=00000000 esi=00000000 edi=36126fa4
eip=00731b66 esp=0331fa3c ebp=0331fa68 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
Excel!Ordinal43+0xc1b66:
00731b66 f6410604        test    byte ptr [ecx+6],4         ds:0023:52704a26=??
	
0:000> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0331fa68 00cf64bb 3338efdc 00000010 36126fa4 Excel!Ordinal43+0xc1b66
01 0331fa88 014da897 28354fe4 00000001 36126fa4 Excel!MdCallBack12+0xf382
02 0331faa4 014da938 28354fe4 03320054 00000000 Excel!MdCallBack+0xe3d9d
03 0331fac0 00c5f3fa 03320054 0000039e ffffffff Excel!MdCallBack+0xe3e3e
04 0331fb44 00c5ec0a 50c10998 03320054 00000001 Excel!Ordinal43+0x5ef3fa
05 0331fb5c 00c5dfb0 50c10998 00000001 00000001 Excel!Ordinal43+0x5eec0a
06 0331fc34 00c5d58c 50c10998 00000000 0331fc9c Excel!Ordinal43+0x5edfb0
07 0331fc44 790aaa3f 028f2f78 03320000 50c10998 Excel!Ordinal43+0x5ed58c
08 0331fc9c 7905b84a 50c10998 590b9279 0000000a mso!Ordinal1328+0x10b8
09 0331fd10 79057fd2 50c10998 0331fda4 50c10918 mso!Ordinal2401+0x5e7
0a 0331fddc 79056c03 590b916d 03320000 04395ff0 mso!Ordinal8579+0xf84
0b 0331fe04 79056a3f 49954ff0 00000000 0331ff28 mso!Ordinal172+0x665
0c 0331fe14 00c4a9ce 50c10918 04395ff0 40902de8 mso!Ordinal172+0x4a1
0d 0331ff28 00c4a335 00000100 40902de8 00000003 Excel!Ordinal43+0x5da9ce
0e 0332aa54 01c7a0c2 00000000 21524fc8 40906de8 Excel!Ordinal43+0x5da335
0f 0332aa9c 008385b7 0333ad24 40902de8 00000002 Excel!MdCallBack+0x8835c8
10 0333b164 008320eb 00000000 00000000 00000002 Excel!Ordinal43+0x1c85b7
11 0333b1b8 01695625 00000000 00000000 00000002 Excel!Ordinal43+0x1c20eb
12 0333b204 012970c6 00000000 0150870c 002a067c Excel!MdCallBack+0x29eb2b
13 0333b2c8 0129727a 00000001 00001008 00000001 Excel!MdCallBack12+0x5aff8d
14 0333b358 006a6bff 00000001 00001008 00000001 Excel!MdCallBack12+0x5b0141
15 0333f530 006a59e0 0000000f 44312df0 00000105 Excel!Ordinal43+0x36bff
16 0333f5d0 01479076 0000000f 44312df0 00000105 Excel!Ordinal43+0x359e0
17 0333f684 006eec1e 00000105 00000000 00000001 Excel!MdCallBack+0x8257c
18 0333f73c 006df6b7 00000000 000080df 04395ff0 Excel!Ordinal43+0x7ec1e
19 0333fb18 006dd7c3 04395ff0 000080df 00000000 Excel!Ordinal43+0x6f6b7
1a 0333fb88 006d776a 04395ff0 0000008d 00600000 Excel!Ordinal43+0x6d7c3
1b 0333fcf0 006816f6 028fbe28 00000000 030f9000 Excel!Ordinal43+0x6776a
1c 0333ff04 0067124f 00670000 00000000 043b7fcc Excel!Ordinal43+0x116f6
1d 0333ff50 77642369 030f9000 77642350 0333ffbc Excel!Ordinal43+0x124f
1e 0333ff60 77b2e5bb 030f9000 28190e15 00000000 KERNEL32!BaseThreadInitThunk+0x19
1f 0333ffbc 77b2e58f ffffffff 77b73e1a 00000000 ntdll!__RtlUserThreadStart+0x2b
20 0333ffcc 00000000 006710bd 030f9000 00000000 ntdll!_RtlUserThreadStart+0x1b

Proper heap grooming can give an attacker full control of this use-after-free vulnerability and, as a result, could allow it to be turned into arbitrary code execution.
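The defect class described above, an owning pointer left dangling after its object is released so that a downstream NULL check no longer protects the access, is modelled in the following added example. This is not code from Talos or Microsoft: only the 0x5E0 allocation size, the pointer field at offset 0x14 and the flag test on `byte ptr [ecx+6] & 4` are taken from the advisory's listings; every struct and function name, and the toy tracking allocator that stands in for the page heap, are hypothetical. The consumer is written so that the read which faulted in Excel returns -1 instead of dereferencing freed memory, which keeps the program deterministic and makes the detection point explicit.

```c
/* Added example, not code from Talos or Microsoft: a toy model of an owner
 * that frees its child object without clearing its pointer. Only 0x5E0, the
 * 0x14 field offset and the [ecx+6] & 4 flag test come from the advisory;
 * all names and the tracking allocator below are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define OBJ_SIZE 0x5E0   /* size pushed before the allocation call in the advisory */

/* The 0x5E0-byte object; the flag byte at offset 6 models `test byte ptr [ecx+6],4`. */
typedef struct {
    uint8_t hdr[6];
    uint8_t flags;
    uint8_t pad[OBJ_SIZE - 7];
} child_t;

/* The owner. On the advisory's x86 build the pointer sits at offset 0x14
 * (`mov ecx, [ecx+14h]`); a 64-bit compiler pads it to 0x18, which does not
 * change the behaviour being demonstrated. */
typedef struct {
    uint8_t  reserved[0x14];
    child_t *child;
} owner_t;

/* Toy page heap: a released block is kept and marked FREED instead of being
 * handed to free(), so an access through a stale pointer is detected
 * deterministically (the role verifier's page heap plays in the advisory)
 * rather than being undefined behaviour. */
enum { BLOCK_UNKNOWN = 0, BLOCK_BUSY = 1, BLOCK_FREED = 2 };
typedef struct { void *addr; int state; } tracked_block_t;
static tracked_block_t g_blocks[16];
static int g_nblocks;

static child_t *child_alloc(void) {
    child_t *c = calloc(1, sizeof *c);
    if (!c || g_nblocks == 16) abort();
    g_blocks[g_nblocks++] = (tracked_block_t){ c, BLOCK_BUSY };
    return c;
}

static void child_release(child_t *c) {
    for (int i = 0; i < g_nblocks; i++)
        if (g_blocks[i].addr == c && g_blocks[i].state == BLOCK_BUSY) {
            g_blocks[i].state = BLOCK_FREED;
            return;
        }
    abort();   /* double free or foreign pointer */
}

/* Equivalent of `!heap -p -a <addr>`: BUSY, FREED or UNKNOWN for an address. */
static int block_state(const void *p) {
    for (int i = 0; i < g_nblocks; i++)
        if (g_blocks[i].addr == p) return g_blocks[i].state;
    return BLOCK_UNKNOWN;
}

static void heap_reset(void) {
    for (int i = 0; i < g_nblocks; i++) free(g_blocks[i].addr);
    g_nblocks = 0;
}

/* Buggy pattern from the advisory: release the child, leave owner->child as is. */
static void owner_drop_child_buggy(owner_t *o) { child_release(o->child); }

/* Fixed pattern: clear the owning pointer in the same step as the release. */
static void owner_drop_child_fixed(owner_t *o) { child_release(o->child); o->child = NULL; }

/* Consumer modelled on sub_94CCD7 -> sub_731B64. Returns 0 when the NULL test
 * short-circuits, the flag (1/0) for a live object, and -1 where the real code
 * faulted: the pointer passed the NULL test but names a freed block. */
static int owner_child_flag_set(const owner_t *o) {
    const child_t *c = o->child;                  /* mov ecx, [ecx+14h]      */
    if (c == NULL) return 0;                      /* test ecx, ecx / jnz     */
    if (block_state(c) != BLOCK_BUSY) return -1;  /* access violation above  */
    return (c->flags & 4) ? 1 : 0;                /* test byte ptr [ecx+6],4 */
}

/* Scenario driver: allocate a child with the flag set, optionally release it
 * the buggy or the fixed way, then return the consumer's verdict. */
enum { SCEN_LIVE, SCEN_BUGGY_RELEASE, SCEN_FIXED_RELEASE };
int run_scenario(int scenario) {
    owner_t o = {0};
    o.child = child_alloc();
    o.child->flags = 4;
    if (scenario == SCEN_BUGGY_RELEASE) owner_drop_child_buggy(&o);
    if (scenario == SCEN_FIXED_RELEASE) owner_drop_child_fixed(&o);
    int r = owner_child_flag_set(&o);
    heap_reset();
    return r;
}

int main(void) {
    printf("live object   -> %d (flag read from a live object)\n", run_scenario(SCEN_LIVE));
    printf("buggy release -> %d (NULL check bypassed, freed block reached)\n", run_scenario(SCEN_BUGGY_RELEASE));
    printf("fixed release -> %d (NULL check now protects the access)\n", run_scenario(SCEN_FIXED_RELEASE));
    return 0;
}
```

The -1 verdict is the point a page heap turns into the access violation seen in the crash output; without page heap the same read silently returns whatever now occupies the freed block, which is why such bugs surface only under Application Verifier or a fuzzing harness. The fixed variant removes the dangling reference at the release site, so the existing NULL test in the consumer does its job.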

Crash Information

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


KEY_VALUES_STRING: 1

	Key  : AV.Dereference
	Value: String

	Key  : AV.Fault
	Value: Read

	Key  : Analysis.CPU.Sec
	Value: 3

	Key  : Analysis.DebugAnalysisProvider.CPP
	Value: Create: 8007007e on DESKTOP-FIEQB1A

	Key  : Analysis.DebugData
	Value: CreateObject

	Key  : Analysis.DebugModel
	Value: CreateObject

	Key  : Analysis.Elapsed.Sec
	Value: 15

	Key  : Analysis.Memory.CommitPeak.Mb
	Value: 67

	Key  : Analysis.System
	Value: CreateObject

	Key  : Timeline.OS.Boot.DeltaSec
	Value: 24524

	Key  : Timeline.Process.Start.DeltaSec
	Value: 1501


NTGLOBALFLAG:  2000000

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

APPLICATION_VERIFIER_LOADED: 1

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00731b66 (Excel!Ordinal43+0x000c1b66)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 52704a26
Attempt to read from address 52704a26

FAULTING_THREAD:  00001b18

PROCESS_NAME:  Excel.exe

READ_ADDRESS:  52704a26 

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  52704a26

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0331fa68 00cf64bb 3338efdc 00000010 36126fa4 Excel!Ordinal43+0xc1b66
0331fa88 014da897 28354fe4 00000001 36126fa4 Excel!MdCallBack12+0xf382
0331faa4 014da938 28354fe4 03320054 00000000 Excel!MdCallBack+0xe3d9d
0331fac0 00c5f3fa 03320054 0000039e ffffffff Excel!MdCallBack+0xe3e3e
0331fb44 00c5ec0a 50c10998 03320054 00000001 Excel!Ordinal43+0x5ef3fa
0331fb5c 00c5dfb0 50c10998 00000001 00000001 Excel!Ordinal43+0x5eec0a
0331fc34 00c5d58c 50c10998 00000000 0331fc9c Excel!Ordinal43+0x5edfb0
0331fc44 790aaa3f 028f2f78 03320000 50c10998 Excel!Ordinal43+0x5ed58c
0331fc9c 7905b84a 50c10998 590b9279 0000000a mso!Ordinal1328+0x10b8
0331fd10 79057fd2 50c10998 0331fda4 50c10918 mso!Ordinal2401+0x5e7
0331fddc 79056c03 590b916d 03320000 04395ff0 mso!Ordinal8579+0xf84
0331fe04 79056a3f 49954ff0 00000000 0331ff28 mso!Ordinal172+0x665
0331fe14 00c4a9ce 50c10918 04395ff0 40902de8 mso!Ordinal172+0x4a1
0331ff28 00c4a335 00000100 40902de8 00000003 Excel!Ordinal43+0x5da9ce
0332aa54 01c7a0c2 00000000 21524fc8 40906de8 Excel!Ordinal43+0x5da335
0332aa9c 008385b7 0333ad24 40902de8 00000002 Excel!MdCallBack+0x8835c8
0333b164 008320eb 00000000 00000000 00000002 Excel!Ordinal43+0x1c85b7
0333b1b8 01695625 00000000 00000000 00000002 Excel!Ordinal43+0x1c20eb
0333b204 012970c6 00000000 0150870c 002a067c Excel!MdCallBack+0x29eb2b
0333b2c8 0129727a 00000001 00001008 00000001 Excel!MdCallBack12+0x5aff8d
0333b358 006a6bff 00000001 00001008 00000001 Excel!MdCallBack12+0x5b0141
0333f530 006a59e0 0000000f 44312df0 00000105 Excel!Ordinal43+0x36bff
0333f5d0 01479076 0000000f 44312df0 00000105 Excel!Ordinal43+0x359e0
0333f684 006eec1e 00000105 00000000 00000001 Excel!MdCallBack+0x8257c
0333f73c 006df6b7 00000000 000080df 04395ff0 Excel!Ordinal43+0x7ec1e
0333fb18 006dd7c3 04395ff0 000080df 00000000 Excel!Ordinal43+0x6f6b7
0333fb88 006d776a 04395ff0 0000008d 00600000 Excel!Ordinal43+0x6d7c3
0333fcf0 006816f6 028fbe28 00000000 030f9000 Excel!Ordinal43+0x6776a
0333ff04 0067124f 00670000 00000000 043b7fcc Excel!Ordinal43+0x116f6
0333ff50 77642369 030f9000 77642350 0333ffbc Excel!Ordinal43+0x124f
0333ff60 77b2e5bb 030f9000 28190e15 00000000 KERNEL32!BaseThreadInitThunk+0x19
0333ffbc 77b2e58f ffffffff 77b73e1a 00000000 ntdll!__RtlUserThreadStart+0x2b
0333ffcc 00000000 006710bd 030f9000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  ~0s ; .cxr ; kb

SYMBOL_NAME:  Excel!Ordinal43+c1b66

MODULE_NAME: Excel

IMAGE_NAME:  Excel.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!Ordinal43

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

FAILURE_ID_HASH:  {40392c8d-c128-d7d7-ec8e-63113b975295}

Followup:     MachineOwner
---------




0:000> lm a eip
Browse full module list
start    end        module name
00670000 02fe1000   Excel      (export symbols)       c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
0:000> lmv a eip
Browse full module list
start    end        module name
00670000 02fe1000   Excel      (export symbols)       c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
	Loaded symbol image file: c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
	Image path: Excel.exe
	Image name: Excel.exe
	Browse all global symbols  functions  data
	Timestamp:        Tue Nov 19 09:26:08 2019 (5DD3A720)
	CheckSum:         029756CD
	ImageSize:        02971000
	File version:     16.0.11328.20480
	Product version:  16.0.11328.20480
	File flags:       0 (Mask 3F)
	File OS:          40004 NT Win32
	File type:        1.0 App
	File date:        00000000.00000000
	Translations:     0000.04e4
	Information from resource tables:
		CompanyName:      Microsoft Corporation
		ProductName:      Microsoft Office
		InternalName:     Excel
		OriginalFilename: Excel.exe
		ProductVersion:   16.0.11328.20480
		FileVersion:      16.0.11328.20480
		FileDescription:  Microsoft Excel

Timeline

2019-12-02 - Vendor Disclosure
2020-02-11 - Vendor patch and Public Release
