CVSS2: 9.3 High (Attack Vector: NETWORK, Attack Complexity: MEDIUM, Authentication: NONE, Confidentiality Impact: COMPLETE, Integrity Impact: COMPLETE, Availability Impact: COMPLETE)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3: 8.8 High (Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: NONE, User Interaction: REQUIRED, Scope: UNCHANGED, Confidentiality Impact: HIGH, Integrity Impact: HIGH, Availability Impact: HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.047 Low (Percentile: 92.7%)
An exploitable use-after-free vulnerability exists in Excel in Microsoft Office Professional Plus 2016 x86, version 1909, build 12026.20334 and Microsoft Office 365 ProPlus x86, version 1902, build 11328.20480. A specially crafted XLS file can cause a use after free condition, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
Microsoft Office Professional Plus 2016 x86 - version 1909 build 12026.20334
Microsoft Office 365 ProPlus x86 - version 1902 build 11328.20480
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
This vulnerability is present in Microsoft Excel, part of the Microsoft Office suite of applications used in an office environment. Specifically, the vulnerability lies in the component responsible for handling the Microsoft® Office HTML and XML
format introduced in Microsoft Office 2000. A specially crafted XLS file written as well-formed HTML/XML tags can lead to a use-after-free vulnerability and remote code execution.
Tracking the object's life cycle, we can see that a constant-size allocation is made:
00711123 68e0050000 push 5E0h
00711128 e86e15f7ff call Excel!Ordinal43+0x1269b (0068269b)
eax=024fecfc ebx=00000000 ecx=52704a20 edx=00000000 esi=52704a20 edi=00000000
eip=0095aa74 esp=0331fd4c ebp=0331fd60 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
0:000> !heap -p -a 52704a20
address 52704a20 found in
_DPH_HEAP_ROOT @ 4361000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
52700f70: 52704a20 5e0 - 52704000 2000
? Excel!LinkASPPModelTable+7f9efe
77f3ab70 verifier!AVrfDebugPageHeapAllocate+0x00000240
77bc915b ntdll!RtlDebugAllocateHeap+0x00000039
77b133cd ntdll!RtlpAllocateHeap+0x000000ed
77b1207b ntdll!RtlpAllocateHeapInternal+0x000006db
77b11976 ntdll!RtlAllocateHeap+0x00000036
0c804256 mso20win32client!Ordinal951+0x000000a9
0c804211 mso20win32client!Ordinal951+0x00000064
00682827 Excel!Ordinal43+0x00012827
00682713 Excel!Ordinal43+0x00012713
006826ba Excel!Ordinal43+0x000126ba
0071112d Excel!Ordinal43+0x000a112d
00710d7f Excel!Ordinal43+0x000a0d7f
00730ea9 Excel!Ordinal43+0x000c0ea9
00c4a767 Excel!Ordinal43+0x005da767
00c4a335 Excel!Ordinal43+0x005da335
01c7a0c2 Excel!MdCallBack+0x008835c8
008385b7 Excel!Ordinal43+0x001c85b7
008320eb Excel!Ordinal43+0x001c20eb
01695625 Excel!MdCallBack+0x0029eb2b
012970c6 Excel!MdCallBack12+0x005aff8d
0129727a Excel!MdCallBack12+0x005b0141
006a6bff Excel!Ordinal43+0x00036bff
006a59e0 Excel!Ordinal43+0x000359e0
01479076 Excel!MdCallBack+0x0008257c
006eec1e Excel!Ordinal43+0x0007ec1e
006df6b7 Excel!Ordinal43+0x0006f6b7
006dd7c3 Excel!Ordinal43+0x0006d7c3
006d776a Excel!Ordinal43+0x0006776a
006816f6 Excel!Ordinal43+0x000116f6
0067124f Excel!Ordinal43+0x0000124f
77642369 KERNEL32!BaseThreadInitThunk+0x00000019
77b2e5bb ntdll!__RtlUserThreadStart+0x0000002b
Further, because of a malformed construct in the HTML/XML content of the XLS file, the object gets deallocated:
0095aa6e 8b06 mov eax, dword ptr [esi]
0095aa70 8bce mov ecx, esi
0095aa72 6a01 push 1
0095aa74 ff10 call dword ptr [eax]
0:000> p
eax=52704a20 ebx=00000000 ecx=52704a20 edx=04360000 esi=52704a20 edi=00000000
eip=0095aa76 esp=0331fd50 ebp=0331fd60 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
Excel!Ordinal43+0x2eaa76:
0095aa76 5f pop edi
0:000> !heap -p -a 52704a20
address 52704a20 found in
_DPH_HEAP_ROOT @ 4361000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
52700f70: 52704000 2000
77f3adc2 verifier!AVrfDebugPageHeapFree+0x000000c2
77bc99b3 ntdll!RtlDebugFreeHeap+0x0000003e
77b0fabe ntdll!RtlpFreeHeap+0x000000ce
77b0f986 ntdll!RtlpFreeHeapInternal+0x00000146
77b0f3de ntdll!RtlFreeHeap+0x0000003e
0c81dc9e mso20win32client!Ordinal456+0x0000008c
00688491 Excel!Ordinal43+0x00018491
0095aa76 Excel!Ordinal43+0x002eaa76
00b85a23 Excel!Ordinal43+0x00515a23
00b7e517 Excel!Ordinal43+0x0050e517
01ca5cf6 Excel!MdCallBack+0x008af1fc
01ca5788 Excel!MdCallBack+0x008aec8e
00c4ad64 Excel!Ordinal43+0x005dad64
00c4a335 Excel!Ordinal43+0x005da335
01c7a0c2 Excel!MdCallBack+0x008835c8
008385b7 Excel!Ordinal43+0x001c85b7
008320eb Excel!Ordinal43+0x001c20eb
01695625 Excel!MdCallBack+0x0029eb2b
012970c6 Excel!MdCallBack12+0x005aff8d
0129727a Excel!MdCallBack12+0x005b0141
006a6bff Excel!Ordinal43+0x00036bff
006a59e0 Excel!Ordinal43+0x000359e0
01479076 Excel!MdCallBack+0x0008257c
006eec1e Excel!Ordinal43+0x0007ec1e
006df6b7 Excel!Ordinal43+0x0006f6b7
006dd7c3 Excel!Ordinal43+0x0006d7c3
006d776a Excel!Ordinal43+0x0006776a
006816f6 Excel!Ordinal43+0x000116f6
0067124f Excel!Ordinal43+0x0000124f
77642369 KERNEL32!BaseThreadInitThunk+0x00000019
77b2e5bb ntdll!__RtlUserThreadStart+0x0000002b
77b2e58f ntdll!_RtlUserThreadStart+0x0000001b
Unfortunately, the pointer referring to this object is not set to NULL after deallocation. Because of that, the subsequent checks that protect against re-use of this object are bypassed:
.text:0094CCD7 sub_94CCD7 proc near ; DATA XREF: .rdata:024BD0D8?o
.text:0094CCD7 mov ecx, [ecx+14h]
.text:0094CCDA test ecx, ecx
.text:0094CCDC jnz sub_731B64
.text:0094CCE2 xor eax, eax
.text:0094CCE4 retn
.text:0094CCE4 sub_94CCD7 endp
and the object gets re-used inside the following function:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52704a20 edx=00000000 esi=00000000 edi=36126fa4
eip=00731b66 esp=0331fa3c ebp=0331fa68 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
Excel!Ordinal43+0xc1b66:
00731b66 f6410604 test byte ptr [ecx+6],4 ds:0023:52704a26=??
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0331fa68 00cf64bb 3338efdc 00000010 36126fa4 Excel!Ordinal43+0xc1b66
01 0331fa88 014da897 28354fe4 00000001 36126fa4 Excel!MdCallBack12+0xf382
02 0331faa4 014da938 28354fe4 03320054 00000000 Excel!MdCallBack+0xe3d9d
03 0331fac0 00c5f3fa 03320054 0000039e ffffffff Excel!MdCallBack+0xe3e3e
04 0331fb44 00c5ec0a 50c10998 03320054 00000001 Excel!Ordinal43+0x5ef3fa
05 0331fb5c 00c5dfb0 50c10998 00000001 00000001 Excel!Ordinal43+0x5eec0a
06 0331fc34 00c5d58c 50c10998 00000000 0331fc9c Excel!Ordinal43+0x5edfb0
07 0331fc44 790aaa3f 028f2f78 03320000 50c10998 Excel!Ordinal43+0x5ed58c
08 0331fc9c 7905b84a 50c10998 590b9279 0000000a mso!Ordinal1328+0x10b8
09 0331fd10 79057fd2 50c10998 0331fda4 50c10918 mso!Ordinal2401+0x5e7
0a 0331fddc 79056c03 590b916d 03320000 04395ff0 mso!Ordinal8579+0xf84
0b 0331fe04 79056a3f 49954ff0 00000000 0331ff28 mso!Ordinal172+0x665
0c 0331fe14 00c4a9ce 50c10918 04395ff0 40902de8 mso!Ordinal172+0x4a1
0d 0331ff28 00c4a335 00000100 40902de8 00000003 Excel!Ordinal43+0x5da9ce
0e 0332aa54 01c7a0c2 00000000 21524fc8 40906de8 Excel!Ordinal43+0x5da335
0f 0332aa9c 008385b7 0333ad24 40902de8 00000002 Excel!MdCallBack+0x8835c8
10 0333b164 008320eb 00000000 00000000 00000002 Excel!Ordinal43+0x1c85b7
11 0333b1b8 01695625 00000000 00000000 00000002 Excel!Ordinal43+0x1c20eb
12 0333b204 012970c6 00000000 0150870c 002a067c Excel!MdCallBack+0x29eb2b
13 0333b2c8 0129727a 00000001 00001008 00000001 Excel!MdCallBack12+0x5aff8d
14 0333b358 006a6bff 00000001 00001008 00000001 Excel!MdCallBack12+0x5b0141
15 0333f530 006a59e0 0000000f 44312df0 00000105 Excel!Ordinal43+0x36bff
16 0333f5d0 01479076 0000000f 44312df0 00000105 Excel!Ordinal43+0x359e0
17 0333f684 006eec1e 00000105 00000000 00000001 Excel!MdCallBack+0x8257c
18 0333f73c 006df6b7 00000000 000080df 04395ff0 Excel!Ordinal43+0x7ec1e
19 0333fb18 006dd7c3 04395ff0 000080df 00000000 Excel!Ordinal43+0x6f6b7
1a 0333fb88 006d776a 04395ff0 0000008d 00600000 Excel!Ordinal43+0x6d7c3
1b 0333fcf0 006816f6 028fbe28 00000000 030f9000 Excel!Ordinal43+0x6776a
1c 0333ff04 0067124f 00670000 00000000 043b7fcc Excel!Ordinal43+0x116f6
1d 0333ff50 77642369 030f9000 77642350 0333ffbc Excel!Ordinal43+0x124f
1e 0333ff60 77b2e5bb 030f9000 28190e15 00000000 KERNEL32!BaseThreadInitThunk+0x19
1f 0333ffbc 77b2e58f ffffffff 77b73e1a 00000000 ntdll!__RtlUserThreadStart+0x2b
20 0333ffcc 00000000 006710bd 030f9000 00000000 ntdll!_RtlUserThreadStart+0x1b
Proper heap grooming can give an attacker full control over this use-after-free vulnerability and, as a result, could allow it to be turned into arbitrary code execution.
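The defect pattern described above (an object freed while its owner keeps a non-NULL dangling pointer, so a NULL-check guard such as sub_94CCD7 passes and the freed memory is touched) can be modelled in a few lines of C. The following is an added example written for this page; it is not Excel's code and not the Application Verifier's implementation. The allocator, the `owner_t` record with its `obj` field standing in for `[ecx+14h]`, and the function names are all assumed for illustration. The toy page heap tracks a busy/free flag per block and reports a read of a freed block as a fault, which is what the verifier's DPH did in the advisory's crash.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a page-heap (Application Verifier "DPH") allocator. Each block
 * carries a busy flag so that a read of a freed block is reported as a fault
 * instead of silently returning stale bytes. Hypothetical; not the real DPH. */
#define POOL_BLOCKS 8
#define BLOCK_SIZE  0x5E0   /* same constant size the advisory shows pushed */

typedef struct {
    uint8_t data[BLOCK_SIZE];
    bool    busy;
} dph_block_t;

static dph_block_t g_pool[POOL_BLOCKS];

static dph_block_t *dph_alloc(void) {
    for (int i = 0; i < POOL_BLOCKS; i++) {
        if (!g_pool[i].busy) {
            g_pool[i].busy = true;
            memset(g_pool[i].data, 0, BLOCK_SIZE);
            return &g_pool[i];
        }
    }
    return NULL;
}

static void dph_free(dph_block_t *b) { b->busy = false; }

/* Models "test byte ptr [ecx+6],4": read one byte of the object. Returns -1
 * (the page heap's access violation) when the block has already been freed. */
static int dph_read_byte(const dph_block_t *b, size_t off) {
    if (!b->busy || off >= BLOCK_SIZE) return -1;
    return b->data[off];
}

/* Owner record: the `obj` field plays the role of [ecx+14h] in the advisory. */
typedef struct {
    uint8_t      pad[0x14];
    dph_block_t *obj;
} owner_t;

/* Guard mirroring sub_94CCD7: proceeds only when the pointer is non-NULL.
 * Returns 0 when guarded out, 1/0 for the flag bit, -1 on a faulting read. */
static int use_object_flag(const owner_t *o) {
    if (o->obj == NULL) return 0;           /* xor eax,eax ; retn */
    int b = dph_read_byte(o->obj, 6);       /* the read that faulted in Excel */
    if (b < 0) return -1;                   /* access violation */
    return (b & 4) ? 1 : 0;
}

/* Buggy teardown as the page describes: frees but leaves the pointer dangling. */
static void release_buggy(owner_t *o) {
    dph_free(o->obj);
}

/* Fixed teardown: clear the pointer so the existing guard catches later use. */
static void release_fixed(owner_t *o) {
    dph_free(o->obj);
    o->obj = NULL;
}

/* Guard result while the object is still alive: the flag bit is readable. */
static int alive_check(void) {
    owner_t owner;
    memset(&owner, 0, sizeof owner);
    owner.obj = dph_alloc();
    if (!owner.obj) return -2;
    owner.obj->data[6] = 4;
    int r = use_object_flag(&owner);
    release_fixed(&owner);
    return r;
}

/* Full lifecycle (alloc -> free -> guarded use) with either teardown. */
static int lifecycle(bool fixed) {
    owner_t owner;
    memset(&owner, 0, sizeof owner);
    owner.obj = dph_alloc();
    if (!owner.obj) return -2;
    owner.obj->data[6] = 4;
    if (fixed) release_fixed(&owner); else release_buggy(&owner);
    return use_object_flag(&owner);
}

int main(void) {
    printf("alive:  %d\n", alive_check());      /* 1: flag read normally   */
    printf("buggy:  %d\n", lifecycle(false));   /* -1: guard passed, fault */
    printf("fixed:  %d\n", lifecycle(true));    /* 0: guard stopped re-use */
    return 0;
}
```

The buggy path reproduces the advisory's sequence exactly: the free happens, the owner's pointer is still non-NULL, `jnz` takes the branch, and the byte test lands on a freed block, which the page heap reports as a read access violation at offset 6 (the same `52704a26` offset shown in the crash). Nulling the pointer in the teardown is the minimal change that makes the pre-existing NULL check effective; a full fix would also remove the release on the malformed-input path, but the page does not describe the vendor's patch so that is not modelled here.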
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Dereference
Value: String
Key : AV.Fault
Value: Read
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-FIEQB1A
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 15
Key : Analysis.Memory.CommitPeak.Mb
Value: 67
Key : Analysis.System
Value: CreateObject
Key : Timeline.OS.Boot.DeltaSec
Value: 24524
Key : Timeline.Process.Start.DeltaSec
Value: 1501
NTGLOBALFLAG: 2000000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
APPLICATION_VERIFIER_LOADED: 1
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00731b66 (Excel!Ordinal43+0x000c1b66)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 52704a26
Attempt to read from address 52704a26
FAULTING_THREAD: 00001b18
PROCESS_NAME: Excel.exe
READ_ADDRESS: 52704a26
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwołała się do pamięci pod adresem 0x%p. Pamięć nie może być %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 52704a26
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0331fa68 00cf64bb 3338efdc 00000010 36126fa4 Excel!Ordinal43+0xc1b66
0331fa88 014da897 28354fe4 00000001 36126fa4 Excel!MdCallBack12+0xf382
0331faa4 014da938 28354fe4 03320054 00000000 Excel!MdCallBack+0xe3d9d
0331fac0 00c5f3fa 03320054 0000039e ffffffff Excel!MdCallBack+0xe3e3e
0331fb44 00c5ec0a 50c10998 03320054 00000001 Excel!Ordinal43+0x5ef3fa
0331fb5c 00c5dfb0 50c10998 00000001 00000001 Excel!Ordinal43+0x5eec0a
0331fc34 00c5d58c 50c10998 00000000 0331fc9c Excel!Ordinal43+0x5edfb0
0331fc44 790aaa3f 028f2f78 03320000 50c10998 Excel!Ordinal43+0x5ed58c
0331fc9c 7905b84a 50c10998 590b9279 0000000a mso!Ordinal1328+0x10b8
0331fd10 79057fd2 50c10998 0331fda4 50c10918 mso!Ordinal2401+0x5e7
0331fddc 79056c03 590b916d 03320000 04395ff0 mso!Ordinal8579+0xf84
0331fe04 79056a3f 49954ff0 00000000 0331ff28 mso!Ordinal172+0x665
0331fe14 00c4a9ce 50c10918 04395ff0 40902de8 mso!Ordinal172+0x4a1
0331ff28 00c4a335 00000100 40902de8 00000003 Excel!Ordinal43+0x5da9ce
0332aa54 01c7a0c2 00000000 21524fc8 40906de8 Excel!Ordinal43+0x5da335
0332aa9c 008385b7 0333ad24 40902de8 00000002 Excel!MdCallBack+0x8835c8
0333b164 008320eb 00000000 00000000 00000002 Excel!Ordinal43+0x1c85b7
0333b1b8 01695625 00000000 00000000 00000002 Excel!Ordinal43+0x1c20eb
0333b204 012970c6 00000000 0150870c 002a067c Excel!MdCallBack+0x29eb2b
0333b2c8 0129727a 00000001 00001008 00000001 Excel!MdCallBack12+0x5aff8d
0333b358 006a6bff 00000001 00001008 00000001 Excel!MdCallBack12+0x5b0141
0333f530 006a59e0 0000000f 44312df0 00000105 Excel!Ordinal43+0x36bff
0333f5d0 01479076 0000000f 44312df0 00000105 Excel!Ordinal43+0x359e0
0333f684 006eec1e 00000105 00000000 00000001 Excel!MdCallBack+0x8257c
0333f73c 006df6b7 00000000 000080df 04395ff0 Excel!Ordinal43+0x7ec1e
0333fb18 006dd7c3 04395ff0 000080df 00000000 Excel!Ordinal43+0x6f6b7
0333fb88 006d776a 04395ff0 0000008d 00600000 Excel!Ordinal43+0x6d7c3
0333fcf0 006816f6 028fbe28 00000000 030f9000 Excel!Ordinal43+0x6776a
0333ff04 0067124f 00670000 00000000 043b7fcc Excel!Ordinal43+0x116f6
0333ff50 77642369 030f9000 77642350 0333ffbc Excel!Ordinal43+0x124f
0333ff60 77b2e5bb 030f9000 28190e15 00000000 KERNEL32!BaseThreadInitThunk+0x19
0333ffbc 77b2e58f ffffffff 77b73e1a 00000000 ntdll!__RtlUserThreadStart+0x2b
0333ffcc 00000000 006710bd 030f9000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: Excel!Ordinal43+c1b66
MODULE_NAME: Excel
IMAGE_NAME: Excel.exe
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!Ordinal43
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {40392c8d-c128-d7d7-ec8e-63113b975295}
Followup: MachineOwner
---------
0:000> lm a eip
Browse full module list
start end module name
00670000 02fe1000 Excel (export symbols) c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
0:000> lmv a eip
Browse full module list
start end module name
00670000 02fe1000 Excel (export symbols) c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Loaded symbol image file: c:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Image path: Excel.exe
Image name: Excel.exe
Browse all global symbols functions data
Timestamp: Tue Nov 19 09:26:08 2019 (5DD3A720)
CheckSum: 029756CD
ImageSize: 02971000
File version: 16.0.11328.20480
Product version: 16.0.11328.20480
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: Excel
OriginalFilename: Excel.exe
ProductVersion: 16.0.11328.20480
FileVersion: 16.0.11328.20480
FileDescription: Microsoft Excel
2019-12-02 - Vendor Disclosure
2020-02-11 - Vendor patch and Public Release