CVE Certified

MOAUB #24 – Microsoft Excel OBJ Record Stack Overflow

24th September 2010 - by admin

Month of all User Bugs

Abysssec Research
1) Advisory information
Title Microsoft Excel OBJ Record Stack Overflow
Version Excell 2002 sp3
Discovery http://www.abysssec.com
Vendor http://www.microsoft.com
Impact Critical
Contact shahin [at] abysssec.com , info [at] abysssec.com
Twitter @abysssec
CVE CVE-2010-0822
2) Vulnerable version
Microsoft Open XML File Format Converter for Mac 0
Microsoft Office 2008 for Mac 0
Microsoft Office 2004 for Mac 0
Microsoft Excel 2002 SP3
+ Microsoft Office XP SP3
Microsoft Excel 2002 SP2
+ Microsoft Office XP SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Excel 2002 SP1
+ Microsoft Office XP SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Excel 2002
+ Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95 SR2
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Avaya Messaging Application Server MM 3.1
Avaya Messaging Application Server MM 3.0
Avaya Messaging Application Server MM 2.0
Avaya Messaging Application Server MM 1.1
Avaya Messaging Application Server 5
Avaya Messaging Application Server 4
Avaya Messaging Application Server 0
Avaya Meeting Exchange – Webportal 0
Avaya Meeting Exchange – Web Conferencing Server 0
Avaya Meeting Exchange – Streaming Server 0
Avaya Meeting Exchange – Recording Server 0
Avaya Meeting Exchange – Client Registration Server 0
3) Vulnerability information
Class 1- Code execution
Impact Attackers can exploit this issue by enticing an unsuspecting user to open a specially crafted Excel (‘.xls’) file. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application.
Remotely Exploitable Yes
Locally Exploitable Yes
4) Vulnerabilities detail

The OBJ record is equal to graphic objects and control objects like Line, Rectangular, CheckBox control and … in excel. OBJ record has various types that type of each record is distinguished by subrecords of the OBJ record. Structure of the subrecord is the same as record structure in the BIFF files. It means first 2bytes is the identity for subrecord. And next 2byes specify the length and bytes after that are data. Various subrecord are:

Subrecord   Number  Description
ftEnd       00h     End of OBJ record
(Reserved)  01h
(Reserved)  02h
(Reserved)  03h
ftMacro     04h     Fmla-style macro
ftButton    05h     Command button
ftGmo       06h     Group marker
ftCf        07h     Clipboard format
ftPioGrbit  08h     Picture option flags
ftPictFmla  09h     Picture fmla-style macro
ftCbls      0Ah     Check box link
ftRbo       0Bh     Radio button
ftSbs       0Ch     Scroll bar
ftNts       0Dh     Note structure
ftSbsFmla   0Eh     Scroll bar fmla-style macro
ftGboData   0Fh     Group box data
ftEdoData   10h     Edit control data
ftRboData   11h     Radio button data
ftCblsData  12h     Check box data
ftLbsData   13h     List box data
ftCblsFmla  14h     Check box link fmla-style macro
ftCmo       15h     Common object data

Always the first subrecord is ftCmo and the last one is ftEnd. Here are the fields of ftCmo:

Offset   Field Name         Size     Contents
0        ft                 2        =ftCmo (15h)
2        cb                 2        Length of ftCmo data
4        ot                 2        Object type (see following table)
6        id                 2        Object ID number
8        grbit              2        Option flags (see following table)
14      (Reserved)          12       Reserved; must be 0 (zero)

sub_30164E23 function is responsible for processing this record. the vulnerability we are going to show you is not exists in this function. This function store values related to subrecord into the buffer. In the next functions subrecord section is processed. One of the functions that process values subrecord fields is sub_3012FABC. This function process ftCmo fields:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
.text:3012FAC8                 mov     edi, [ebp+arg_0]
.text:3012FACB                 xor     esi, esi
.text:3012FACD                 cmp     dword_307E1FB4, esi
.text:3012FAD3                 mov     ebx, [edi+6]
.text:3012FAD6                 mov     [ebp+var_4], esi
.text:3012FAD9                 mov     [ebp+var_4C], esi
.text:3012FADC                 mov     [ebp+var_48], esi
.text:3012FADF                 mov     [ebp+var_44], esi
.text:3012FAE2                 mov     [ebp+var_40], esi
.text:3012FAE5                 ja      loc_30274818
.text:3012FAEB                 cmp     dword_307DB7A4, esi
.text:3012FAF1                 jnz     short loc_3012FAFB
.text:3012FAF3                 cmp     ebx, esi
.text:3012FAF5                 jnz     loc_30127293
...
.text:30127293                 push    dword ptr [ebx+4]
.text:30127296                 call    sub_30127263

First line pointer to some buffer containing the content of ftCmo subrecord is copied to the edi register. Then in next steps, sixth offset from this buffer is copied to ebx register. If you pay attention to the ftCmo structure, you will notice that from this offset 12bytes is reserved. So the result which copied to the ebx is the first 4bytes of this reserved value.

Now if you follow the code you notice that we can have a jump to address 30127293 which in this address value of ebx register ( can be initialize by us ) plus 4 is passed as an argument to the sub_30127263 function. in fact this point is the vulnerable point because of no check on this field.

In sub_30127263 function only argument (which we have specified) is added to 10 and is passed to the MSO_804 function.

1
2
3
4
5
6
7
8
.text:30127263                 push    ebp
.text:30127264                 mov     ebp, esp
.text:30127266                 mov     eax, [ebp+arg_0]
.text:30127269                 push    esi
.text:3012726A                 mov     esi, [eax+0Ah]
.text:3012726D                 push    esi
.text:3012726E                 call    MSO_804 [307D538C]
...

The only task that is performed in MSO_804 function is incrementing its argument by 60 and return its contents.

1
2
3
4
5
6
7
8
30E27FB0 #804       PUSH EBP
30E27FB1            MOV EBP,ESP
30E27FB3            MOV EAX,DWORD PTR SS:[EBP+8]
30E27FB6            TEST EAX,EAX
30E27FB8            JE mso.30C7A572
30E27FBE            MOV EAX,DWORD PTR DS:[EAX+3C]
30E27FC1            POP EBP
30E27FC2            RETN 4

Back to the sub_30127263 function, after executing the MSO_804 contents of return value of this function ( under our control) is stored in ecx register and a little bit more content of some offset from this register is called.

1
2
3
4
5
6
7
8
9
10
...
.text:30127274                 test    eax, eax
.text:30127276                 jz      short loc_3012728E
.text:30127278                 mov     ecx, [eax]
.text:3012727A                 lea     edx, [ebp+arg_0]
.text:3012727D                 push    edx
.text:3012727E                 push    0BEh
.text:30127283                 push    esi
.text:30127284                 push    eax
.text:30127285                 call    dword ptr [ecx+11Ch]

Here you see a comparison between vulnerable and patched version of Excel xp sp3. sub_30164D0 function store content of the ftCmo subrecord in to a buffer. As you see in the patched version first 4bytes of the 12bytes reserved value is set zero.

Exploit

we can change EIP value to our arbitrary value. The only thing we should perform is to change some of the values in excel to point the program executing call [ecx+11c] instruction. And because we have value of ecx we can control the execution flow.

On the other hand some of the registers points to our data in excel file so it is simple to set EIP to some call reg value and place our shellcode in a location of the file which that register points.

Check out the Microsoft Excel OBJ Record Stack Overflow Exploit.