| Title | Microsoft Excel OBJ Record Stack Overflow |
| Version | Excell 2002 sp3 |
| Discovery | http://www.abysssec.com |
| Vendor | http://www.microsoft.com |
| Impact | Critical |
| Contact | shahin [at] abysssec.com , info [at] abysssec.com |
| @abysssec | |
| CVE | CVE-2010-0822 |
| Microsoft Open XML File Format Converter for Mac 0 |
| Microsoft Office 2008 for Mac 0 |
| Microsoft Office 2004 for Mac 0 |
| Microsoft Excel 2002 SP3 |
| + Microsoft Office XP SP3 |
| Microsoft Excel 2002 SP2 |
| + Microsoft Office XP SP2 |
| - Microsoft Windows 2000 Professional SP3 |
| - Microsoft Windows 2000 Professional SP2 |
| - Microsoft Windows 2000 Professional SP1 |
| - Microsoft Windows 2000 Professional |
| - Microsoft Windows 98 |
| - Microsoft Windows 98SE |
| - Microsoft Windows ME |
| - Microsoft Windows NT Workstation 4.0 SP6a |
| - Microsoft Windows NT Workstation 4.0 SP6 |
| - Microsoft Windows NT Workstation 4.0 SP5 |
| - Microsoft Windows NT Workstation 4.0 SP4 |
| - Microsoft Windows NT Workstation 4.0 SP3 |
| - Microsoft Windows NT Workstation 4.0 SP2 |
| - Microsoft Windows NT Workstation 4.0 SP1 |
| - Microsoft Windows NT Workstation 4.0 |
| - Microsoft Windows XP Home SP1 |
| - Microsoft Windows XP Home |
| - Microsoft Windows XP Professional SP1 |
| - Microsoft Windows XP Professional |
| Microsoft Excel 2002 SP1 |
| + Microsoft Office XP SP1 |
| - Microsoft Windows 2000 Advanced Server SP2 |
| - Microsoft Windows 2000 Advanced Server SP1 |
| - Microsoft Windows 2000 Advanced Server |
| - Microsoft Windows 2000 Datacenter Server SP2 |
| - Microsoft Windows 2000 Datacenter Server SP1 |
| - Microsoft Windows 2000 Datacenter Server |
| - Microsoft Windows 2000 Professional SP2 |
| - Microsoft Windows 2000 Professional SP1 |
| - Microsoft Windows 2000 Professional |
| - Microsoft Windows 2000 Server SP2 |
| - Microsoft Windows 2000 Server SP1 |
| - Microsoft Windows 2000 Server |
| - Microsoft Windows 2000 Terminal Services SP2 |
| - Microsoft Windows 2000 Terminal Services SP1 |
| - Microsoft Windows 2000 Terminal Services |
| - Microsoft Windows 98 |
| - Microsoft Windows 98SE |
| - Microsoft Windows ME |
| - Microsoft Windows NT Enterprise Server 4.0 SP6a |
| - Microsoft Windows NT Enterprise Server 4.0 SP6 |
| - Microsoft Windows NT Enterprise Server 4.0 SP5 |
| - Microsoft Windows NT Enterprise Server 4.0 SP4 |
| - Microsoft Windows NT Enterprise Server 4.0 SP3 |
| - Microsoft Windows NT Enterprise Server 4.0 SP2 |
| - Microsoft Windows NT Enterprise Server 4.0 SP1 |
| - Microsoft Windows NT Enterprise Server 4.0 |
| - Microsoft Windows NT Server 4.0 SP6a |
| - Microsoft Windows NT Server 4.0 SP6 |
| - Microsoft Windows NT Server 4.0 SP5 |
| - Microsoft Windows NT Server 4.0 SP4 |
| - Microsoft Windows NT Server 4.0 SP3 |
| - Microsoft Windows NT Server 4.0 SP2 |
| - Microsoft Windows NT Server 4.0 SP1 |
| - Microsoft Windows NT Server 4.0 |
| - Microsoft Windows NT Terminal Server 4.0 SP6 |
| - Microsoft Windows NT Terminal Server 4.0 SP5 |
| - Microsoft Windows NT Terminal Server 4.0 SP4 |
| - Microsoft Windows NT Terminal Server 4.0 SP3 |
| - Microsoft Windows NT Terminal Server 4.0 SP2 |
| - Microsoft Windows NT Terminal Server 4.0 SP1 |
| - Microsoft Windows NT Terminal Server 4.0 |
| - Microsoft Windows NT Workstation 4.0 SP6a |
| - Microsoft Windows NT Workstation 4.0 SP6 |
| - Microsoft Windows NT Workstation 4.0 SP5 |
| - Microsoft Windows NT Workstation 4.0 SP4 |
| - Microsoft Windows NT Workstation 4.0 SP3 |
| - Microsoft Windows NT Workstation 4.0 SP2 |
| - Microsoft Windows NT Workstation 4.0 SP1 |
| - Microsoft Windows NT Workstation 4.0 |
| - Microsoft Windows XP Home |
| - Microsoft Windows XP Professional |
| Microsoft Excel 2002 |
| + Microsoft Office XP |
| - Microsoft Windows 2000 Professional SP2 |
| - Microsoft Windows 2000 Professional SP1 |
| - Microsoft Windows 2000 Professional |
| - Microsoft Windows 95 SR2 |
| - Microsoft Windows 95 |
| - Microsoft Windows 98 |
| - Microsoft Windows 98SE |
| - Microsoft Windows ME |
| - Microsoft Windows NT 4.0 SP6a |
| - Microsoft Windows NT 4.0 SP5 |
| - Microsoft Windows NT 4.0 SP4 |
| - Microsoft Windows NT 4.0 SP3 |
| - Microsoft Windows NT 4.0 SP2 |
| - Microsoft Windows NT 4.0 SP1 |
| - Microsoft Windows NT 4.0 |
| Avaya Messaging Application Server MM 3.1 |
| Avaya Messaging Application Server MM 3.0 |
| Avaya Messaging Application Server MM 2.0 |
| Avaya Messaging Application Server MM 1.1 |
| Avaya Messaging Application Server 5 |
| Avaya Messaging Application Server 4 |
| Avaya Messaging Application Server 0 |
| Avaya Meeting Exchange – Webportal 0 |
| Avaya Meeting Exchange – Web Conferencing Server 0 |
| Avaya Meeting Exchange – Streaming Server 0 |
| Avaya Meeting Exchange – Recording Server 0 |
| Avaya Meeting Exchange – Client Registration Server 0 |
| Class | 1- Code execution |
| Impact | Attackers can exploit this issue by enticing an unsuspecting user to open a specially crafted Excel (‘.xls’) file. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. |
| Remotely Exploitable | Yes |
| Locally Exploitable | Yes |
The OBJ record is equal to graphic objects and control objects like Line, Rectangular, CheckBox control and … in excel. OBJ record has various types that type of each record is distinguished by subrecords of the OBJ record. Structure of the subrecord is the same as record structure in the BIFF files. It means first 2bytes is the identity for subrecord. And next 2byes specify the length and bytes after that are data. Various subrecord are:
ftEnd 00h End of OBJ record
(Reserved) 01h
(Reserved) 02h
(Reserved) 03h
ftMacro 04h Fmla-style macro
ftButton 05h Command button
ftGmo 06h Group marker
ftCf 07h Clipboard format
ftPioGrbit 08h Picture option flags
ftPictFmla 09h Picture fmla-style macro
ftCbls 0Ah Check box link
ftRbo 0Bh Radio button
ftSbs 0Ch Scroll bar
ftNts 0Dh Note structure
ftSbsFmla 0Eh Scroll bar fmla-style macro
ftGboData 0Fh Group box data
ftEdoData 10h Edit control data
ftRboData 11h Radio button data
ftCblsData 12h Check box data
ftLbsData 13h List box data
ftCblsFmla 14h Check box link fmla-style macro
ftCmo 15h Common object data
Always the first subrecord is ftCmo and the last one is ftEnd. Here are the fields of ftCmo:
0 ft 2 =ftCmo (15h)
2 cb 2 Length of ftCmo data
4 ot 2 Object type (see following table)
6 id 2 Object ID number
8 grbit 2 Option flags (see following table)
14 (Reserved) 12 Reserved; must be 0 (zero)
sub_30164E23 function is responsible for processing this record. the vulnerability we are going to show you is not exists in this function. This function store values related to subrecord into the buffer. In the next functions subrecord section is processed. One of the functions that process values subrecord fields is sub_3012FABC. This function process ftCmo fields:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | .text:3012FAC8 mov edi, [ebp+arg_0] .text:3012FACB xor esi, esi .text:3012FACD cmp dword_307E1FB4, esi .text:3012FAD3 mov ebx, [edi+6] .text:3012FAD6 mov [ebp+var_4], esi .text:3012FAD9 mov [ebp+var_4C], esi .text:3012FADC mov [ebp+var_48], esi .text:3012FADF mov [ebp+var_44], esi .text:3012FAE2 mov [ebp+var_40], esi .text:3012FAE5 ja loc_30274818 .text:3012FAEB cmp dword_307DB7A4, esi .text:3012FAF1 jnz short loc_3012FAFB .text:3012FAF3 cmp ebx, esi .text:3012FAF5 jnz loc_30127293 ... .text:30127293 push dword ptr [ebx+4] .text:30127296 call sub_30127263 |
First line pointer to some buffer containing the content of ftCmo subrecord is copied to the edi register. Then in next steps, sixth offset from this buffer is copied to ebx register. If you pay attention to the ftCmo structure, you will notice that from this offset 12bytes is reserved. So the result which copied to the ebx is the first 4bytes of this reserved value.
Now if you follow the code you notice that we can have a jump to address 30127293 which in this address value of ebx register ( can be initialize by us ) plus 4 is passed as an argument to the sub_30127263 function. in fact this point is the vulnerable point because of no check on this field.
In sub_30127263 function only argument (which we have specified) is added to 10 and is passed to the MSO_804 function.
1 2 3 4 5 6 7 8 | .text:30127263 push ebp .text:30127264 mov ebp, esp .text:30127266 mov eax, [ebp+arg_0] .text:30127269 push esi .text:3012726A mov esi, [eax+0Ah] .text:3012726D push esi .text:3012726E call MSO_804 [307D538C] ... |
The only task that is performed in MSO_804 function is incrementing its argument by 60 and return its contents.
1 2 3 4 5 6 7 8 | 30E27FB0 #804 PUSH EBP 30E27FB1 MOV EBP,ESP 30E27FB3 MOV EAX,DWORD PTR SS:[EBP+8] 30E27FB6 TEST EAX,EAX 30E27FB8 JE mso.30C7A572 30E27FBE MOV EAX,DWORD PTR DS:[EAX+3C] 30E27FC1 POP EBP 30E27FC2 RETN 4 |
Back to the sub_30127263 function, after executing the MSO_804 contents of return value of this function ( under our control) is stored in ecx register and a little bit more content of some offset from this register is called.
1 2 3 4 5 6 7 8 9 10 | ... .text:30127274 test eax, eax .text:30127276 jz short loc_3012728E .text:30127278 mov ecx, [eax] .text:3012727A lea edx, [ebp+arg_0] .text:3012727D push edx .text:3012727E push 0BEh .text:30127283 push esi .text:30127284 push eax .text:30127285 call dword ptr [ecx+11Ch] |
Here you see a comparison between vulnerable and patched version of Excel xp sp3. sub_30164D0 function store content of the ftCmo subrecord in to a buffer. As you see in the patched version first 4bytes of the 12bytes reserved value is set zero.
we can change EIP value to our arbitrary value. The only thing we should perform is to change some of the values in excel to point the program executing call [ecx+11c] instruction. And because we have value of ecx we can control the execution flow.
On the other hand some of the registers points to our data in excel file so it is simple to set EIP to some call reg value and place our shellcode in a location of the file which that register points.
Check out the Microsoft Excel OBJ Record Stack Overflow Exploit.