Microsoft Office 2007 - 'mso.dll' Use-After-Free (MS15-081)







Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.



The following crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled and application verified was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86.

The attached minimized PoC that produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard office document parsers did not reveal any significance about this location.

Attached files:

Fuzzed minimized PoC: 1567070353_min.doc
Fuzzed non-minimized PoC: 1567070353_crash.doc
Original non-fuzzed file: 1567070353_orig.doc

DLL Versions:
mso.dll: 12.0.6721.5000
wwlib.dll: 12.0.6720.5000

Observed Crash:
eax=00000001 ebx=00000004 ecx=0189ff18 edx=00000019 esi=32646a30 edi=0db0eff8
eip=32fbca76 esp=0012bc98 ebp=0012bcb8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202

32fbca73 8b7df8          mov     edi,dword ptr [ebp-8]
=> 32fbca76 f6470201        test    byte ptr [edi+2],1         ds:0023:0db0effa=??
32fbca7a 7419            je      mso!Ordinal2690+0x476 (32fbca95)
32fbca7c 833e07          cmp     dword ptr [esi],7
32fbca7f 7414            je      mso!Ordinal2690+0x476 (32fbca95)
32fbca81 8b4508          mov     eax,dword ptr [ebp+8]
32fbca84 6a20            push    20h
32fbca86 ff7010          push    dword ptr [eax+10h]
32fbca89 8d4dfc          lea     ecx,[ebp-4]
32fbca8c 51              push    ecx
32fbca8d ff10            call    dword ptr [eax]
32fbca8f 8127fffffeff    and     dword ptr [edi],0FFFEFFFFh

Stack Trace:
0:000> kb 8
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bcb8 32fbcdc3 0012be28 0d9f4fe8 00000000 mso!Ordinal2690+0x457
0012bccc 32fbce5b 0012be28 0d9f4fe8 0012be28 mso!Ordinal2690+0x7a4
0012bd20 32fbc93e 0012be28 0d9f4fe8 0ddceeb8 mso!Ordinal2690+0x83c
0012bd74 32fbcd73 0012be28 0d9f4fe8 0db2f45a mso!Ordinal2690+0x31f
0012bd94 316dfe8f 0dbe8e38 0012be28 317e9c10 mso!Ordinal2690+0x754
0012bdb0 317e9aa4 0012be08 00000000 00000000 wwlib!wdCommandDispatch+0xcd37
0012bde4 31980e8d 0012be08 000000b4 038b78bc wwlib!wdCommandDispatch+0x11694c
0012c07c 31980b0f 0db2c9c0 00000000 00000001 wwlib!wdCommandDispatch+0x2add35

In this crash the value being dereferenced in edi is free-ed memory:

0:000> !heap -p -a 0xdb0eff8
    address 0db0eff8 found in
    _DPH_HEAP_ROOT @ 1151000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    d9e5240:          db0e000             2000
    7c83e330 ntdll!RtlFreeHeap+0x0000011a
    0189fe9c vfbasics!AVrfpRtlFreeHeap+0x000000f8
    331039d5 mso!Ordinal1743+0x00002d4d
    329c91d1 mso!MsoFreePv+0x0000003f
    329c913c mso!Ordinal519+0x00000017
    32a54dcc mso!Ordinal320+0x00000021
    32bb6f2e mso!Ordinal379+0x00000eae

There is a 1-bit clear at the location specified by edi shortly after the faulting eip location as well making this an exploitable condition. 

Proof of Concept: