Microsoft Office 2007 - OneTableDocumentStream Invalid Object







Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.



The following access violation was observed in Microsoft Office 2007
(Word document):

(8c0.e68): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012dcf8 ebx=40000000 ecx=40000000 edx=0012de1c esi=40000000 edi=011f1400
eip=32881800 esp=0012d010 ebp=0012d038 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
32881800 0fb74614         movzx eax,word ptr [esi+0x14] ds:0023:40000014=????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012d038 328a0a4e mso!Ordinal7799+0x2fc
0012ddd8 328a0a2c mso!Ordinal4388+0x1bc
0012dde4 320c337c mso!Ordinal4388+0x19a
0012de2c 320c330f wwlib!DllGetClassObject+0x850ba
0012de74 312db32b wwlib!DllGetClassObject+0x8504d
0012df1c 312dadf8 wwlib!FMain+0x96d7c
0012df84 312da84c wwlib!FMain+0x96849
0012e074 6be51b27 wwlib!FMain+0x9629d
0012e114 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e
0012e28c 6be5c94c MSPTLS!FsDestroyMemory+0x29982
0012e2d8 6be36d59 MSPTLS!FsDestroyMemory+0x29c73
0012e344 6be37f87 MSPTLS!FsDestroyMemory+0x4080
0012e450 6be4e8eb MSPTLS!FsDestroyMemory+0x52ae
0012e4e0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12
0012e584 6be4f362 MSPTLS!FsDestroyMemory+0x1c526
0012e624 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689
0012e7d8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3
0012e8ec 6be630b5 MSPTLS!FsDestroyMemory+0x30c6
0012e970 6be40ee2 MSPTLS!FsDestroyMemory+0x303dc
0012e9e4 6be63a7a MSPTLS!FsDestroyMemory+0xe209


- Reproduce on Windows Server 2003 and Windows 7.

- The crash occurs due to an invalid read dereference of a bad object
pointer. If the word value read is controlled and set to a value other
than 0xFFFF, then a controlled value is used as an indirect call
target (at 328A1DD4 in MSO.dll 12.0.6683.5000).

- The bad object pointer is passed in to MSO.dll from wwlib.dll
(second argument of function at 328A0A16 in MSO.dll 12.0.6683.5000).

- The test-case reduces to a 50-bit difference from the original
sample document.

- The affected bits lie in the OneTableDocumentStream's data section,
as well as as PlcfSed's aCP[0] field and PNFKPPAPX[44]'s pn field.

- The copy operation at 3126A36C (wwlib.dll 12.0.6707.5000) uses a
source buffer from the OneTableDocumentStream's data section, and
copies this invalid data into a stack buffer. The bad object pointer
comes from this stack-based structure.

- Attached files: 037542f7_crash.rtf (crashing file),
037542f7_orig.doc (original file). A test case with full control of
the crashing register value (0xAAAAAAAA) is also attached

Proof of Concept: