Microsoft Office 2007 - Malformed Document Stack Buffer Overflow








The following access violation was observed in Microsoft Office 2007
(Word document):

(e24.e28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0583a748 ebx=00eb4684 ecx=003ad1a3 edx=00000000 esi=049860bc edi=00122238
eip=7814500a esp=001221e0 ebp=001221e8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
7814500a f3a5            rep  movsd ds:049860bc=???????? es:00122238=3348bcd8
0:000> k
ChildEBP RetAddr
001221e8 31249c0e MSVCR80!memcpy+0x5a
00122204 3126a371 wwlib!FMain+0x565f
00122220 3203de3c wwlib!FMain+0x25dc2
00122268 320dab4c wwlib!DllCanUnloadNow+0x56a6bb
00122280 31fc363f wwlib!DllGetClassObject+0x9c88a
0012229c 31f9acde wwlib!DllCanUnloadNow+0x4efebe
001222b4 31f9b0e5 wwlib!DllCanUnloadNow+0x4c755d
00122308 31bd68c2 wwlib!DllCanUnloadNow+0x4c7964
001223bc 3201a69b wwlib!DllCanUnloadNow+0x103141
00122a68 3129f4eb wwlib!DllCanUnloadNow+0x546f1a
00123b68 3129e8e5 wwlib!FMain+0x5af3c
00123bac 32073906 wwlib!FMain+0x5a336
00126d28 32073627 wwlib!DllGetClassObject+0x35644
0012b14c 32073294 wwlib!DllGetClassObject+0x35365
0012b19c 3209ac20 wwlib!DllGetClassObject+0x34fd2
0012e2f8 3208c781 wwlib!DllGetClassObject+0x5c95e
0012e31c 31314684 wwlib!DllGetClassObject+0x4e4bf
0012f580 320e04b7 wwlib!FMain+0xd00d5
0012f630 320e037f wwlib!DllGetClassObject+0xa21f5
0012f648 32812493 wwlib!DllGetClassObject+0xa20bd


- Reproduces on Windows Server 2003 and Windows 7

- The crash occurs due to a memcpy with an invalid source buffer.

- The invalid source buffer is actually indicative of an invalid size
being used in a pointer calculation at 3126A360 (wwlib.dll
12.0.6707.5000). This invalid size can also be seen in ecx at the time
of access violation.

- The large size parameter can result in a stack-based buffer overflow.

- Alternatively, if the copy operation succeeds (by using a size value
large enough to result in an out-of-bounds source buffer, but not so
large to cause an access violation during copy), then it is also
possible to get an arbitrary free from later usage of controlled
pointers in the destination buffer.

- The crashing test case was created using a chunk reordering
strategy, and does not cleanly minimize (106 bit change from original

- Attached files: 86ea4a3c_crash.rtf (crashing file),
86ea4a3c_orig.doc (original file)

Proof of Concept: