Heap Overflow in COleMemFile::LoadDiFatList

vendor:

by:

Project Zero

7.5

CVSS

HIGH

Heap Overflow

122

CWE

Product Name:

Affected Version From:

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

Heap Overflow in COleMemFile::LoadDiFatList

In COleMemFile::LoadDiFatList, values from the header are used to parse the document FAT. If header.csectDif is very high, the calculation overflows and a very small buffer is allocated. The document FAT is then memcpy'd onto the buffer directly from the input file being scanned, resulting in a heap overflow.

Mitigation:

Source

Exploit-DB raw data:

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=762

In COleMemFile::LoadDiFatList, values from the header are used to parse the document FAT. If header.csectDif is very high, the calculation overflows and a very small buffer is allocated.

The document FAT is then memcpy'd onto the buffer directly from the input file being scanned, resulting in a nice clean heap overflow.

This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM, the attached test cases should reproduce the problem reliably (this issue was found using trivial fuzzing). You can see this testcase has this->m_oleDocHeader.csectDif = 0x40000001, and so this->m_oleDocHeader.csectDif * this->diFATPerSect * 4 + 436 wraps to 0x3b0.

(b80.ad8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
script!CreateInstance+0x178ac:
00000000`0ac5a4bc 8901            mov     dword ptr [rcx],eax ds:00000000`0c79a1f0=????????
0:009> u
script!CreateInstance+0x178ac:
00000000`0ac5a4bc 8901            mov     dword ptr [rcx],eax
00000000`0ac5a4be 4d8bc8          mov     r9,r8
00000000`0ac5a4c1 49c1e905        shr     r9,5
00000000`0ac5a4c5 7550            jne     script!CreateInstance+0x17907 (00000000`0ac5a517)
00000000`0ac5a4c7 4d8bc8          mov     r9,r8
00000000`0ac5a4ca 49c1e903        shr     r9,3
00000000`0ac5a4ce 7414            je      script!CreateInstance+0x178d4 (00000000`0ac5a4e4)
00000000`0ac5a4d0 4883e908        sub     rcx,8
0:009> r
rax=00000000004e8400 rbx=000000000c782120 rcx=000000000c79a1f0
rdx=fffffffffffe99f8 rsi=000000000c7839f0 rdi=0000000000000017
rip=000000000ac5a4bc rsp=000000000d80e4b8 rbp=0000000000000bd6
 r8=00000000000001f8  r9=0000000000000000 r10=00000006ffffffff
r11=000000000c799ff8 r12=00000000000138a1 r13=000000000aea0000
r14=0000000000000000 r15=0000000000336b00
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
script!CreateInstance+0x178ac:
00000000`0ac5a4bc 8901            mov     dword ptr [rcx],eax ds:00000000`0c79a1f0=????????


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39603.zip