Microsoft Word Arbitrary Free Vulnerability

Advisory ID Internal
CORE-2008-0228

1. Advisory Information

Title: Microsoft Word Malformed FIB Arbitrary Free Vulnerability
Advisory ID: CORE-2008-0228
Advisory URL: https://www.coresecurity.com/core-labs/advisories/word-arbitrary-free
Date published: 2008-12-10
Date of last update: 2008-12-10
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information

Class: Arbitrary free
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 32580
CVE Name: CVE-2008-4024

3. Vulnerability Description

A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed record value. An attacker who successfully exploited this vulnerability could execute arbitrary code with the privileges of the user running the MS Word application.

More specifically, a Word file with a specially crafted lcbPlcfBkfSdt field value (offset 0x4f0) inside the File Information Block (FIB) can corrupt the heap structure on vulnerable Word versions and enable an arbitrary free with controlled values.

4. Vulnerable Packages

  • Microsoft Word 2000 Service Pack 3
  • Microsoft Word 2002 Service Pack 3

5. Non-vulnerable Packages

  • Microsoft Word 2003 Service Pack 3
  • Microsoft Word 2007

6. Vendor Information, Solutions and Workarounds

Microsoft has released patches for this vulnerability. For more information refer to the Microsoft Security Bulletin MS08-072 released on December 9th, 2008.

Microsoft recommends that customers apply the update immediately.

7. Credits

This vulnerability was discovered and researched by Ricardo Narvaja, from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.

8. Technical Description / Proof of Concept Code

A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. A Word file with a specially crafted lcbPlcfBkfSdt field value (offset 0x4f0) inside the File Information Block (FIB) can corrupt the heap structure on vulnerable Word versions, and enable an arbitrary free with controlled values. If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems with the privileges of the user running the MS Word application.

To construct a PoC file that demonstrates this bug it is sufficient to use Microsoft Word 2007 to generate a Word 97-2003 compatible .doc file, and then change the byte at offset 0x4f0, this is the lcbPlcfBkfSdt field value located inside the File Information Block (FIB). By simply changing this byte from 0 to 1, we obtain a file that will make vulnerable Word versions crash when closing the file. This can be improved to make Word crash when opening the file by changing some other values. This fact was detected using automated fuzzing.

In location 0x2b80, there is an arbitrary pointer that can be controlled to choose the address that will be used as parameter of a call to the free function __MsoPvFree. If the lcbPlcfBkfSdt value is 0, modifying this pointer has no effect. But if this value is 1, then modifying this arbitrary pointer will cause the free function to close the program.

The execution of __MsoPvFree is reached with two controlled values, the pointer that was directly changed in the .doc file and the contents of the memory position that it points to. That is, both of them are controlled, one directly and the other in an indirect manner, we can thus fully control the effect of the free function.

The exploitation of this bug depends on the construction of a file such that different arbitrary blocks are allocated when closing the file before free is called. However this scenario is complex due to the limitations of the __MsoPvFree API, including checks that make the exploitation difficult.

The vendor's analysis indicates that the root cause of this vulnerability is the processing of a PlfLfo structure that is read in from the file. It contains an array of Lfo objects. If any of those Lfo objects has a clfolvl value of 0 and a plfolvl (the previous 4 bytes) value that is non-zero, Word will attempt to free memory at plfolvl. This is because plfolvl is supposed to be overwritten with a valid pointer to allocated memory, but if clfolvl is 0 this initialization step is skipped. Later on cleanup code will check if plfolvl has a non-zero value and if so, attempt to free the memory chunk it points to.

A Proof of Concept .doc file which makes Word 2000 and Word 2002 crash (WINWORD.EXE, main thread, module MS09).

9. Report Timeline

  • 2008-03-13: Core notifies the vendor of the vulnerability and sends the advisory draft. The advisory's publication is preliminary set to April 14th, 2008.
  • 2008-03-13: Vendor acknowledges notification.
  • 2008-03-31: Core requests information concerning Microsoft's plans to fix the vulnerability (no reply received).
  • 2008-04-16: Core requests again information concerning Microsoft's schedule to produce a fix. The advisory publication is rescheduled for May 12th, 2008.
  • 2008-04-25: Vendor informs that they are wrapping up the investigation and threat model analysis and that fixes will not be included in the Word Security Bulletin of May. Vendor estimates that it will take a few months to produce and test a fix for the vulnerability. Vendor promises an update on May 23th.
  • 2008-04-25: Core sends additional information with low level details of the vulnerability.
  • 2008-04-28: Core requests the vendor details about the schedule for the vulnerability fix in order to coordinate the publication of the advisory (no reply received).
  • 2008-05-28: Core requests again details about the vulnerability fix schedule (no reply received).
  • 2008-06-02: Core requests again details about the vulnerability fix schedule, root cause of the problem and confirmation of vulnerable versions. Core reschedules the publication of the advisory for June 11th, 2008 as "user release" (no reply received).
  • 2008-06-13: In another attempt to coordinate the publication of the advisory with the release of a fixed version, Core reschedules publication for the second Wednesday of July, under "user release" mode. The latest advisory version is sent to the vendor.
  • 2008-06-17: Vendor apologies for having mistakenly marked this issue as "no action until 6/23". Vendor informs that they are working on a fix plan and promises more information to be sent on Monday June 23rd.
  • 2008-06-27: Core requests the vendor the expected details on the vulnerability fix schedule.
  • 2008-07-03: Vendor thanks Core for holding on the publication of this vulnerability, and informs that the issue described in advisory CORE-2008-0228 is marked to be addressed in October 2008. It also informs that they don't have reports of the vulnerability being exploited in the wild.
  • 2008-07-08: Vendor informs that they have binaries available to pre-test the potential fixes.
  • 2008-07-08: Core asks for the patches to pre-test and informs the vendor that publication date of the advisory will be revisited.
  • 2008-07-23: Core sends the vendor an updated version of the advisory and PoC files.
  • 2008-08-26: Core requests the vendor a more precise date for the release of fixes in October.
  • 2008-08-29: Vendor informs that they are tentatively targeting October 14th, and that patches will be sent to Core for inspection the following week.
  • 2008-08-29: Core acknowledges reception of the previous mail.
  • 2008-09-30: Vendor informs that the planned release of the fix for this vulnerability has slipped out to December 11th. Vendor supplies Core a draft of their own security bulletin and a copy of the Office 2000 update fixing the bug.
  • 2008-10-01: Core confirms the vendor that after private discussions the advisory will be published in December 9th (second Tuesday of the month).
  • 2008-10-01: Vendor confirms that the release date of fixes is December 9th and supplies Core with a copy of their own security bulletin and a copy of the Office XP update fixing the bug.
  • 2008-10-20: Core confirms that it intends to publish the advisory CORE-2008-0228 on December 9th as previously established.
  • 2008-11-11: Vendor confirms it is still on track to publish this fix for December 9th.
  • 2008-11-11: Core informs the vendor that the patch was tested and works on Office XP (i.e. the crash avoided) and confirms that it intends to publish advisory CORE-2008-0228 on December 9th as previously established by both parties.
  • 2008-12-04: Core sends the final draft of the advisory to the vendor.
  • 2008-12-09: Microsoft Security Bulletin MS08-072 is released.
  • 2008-12-10: Advisory CORE-2008-0228 is published.

10. References

[1] Word 97-2007 Binary File Format (*.doc) Specification
http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf
 

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at https://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team.