Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability

Advisory ID Internal
CORE-2009-0827

1. Advisory Information

Title: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability
Advisory Id: CORE-2009-0827
Date published: 2010-02-09
Date of last update: 2010-02-08
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 38073
CVE Name: CVE-2010-0243

3. Vulnerability Description

A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user.

4. Vulnerable packages

  • Microsoft Office XP Service Pack 3
  • Microsoft Office 2004 for Mac

5. Non-vulnerable packages

  • Microsoft Office 2003 Service Pack 3
  • 2007 Microsoft Office System Service Pack 1
  • 2007 Microsoft Office System Service Pack 2
  • Microsoft Office 2008 for Mac
  • Open XML File Format Converter for Mac
  • Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2
  • Microsoft Office Word Viewer
  • PowerPoint Viewer 2007 Service Pack 1 and PowerPoint Viewer 2007 Service Pack 2
  • Visio Viewer 2007 Service Pack 1 and Visio Viewer 2007 Service Pack 2
  • Microsoft Works 8.5
  • Microsoft Works 9

6. Vendor Information, Solutions and Workarounds

Microsoft has addressed this vulnerability by issuing an update located at http://www.microsoft.com/technet/security/bulletin/MS10-003.msp

7. Credits

This vulnerability was discovered and researched by Damián Frizza from Core Security during Bugweek 2009.

8. Technical Description / Proof of Concept Code

8.1. Excel / Word - OfficeArtSpgr container - invalid recType value leads to attacker controlled pointer usage [MSRC 9368]

A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user.

The precise affected executable version we tested is Excel.exe v10.0.6854 and the DLL is mso.dll v10.0.6845

Likely attack vectors include:

  • Targeted attacks involving e-mailed malicious files combined with social engineering to entice the user to open the malicious attachment.
  • Targeted attacks involving malicious files hosted on a remote web site combined with social engineering to entice the user to open the malicious attachment.

The root cause description of the vulnerability is that there is no check to make sure that there is a valid group before loading the SPGR from the file.

A disassembly of the vulnerable code follows:

30BDE405 CMP ECX,0F003 30BDE40B JB mso.30EFD183 30BDE411 CMP ECX,0F004 30BDE417 JA mso.30BDE4C8 30BDE41D XOR ESI,ESI 30BDE41F LEA EAX,DWORD PTR SS:[EBP-8] 30BDE422 PUSH ESI 30BDE423 PUSH EAX 30BDE424 PUSH EDI 30BDE425 MOV ECX,EBX 30BDE427 CALL mso.30BDEC18 30BDE42C TEST EAX,EAX 30BDE42E JE mso.30EFD21A 30BDE434 MOV EDX,DWORD PTR SS:[EBP-8] 30BDE437 MOV EAX,DWORD PTR DS:[EDX+50] 30BDE43A TEST AL,10 30BDE43C JE mso.30BDE356 30BDE442 TEST AL,4 30BDE444 JE mso.30EFD21A 30BDE44A CMP WORD PTR DS:[EDX+24],SI 30BDE44E JNZ mso.30EFD21A 30BDE454 PUSH 23 30BDE456 LEA EDI,DWORD PTR DS:[EBX+90] 30BDE45C POP ECX 30BDE45D MOV ESI,EDX 30BDE45F LEA EAX,DWORD PTR DS:[EBX+F0] 30BDE465 ADD EDX,58 30BDE468 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 30BDE46A CMP DWORD PTR DS:[EAX],EDX 30BDE46C MOV DWORD PTR DS:[EBX+CC],EBX 30BDE472 JE mso.30EFD12E 30BDE478 MOV ECX,DWORD PTR DS:[EAX] 30BDE47A MOV DWORD PTR DS:[ECX],EAX ;*Access Violation On Write* registers eax=017f068c ebx=017f059c ecx=0e000e00 edx=017f0870 esi=017f08a4 edi=017f06b8 eip=30dd70cc esp=00137674 ebp=00137714 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

8.2. Memory Corruption related to Graphic Description [MSRC case 9562]

Core Security Technologies reported a second bug in Excel which resulted non exploitable. In its investigation, MSRC has analyzed BIFF5++, BIFF4, and BIFF2 file formats for exploitability of this vulnerability. MSRC has been unable to reproduce it in such a way that an exploitable condition occurs.

9. Report Timeline

  • 2009-09-04: Core Security Technologies notifies the Microsoft team of the vulnerability #1 and sends a Proof of Concept malformed file.
  • 2009-09-04: Microsoft acknowledges receipt of the vulnerability report, and opens MSRC case 9368 to track this issue.
  • 2009-09-07: Core sends a second Proof of Concept malformed file triggering vulnerability #2 in Excel 2000/2002.
  • 2009-09-08: The Microsoft team acknowledges receipt of the information and estimates that they will have more detailed information in two weeks.
  • 2009-09-11: The Microsoft team confirms that vulnerability #1 is exploitable. They inform us that they will send updated information on the fix release date as the investigation progresses.
  • 2009-09-14: Core acknowledges receipt of the previous mail from the Microsoft team and reminds them that the publication date proposed by Core is November 24th, 2009.
  • 2009-09-14: Core requests Microsoft's analysis of the second reported bug.
  • 2009-09-14: Microsoft confirms that the first bug reported on Excel is exploitable and that they are working on defining a ship date. Microsoft also states that the bug reported as MSRC case 9154 / CORE-2009-0504 is not exploitable and no security bulletin will be issued for that case.
  • 2009-09-16: Core notifies the Microsoft team that there has been a misunderstanding, and that the bug MSRC case 9154 / CORE-2009-0504 was dismissed as not exploitable in July 2009. Core sends again the Proof of Concepts for the two bugs reported as CORE-2009-0827.
  • 2009-09-17: Microsoft requests Core to hold off the publication of the advisory CORE-2009-0827 until Microsoft comes up with a plan to fix the vulnerability.
  • 2009-09-21: Core notifies the Microsoft team that it had made a mistake in the names of the Proof of Concept files that lead to further confusion. Core confirms that two new bugs were reported and that the third non-exploitable bug belongs to another previous case/advisory. The Excel Proof of Concept files are sent again including identifier CORE-2009-0827.
  • 2009-09-22: The Microsoft team acknowledges the clarification sent by Core and estimates that they will have a deeper analysis of the proof of concept #2 sent by Core in a few days.
  • 2009-10-26: Core sends a summary of the status of the reported vulnerabilities, and requests from Microsoft additional information about its technical analysis of the reported bugs (in particular concerning exploitability of the second bug) and about its schedule to produce fixes.
  • 2009-10-27: Microsoft confirms that they have reproduced the reported bugs, and communicates that they will be unable to release updates for these issues until February 9th, 2010.
  • 2009-10-28: Core communicates that it is willing to reschedule the publication of its advisory provided that Microsoft gives technical information that justifies this decision.
  • 2009-11-02: Microsoft explains that in general both the product team (in this case within Office) as well as MSRC Engineering team look for potential variant bugs for each vulnerability that is reported to them. This is followed by the development of a fix, and the testing of the fix. Microsoft states that it will be able to share additional technical information (requested by Core) about 3-4 weeks before release.
  • 2009-11-02: Core confirms that it will reschedule publication of its advisory to February 9th, 2010, and that it looks forward to receiving technical information about the vulnerabilities.
  • 2009-11-02: Microsoft acknowledges receipt of the previous communication.
  • 2009-11-03: Core asks whether Microsoft considers the two bugs that have been reported as variants of the same problem, or as different issues.
  • 2009-11-06: Microsoft replies that the vulnerability #2 has been lost in the mix, explains how MSRC triage officers assign MSRC tracking case numbers. The vulnerability #2 is assigned MSRC case 9562.
  • 2009-11-06: Core confirms that it considers the second bug (MSRC 9562) to be a different bug than MSRC 9368.
  • 2009-11-18: Microsoft sends a technical analysis of bug MSRC 9562, indicating that this bug causes Excel to crash safely.
  • 2009-12-02: Microsoft sends technical information about bug MSRC 9368, including the root cause of the problem and the list of affected versions.
  • 2009-12-16: Microsoft sends further analysis of bug MSRC 9562, which has been analyzed in conjunction with the reported bug MSRC case 9326 in Virtual PC. MSRC indicates that it has been unable to reproduce an exploitable condition using the Excel bug (MSRC 9562).
  • 2009-12-22: Core acknowledges receipt of the analysis of bug MSRC 9562, and agrees with the technical analysis.
  • 2009-12-18: Microsoft sends a spreadsheet summarising Core cases, which indicates that fixes are confirmed to be released on March 9th 2010.
  • 2009-12-21: Core acknowledges receipt of the technical information, and asks Microsoft whether the release of a fixed version has moved to March 9th 2010.
  • 2009-12-21: Microsoft replies that the ship date for the vulnerability MSRC 9368 in MSO.dll is still February 9th 2010 (the spreadsheet contained a clerical error).
  • 2010-02-01: Core requests MSRC the list of non vulnerable versions of Excel / Office, and a statement for the "vendor information" section of the advisory.
  • 2010-02-03: Microsoft sends the CVE identifier for the vulnerability, and the list of affected and non affected software.
  • 2010-02-09: The advisory CORE-2009-0827 is published.

10. References

[1] Microsoft Security Bulletin MS10-003
http://www.microsoft.com/technet/security/bulletin/MS10-003.msp

11. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: www.coresecurity.com/core-labs.

12. About Core Security 

Core Security develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. 

13. Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.