Recently the McAfee IPS Research Team informed Microsoft about a potential remote code execution vulnerability in Office 2016 that McAfee discovered in March. Microsoft released a patch for this vulnerability this week with CVE-2017-8630. In this post, we will briefly discuss the vulnerability and its exploitability.
While auditing PowerPoint, we came across an interesting application crash. The stack trace looked like this:
When we disassembled the crash point we noticed something interesting.
We saw the access violation occurred at address 0x6631508d. And at address 0x66315090 we noticed a call instruction. From these instructions it appeared the code was trying to call a virtual function from the vtable of an object. To make sure, we quickly enabled a page heap for PowerPoint and tried to reproduce the issue.
The page heap made it clear that the issue was a dangling pointer, a “use after free” case. The preceding screenshot shows that the object being accessed was already free. Although we identified the issue while examining PowerPoint, digging further reveals the issue lies in some Office 2016 shared functionality. The problem affects not only PowerPoint, but other applications as well. On September 12 Microsoft published a patch confirming that Office 2016 (32-bit and 64-bit editions) is affected by this problem.
Triggering the Condition
This use-after-free condition is not easy to trigger. When we open the proof-of-concept file in PowerPoint, several pop-up windows appear. We need to choose a specific set of options to exploit the vulnerability. The time gap between choosing the options also matters.
After several trials, we noticed the object is freed when we suppress the first pop-up and select OK. The object reuse happens when selecting the Repair option in the second window. This sequence is very helpful when we move to exploit this vulnerability.
Our exploitation strategy was the same as for any other use-after-free vulnerability. However, due to the absence of an interactive engine in Office, preparing the memory layout for the exploitation was challenging. In this case we used an ActiveX object to spray office memory and set up the desired memory layout. Two excellent papers explain how to prepare a desired memory layout to exploit Office.
- Spraying the heap in seconds using ActiveX controls in Microsoft Office, by Parvez
- Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability, by Dominic Wang
These papers discuss the technique mostly with Word. However, we ported the same technique to PowerPoint. The following diagram shows the exploitation strategy at a glance:
Preparing the Memory Layout
Our first step in preparing the memory layout is to make sure that controlled data is present at known addresses, such as 0x0a0a0a0a and 0x0c0c0c0c.
The preceding screen shows how to use heap spray to place our controlled data at a predictable address. Address 0x0a0a0a0a has the data 0xdebadeba and some no-operation slides. To be more specific, for exploitation we need an address that we control at 0x0a0a0a0a + 0x8.
The next challenge is to create a fake object in a PowerPoint process of the same size as our object. To make sure we can claim the same freed heap block for our fake object, we must spray the memory several times so that the heap manager forcefully places the fake object where the real object was situated. We must spray the memory with same size multiple times using the pattern 0x0a0a0a0a. Thus when the virtual function is called using the object under our control, it will dereference the value from our heap spray (as we performed in last section) at the address 0x0a0a0a0a + 0x8.
So far, we have not done anything to the PowerPoint file that triggers the use-after-free vulnerability. We have just set the stage on which we will perform the exploitation. Once we have everything in place, we carefully port the heap-spraying code to the open XML file, which triggers the use after free.
The preceding screen shows, once everything is in right place, the register ecx pointing to the fake object. When it is dereferenced, we get a pointer to the fake vtable in eax.
McAfee highly recommends that Office 2016 users apply the patch shipped by Microsoft this month. This vulnerability resides in some shared features and can be exploited through different Office 2016 products. McAfee Network Security Platform IPS can catch some exploits with the help of Signature 0x45217b00.
The author thanks Bing Sun for his help with this post.