Source: https://code.google.com/p/google-security-research/issues/detail?id=171&can=1
The following access violation was observed in Microsoft Office 2007
(Word document):
(8c0.e68): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012dcf8 ebx=40000000 ecx=40000000 edx=0012de1c esi=40000000 edi=011f1400
eip=32881800 esp=0012d010 ebp=0012d038 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mso!Ordinal7799+0x2fc:
32881800 0fb74614 movzx eax,word ptr [esi+0x14] ds:0023:40000014=????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012d038 328a0a4e mso!Ordinal7799+0x2fc
0012ddd8 328a0a2c mso!Ordinal4388+0x1bc
0012dde4 320c337c mso!Ordinal4388+0x19a
0012de2c 320c330f wwlib!DllGetClassObject+0x850ba
0012de74 312db32b wwlib!DllGetClassObject+0x8504d
0012df1c 312dadf8 wwlib!FMain+0x96d7c
0012df84 312da84c wwlib!FMain+0x96849
0012e074 6be51b27 wwlib!FMain+0x9629d
0012e114 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e
0012e28c 6be5c94c MSPTLS!FsDestroyMemory+0x29982
0012e2d8 6be36d59 MSPTLS!FsDestroyMemory+0x29c73
0012e344 6be37f87 MSPTLS!FsDestroyMemory+0x4080
0012e450 6be4e8eb MSPTLS!FsDestroyMemory+0x52ae
0012e4e0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12
0012e584 6be4f362 MSPTLS!FsDestroyMemory+0x1c526
0012e624 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689
0012e7d8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3
0012e8ec 6be630b5 MSPTLS!FsDestroyMemory+0x30c6
0012e970 6be40ee2 MSPTLS!FsDestroyMemory+0x303dc
0012e9e4 6be63a7a MSPTLS!FsDestroyMemory+0xe209
Notes:
- Reproduce on Windows Server 2003 and Windows 7.
- The crash occurs due to an invalid read dereference of a bad object
pointer. If the word value read is controlled and set to a value other
than 0xFFFF, then a controlled value is used as an indirect call
target (at 328A1DD4 in MSO.dll 12.0.6683.5000).
- The bad object pointer is passed in to MSO.dll from wwlib.dll
(second argument of function at 328A0A16 in MSO.dll 12.0.6683.5000).
- The test-case reduces to a 50-bit difference from the original
sample document.
- The affected bits lie in the OneTableDocumentStream's data section,
as well as as PlcfSed's aCP[0] field and PNFKPPAPX[44]'s pn field.
- The copy operation at 3126A36C (wwlib.dll 12.0.6707.5000) uses a
source buffer from the OneTableDocumentStream's data section, and
copies this invalid data into a stack buffer. The bad object pointer
comes from this stack-based structure.
- Attached files: 037542f7_crash.rtf (crashing file),
037542f7_orig.doc (original file). A test case with full control of
the crashing register value (0xAAAAAAAA) is also attached
(037542f7_full.doc)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37966.zip