Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=949
Platform: Microsoft Office 2010 on Windows 7 x86
Class: heap memory corruption
The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled. This crash appeared to be non-deterministic depending on memory layout and will not reproduce in all instances but the crash demonstrated a high degree of reliability.
Attached files:
2581805226.ppt: fuzzed crashing file
File versions:
mso.dll: 14.0.7173.5000
gfx.dll: 14.0.7104.5000
oart.dll: 14.0.7169.5000
riched20.dll: 14.0.7155.5000
msptls.dll: 14.0.7164.5000
((7ac.a64): Access violation - code c0000005 (first chance)
eax=200bcf3a ebx=1febce30 ecx=1febce2c edx=77cf6b01 esi=1febce34 edi=1febce18
eip=66a19941 esp=0027008c ebp=002700d8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mso!Ordinal5429+0x376:
66a19941 0fb708 movzx ecx,word ptr [eax] ds:0023:200bcf3a=????
66a1993c 8b4104 mov eax,dword ptr [ecx+4] ; Length 0x00200122
66a1993f 03c7 add eax,edi
=> 66a19941 0fb708 movzx ecx,word ptr [eax] ds:0023:200bcf3a=????
66a19944 894dfc mov dword ptr [ebp-4],ecx
66a19947 8a55fd mov dl,byte ptr [ebp-3]
66a1994a 8855fc mov byte ptr [ebp-4],dl
66a1994d 884dfd mov byte ptr [ebp-3],cl
66a19950 66837dfc04 cmp word ptr [ebp-4],4
66a19955 0f85e0010000 jne mso!Ordinal5429+0x570 (66a19b3b)
66a1995b 8a08 mov cl,byte ptr [eax]
66a1995d 8a5001 mov dl,byte ptr [eax+1]
66a19960 8810 mov byte ptr [eax],dl
66a19962 884801 mov byte ptr [eax+1],cl
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
002700d8 66a19527 20099000 0000c000 2e010b53 mso!Ordinal5429+0x376
002701ac 66a19348 1febefa0 042109c7 042109c7 mso!Ordinal10199+0x2138
002701c8 66a192a9 00270240 042109c7 00000001 mso!Ordinal10199+0x1f59
00270288 66a18c32 042109c7 0027038c 00000004 mso!Ordinal10199+0x1eba
00270474 66a18bb5 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x1843
00270498 6b256c34 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x17c6
002704bc 6b2570e0 042109c7 1feeaff8 00000002 gfx!Ordinal980+0xa2
00270570 6b256bd4 0b558dc8 1feeaff8 00000002 gfx!Ordinal818+0x306
002705bc 67821180 002705fc 1feeaff8 00000002 gfx!Ordinal980+0x42
0027061c 67820b5a 00000002 1ba92e18 1feeaff8 oart!Ordinal2842+0xb6c
00270690 6781fed8 00000000 001f2ff0 00270924 oart!Ordinal2842+0x546
002706e0 61c2000c 00270724 00000000 00000000 oart!Ordinal7653+0x7d3
00270878 61c1f736 002708a8 00000000 00000064 riched20!RichListBoxWndProc+0x50da
002708b0 61c1edb1 00000000 0000ffff 00000000 riched20!RichListBoxWndProc+0x4804
002709a0 61c1e7ba 00000000 00000001 00000000 riched20!RichListBoxWndProc+0x3e7f
002709d4 6aa75d8c 0a7c1c38 00000000 00000000 riched20!RichListBoxWndProc+0x3888
00270a54 6aa6ef12 1f9b4ef8 00000000 00270c2c MSPTLS!LssbFIsSublineEmpty+0x16269
00270c5c 6aa54c98 0a7c3a78 00000000 00004524 MSPTLS!LssbFIsSublineEmpty+0xf3ef
00270c90 61c1c803 0a7c3a78 00000000 00004524 MSPTLS!LsCreateLine+0x23
00270db0 61c1c659 00000003 00000000 ffffffff riched20!RichListBoxWndProc+0x18d1
00270e08 61c0f36a 00271770 00000003 00000000 riched20!RichListBoxWndProc+0x1727
In this crash eax is pointing to an invalid memory region and is being dereferenced causing an access violation. There is a clear path to an out of bounds memory write shortly after the current crashing instruction. The value in eax came from edi + [ecx+4]. The value in [ecx+4] appears to a length with a single bit flipped, 0x00200122 instead of 0x00000122. The heap chunk allocated for this came from:
0:000> !heap -p -a 0x1febce18
address 1febce18 found in
_DPH_HEAP_ROOT @ 71000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1feb171c: 1febce18 1e2 - 1febc000 2000
6eac8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77d7616e ntdll!RtlDebugAllocateHeap+0x00000030
77d3a08b ntdll!RtlpAllocateHeap+0x000000c4
77d05920 ntdll!RtlAllocateHeap+0x0000023a
6fcdad1a vrfcore!VerifierSetAPIClassName+0x000000aa
6fc816ac vfbasics+0x000116ac
67080c59 mso!Ordinal9770+0x000078e2
66a19527 mso!Ordinal10199+0x00002138
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41417.zip