Microsoft Office 2007 MsoDrawingGroup rgChildRec invalid GlobalFree

Project Member Reported by hawkes@google.com, Sep 29 2014
The following access violation was observed in Microsoft Office 2007:

(b14.afc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=b50506e9 ecx=7ffdd000 edx=00160608 esi=00160000 edi=b50506e1
eip=7c87c9e1 esp=00135294 ebp=001352e8 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!RtlDebugFreeHeap+0x82:
7c87c9e1 0fb707          movzx   eax,word ptr [edi]       ds:0023:b50506e1=????

0:000> k
ChildEBP RetAddr
001352e8 7c85567a ntdll!RtlDebugFreeHeap+0x82
001353c0 7c83e448 ntdll!RtlFreeHeapSlowly+0x37
001354a4 77e5cc9a ntdll!RtlFreeHeap+0x11a
001354ec 30791b21 kernel32!GlobalFree+0x3b
0013550c 302d5fec Excel!Ordinal40+0x791b21
0013577c 302950a4 Excel!Ordinal40+0x2d5fec
00135790 302d5f4b Excel!Ordinal40+0x2950a4
001357c4 302d3469 Excel!Ordinal40+0x2d5f4b
001357fc 3043f21c Excel!Ordinal40+0x2d3469
00135a78 302b816f Excel!Ordinal40+0x43f21c
00135aa4 3013e745 Excel!Ordinal40+0x2b816f
00135b30 3013ce22 Excel!Ordinal40+0x13e745
00135d6c 3013dfeb Excel!Ordinal40+0x13ce22
0013bc4c 301284cb Excel!Ordinal40+0x13dfeb
0013e244 30127d70 Excel!Ordinal40+0x1284cb
0013e518 30128830 Excel!Ordinal40+0x127d70
0013e7d4 301aa633 Excel!Ordinal40+0x128830
0013faa4 301aa8a3 Excel!Ordinal40+0x1aa633
0013fab8 30030ae1 Excel!Ordinal40+0x1aa8a3
0013fd08 303da450 Excel!Ordinal40+0x30ae1

Notes:

- Reproduces on Windows Server 2003 and Windows 7.
- An invalid global memory object is being freed. This could be used to free an otherwise allocated global memory object, which could then be reallocated over an in-use chunk, resulting in memory corruption.
- The minimized sample commonly triggers a crash on IsBadReadPtr in an earlier GlobalLock that is called just prior to the GlobalFree seen above.
- The test case reduces to a 1-bit difference from the original sample document.
- The affected bit is in the "remainingData" field of the "rgChildRec" structure belonging to an MSODrawingGroup.
- Attached samples: c1efe67d_crash.xls (crashing file), c1efe67d_orig.xls (original file)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Project Member Comment 1 by hawkes@google.com, Sep 30 2014

Dec 29 2014
Fixed in https://technet.microsoft.com/library/security/ms14-083

Jan 13 2015

Jan 16 2015
Excel Viewer 2007 is also affected, but they did not issue a fix.