The following crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled for testing and reproduction. This sample also reproduced in Office 2010 running on Windows 7 x86. There may be difficulties triggering this crash multiple times if Office attempts to repair the document. You can rename the crashing file to a unique name with each open to prevent this.
The attached minimized PoC that produces the crash is a one-bit change from the original file at offset 0x744C. Standard Office document parsers did not reveal any significance about this location.
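The following triage helper is an added example, not part of the original bug report: it diffs a fuzzed sample against its original at bit level so the single-flip claim can be checked directly against 4180222857_orig.doc and 4180222857_crash.doc. The inline sample buffers are constructed (a fixed-seed byte string and a copy with one bit flipped at 0x744C); the file names are the report's attachments.

```python
import random
import sys
from pathlib import Path


def bit_diff(original: bytes, fuzzed: bytes):
    """Return [(byte_offset, bit_index, orig_byte, fuzzed_byte), ...] for
    every differing bit over the common prefix; bit 0 is the LSB."""
    diffs = []
    for off in range(min(len(original), len(fuzzed))):
        a, b = original[off], fuzzed[off]
        for bit in range(8):
            if (a ^ b) >> bit & 1:
                diffs.append((off, bit, a, b))
    return diffs


def minimization_report(original: bytes, fuzzed: bytes):
    """Summarise how far a fuzzed sample is from its original: bit flips in
    the common prefix plus whether the lengths match. 'minimal' means the
    same length and exactly one flipped bit, as claimed for the PoC above."""
    flips = bit_diff(original, fuzzed)
    same_length = len(original) == len(fuzzed)
    return {"same_length": same_length, "flips": flips,
            "minimal": same_length and len(flips) == 1}


def format_flip(flip):
    off, bit, a, b = flip
    return f"offset 0x{off:04X} bit {bit}: 0x{a:02X} -> 0x{b:02X}"


# Constructed stand-ins for the orig/crash attachments: a fixed-seed
# 0x8000-byte buffer and a copy with bit 3 of the byte at 0x744C flipped.
_rng = random.Random(0)
SAMPLE_ORIG = bytes(_rng.getrandbits(8) for _ in range(0x8000))
_crash = bytearray(SAMPLE_ORIG)
_crash[0x744C] ^= 0x08
SAMPLE_CRASH = bytes(_crash)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py original.doc crash.doc
        orig, fuzz = (Path(p).read_bytes() for p in sys.argv[1:3])
    else:
        orig, fuzz = SAMPLE_ORIG, SAMPLE_CRASH
    rep = minimization_report(orig, fuzz)
    for f in rep["flips"]:
        print(format_flip(f))
    print("same length:", rep["same_length"], "single-bit flip:", rep["minimal"])
```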
Attached files:
Fuzzed minimized PoC: 4180222857_crash.doc
Fuzzed non-minimized PoC: 4180222857_fuzz.doc
Original non-fuzzed file: 4180222857_orig.doc
DLL Versions:
fm20.dll: 12.0.6718.5000
wwlib.dll: 12.0.6720.5000
vbe6.dll: 6.5.10.54
vfbasics.dll: 4.0.665.0
There were four different crashes observed with this sample. The crash observed depends on the layout of the heap. In three of the four crash cases, values were being dereferenced from an invalid heap location to be used with a call instruction. Running winword.exe with Application Verifier enabled helped to stabilize the crashing condition and showed a clear picture of what was happening:
Observed Application Verifier crash:
(af4.a50): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1347cfb0 ebx=00000000 ecx=0189ff18 edx=00000020 esi=0fab4f60 edi=13440fa0
eip=31f156f6 esp=00128814 ebp=00128820 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
31f156f2 3bc3 cmp eax,ebx
31f156f4 740d je wwlib!DllCanUnloadNow+0x348fce (31f15703)
=> 31f156f6 8b08 mov ecx,dword ptr [eax] ds:0023:1347cfb0=????????
31f156f8 50 push eax
31f156f9 ff5108 call dword ptr [ecx+8]
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00128820 31f0e3a2 wwlib!DllCanUnloadNow+0x348fc1
00128838 31f0e37b wwlib!DllCanUnloadNow+0x341c6d
0012884c 318d6958 wwlib!DllCanUnloadNow+0x341c46
00128860 318d6921 wwlib!wdCommandDispatch+0x203800
00128878 318d68dd wwlib!wdCommandDispatch+0x2037c9
00128924 315e08d5 wwlib!wdCommandDispatch+0x203785
0012894c 31292ff7 wwlib!DllGetLCID+0x16bfff
Digging into the value used in eax shows that it points into a freed allocation:
0:000> !heap -p -a 0x1347cfb0
address 1347cfb0 found in
_DPH_HEAP_ROOT @ 1151000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
12f61340: 1347c000 2000
7c83e330 ntdll!RtlFreeHeap+0x0000011a
0189fe9c vfbasics!AVrfpRtlFreeHeap+0x000000f8
6003065d FM20!DllGetClassObject+0x0000d2ca
31f0e3a2 wwlib!DllCanUnloadNow+0x00341c6d
31f0e37b wwlib!DllCanUnloadNow+0x00341c46
318d6958 wwlib!wdCommandDispatch+0x00203800
318d6921 wwlib!wdCommandDispatch+0x002037c9
318d68dd wwlib!wdCommandDispatch+0x00203785
315e08d5 wwlib!DllGetLCID+0x0016bfff
31292ff7 wwlib!FMain+0x0004ea40
This bug is a use after free vulnerability that can lead to arbitrary code execution.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Owner: scvitti@google.com