CORE-2008-0228: Microsoft Word Malformed FIB Arbitrary Free Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Microsoft Word Malformed FIB Arbitrary Free Vulnerability
1. *Advisory Information*
Title: Microsoft Word Malformed FIB Arbitrary Free Vulnerability
Advisory ID: CORE-2008-0228
Advisory URL: http://www.coresecurity.com/content/word-arbitrary-free
Date published: 2008-12-10
Date of last update: 2008-12-10
Vendors contacted: Microsoft
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Arbitrary free
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: 29633
CVE Name: CVE-2008-4024
3. *Vulnerability Description*
A vulnerability has been found in the way that Microsoft Word handles
specially crafted Word files. The vulnerability could allow remote code
execution if a user opens a specially crafted Word file that includes a
malformed record value. An attacker who successfully exploited this
vulnerability could execute arbitrary code with the privileges of the
user running the MS Word application.
More specifically, a Word file with a specially crafted 'lcbPlcfBkfSdt'
field value (offset '0x4f0') inside the File Information Block (FIB) can
corrupt the heap structure on vulnerable Word versions and enable an
arbitrary free with controlled values.
4. *Vulnerable packages*
. Microsoft Word 2000 Service Pack 3
. Microsoft Word 2002 Service Pack 3
5. *Non-vulnerable packages*
. Microsoft Word 2003 Service Pack 3
. Microsoft Word 2007
6. *Vendor Information, Solutions and Workarounds*
Microsoft has released patches for this vulnerability. For more
information refer to the Microsoft Security Bulletin MS08-072 released
on December 9th, 2008, available at
http://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx
Microsoft recommends that customers apply the update immediately.
7. *Credits*
This vulnerability was discovered and researched by Ricardo Narvaja,
from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
A vulnerability has been found in the way that Microsoft Word handles
specially crafted Word files. A Word file with a specially crafted
'lcbPlcfBkfSdt' field value (offset '0x4f0') inside the File Information
Block (FIB) can corrupt the heap structure on vulnerable Word versions,
and enable an arbitrary free with controlled values. If successfully
exploited, this vulnerability could allow an attacker to execute
arbitrary code on vulnerable systems with the privileges of the user
running the MS Word application.
To construct a PoC file that demonstrates this bug it is sufficient to
use Microsoft Word 2007 to generate a Word 97-2003 compatible '.doc'
file, and then change the byte at offset 0x4f0, this is the
'lcbPlcfBkfSdt' field value located inside the File Information Block
(FIB). By simply changing this byte from 0 to 1, we obtain a file that
will make vulnerable Word versions crash when closing the file. This can
be improved to make Word crash when opening the file by changing some
other values. This fact was detected using automated fuzzing.
In location 0x2b80, there is an arbitrary pointer that can be controlled
to choose the address that will be used as parameter of a call to the
free function '__MsoPvFree'. If the 'lcbPlcfBkfSdt' value is 0,
modifying this pointer has no effect. But if this value is 1, then
modifying this arbitrary pointer will cause the free function to close
the program.
The execution of '__MsoPvFree' is reached with two controlled values,
the pointer that was directly changed in the .doc file and the contents
of the memory position that it points to. That is, both of them are
controlled, one directly and the other in an indirect manner, we can
thus fully control the effect of the free function.
The exploitation of this bug depends on the construction of a file such
that different arbitrary blocks are allocated when closing the file
before 'free' is called. However this scenario is complex due to the
limitations of the '__MsoPvFree' API, including checks that make the
exploitation difficult.
The vendor's analysis indicates that the root cause of this
vulnerability is the processing of a 'PlfLfo' structure that is read in
from the file. It contains an array of 'Lfo' objects. If any of those
'Lfo' objects has a 'clfolvl' value of 0 and a 'plfolvl' (the previous 4
bytes) value that is non-zero, Word will attempt to free memory at
'plfolvl'. This is because 'plfolvl' is supposed to be overwritten with
a valid pointer to allocated memory, but if 'clfolvl' is 0 this
initialization step is skipped. Later on cleanup code will check if
'plfolvl' has a non-zero value and if so, attempt to free the memory
chunk it points to.
A Proof of Concept '.doc' file which makes Word 2000 and Word 2002 crash
('WINWORD.EXE', main thread, module 'MS09') is available at [2]. An
illustrated explanation can be downloaded from Core's website (see
reference [3]).
9. *Report Timeline*
. 2008-03-13: Core notifies the vendor of the vulnerability and sends
the advisory draft. The advisory's publication is preliminary set to
April 14th, 2008.
. 2008-03-13: Vendor acknowledges notification.
. 2008-03-31: Core requests information concerning Microsoft's plans to
fix the vulnerability (no reply received).
. 2008-04-16: Core requests again information concerning Microsoft's
schedule to produce a fix. The advisory publication is rescheduled for
May 12th, 2008.
. 2008-04-25: Vendor informs that they are wrapping up the investigation
and threat model analysis and that fixes will not be included in the
Word Security Bulletin of May. Vendor estimates that it will take a few
months to produce and test a fix for the vulnerability. Vendor promises
an update on May 23th.
. 2008-04-25: Core sends additional information with low level details
of the vulnerability.
. 2008-04-28: Core requests the vendor details about the schedule for
the vulnerability fix in order to coordinate the publication of the
advisory (no reply received).
. 2008-05-28: Core requests again details about the vulnerability fix
schedule (no reply received).
. 2008-06-02: Core requests again details about the vulnerability fix
schedule, root cause of the problem and confirmation of vulnerable
versions. Core reschedules the publication of the advisory for June
11th, 2008 as "user release" (no reply received).
. 2008-06-13: In another attempt to coordinate the publication of the
advisory with the release of a fixed version, Core reschedules
publication for the second Wednesday of July, under "user release" mode.
The latest advisory version is sent to the vendor.
. 2008-06-17: Vendor apologies for having mistakenly marked this issue
as "no action until 6/23". Vendor informs that they are working on a fix
plan and promises more information to be sent on Monday June 23rd.
. 2008-06-27: Core requests the vendor the expected details on the
vulnerability fix schedule.
. 2008-07-03: Vendor thanks Core for holding on the publication of this
vulnerability, and informs that the issue described in advisory
CORE-2008-0228 is marked to be addressed in October 2008. It also
informs that they don't have reports of the vulnerability being
exploited in the wild.
. 2008-07-08: Vendor informs that they have binaries available to
pre-test the potential fixes.
. 2008-07-08: Core asks for the patches to pre-test and informs the
vendor that publication date of the advisory will be revisited.
. 2008-07-23: Core sends the vendor an updated version of the advisory
and PoC files.
. 2008-08-26: Core requests the vendor a more precise date for the
release of fixes in October.
. 2008-08-29: Vendor informs that they are tentatively targeting October
14th, and that patches will be sent to Core for inspection the following
week.
. 2008-08-29: Core acknowledges reception of the previous mail.
. 2008-09-30: Vendor informs that the planned release of the fix for
this vulnerability has slipped out to December 11th. Vendor supplies
Core a draft of their own security bulletin and a copy of the Office
2000 update fixing the bug.
. 2008-10-01: Core confirms the vendor that after private discussions
the advisory will be published in December 9th (second Tuesday of the
month).
. 2008-10-01: Vendor confirms that the release date of fixes is December
9th and supplies Core with a copy of their own security bulletin and a
copy of the Office XP update fixing the bug.
. 2008-10-20: Core confirms that it intends to publish the advisory
CORE-2008-0228 on December 9th as previously established.
. 2008-11-11: Vendor confirms it is still on track to publish this fix
for December 9th.
. 2008-11-11: Core informs the vendor that the patch was tested and
works on Office XP (i.e. the crash avoided) and confirms that it intends
to publish advisory CORE-2008-0228 on December 9th as previously
established by both parties.
. 2008-12-04: Core sends the final draft of the advisory to the vendor.
. 2008-12-09: Microsoft Security Bulletin MS08-072 is released.
. 2008-12-10: Advisory CORE-2008-0228 is published.
10. *References*
[1] Word 97-2007 Binary File Format (*.doc) Specification
http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf
[2] Microsoft Word Arbitrary Free Vulnerability PoC
http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word-advisory-POC.doc
[3] Microsoft Word Arbitrary Free Vulnerability Explained
http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word.pdf
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkk/32wACgkQyNibggitWa1twACfR4nlubY9KyYIN7ubBUnXlnm6
QgEAnRl3fbRhADlci+pJwDQGjrtj2bxs
=hR/7
-----END PGP SIGNATURE-----