Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=949 Platform: Microsoft Office 2010 on Windows 7 x86 Class: heap memory corruption The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled. This crash appeared to be non-deterministic depending on memory layout and will not reproduce in all instances but the crash demonstrated a high degree of reliability. Attached files: 2581805226.ppt: fuzzed crashing file File versions: mso.dll: 14.0.7173.5000 gfx.dll: 14.0.7104.5000 oart.dll: 14.0.7169.5000 riched20.dll: 14.0.7155.5000 msptls.dll: 14.0.7164.5000 ((7ac.a64): Access violation - code c0000005 (first chance) eax=200bcf3a ebx=1febce30 ecx=1febce2c edx=77cf6b01 esi=1febce34 edi=1febce18 eip=66a19941 esp=0027008c ebp=002700d8 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 mso!Ordinal5429+0x376: 66a19941 0fb708 movzx ecx,word ptr [eax] ds:0023:200bcf3a=???? 66a1993c 8b4104 mov eax,dword ptr [ecx+4] ; Length 0x00200122 66a1993f 03c7 add eax,edi => 66a19941 0fb708 movzx ecx,word ptr [eax] ds:0023:200bcf3a=???? 66a19944 894dfc mov dword ptr [ebp-4],ecx 66a19947 8a55fd mov dl,byte ptr [ebp-3] 66a1994a 8855fc mov byte ptr [ebp-4],dl 66a1994d 884dfd mov byte ptr [ebp-3],cl 66a19950 66837dfc04 cmp word ptr [ebp-4],4 66a19955 0f85e0010000 jne mso!Ordinal5429+0x570 (66a19b3b) 66a1995b 8a08 mov cl,byte ptr [eax] 66a1995d 8a5001 mov dl,byte ptr [eax+1] 66a19960 8810 mov byte ptr [eax],dl 66a19962 884801 mov byte ptr [eax+1],cl 0:000> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 002700d8 66a19527 20099000 0000c000 2e010b53 mso!Ordinal5429+0x376 002701ac 66a19348 1febefa0 042109c7 042109c7 mso!Ordinal10199+0x2138 002701c8 66a192a9 00270240 042109c7 00000001 mso!Ordinal10199+0x1f59 00270288 66a18c32 042109c7 0027038c 00000004 mso!Ordinal10199+0x1eba 00270474 66a18bb5 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x1843 00270498 6b256c34 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x17c6 002704bc 6b2570e0 042109c7 1feeaff8 00000002 gfx!Ordinal980+0xa2 00270570 6b256bd4 0b558dc8 1feeaff8 00000002 gfx!Ordinal818+0x306 002705bc 67821180 002705fc 1feeaff8 00000002 gfx!Ordinal980+0x42 0027061c 67820b5a 00000002 1ba92e18 1feeaff8 oart!Ordinal2842+0xb6c 00270690 6781fed8 00000000 001f2ff0 00270924 oart!Ordinal2842+0x546 002706e0 61c2000c 00270724 00000000 00000000 oart!Ordinal7653+0x7d3 00270878 61c1f736 002708a8 00000000 00000064 riched20!RichListBoxWndProc+0x50da 002708b0 61c1edb1 00000000 0000ffff 00000000 riched20!RichListBoxWndProc+0x4804 002709a0 61c1e7ba 00000000 00000001 00000000 riched20!RichListBoxWndProc+0x3e7f 002709d4 6aa75d8c 0a7c1c38 00000000 00000000 riched20!RichListBoxWndProc+0x3888 00270a54 6aa6ef12 1f9b4ef8 00000000 00270c2c MSPTLS!LssbFIsSublineEmpty+0x16269 00270c5c 6aa54c98 0a7c3a78 00000000 00004524 MSPTLS!LssbFIsSublineEmpty+0xf3ef 00270c90 61c1c803 0a7c3a78 00000000 00004524 MSPTLS!LsCreateLine+0x23 00270db0 61c1c659 00000003 00000000 ffffffff riched20!RichListBoxWndProc+0x18d1 00270e08 61c0f36a 00271770 00000003 00000000 riched20!RichListBoxWndProc+0x1727 In this crash eax is pointing to an invalid memory region and is being dereferenced causing an access violation. There is a clear path to an out of bounds memory write shortly after the current crashing instruction. The value in eax came from edi + [ecx+4]. The value in [ecx+4] appears to a length with a single bit flipped, 0x00200122 instead of 0x00000122. The heap chunk allocated for this came from: 0:000> !heap -p -a 0x1febce18 address 1febce18 found in _DPH_HEAP_ROOT @ 71000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 1feb171c: 1febce18 1e2 - 1febc000 2000 6eac8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229 77d7616e ntdll!RtlDebugAllocateHeap+0x00000030 77d3a08b ntdll!RtlpAllocateHeap+0x000000c4 77d05920 ntdll!RtlAllocateHeap+0x0000023a 6fcdad1a vrfcore!VerifierSetAPIClassName+0x000000aa 6fc816ac vfbasics+0x000116ac 67080c59 mso!Ordinal9770+0x000078e2 66a19527 mso!Ordinal10199+0x00002138 Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41417.zip # Iranian Exploit DataBase = http://IeDb.Ir [2017-02-22]