[NT] Microsoft Word Malformed FIB Arbitrary Free Vulnerability (MS08-072)






Microsoft Word Malformed FIB Arbitrary Free Vulnerability (MS08-072)
------------------------------------------------------------------------


SUMMARY

A vulnerability has been found in the way that Microsoft Word handles
specially crafted Word files. The vulnerability could allow remote code
execution if a user opens a specially crafted Word file that includes a
malformed record value. An attacker who successfully exploited this
vulnerability could execute arbitrary code with the privileges of the user
running the MS Word application.

More specifically, a Word file with a specially crafted 'lcbPlcfBkfSdt'
field value (at file offset '0x4f0' in the PoC file) inside the File
Information Block (FIB) corrupts the heap structure on vulnerable Word
versions and enables an arbitrary free with attacker-controlled values.

DETAILS

Vulnerable Systems:
* Microsoft Word 2000 Service Pack 3
* Microsoft Word 2002 Service Pack 3

Immune Systems:
* Microsoft Word 2003 Service Pack 3
* Microsoft Word 2007

Vendor Information, Solutions and Workarounds:
Microsoft has released patches for this vulnerability. For more
information refer to the Microsoft Security Bulletin MS08-072 released on
December 9th, 2008, available at
http://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx

Microsoft recommends that customers apply the update immediately.

Technical Description / Proof of Concept Code:
A vulnerability has been found in the way that Microsoft Word handles
specially crafted Word files. A Word file with a specially crafted
'lcbPlcfBkfSdt' field value (at file offset '0x4f0' in the PoC file)
inside the File Information Block (FIB) corrupts the heap structure on
vulnerable Word versions and enables an arbitrary free with
attacker-controlled values. If successfully exploited, this vulnerability
could allow an attacker to execute arbitrary code on vulnerable systems
with the privileges of the user running the MS Word application.

To construct a PoC file that demonstrates this bug it is sufficient to use
Microsoft Word 2007 to generate a Word 97-2003 compatible '.doc' file and
then change the byte at offset 0x4f0, which holds the 'lcbPlcfBkfSdt'
field value located inside the File Information Block (FIB). Simply
changing this byte from 0 to 1 yields a file that makes vulnerable Word
versions crash when the file is closed. By changing some other values the
file can be made to crash Word when it is opened instead. This behaviour
was found by automated fuzzing.

At file offset 0x2b80 there is a pointer that can be controlled to choose
the address that will be passed as the parameter of a call to the free
function '__MsoPvFree'. If the 'lcbPlcfBkfSdt' value is 0, modifying this
pointer has no effect. If this value is 1, modifying the pointer makes
Word crash inside the free function.

The call to '__MsoPvFree' is reached with two controlled values: the
pointer that was directly changed in the .doc file, and the contents of
the memory location it points to. Both are therefore controlled, one
directly and the other indirectly, so the effect of the free operation can
be fully controlled.

Exploiting this bug depends on constructing a file such that suitable
blocks are allocated when the file is closed, before 'free' is called.
This scenario is complex, however, because of the limitations of the
'__MsoPvFree' API, which performs checks that make exploitation difficult.

The vendor's analysis indicates that the root cause of this vulnerability
is the processing of a 'PlfLfo' structure that is read in from the file.
It contains an array of 'Lfo' objects. If any of those 'Lfo' objects has a
'clfolvl' value of 0 and a non-zero 'plfolvl' (the 4 bytes preceding
'clfolvl'), Word will attempt to free memory at 'plfolvl'. The reason is
that 'plfolvl' is supposed to be overwritten with a valid pointer to
allocated memory, but when 'clfolvl' is 0 this initialization step is
skipped and the bytes read from the file remain in place. Later, cleanup
code checks whether 'plfolvl' is non-zero and, if so, attempts to free the
memory chunk it points to.
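The following C program is an added illustration of the vendor's root-cause description above and of the "free with a controlled pointer" behaviour described earlier; it is constructed for this page and is not Word's code. It models the on-disk LFO record (lsid, unused1, unused2, clfolvl, ibstFltAutoNum, grfhic, unused3; 16 bytes) with the assumption, taken from the advisory, that the four bytes before 'clfolvl' are reused in memory as 'plfolvl'. The free routine is a stand-in for '__MsoPvFree' that records the address it was asked to release instead of touching memory, so the bogus free is observable without undefined behaviour. The 'hardened' flag shows the obvious fix: never let file bytes survive in a pointer slot.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an LFO record as Word keeps it in memory.  On disk
 * the 'plfolvl' slot is just 4 bytes ('unused2'); after parsing it is meant
 * to hold a pointer to an array of 'clfolvl' LFOLVL entries (assumption
 * based on the advisory, not on Word's real layout). */
typedef struct {
    uint32_t  lsid;
    uint32_t  unused1;
    uintptr_t plfolvl;        /* file bytes land here before initialization */
    uint8_t   clfolvl;        /* number of LFOLVL entries for this LFO */
    uint8_t   ibstFltAutoNum;
    uint8_t   grfhic;
    uint8_t   unused3;
} lfo_t;

#define LFO_DISK_SIZE 16
#define MAX_LFO       8

/* Bookkeeping so the "free" can be observed instead of executed blindly. */
static uintptr_t g_freed[MAX_LFO];   /* every address handed to pv_free */
static int       g_nfreed;
static void     *g_owned[MAX_LFO];   /* blocks our allocator really owns */
static int       g_nowned;

/* Stand-in for __MsoPvFree: log the request; only release blocks we own. */
static void pv_free(uintptr_t pv) {
    g_freed[g_nfreed++] = pv;
    for (int i = 0; i < g_nowned; i++) {
        if ((uintptr_t)g_owned[i] == pv) { free(g_owned[i]); g_owned[i] = NULL; return; }
    }
    /* A real free() on a pointer that never came from the heap is the bug. */
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse a PlfLfo (4-byte count followed by LFO records).  Returns the
 * number of LFOs, or -1 on a malformed buffer. */
static int load_plflfo(const uint8_t *buf, size_t len, lfo_t *lfos, int hardened) {
    if (len < 4) return -1;
    uint32_t n = rd32(buf);
    if (n > MAX_LFO || len < 4 + (size_t)n * LFO_DISK_SIZE) return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *rec = buf + 4 + i * LFO_DISK_SIZE;
        lfo_t *lfo = &lfos[i];
        lfo->lsid           = rd32(rec);
        lfo->unused1        = rd32(rec + 4);
        lfo->plfolvl        = rd32(rec + 8);   /* attacker-controlled bytes */
        lfo->clfolvl        = rec[12];
        lfo->ibstFltAutoNum = rec[13];
        lfo->grfhic         = rec[14];
        lfo->unused3        = rec[15];
        if (hardened) lfo->plfolvl = 0;        /* fix: clear before any use */
        if (lfo->clfolvl > 0) {                /* vulnerable: skipped when 0 */
            void *a = calloc(lfo->clfolvl, 16);
            if (!a) return -1;
            g_owned[g_nowned++] = a;
            lfo->plfolvl = (uintptr_t)a;
        }
    }
    return (int)n;
}

/* Cleanup as the advisory describes it: free anything that looks allocated. */
static void cleanup_plflfo(lfo_t *lfos, int n) {
    for (int i = 0; i < n; i++) {
        if (lfos[i].plfolvl) { pv_free(lfos[i].plfolvl); lfos[i].plfolvl = 0; }
    }
}

/* Build a constructed malformed PlfLfo (two LFOs; the second has clfolvl=0
 * and 0x41414141 in the pointer slot), run parse+cleanup, and return the
 * bogus address cleanup tried to free (0 if none). */
uintptr_t bogus_free_target(int hardened) {
    uint8_t buf[4 + 2 * LFO_DISK_SIZE];
    memset(buf, 0, sizeof buf);
    buf[0] = 2;                                   /* count = 2 */
    uint8_t *l0 = buf + 4, *l1 = buf + 4 + LFO_DISK_SIZE;
    l0[12] = 1;                                   /* LFO[0]: clfolvl = 1, normal */
    memset(l1 + 8, 0x41, 4);                      /* LFO[1]: plfolvl bytes */
    l1[12] = 0;                                   /* LFO[1]: clfolvl = 0 */

    lfo_t lfos[MAX_LFO];
    g_nfreed = 0; g_nowned = 0;
    int n = load_plflfo(buf, sizeof buf, lfos, hardened);
    if (n < 0) return 0;
    cleanup_plflfo(lfos, n);
    for (int i = 0; i < g_nfreed; i++)
        if (g_freed[i] == 0x41414141u) return g_freed[i];
    return 0;
}

int main(void) {
    printf("vulnerable: free(0x%lx)\n", (unsigned long)bogus_free_target(0));
    printf("hardened:   free(0x%lx)\n", (unsigned long)bogus_free_target(1));
    return 0;
}
```

In the vulnerable run the cleanup loop hands 0x41414141 straight to the free routine, which is the arbitrary free the advisory describes; with the pointer slot cleared before use, only the block allocated for the first LFO is released.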

A Proof of Concept '.doc' file which makes Word 2000 and Word 2002 crash
('WINWORD.EXE', main thread, module 'MS09') is available at [2]. An
illustrated explanation can be downloaded from Core's website (see
reference [3]).

Report Timeline:
2008-03-13: Core notifies the vendor of the vulnerability and sends the
advisory draft. The advisory's publication is preliminarily set for April
14th, 2008.
2008-03-13: Vendor acknowledges notification.
2008-03-31: Core requests information concerning Microsoft's plans to fix
the vulnerability (no reply received).
2008-04-16: Core requests again information concerning Microsoft's
schedule to produce a fix. The advisory publication is rescheduled for May
12th, 2008.
2008-04-25: Vendor informs that they are wrapping up the investigation and
threat model analysis and that fixes will not be included in the Word
Security Bulletin of May. Vendor estimates that it will take a few months
to produce and test a fix for the vulnerability. Vendor promises an update
on May 23rd.
2008-04-25: Core sends additional information with low level details of
the vulnerability.
2008-04-28: Core asks the vendor for details about the schedule for the
vulnerability fix in order to coordinate the publication of the advisory
(no reply received).
2008-05-28: Core requests again details about the vulnerability fix
schedule (no reply received).
2008-06-02: Core requests again details about the vulnerability fix
schedule, root cause of the problem and confirmation of vulnerable
versions. Core reschedules the publication of the advisory for June 11th,
2008 as "user release" (no reply received).
2008-06-13: In another attempt to coordinate the publication of the
advisory with the release of a fixed version, Core reschedules publication
for the second Wednesday of July, under "user release" mode. The latest
advisory version is sent to the vendor.
2008-06-17: Vendor apologizes for having mistakenly marked this issue as
"no action until 6/23". Vendor informs that they are working on a fix plan
and promises more information to be sent on Monday June 23rd.
2008-06-27: Core asks the vendor for the expected details on the
vulnerability fix schedule.
2008-07-03: Vendor thanks Core for holding on the publication of this
vulnerability, and informs that the issue described in advisory
CORE-2008-0228 is marked to be addressed in October 2008. It also informs
that they don't have reports of the vulnerability being exploited in the
wild.
2008-07-08: Vendor informs that they have binaries available to pre-test
the potential fixes.
2008-07-08: Core asks for the patches to pre-test and informs the vendor
that publication date of the advisory will be revisited.
2008-07-23: Core sends the vendor an updated version of the advisory and
PoC files.
2008-08-26: Core asks the vendor for a more precise date for the release
of fixes in October.
2008-08-29: Vendor informs that they are tentatively targeting October
14th, and that patches will be sent to Core for inspection the following
week.
2008-08-29: Core acknowledges reception of the previous mail.
2008-09-30: Vendor informs that the planned release of the fix for this
vulnerability has slipped to December 11th. Vendor supplies Core with a
draft of their own security bulletin and a copy of the Office 2000 update
fixing the bug.
2008-10-01: Core confirms to the vendor that, after private discussions,
the advisory will be published on December 9th (second Tuesday of the
month).
2008-10-01: Vendor confirms that the release date of fixes is December 9th
and supplies Core with a copy of their own security bulletin and a copy of
the Office XP update fixing the bug.
2008-10-20: Core confirms that it intends to publish the advisory
CORE-2008-0228 on December 9th as previously established.
2008-11-11: Vendor confirms it is still on track to publish this fix for
December 9th.
2008-11-11: Core informs the vendor that the patch was tested and works on
Office XP (i.e. the crash avoided) and confirms that it intends to publish
advisory CORE-2008-0228 on December 9th as previously established by both
parties.
2008-12-04: Core sends the final draft of the advisory to the vendor.
2008-12-09: Microsoft Security Bulletin MS08-072 is released.
2008-12-10: Advisory CORE-2008-0228 is published.

References:
[1] Word 97-2007 Binary File Format (*.doc) Specification
http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf
[2] Microsoft Word Arbitrary Free Vulnerability PoC
http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word-advisory-POC.doc
[3] Microsoft Word Arbitrary Free Vulnerability Explained
http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word.pdf

CVE Information:
CVE-2008-4024
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4024


ADDITIONAL INFORMATION

The information has been provided by CORE Security Technologies Advisories
<mailto:advisories@xxxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.coresecurity.com/content/word-arbitrary-free


