\x01 Preface
CVE-2017-11826
It is said that 360 discovered a vulnerability in XML format parsing at the end of September 2017. Microsoft later10
releasedCVE-2017-11826
a patch in September. The patch address is: https://portal.msrc.microsoft.com/en-US/security- guidance/advisory/CVE-2017-11826
- The cause of this vulnerability is that when parsing a closed element, the integrity of the element is not judged, resulting in the nesting relationship of the current element being added
1
. In this case,wwlib
when the module processes the closing tag, it will mistakenly use the address of the parent element 'sw:name
attribute+44
to make a virtual function call. By modifying the attribute, the attackerw:name
can make any address call. - Affected
Office
versions.
\x02 Debugging environment
- Operating system: Windows 7 + VMware
- Debugging tool: x64dbg
- Vulnerability sample: POC (extraction code: lxx6)
\x03 Debugging analysis
GitHub
Download the folder about the vulnerability fromCVE-2017-11826
, and after decompressing it, it is found that it contains decompresseddocx
files,README
documents, and Russian documents. I did not read the Russian document carefully, but it seems to be about exploiting the vulnerability.
XML
The file containing the vulnerability isdocument.xml
, and the file isword
under the path. Opendocument.xml
the file, and after analysis, it is found that the tag is closed<w:font>
using the tag, and the tag's attribute is a bit strange, and may be used to control the value of a certain address.</o:idmap>
<w:font>
w:name
- Recompress the decompressed
docx
file, and then use the registry to attach the debugger to prepare for debugging.
- After the attachment is completed, open the document containing the vulnerability and trigger an exception after running. The
call [ecx+4]
instruction is to use the virtual function table to call the virtual function, andecx
is the virtual function table pointer, which iswwlib.41249DA0
returned by the function.
- View the stack call and find the module used to process
XML
the formatmsxml
. The module assists in parsing the formatmsxml
by indirectly calling the module . For the time being, the function is designated as a vulnerable function.wwlib
XML
wwlib.3161309E
- Record a breakpoint on the vulnerable function and check the log content. It is found that the vulnerable function has been called
6
times. Based ondocument.xml
the analysis of the tag elements in the file, the vulnerable function is most likely used to parse element tags. As for what is parsed, it is still unclear. .
- Select the lower conditional breakpoint of the last call to the vulnerable function
esp
and analyze the vulnerability function processing flow.
- After the function is disconnected, it can be found from the parameters passed in that
esi
it may be a data structure that stores tag information.
- Step into this function, and the nesting relationship of the elements will be taken out at the position shown in the figure. At this time,
<o:idmap>
the label has been insertedw:font
after the label (with":"
the symbol as the separator). The tag is<w:font>
inserted when it is not closed<o:idmap>
, indicating that the nested relationship has been incorrectly parsed.
- When debugging to the address , it was found that the function
0x31613084
will be called. After analysis, it was found that the return value of the function is related to the virtual function table call at the exception, so enter this function to take a look.wwlib.31249DA0
- Through analysis, it is found that the function does some simple calculations for
ecx
and , the algorithm is , and the calculation result is ; and is passed in by and is equal to , so the algorithm becomes , controlled by the passed in . After subsequent analysis, it can be concluded that actually The nesting level of the current element.edx
[[ecx]+8]*edx + [[ecx]+C] + [ecx]
0x0751D140
ecx
esi
edx
[[esi]]
[[esi]+8]*([[esi]]-2) + [[esi]+C] + [esi]
esi
[[esi]]
- After the call is completed, the value of the address
wwlib.31249DA0
will be used as a virtual function table pointer to call the virtual function, thereby triggering an exception.[[0x0751D140+44]+44]
As shown in the figure, it can be seen that[0x0751D140+44]
the address is overwritten into the attribute<w:font>
of the elementw:name
, so the attacker can call any address by modifying the attribute<w:font>
of the tag .w:name
- Next, change the file in the sample
document.xml
and manually add</w:font>
the closing tag to see if the exception will be triggered.
- Break at the vulnerable function, and the nesting level at this time is 5.
- Then
wwlib.31249DA0
calculate the virtual function call address as0x075098F4
. Since the nesting level is5
, the calculated result isF4
(4C*(5 - 2) + 10
), and the previous one is140
(4C*(6 - 2) + 10
).
- The program did not trigger an exception after the virtual function was called.
\x04 Analyze msxml module processing steps
- In order to quickly understand the processing flow of the module, record breakpoints on
msxml
all module functions in the call stack and view the logs.msxml
- It can be found from the log that the calls to the vulnerable functions are all implemented through the instructions
sub_78887830
in the functioncall [ebx+200]
, but the call to the penultimate vulnerable function does not go throughcall [ebx+200]
and jumps directly toMSO
the module.
- Set a breakpoint on the penultimate vulnerable function. After disconnecting, we analyzed the stack calls and found that the instructions
msxml.78887830
in the functioncall [ecx+20]
will also call the vulnerable function.
- In this case, the function call flow chart can be analyzed. The function call flow is shown in the figure below:
- Below is a brief analysis of the function chain calls under based on
msxml.78887830
the last call of the function .call [ebx+200]
- At
msxml.78887830
the beginning of the function, the element tag object will be stored inebx
. The element tag object stores the information of the currently parsed element, mainly the nesting relationship and nesting level of the element.
- After debugging downwards, I found that
msxml.788872F7
the function will obtain the pointer of the attribute character<w:font>
of the elementw:name
.
- The following
msxml.78887335
function will obtaino:idmap
the pointer of the element character
- After obtaining
o:idmap
the element character pointer, callmsxml.788872F7
the function to parseo:idmap
the element. You can see in the memory window that the character pointer has pointed toincer
the position, indicating thatidmap
the tag has been parsed.
- After calling
msxml.788873F0
Calculate the nesting level of the element, you can see that the nesting level of the element is calculated as6
, but at this time the nesting level of the element is still5
, and has not been updated to6
.
- After
[ebx+1e8]
assigning toeax
, a jump occurs, skippingcall [ecx+20]
the call to and proceeding tocall [ebx+200]
the call to .
- The function called is
mso.32751CAA
, in fact,MSO
the function call of the module does not have much effect, it justwwlib
provides indirect processing for subsequent modules.
- After reaching
0x32751D5C
the position, executecall [ecx+20]
the instruction to callsub_3277FAC0
the function, at this timeesi = [esi+60]
.
- Then the instruction call
sub_3277FAC0
will be executed in the function .call [eax+10]
wwlib.3127D3FB
- After entering
wwlib.3127D3FB
the function, continue debugging downwards. At this time,[[esi+b14]]
the nesting relationship of the elements is stored in the address.
- After calling
wwlib.3127E6B3
the function, a judgment will be made, and if itebx
is equal to0x80004001
, it will jump.
- After the jump is completed, the vulnerable function is called. The following process has just been analyzed.
- Record breakpoints at several locations based on the results of the above debugging analysis. Looking at the log, you can find that
msxml.78887830
the function will parse the elements one by one. When<idmap>
the tag is parsed, the nesting relationship is5
.
- However, the nesting relationship at the exception is . Set a breakpoint on
6
the last function call to see when the nesting relationship changed .msxml.78887830
6
- After re-running, it will be disconnected. At this time, the nesting relationship is
5
.
- When debugging to the position
wwlib.3127D3FB
in the function0x3128E3AD
, the nesting relationship changes6
, indicating thatwwlib.312C6142
the function has updated the nesting relationship.
- Then analyze
w:name
when the attributes are copied. Through the analysis of the vulnerability exception, it is found thatw:name
the attributes are stored in the element object. Byw:name
writing a breakpoint under the storage location of the element object, it is found that the functionWWLIB.sub_3127D3FB
will be called in thewwlib.3127E773
function and copiedw:name
to the element object. After that,w:name
the attributes will be taken out and virtualized in the vulnerability function. Function table call.
- It should be noted that this jump is not implemented in the above analysis, which means that it
w:name
returns directly after copying the attributes. It is judged that the value of the jump iswwlib.3127E6B3
returned by , and after entering the function, it is found that at the end of the function, it will be0x80004001
assigned toeax
. Before that, it will be called0x3149BFA3
as the base address andeax * 4
as the offset address. Instead,eax
it will be[ebp-1c]
passed in Yes, record a breakpoint at this location and check the log.
- According to the log, it can be found that the vulnerable function will be called only when
[ebp+1c]
the value of is0xFFFF
. And<w:font>
it is called once before parsing the tag and<o:idmap>
once after parsing the tag.
- Then
<o:idmap>
delete the tag and compare the log information.
- It can be found that
<w:font>
this value is only set before the tag is parsed0xFFFF
, so this value may be used to determine whether the element is closed.
\x05 Summary
- When
msxml.78887830
the function parses<w:font>
the label, it will mistakenly think that the label has been closed, thereby adding<w:font>
the label'sw:name
attribute (if any) to the object, and at the same time updating the nesting relationship of the element (the nesting relationship becomes6
), resulting in the final usecall [ecx+4]
. When the virtual function table is called, the virtual table pointer is incorrectly overwritten intow:name
the data in the attribute, triggering an exception.
This concludes the vulnerability analysis of CVE-2017-11826 . If there are any errors, please correct them.