#######################################################################

                             Luigi Auriemma

Application:  Microsoft OLE for Windows
              http://www.microsoft.com
Versions:     ole32.dll < 5.1.2600.6168
Platforms:    Windows XP and 2003 before 13 Dec 2011
              NOT vulnerable: any other OS from Windows Vista
Bug:          code execution
Exploitation: remote and via file
Date:         found 16 May 2011
              patched 13 Dec 2011
              adv/PoC 20 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org
Additional references:
              http://technet.microsoft.com/en-us/security/bulletin/ms11-093
              http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=966
              http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3400

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From iDefense's advisory:

"Many Windows applications that support the structured storage file
format (Office applications for example) contain support for reading
the SummaryInformation stream inside of the OLE document. This stream
contains various properties that describe the document (the author for
example). In addition to Office, Windows Explorer also supports parsing
these streams when a file is clicked and viewed via the preview pane."
#######################################################################

======
2) Bug
======

First a couple of links about the OLE compound format:

  http://poi.apache.org/hpsf/internals.html
  http://msdn.microsoft.com/en-us/library/aa380072%28v=vs.85%29.aspx

Example of an HPSF header, referring to the provided Visio proof-of-concept:

  offset  bytes  description
  1200    2      0xfffe
  1202    2      0
  1204    4      operating system
  1208    16     clsid: 0
  1218    4      1
  121c    16     clsid: F29F85E0-4FF9-1068-AB91-08002B27B3D9
  122c    4      offset from the 0xfffe header
  1230    4      section size
  1234    4      number of properties (0xb)
  1238    4      property type (for example 2 for title, 4 author and so on)
  123c    4      property offset (relative to 0x1230)
  ...
  1288    4      property type 0x11 (VT_CF) used for PID_THUMBNAIL
  128c    4      the original was located at offset 1358, now 13da

To exploit the vulnerability it's necessary to use the VT property
VT_VERSIONED_STREAM (0x49), which causes the type confusion that leads
to a trivially exploitable code execution.

From ole32!CoWaitForMultipleHandles:

  7756edcc 8b4708    mov  eax,dword ptr [edi+8]
  7756edcf 8b4010    mov  eax,dword ptr [eax+10h]
  7756edd2 8b08      mov  ecx,dword ptr [eax]
  7756edd4 50        push eax
  7756edd5 ff5108    call dword ptr [ecx+8]       ; code execution

The vulnerability has been tested with PPT, XLS and VSD files with the
same effects:

- remote exploitation via Internet Explorer, for example if the Office
  Viewers are installed
- automatic exploitation of explorer.exe if thumbnail previewing is
  enabled for the folder (if I'm not in error Windows XP has it
  activated by default), immediately when the folder containing the
  modified PPT file is opened
- if the preview mode is not enabled it's necessary to view the
  properties of the file (right mouse button -> Properties)
- exploitation by opening the file may be possible only in some cases
  (Visio Viewer confirmed)

The proof-of-concept should be able to execute calc.exe via Internet
Explorer and Visio Viewer; the bug is so trivial to exploit that, with
some additional work, it's even possible to avoid the heap spray.

#######################################################################

===========
3) The Code
===========

Proof-of-concept for Visio Viewer, exploitable remotely via Internet
Explorer:

  http://aluigi.org/poc/ole32_1.zip

#######################################################################

======
4) Fix
======

http://technet.microsoft.com/en-us/security/bulletin/ms11-093

#######################################################################
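As an added triage example (not part of the advisory or its proof-of-concept), the Python below walks a property set stream using the HPSF layout given in section 2 and reports every property whose value type is VT_VERSIONED_STREAM (0x49), the trigger named above, so that files can be flagged before a preview handler or viewer parses them. It assumes the SummaryInformation stream has already been extracted from the compound file (for example with a CFB parser); the two sample streams are constructed inline, and every offset and count is bounds-checked rather than trusted.

```python
import struct
import uuid

VT_VERSIONED_STREAM = 0x49  # value type the advisory names as the type-confusion trigger
FMTID_SUMMARY_INFORMATION = uuid.UUID("F29F85E0-4FF9-1068-AB91-08002B27B3D9").bytes_le

def parse_property_set(data):
    """Return (section, pid, value_type) for every property in a property set stream.
    Header: 0xFFFE, version, OS, clsid, section count, then (FMTID, offset) per section;
    each section begins with its size and property count followed by (pid, offset) pairs."""
    try:
        if struct.unpack_from("<H", data, 0)[0] != 0xFFFE:
            raise ValueError("missing 0xFFFE byte-order marker")
        num_sections = struct.unpack_from("<I", data, 24)[0]
        found = []
        for sec in range(num_sections):
            sec_off = struct.unpack_from("<I", data, 28 + 20 * sec + 16)[0]
            sec_size, num_props = struct.unpack_from("<II", data, sec_off)
            if sec_off + sec_size > len(data) or num_props > sec_size // 8:
                raise ValueError("section %d does not fit in the stream" % sec)
            for i in range(num_props):
                pid, rel = struct.unpack_from("<II", data, sec_off + 8 + 8 * i)
                if rel + 4 > sec_size:  # the 4-byte type word must lie inside the section
                    raise ValueError("property %#x points outside its section" % pid)
                vt = struct.unpack_from("<H", data, sec_off + rel)[0]  # 16-bit VT, 16-bit pad
                found.append((sec, pid, vt))
        return found
    except struct.error as exc:
        raise ValueError("malformed property set stream: %s" % exc)

def find_versioned_stream_properties(data):
    """Triage helper: (section, pid) of each property typed VT_VERSIONED_STREAM."""
    return [(s, p) for s, p, vt in parse_property_set(data) if vt == VT_VERSIONED_STREAM]

def build_property_set(fmtid, props):
    """Constructed single-section stream for testing the parser; props = [(pid, vt, payload)]."""
    table, values = b"", b""
    base = 8 + 8 * len(props)  # size and count words plus the pid/offset table
    for pid, vt, payload in props:
        table += struct.pack("<II", pid, base + len(values))
        values += struct.pack("<HH", vt, 0) + payload  # type word, padding, value bytes
    header = (struct.pack("<HHI", 0xFFFE, 0, 2) + bytes(16) + struct.pack("<I", 1)
              + fmtid + struct.pack("<I", 48))  # one section, placed right after the header
    return header + struct.pack("<II", base + len(values), len(props)) + table + values

# Constructed samples: a plain title (PID 2, VT_LPSTR) and one with a 0x49-typed property.
TITLE = (2, 0x1E, struct.pack("<I", 6) + b"hello\0")
BENIGN = build_property_set(FMTID_SUMMARY_INFORMATION, [TITLE])
SUSPECT = build_property_set(FMTID_SUMMARY_INFORMATION,
                             [TITLE, (0x11, VT_VERSIONED_STREAM, bytes(20))])
```

Run find_versioned_stream_properties() over each SummaryInformation stream pulled from a document; an empty list means no property of the suspicious type, a non-empty one names the section and PID to inspect.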