最近,思科的 Talos 情报小组揭露了Microsoft Excel(一种普遍存在的数据管理和分析工具)中的一个严重漏洞。
该漏洞编号为 CVE-2023-36041,CVSS 评分为 7.8,存在于 Microsoft Office Professional Plus 2019 Excel 中 ElementType 属性的处理过程中。该漏洞由 Cisco Talos 的 Marcin“Icewall”Noga 发现,攻击者可以利用该漏洞在目标计算机上执行任意代码。
要利用此漏洞,攻击者需要诱骗目标用户打开特制的 Excel 电子表格。打开恶意文件后,攻击者可以获得对用户系统的控制,可能导致数据盗窃、恶意软件安装,甚至系统受损。
微软已警告成功利用此漏洞可以授予攻击者很高的权限,包括读取、写入和删除受影响系统上的数据的能力。这种级别的访问对组织和个人都构成了重大威胁。
思科 Talos 研究人员解释了该缺陷的技术细节,指出,“由于 ElementType 元素格式错误,与 HtmlPivotTableInfo 相关的结构被取消分配。发生这种取消分配的原因是 ElementType 元素包含的 AttributeType 与文件格式文档中定义的 ElementType 子元素不一致。通过策略性堆清理,攻击者可以完全控制此漏洞,从而导致进一步的内存损坏,并最终导致任意代码执行。
概括
Microsoft Office Professional Plus 2019 Excel 版本 2307 Build 16626.20170 中的 ElementType 属性解析中存在释放后使用漏洞。特制的Excel电子表格文档可以利用此漏洞实现任意代码执行。攻击者需要诱骗用户打开恶意文件才能触发此漏洞。
已确认的易受攻击版本
以下版本已被 Talos 测试或验证为易受攻击,或被供应商确认为易受攻击。
Microsoft Office Professional Plus 2019 Excel 版本 2307 内部版本 16626.20170
产品网址
Office 专业增强版 2019 - https://www.microsoft.com/pl-pl/microsoft-365/
细节
Microsoft Office 是一套用于提高企业环境和最终用户生产力的工具。它提供了一系列可用于各种目的的工具。例如用于电子表格的 Excel、用于文档编辑的 Word、用于电子邮件的 Outlook、用于演示文稿的 PowerPoint 等。
PivotCache元素直接相关,PivotTable cache因为它保存有关表模式和记录的所有信息。因此,Excel 正在解析PivotCache元素以向HtmlPivotTableInfo相关结构添加适当的信息。
跟踪这个对象的生命周期,我们可以看到这里进行的分配:
0:000> !heap -p -a 62300f68address 62300f68 found in_DPH_HEAP_ROOT @ 6381000in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)5b6f2bc8: 62300f68 94 - 62300000 2000unknown!fillpattern6f11a8b0 verifier!AVrfDebugPageHeapAllocate+0x00000240779ef22e ntdll!RtlDebugAllocateHeap+0x0000003977957100 ntdll!RtlpAllocateHeap+0x000000f077956e5c ntdll!RtlpAllocateHeapInternal+0x0000104c77955dfe ntdll!RtlAllocateHeap+0x0000003e6e72baa5 mso20win32client!Mso::Memory::AllocateEx+0x0000002500518459 Excel!FHpAllocCore+0x0000002c00538648 Excel!PplAllocCore+0x0000003d00552a62 Excel!HrAllocPl_+0x0000001a0175ad9d Excel!FCommitHtmlPivotTableInfo+0x0000008f0175ab18 Excel!FCommitHtmlPivotCacheElement+0x0000003801f9cb66 Excel!FProcessXmlItem+0x00000a7700b6431b Excel!OHIU::FProcessXmlItem+0x0000001069f7f534 mso!FDispatchXmlItem+0x0000019169f1df25 mso!FProcessCloseXmlTag+0x000001c869f193aa mso!TkLexHtml+0x0000108169f17ffe mso!HI::FDoImportCopyContent+0x000001cf69f17e1c mso!HI::FDoImport+0x0000001900b5b68a Excel!HrLoadSheetHtml+0x0000043501725e74 Excel!HrBookLoadHtmlSinglePly+0x000004c201f9e837 Excel!HrLoadBookHtml+0x000000e4007030a6 Excel!HrFileLoadEx+0x00006b1b006fc274 Excel!HrFileLoadWithCoauth+0x0000006c0194963b Excel!HrFileLoadWithCoauth+0x00000047015179b2 Excel!_HrLoadInternal+0x000001a501517705 Excel!_HrLoad+0x000000d1005420d5 Excel!FStartupFilename+0x00001a0700540793 Excel!FLoadCmdLine+0x00000099022d2374 Excel!MergeInstance::ExecuteMergeInstance+0x000000dd00586acd Excel!DelayedMergeInstance::FProcessRequest+0x0000010a0057b937 Excel!FDoIdleHardRejectUi+0x00001cc200579d19 Excel!FDoIdle+0x0000009d
接下来,由于格式错误的ElementType元素,与相关的结构HtmlPivotTableInfo被取消分配。ElementType元素格式错误,因为它包含AttributeType不属于ElementType文件格式文档指定的子元素的 。我们可以在调试器中观察这块内存的释放情况:
eax=4f5a4f74 ebx=00000005 ecx=00000000 edx=0000008c esi=62300f68 edi=03ade7a0eip=0053cb48 esp=03ade768 ebp=03ade790 iopl=0 nv up ei pl nz ac pe nccs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216Excel!FAddPl+0x109:0053cb48 ff152ceef302 call dword ptr [Excel!_imp_?FreeMemoryMsoYGXPAXZ (02f3ee2c)] ds:002b:02f3ee2c={mso20win32client!Mso::Memory::Free (6e73d8a5)}
上述调用后同一内存块的堆状态:
0:000> !heap -p -a 62300f68address 62300f68 found in_DPH_HEAP_ROOT @ 6381000in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)5b6f2bc8: 62300000 20006f11ab02 verifier!AVrfDebugPageHeapFree+0x000000c2779efa86 ntdll!RtlDebugFreeHeap+0x0000003e77953d66 ntdll!RtlpFreeHeap+0x000000d677997acd ntdll!RtlpFreeHeapInternal+0x0000078377953c36 ntdll!RtlFreeHeap+0x000000466e73d8e8 mso20win32client!Mso::Memory::Free+0x000000430053cb4e Excel!FAddPl+0x0000010f0053ca1a Excel!HrIAddPl_+0x0000001a0056bb9f Excel!IAddNewPl+0x000000820056badf Excel!IAddNewPlPos+0x0000005b01fbe5cf Excel!IAddPlSort+0x000000340175adc2 Excel!FCommitHtmlPivotTableInfo+0x000000b40175ab18 Excel!FCommitHtmlPivotCacheElement+0x0000003801f9cb66 Excel!FProcessXmlItem+0x00000a7700b6431b Excel!OHIU::FProcessXmlItem+0x0000001069f7f534 mso!FDispatchXmlItem+0x000001916a1f910a mso!FFlushXmlStack+0x000000d769f7fa2b mso!FDispatchXmlItem+0x0000068869f1df25 mso!FProcessCloseXmlTag+0x000001c869f193aa mso!TkLexHtml+0x0000108169f17ffe mso!HI::FDoImportCopyContent+0x000001cf69f17e1c mso!HI::FDoImport+0x0000001900b5b68a Excel!HrLoadSheetHtml+0x0000043501725e74 Excel!HrBookLoadHtmlSinglePly+0x000004c201f9e837 Excel!HrLoadBookHtml+0x000000e4007030a6 Excel!HrFileLoadEx+0x00006b1b006fc274 Excel!HrFileLoadWithCoauth+0x0000006c0194963b Excel!HrFileLoadWithCoauth+0x00000047015179b2 Excel!_HrLoadInternal+0x000001a501517705 Excel!_HrLoad+0x000000d1005420d5 Excel!FStartupFilename+0x00001a0700540793 Excel!FLoadCmdLine+0x00000099
即使内存被释放,指向该对象的相关指针也不会重置为 NULL。由于存在悬空引用,防止重复使用该对象的检查将失败,并且该对象将在以下函数内重新使用:
0:000> g(1fe0.70): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=000000c2 ecx=62300f70 edx=653b4fc8 esi=653b4fdc edi=00000000eip=0175aaf7 esp=03ade994 ebp=03ade9b0 iopl=0 nv up ei pl zr na pe nccs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246Excel!FCommitHtmlPivotCacheElement+0x17:0175aaf7 39790c cmp dword ptr [ecx+0Ch],edi ds:002b:62300f7c=????????
这构成了释放后使用条件。通过精确的堆整理,攻击者可以完全控制此释放后使用漏洞,这可能导致进一步的内存损坏并最终导致任意代码执行。
0:000> g(1fe0.70): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=00000000 ebx=000000c2 ecx=62300f70 edx=653b4fc8 esi=653b4fdc edi=00000000eip=0175aaf7 esp=03ade994 ebp=03ade9b0 iopl=0 nv up ei pl zr na pe nccs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246Excel!FCommitHtmlPivotCacheElement+0x17:0175aaf7 39790c cmp dword ptr [ecx+0Ch],edi ds:002b:62300f7c=????????0:000> !analyze -v******************************************************************************** ** Exception Analysis ** ********************************************************************************KEY_VALUES_STRING: 1Key : AV.FaultValue: ReadKey : Analysis.CPU.SecValue: 14Key : Analysis.DebugAnalysisProvider.CPPValue: Create: 8007007e on DESKTOP-IQDGM2JKey : Analysis.DebugDataValue: CreateObjectKey : Analysis.DebugModelValue: CreateObjectKey : Analysis.Elapsed.SecValue: 408Key : Analysis.Memory.CommitPeak.MbValue: 438Key : Analysis.SystemValue: CreateObjectKey : Timeline.OS.Boot.DeltaSecValue: 191065Key : Timeline.Process.Start.DeltaSecValue: 163NTGLOBALFLAG: 2000000PROCESS_BAM_CURRENT_THROTTLED: 0PROCESS_BAM_PREVIOUS_THROTTLED: 0APPLICATION_VERIFIER_FLAGS: 0APPLICATION_VERIFIER_LOADED: 1EXCEPTION_RECORD: (.exr -1)ExceptionAddress: 0175aaf7 (Excel!FCommitHtmlPivotCacheElement+0x00000017)ExceptionCode: c0000005 (Access violation)ExceptionFlags: 00000000NumberParameters: 2Parameter[0]: 00000000Parameter[1]: 62300f7cAttempt to read from address 62300f7cFAULTING_THREAD: 00000070PROCESS_NAME: Excel.exeREAD_ADDRESS: 62300f7cERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.EXCEPTION_CODE_STR: c0000005EXCEPTION_PARAMETER1: 00000000EXCEPTION_PARAMETER2: 62300f7cSTACK_TEXT:03ade998 0172719d 03adf044 6359e998 00000000 Excel!FCommitHtmlPivotCacheElement+0x1703ade9b0 01f9cb66 03adea2c 6359e998 00000001 Excel!HrCommitBookXml+0xca03adea80 00b6431b 00000000 03adeaec 69f7f534 Excel!FProcessXmlItem+0xa7703adea8c 69f7f534 02fde194 03adeff0 6359e998 Excel!OHIU::FProcessXmlItem+0x1003adeaec 69f1df25 0159e998 fd1d5943 57ff8d14 mso!FDispatchXmlItem+0x19103adeb60 69f193aa 6359e998 64f06f48 fd1d5fbb mso!FProcessCloseXmlTag+0x1c803aded98 69f17ffe fd1d5fe3 03adeff0 063b6fd8 mso!TkLexHtml+0x108103adedc0 69f17e1c 57ff8d14 00000000 063b6fd8 mso!HI::FDoImportCopyContent+0x1cf03adedd4 00b5b68a 6359e918 063b6fd8 00000000 mso!HI::FDoImport+0x1903adef00 01725e74 00000100 54d48fa8 00000003 Excel!HrLoadSheetHtml+0x43503ae9864 01f9e837 00000000 00000000 00000000 Excel!HrBookLoadHtmlSinglePly+0x4c203ae98a8 007030a6 03af8f3c 54d48fa8 00000002 Excel!HrLoadBookHtml+0xe403af9370 006fc274 00000000 00000000 00000002 Excel!HrFileLoadEx+0x6b1b03af940c 0194963b 00000000 00000000 00000002 Excel!HrFileLoadWithCoauth+0x6c03af9460 015179b2 00000000 03af95c0 02823042 Excel!HrFileLoadWithCoauth+0x4703af9568 01517705 00000001 00001008 00000001 Excel!_HrLoadInternal+0x1a503af9610 005420d5 00000001 00001008 00000001 Excel!_HrLoad+0xd103afe388 00540793 0000000f 47092fb0 00000825 Excel!FStartupFilename+0x1a0703afe42c 022d2374 0000000f 47092fb0 00000825 Excel!FLoadCmdLine+0x9903afefa4 00586acd 00000825 00000000 00000001 Excel!MergeInstance::ExecuteMergeInstance+0xdd03aff050 0057b937 063b6fd8 063b6fd8 00000000 Excel!DelayedMergeInstance::FProcessRequest+0x10a03aff5b0 00579d19 063b6fd8 02fa355c 00000001 Excel!FDoIdleHardRejectUi+0x1cc203aff630 00576bf1 6e73a38d 02fa3790 00000000 Excel!FDoIdle+0x9d03affa30 00517895 00000000 0000000a 0394c000 Excel!MainLoop+0x132603affc60 005011c3 00500000 00000000 063d8fc2 Excel!WinMain+0x6c403affcac 75a800c9 0394c000 75a800b0 03affd18 Excel!_imp_load__RmGetList+0x1c703affcbc 77977b1e 0394c000 84105314 00000000 KERNEL32!BaseThreadInitThunk+0x1903affd18 77977aee ffffffff 77998c03 00000000 ntdll!__RtlUserThreadStart+0x2f03affd28 00000000 00501079 0394c000 00000000 ntdll!_RtlUserThreadStart+0x1bSTACK_COMMAND: ~0s ; .cxr ; kbSYMBOL_NAME: Excel!FCommitHtmlPivotCacheElement+17MODULE_NAME: ExcelIMAGE_NAME: Excel.exeFAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!FCommitHtmlPivotCacheElementOS_VERSION: 10.0.19041.1BUILDLAB_STR: vb_releaseOSPLATFORM_TYPE: x86OSNAME: Windows 10FAILURE_ID_HASH: {a768443e-18ec-dc72-511b-87f1949b0ed3}Followup: MachineOwner---------0:000> lmva excelBrowse full module liststart end module name00500000 03717000 Excel (pdb symbols) c:toolsx86symexcel.pdbFD60CCBC644B4FD0889179BD554363D12excel.pdbLoaded symbol image file: c:Program Files (x86)Microsoft OfficerootOffice16EXCEL.EXEImage path: Excel.exeImage name: Excel.exeBrowse all global symbols functions dataTimestamp: Fri Aug 4 05:00:26 2023 (64CC69CA)CheckSum: 0321C631ImageSize: 03217000File version: 16.0.16626.20170Product version: 16.0.16626.20170File flags: 0 (Mask 3F)File OS: 40004 NT Win32File type: 1.0 AppFile date: 00000000.00000000Translations: 0000.04e4Information from resource tables:CompanyName: Microsoft CorporationProductName: Microsoft OfficeInternalName: ExcelOriginalFilename: Excel.exeProductVersion: 16.0.16626.20170FileVersion: 16.0.16626.20170
感谢您抽出
.
.
来阅读本文
点它,分享点赞在看都在这里
原文始发于微信公众号(Ots安全):分析 - Microsoft Excel 远程代码执行漏洞 CVE-2023-36041
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论