分析 – Microsoft Excel 远程代码执行漏洞 CVE-2023-36041
分析 – Microsoft Excel 远程代码执行漏洞 CVE-2023-36041
Ots安全 2023-11-25 09:21
最近,思科的 Talos 情报小组揭露了Microsoft Excel(一种普遍存在的数据管理和分析工具)中的一个严重漏洞。
该漏洞编号为 CVE-2023-36041,CVSS 评分为 7.8,存在于 Microsoft Office Professional Plus 2019 Excel 中 ElementType 属性的处理过程中。该漏洞由 Cisco Talos 的 Marcin“Icewall”Noga 发现,攻击者可以利用该漏洞在目标计算机上执行任意代码。
要利用此漏洞,攻击者需要诱骗目标用户打开特制的 Excel 电子表格。打开恶意文件后,攻击者可以获得对用户系统的控制,可能导致数据盗窃、恶意软件安装,甚至系统受损。
微软已警告成功利用此漏洞可以授予攻击者很高的权限,包括读取、写入和删除受影响系统上的数据的能力。这种级别的访问对组织和个人都构成了重大威胁。
思科 Talos 研究人员解释了该缺陷的技术细节,指出,“由于 ElementType 元素格式错误,与 HtmlPivotTableInfo 相关的结构被取消分配。发生这种取消分配的原因是 ElementType 元素包含的 AttributeType 与文件格式文档中定义的 ElementType 子元素不一致。通过策略性堆清理,攻击者可以完全控制此漏洞,从而导致进一步的内存损坏,并最终导致任意代码执行。
概括
Microsoft Office Professional Plus 2019 Excel 版本 2307 Build 16626.20170 中的 ElementType 属性解析中存在释放后使用漏洞。特制的Excel电子表格文档可以利用此漏洞实现任意代码执行。攻击者需要诱骗用户打开恶意文件才能触发此漏洞。
已确认的易受攻击版本
以下版本已被 Talos 测试或验证为易受攻击,或被供应商确认为易受攻击。
Microsoft Office Professional Plus 2019 Excel 版本 2307 内部版本 16626.20170
产品网址
Office 专业增强版 2019 – https://www.microsoft.com/pl-pl/microsoft-365/
细节
Microsoft Office 是一套用于提高企业环境和最终用户生产力的工具。它提供了一系列可用于各种目的的工具。例如用于电子表格的 Excel、用于文档编辑的 Word、用于电子邮件的 Outlook、用于演示文稿的 PowerPoint 等。
PivotCache
元素直接相关,
PivotTable cache因为它保存有关表模式和记录的所有信息。因此,Excel 正在解析
PivotCache元素以向
HtmlPivotTableInfo相关结构添加适当的信息。
跟踪这个对象的生命周期,我们可以看到这里进行的分配:
0:000> !heap -p -a 62300f68
address 62300f68 found in
_DPH_HEAP_ROOT @ 6381000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
5b6f2bc8: 62300f68 94 - 62300000 2000
unknown!fillpattern
6f11a8b0 verifier!AVrfDebugPageHeapAllocate+0x00000240
779ef22e ntdll!RtlDebugAllocateHeap+0x00000039
77957100 ntdll!RtlpAllocateHeap+0x000000f0
77956e5c ntdll!RtlpAllocateHeapInternal+0x0000104c
77955dfe ntdll!RtlAllocateHeap+0x0000003e
6e72baa5 mso20win32client!Mso::Memory::AllocateEx+0x00000025
00518459 Excel!FHpAllocCore+0x0000002c
00538648 Excel!PplAllocCore+0x0000003d
00552a62 Excel!HrAllocPl_+0x0000001a
0175ad9d Excel!FCommitHtmlPivotTableInfo+0x0000008f
0175ab18 Excel!FCommitHtmlPivotCacheElement+0x00000038
01f9cb66 Excel!FProcessXmlItem+0x00000a77
00b6431b Excel!OHIU::FProcessXmlItem+0x00000010
69f7f534 mso!FDispatchXmlItem+0x00000191
69f1df25 mso!FProcessCloseXmlTag+0x000001c8
69f193aa mso!TkLexHtml+0x00001081
69f17ffe mso!HI::FDoImportCopyContent+0x000001cf
69f17e1c mso!HI::FDoImport+0x00000019
00b5b68a Excel!HrLoadSheetHtml+0x00000435
01725e74 Excel!HrBookLoadHtmlSinglePly+0x000004c2
01f9e837 Excel!HrLoadBookHtml+0x000000e4
007030a6 Excel!HrFileLoadEx+0x00006b1b
006fc274 Excel!HrFileLoadWithCoauth+0x0000006c
0194963b Excel!HrFileLoadWithCoauth+0x00000047
015179b2 Excel!_HrLoadInternal+0x000001a5
01517705 Excel!_HrLoad+0x000000d1
005420d5 Excel!FStartupFilename+0x00001a07
00540793 Excel!FLoadCmdLine+0x00000099
022d2374 Excel!MergeInstance::ExecuteMergeInstance+0x000000dd
00586acd Excel!DelayedMergeInstance::FProcessRequest+0x0000010a
0057b937 Excel!FDoIdleHardRejectUi+0x00001cc2
00579d19 Excel!FDoIdle+0x0000009d
接下来,由于格式错误的
ElementType元素,与相关的结构
HtmlPivotTableInfo被取消分配。
ElementType元素格式错误,因为它包含
AttributeType不属于
ElementType文件格式文档指定的子元素的 。我们可以在调试器中观察这块内存的释放情况:
eax=4f5a4f74 ebx=00000005 ecx=00000000 edx=0000008c esi=62300f68 edi=03ade7a0
eip=0053cb48 esp=03ade768 ebp=03ade790 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200216
Excel!FAddPl+0x109:
0053cb48 ff152ceef302 call dword ptr [Excel!_imp_?FreeMemoryMsoYGXPAXZ (02f3ee2c)] ds:002b:02f3ee2c={mso20win32client!Mso::Memory::Free (6e73d8a5)}
上述调用后同一内存块的堆状态:
0:000> !heap -p -a 62300f68
address 62300f68 found in
_DPH_HEAP_ROOT @ 6381000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
5b6f2bc8: 62300000 2000
6f11ab02 verifier!AVrfDebugPageHeapFree+0x000000c2
779efa86 ntdll!RtlDebugFreeHeap+0x0000003e
77953d66 ntdll!RtlpFreeHeap+0x000000d6
77997acd ntdll!RtlpFreeHeapInternal+0x00000783
77953c36 ntdll!RtlFreeHeap+0x00000046
6e73d8e8 mso20win32client!Mso::Memory::Free+0x00000043
0053cb4e Excel!FAddPl+0x0000010f
0053ca1a Excel!HrIAddPl_+0x0000001a
0056bb9f Excel!IAddNewPl+0x00000082
0056badf Excel!IAddNewPlPos+0x0000005b
01fbe5cf Excel!IAddPlSort+0x00000034
0175adc2 Excel!FCommitHtmlPivotTableInfo+0x000000b4
0175ab18 Excel!FCommitHtmlPivotCacheElement+0x00000038
01f9cb66 Excel!FProcessXmlItem+0x00000a77
00b6431b Excel!OHIU::FProcessXmlItem+0x00000010
69f7f534 mso!FDispatchXmlItem+0x00000191
6a1f910a mso!FFlushXmlStack+0x000000d7
69f7fa2b mso!FDispatchXmlItem+0x00000688
69f1df25 mso!FProcessCloseXmlTag+0x000001c8
69f193aa mso!TkLexHtml+0x00001081
69f17ffe mso!HI::FDoImportCopyContent+0x000001cf
69f17e1c mso!HI::FDoImport+0x00000019
00b5b68a Excel!HrLoadSheetHtml+0x00000435
01725e74 Excel!HrBookLoadHtmlSinglePly+0x000004c2
01f9e837 Excel!HrLoadBookHtml+0x000000e4
007030a6 Excel!HrFileLoadEx+0x00006b1b
006fc274 Excel!HrFileLoadWithCoauth+0x0000006c
0194963b Excel!HrFileLoadWithCoauth+0x00000047
015179b2 Excel!_HrLoadInternal+0x000001a5
01517705 Excel!_HrLoad+0x000000d1
005420d5 Excel!FStartupFilename+0x00001a07
00540793 Excel!FLoadCmdLine+0x00000099
即使内存被释放,指向该对象的相关指针也不会重置为 NULL。由于存在悬空引用,防止重复使用该对象的检查将失败,并且该对象将在以下函数内重新使用:
0:000> g
(1fe0.70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=000000c2 ecx=62300f70 edx=653b4fc8 esi=653b4fdc edi=00000000
eip=0175aaf7 esp=03ade994 ebp=03ade9b0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
Excel!FCommitHtmlPivotCacheElement+0x17:
0175aaf7 39790c cmp dword ptr [ecx+0Ch],edi ds:002b:62300f7c=????????
这构成了释放后使用条件。通过精确的堆整理,攻击者可以完全控制此释放后使用漏洞,这可能导致进一步的内存损坏并最终导致任意代码执行。
0:000> g
(1fe0.70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=000000c2 ecx=62300f70 edx=653b4fc8 esi=653b4fdc edi=00000000
eip=0175aaf7 esp=03ade994 ebp=03ade9b0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
Excel!FCommitHtmlPivotCacheElement+0x17:
0175aaf7 39790c cmp dword ptr [ecx+0Ch],edi ds:002b:62300f7c=????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Read
Key : Analysis.CPU.Sec
Value: 14
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on DESKTOP-IQDGM2J
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 408
Key : Analysis.Memory.CommitPeak.Mb
Value: 438
Key : Analysis.System
Value: CreateObject
Key : Timeline.OS.Boot.DeltaSec
Value: 191065
Key : Timeline.Process.Start.DeltaSec
Value: 163
NTGLOBALFLAG: 2000000
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS: 0
APPLICATION_VERIFIER_LOADED: 1
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 0175aaf7 (Excel!FCommitHtmlPivotCacheElement+0x00000017)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 62300f7c
Attempt to read from address 62300f7c
FAULTING_THREAD: 00000070
PROCESS_NAME: Excel.exe
READ_ADDRESS: 62300f7c
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 62300f7c
STACK_TEXT:
03ade998 0172719d 03adf044 6359e998 00000000 Excel!FCommitHtmlPivotCacheElement+0x17
03ade9b0 01f9cb66 03adea2c 6359e998 00000001 Excel!HrCommitBookXml+0xca
03adea80 00b6431b 00000000 03adeaec 69f7f534 Excel!FProcessXmlItem+0xa77
03adea8c 69f7f534 02fde194 03adeff0 6359e998 Excel!OHIU::FProcessXmlItem+0x10
03adeaec 69f1df25 0159e998 fd1d5943 57ff8d14 mso!FDispatchXmlItem+0x191
03adeb60 69f193aa 6359e998 64f06f48 fd1d5fbb mso!FProcessCloseXmlTag+0x1c8
03aded98 69f17ffe fd1d5fe3 03adeff0 063b6fd8 mso!TkLexHtml+0x1081
03adedc0 69f17e1c 57ff8d14 00000000 063b6fd8 mso!HI::FDoImportCopyContent+0x1cf
03adedd4 00b5b68a 6359e918 063b6fd8 00000000 mso!HI::FDoImport+0x19
03adef00 01725e74 00000100 54d48fa8 00000003 Excel!HrLoadSheetHtml+0x435
03ae9864 01f9e837 00000000 00000000 00000000 Excel!HrBookLoadHtmlSinglePly+0x4c2
03ae98a8 007030a6 03af8f3c 54d48fa8 00000002 Excel!HrLoadBookHtml+0xe4
03af9370 006fc274 00000000 00000000 00000002 Excel!HrFileLoadEx+0x6b1b
03af940c 0194963b 00000000 00000000 00000002 Excel!HrFileLoadWithCoauth+0x6c
03af9460 015179b2 00000000 03af95c0 02823042 Excel!HrFileLoadWithCoauth+0x47
03af9568 01517705 00000001 00001008 00000001 Excel!_HrLoadInternal+0x1a5
03af9610 005420d5 00000001 00001008 00000001 Excel!_HrLoad+0xd1
03afe388 00540793 0000000f 47092fb0 00000825 Excel!FStartupFilename+0x1a07
03afe42c 022d2374 0000000f 47092fb0 00000825 Excel!FLoadCmdLine+0x99
03afefa4 00586acd 00000825 00000000 00000001 Excel!MergeInstance::ExecuteMergeInstance+0xdd
03aff050 0057b937 063b6fd8 063b6fd8 00000000 Excel!DelayedMergeInstance::FProcessRequest+0x10a
03aff5b0 00579d19 063b6fd8 02fa355c 00000001 Excel!FDoIdleHardRejectUi+0x1cc2
03aff630 00576bf1 6e73a38d 02fa3790 00000000 Excel!FDoIdle+0x9d
03affa30 00517895 00000000 0000000a 0394c000 Excel!MainLoop+0x1326
03affc60 005011c3 00500000 00000000 063d8fc2 Excel!WinMain+0x6c4
03affcac 75a800c9 0394c000 75a800b0 03affd18 Excel!_imp_load__RmGetList+0x1c7
03affcbc 77977b1e 0394c000 84105314 00000000 KERNEL32!BaseThreadInitThunk+0x19
03affd18 77977aee ffffffff 77998c03 00000000 ntdll!__RtlUserThreadStart+0x2f
03affd28 00000000 00501079 0394c000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: Excel!FCommitHtmlPivotCacheElement+17
MODULE_NAME: Excel
IMAGE_NAME: Excel.exe
FAILURE_BUCKET_ID: INVALID_POINTER_READ_AVRF_c0000005_Excel.exe!FCommitHtmlPivotCacheElement
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
FAILURE_ID_HASH: {a768443e-18ec-dc72-511b-87f1949b0ed3}
Followup: MachineOwner
---------
0:000> lmva excel
Browse full module list
start end module name
00500000 03717000 Excel (pdb symbols) c:\tools\x86\sym\excel.pdb\FD60CCBC644B4FD0889179BD554363D12\excel.pdb
Loaded symbol image file: c:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Image path: Excel.exe
Image name: Excel.exe
Browse all global symbols functions data
Timestamp: Fri Aug 4 05:00:26 2023 (64CC69CA)
CheckSum: 0321C631
ImageSize: 03217000
File version: 16.0.16626.20170
Product version: 16.0.16626.20170
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04e4
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft Office
InternalName: Excel
OriginalFilename: Excel.exe
ProductVersion: 16.0.16626.20170
FileVersion: 16.0.16626.20170
感谢您抽出
.
.
来阅读本文
点它,分享点赞在看都在这里