Hi everyone. Brian and Jonathan, software security engineers from the SWI team here. Alexandra Huft from the MSRC team asked us to write a guest blog entry giving an update on the technical investigation of the PowerPoint 2003 proof-of-concept code published a few weeks ago, which was previously blogged about here (http://blogs.technet.com/msrc/archive/2006/10/12/poc-published-for-ms-office-2003-powerpoint.aspx).
The short story is that this issue turned out not to be exploitable for remote code execution. It was a PowerPoint crashing bug, not a PowerPoint security vulnerability. The PowerPoint team has developed a fix for this bug and it will go into the next available ship vehicle for PowerPoint. The longer story is below.
The published perl script generates a malformed PPT file. The file includes a container object with a ‘position’ value that is larger than the corresponding container’s record length. When parsing this container, PowerPoint uses this attacker-supplied position value to look up a node in a list, but the position is outside the list’s bounds. The function that should return a legitimate object for later use by PowerPoint instead returns NULL because of the out-of-bounds position value. The caller does not check this return value for NULL before treating the address as an object. The dereference of this NULL object pointer is what causes the exception.
Here’s what that sequence of events looks like from an assembly level:
```
0:000> u 3001cdbc
POWERPNT+0x1cdbc:
3001cdbc e8dfdfffff call POWERPNT+0x1ada0 (3001ada0)   <-- This function returns NULL & the return value is not checked
3001cdc1 8b7610     mov esi,dword ptr [esi+10h]
3001cdc4 2b7514     sub esi,dword ptr [ebp+14h]
3001cdc7 8bf8       mov edi,eax                         <-- eax is NULL
3001cdc9 8d45e0     lea eax,[ebp-20h]
3001cdcc 8bcf       mov ecx,edi                         <-- ecx is NULL
3001cdce 50         push eax
3001cdcf e8e8e1ffff call POWERPNT+0x1afbc (3001afbc)   <-- call into the function that will cause the NULL deref
3001cdd4 3b7d18     cmp edi,dword ptr [ebp+18h]
3001cdd7 0f848fddffff je POWERPNT+0x1ab6c (3001ab6c)
0:000> u 3001afbc
POWERPNT+0x1afbc:
3001afbc 8b01       mov eax,dword ptr [ecx]             <-- This is the actual instruction that causes the exception
0:000> lmvm powerpnt
start    end        module name
30000000 3061d000   POWERPNT   (export symbols)       POWERPNT.EXE
    Loaded symbol image file: POWERPNT.EXE
    Image path: c:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
    Image name: POWERPNT.EXE
    Timestamp:        Tue Sep 26 17:15:28 2006 (4519C2A0)
    CheckSum:         00624FE1
    ImageSize:        0061D000
    File version:     11.0.8110.0
    Product version:  11.0.8110.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0000.04e4
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft Office 2003
    InternalName:     POWERPNT
    OriginalFilename: POWERPNT.EXE
    ProductVersion:   11.0.8110
    FileVersion:      11.0.8110
    FileDescription:  Microsoft Office PowerPoint
    LegalCopyright:   Copyright © 1987-2003 Microsoft Corporation. All rights reserved.
```
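To make the sequence above concrete, here is an added C example (not PowerPoint's code and not part of the original post) that models the same pattern: a list lookup that returns NULL for an out-of-range position, the caller that trusts the result and dereferences it (the crash seen at `mov eax,[ecx]`), and a hardened caller that validates the position against the record length and checks the lookup result before use. The record layout, the `NodeList` type, the function names and the three-node sample list are all constructed for illustration and do not reflect PowerPoint's real file format or data structures.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical node list standing in for the list the parser walks.
 * Not PowerPoint's real data structure. */
typedef struct Node {
    uint32_t value;
    struct Node *next;
} Node;

typedef struct {
    Node *head;
    size_t count;
} NodeList;

/* Simplified container record: the file-supplied 'position' field plus the
 * record length it must stay within. Constructed for this example. */
typedef struct {
    uint32_t record_len;
    uint32_t position;   /* index of the node the parser should use */
} ContainerRecord;

/* Returns the node at 'position', or NULL when the position is outside the
 * list. This is the behaviour the post describes: an out-of-bounds position
 * yields NULL instead of an object. */
Node *list_find(const NodeList *list, uint32_t position)
{
    if (position >= list->count)
        return NULL;
    Node *n = list->head;
    for (uint32_t i = 0; i < position; i++)
        n = n->next;
    return n;
}

/* 'Before': the caller assumes the lookup succeeded and dereferences the
 * result. With a malformed record this reads through a NULL pointer, the
 * equivalent of 'mov eax,[ecx]' with ecx == 0, and the process faults.
 * Kept only to show the defect; the sample main() never calls it. */
uint32_t parse_container_unchecked(const NodeList *list, const ContainerRecord *rec)
{
    Node *n = list_find(list, rec->position);
    return n->value;
}

/* 'After': reject a position that exceeds the record, and check the lookup
 * result before using it. Returns 0 on success and -1 for a malformed record,
 * writing the node value through 'out' on success. */
int parse_container_checked(const NodeList *list, const ContainerRecord *rec, uint32_t *out)
{
    if (rec->position >= rec->record_len)   /* position larger than the container */
        return -1;
    Node *n = list_find(list, rec->position);
    if (n == NULL)                          /* the check the crashing code lacked */
        return -1;
    *out = n->value;
    return 0;
}

/* Constructed sample data: a three-node list. */
Node sample_nodes[3] = {
    { 0x11, &sample_nodes[1] },
    { 0x22, &sample_nodes[2] },
    { 0x33, NULL },
};
const NodeList sample_list = { sample_nodes, 3 };

int main(void)
{
    uint32_t v = 0;
    ContainerRecord good = { 3, 1 };           /* well-formed: position inside the record */
    ContainerRecord bad  = { 3, 0x7fffffffu }; /* malformed: position beyond the record length */

    if (parse_container_checked(&sample_list, &good, &v) == 0)
        printf("good record -> node value 0x%x\n", v);
    if (parse_container_checked(&sample_list, &bad, &v) != 0)
        printf("malformed record rejected instead of dereferencing NULL\n");
    return 0;
}
```

The fault in the unchecked path is a read from address 0 with no attacker-controlled pointer or write involved, which is why the post classifies the bug as a crash rather than a code-execution vulnerability; the checked version turns the same malformed input into a rejected record and keeps the parser running.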
We hope these additional details clear up any questions our customers may have had about why the MSRC does not consider this a product security vulnerability.
Thanks,
Brian and Jonathan
*This posting is provided “AS IS” with no warranties, and confers no rights.*