# Summary
OS: Windows 7/10/11
TARGET: msoffice winword.exe / window
TYPE: Windows OLE Remote Code Execution Vulnerability
# Description
- This vulnerability can occur in M365 product lines that support OleObject insertion.
- This vulnerability allows the same object to be released twice, potentially invoking a function at an arbitrary address.
# Analysis
- Below is an excerpt of the (decompiled) code as it was when the vulnerability was discovered.
// Decompiled excerpt (pre-patch). Copies an OLE presentation stream into a
// "CONTENTS" stream of pstg. The defect documented on this page is a stale
// IStream pointer: pstmContents is Release()d once early on but never reset
// to 0i64, so the shared error exit at $errRtn_199 releases it a second time.
// Parameters: pstg - the storage being rewritten; puiStatus / a3 - decompiler
// names, not referenced in the visible portion; lpszPresStm - zeroed on entry.
// Returns 0 when the initial CreateStream fails; the remaining return paths
// are outside this excerpt.
// Remediation: clear pstmContents (pstmContents = 0i64;) immediately after the
// early Release so the cleanup block sees a NULL and skips it.
__int64 __fastcall UtOlePresStmToContentsStm(IStorage *pstg, wchar_t *puiStatus, int a3, unsigned int *lpszPresStm)
{
IStorage_vtbl *v5; // rax
int v7; // r14d
int v9; // ebx
HRESULT v10; // eax
IStream *pstmContents; // [rsp+40h] [rbp-19h] BYREF
// NOTE(review): pstmOlePres is not initialized before OpenStream; the NULL
// check at $errRtn_199 assumes OpenStream clears it on failure - confirm.
IStream *pstmOlePres; // [rsp+48h] [rbp-11h] BYREF
tagFORMATETC foretc; // [rsp+50h] [rbp-9h] BYREF
tagHDIBFILEHDR hdfh; // [rsp+70h] [rbp+17h] BYREF
*lpszPresStm = 0;
v5 = pstg->__vftable;
pstmContents = 0i64;
v7 = 1;
// Probe: create a fresh CONTENTS stream; give up if the storage refuses.
if ( v5->CreateStream(pstg, L"CONTENTS", 18u, 0, 0, &pstmContents) )
return 0i64;
// BUG: the stream is released here but pstmContents keeps pointing at the
// freed object. Every path that reaches $errRtn_199 before OpenOrCreateStream
// overwrites it will Release() the dead pointer again.
pstmContents->Release(pstmContents); // need to initialize pstmContents
pstg->DestroyElement(pstg, L"CONTENTS");
// Author's observation: the allocation freed above can be handed back here,
// so pstmOlePres may alias the stale pstmContents value.
v9 = pstg->OpenStream(pstg, &word_F40E0, 0i64, 16u, 0, &pstmOlePres); // this line make pstmOlePres == pstmContents
if ( !v9 )
{
foretc.ptd = 0i64;
v9 = UtReadOlePresStmHeader(pstmOlePres, &foretc, 0i64, 0i64);
if ( v9 < 0 )
goto $errRtn_199; // pstmContents is still stale on this path
v9 = ((__int64 (__fastcall *)(IStream *, tagHDIBFILEHDR *, __int64))pstmOlePres->Read)(pstmOlePres, &hdfh, 16i64);
if ( v9 < 0 )
goto $errRtn_199; // pstmContents is still stale on this path
// Only from here on does pstmContents hold a live stream again.
v9 = OpenOrCreateStream(pstg, L"CONTENTS", &pstmContents);
if ( v9 >= 0 )
{
...
}
$errRtn_199:
// Shared cleanup. If OpenStream returned the freed object, the first Release
// frees it and the second Release calls through the vtable of freed memory.
if ( pstmOlePres )
pstmOlePres->Release(pstmOlePres); // first release
if ( pstmContents )
pstmContents->Release(pstmContents); // second release & crash trigger
if ( foretc.ptd )
...
}
- It has since been patched by adding the following lines:
+ IsEnabled = wil::details::FeatureImpl<__WilFeatureTraits_Feature_3047977275>::__private_IsEnabled(&`wil::Feature<__WilFeatureTraits_Feature_3047977275>::GetImpl'::`2'::impl);
+ v10 = pstmContents;
+ v11 = !IsEnabled;
v12 = pstg->lpVtbl;
+ if ( !v11 )
+ v10 = 0LL;
+ pstmContents = v10;
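Review bot: The NULL assignment to pstmContents is gated on the feature flag: when `IsEnabled` is false, `v11` is true, the `if ( !v11 )` branch is skipped, and `pstmContents = v10` writes the stale pointer back unchanged, so the double release described earlier on the page remains in configurations where the flag is off. The flag may be a staged rollout, but the unconditional form is simpler and closes the window in every build: `pstmContents = 0LL;` directly after the early Release, with no feature check. A comment on the assignment would also help the next reader, e.g. `// clear the stale stream pointer so the shared error exit does not Release() it again`. The enclosing function UtOlePresStmToContentsStm starts and ends outside this hunk.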
- As a result of this vulnerability, the instruction pointer (IP register) can be controlled.
# Exploitability
- I believe this vulnerability could be used as part of an attack chain.
- For research purposes, DEP was disabled to demonstrate the feasibility of an exploit-chain gadget and show its potential impact.
- Additionally, an extra scenario is needed for a complete ASLR bypass.
(In the video, the ASLR mitigation was circumvented probabilistically.) - This vulnerability can also occur in the Preview Pane feature supported by M365 products.
- Below is the PoC demo recorded on 2024-07-23 (@Jmini).
# Reference