CVE Diary

CVE-2025-21298

S!_Jmini 2025. 3. 4. 14:39

# Summary

OS: Windows 7/10/11

TARGET: MS Office winword.exe / Windows

TYPE: Windows OLE Remote Code Execution Vulnerability

# Description

  • This vulnerability can occur in M365 product lines that support OleObject insertion.
  • This vulnerability allows the same object to be released twice; the second Release goes through a pointer to freed memory, potentially invoking a function at an arbitrary address.

# Analysis

  • Below is an excerpt of the decompiled code as it stood when the vulnerability was discovered.

```c
__int64 __fastcall UtOlePresStmToContentsStm(IStorage *pstg, wchar_t *puiStatus, int a3, unsigned int *lpszPresStm)
{
  IStorage_vtbl *v5; // rax
  int v7; // r14d
  int v9; // ebx
  HRESULT v10; // eax
  IStream *pstmContents; // [rsp+40h] [rbp-19h] BYREF
  IStream *pstmOlePres; // [rsp+48h] [rbp-11h] BYREF
  tagFORMATETC foretc; // [rsp+50h] [rbp-9h] BYREF
  tagHDIBFILEHDR hdfh; // [rsp+70h] [rbp+17h] BYREF

  *lpszPresStm = 0;
  v5 = pstg->__vftable;
  pstmContents = 0i64;
  v7 = 1;
  if ( v5->CreateStream(pstg, L"CONTENTS", 18u, 0, 0, &pstmContents) )
    return 0i64;
  pstmContents->Release(pstmContents); // released, but pstmContents is not reset to NULL (dangling pointer)
  pstg->DestroyElement(pstg, L"CONTENTS");
  v9 = pstg->OpenStream(pstg, &word_F40E0, 0i64, 16u, 0, &pstmOlePres); // this line makes pstmOlePres == pstmContents (the freed allocation is reused)
  if ( !v9 )
  {
    foretc.ptd = 0i64;
    v9 = UtReadOlePresStmHeader(pstmOlePres, &foretc, 0i64, 0i64);
    if ( v9 < 0 )
      goto $errRtn_199;
    v9 = ((__int64 (__fastcall *)(IStream *, tagHDIBFILEHDR *, __int64))pstmOlePres->Read)(pstmOlePres, &hdfh, 16i64);
    if ( v9 < 0 )
      goto $errRtn_199;
    v9 = OpenOrCreateStream(pstg, L"CONTENTS", &pstmContents);
    if ( v9 >= 0 )
    {
        ...
    }
$errRtn_199:
    if ( pstmOlePres )
      pstmOlePres->Release(pstmOlePres); // first release
    if ( pstmContents )
      pstmContents->Release(pstmContents); // second release on the same (freed) object: crash trigger
    if ( foretc.ptd )
    ...
  }
```
  • It has now been patched by adding some lines:
+ IsEnabled = wil::details::FeatureImpl<__WilFeatureTraits_Feature_3047977275>::__private_IsEnabled(&`wil::Feature<__WilFeatureTraits_Feature_3047977275>::GetImpl'::`2'::impl);
+ v10 = pstmContents;
+ v11 = !IsEnabled;
  v12 = pstg->lpVtbl;
+ if ( !v11 )
+   v10 = 0LL;
+ pstmContents = v10;
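Review bot: the fix is gated behind a WIL feature flag, so the dangling pointer is only cleared when the flag is on: `v11 = !IsEnabled;` / `if ( !v11 ) v10 = 0LL;` / `pstmContents = v10;` leaves pstmContents holding the released stream when IsEnabled is false, and the `if ( pstmContents )` check at $errRtn_199 then still performs the second Release. Worth confirming the flag's default state on shipped builds and whether a later build drops the gate and clears the pointer unconditionally.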
  • As a result of this vulnerability, the instruction pointer (IP register) can be controlled.

WinDbg debugging (screenshot)
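To make the lifetime bug in the decompiled routine concrete, here is an added C model (not OLE's code and not the author's): a toy refcounted stream and a one-slot allocator that hands the just-freed object to the next caller, replaying the error path of UtOlePresStmToContentsStm once as shipped and once with the patch's behaviour of clearing pstmContents after its first Release. The Stream type, the allocator and the assumption that UtReadOlePresStmHeader fails are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a refcounted COM IStream; refs == 0 means the object is freed. */
typedef struct Stream { int refs; } Stream;

/* One-slot "heap": the next allocation hands back the object that was just freed,
 * which is how the reopened OlePres stream ends up at the address pstmContents still holds. */
static Stream g_slot;
static int g_double_release;            /* Release() calls seen on an already-freed object */

static Stream *AllocStream(void) {
    if (g_slot.refs != 0) return NULL;  /* slot still live: allocation fails */
    g_slot.refs = 1;
    return &g_slot;
}

static void Release(Stream *s) {
    if (s->refs == 0) { g_double_release++; return; } /* real code: vtable read from freed memory */
    s->refs--;
}

/* Replays the stream handling of UtOlePresStmToContentsStm on its error path.
 * fixed != 0 applies the patched behaviour: pstmContents is cleared after its first Release.
 * Returns the number of releases performed on an already-freed object (0 is the safe result). */
int ConvertPresToContents(int fixed) {
    Stream *pstmContents, *pstmOlePres;
    g_double_release = 0;

    pstmContents = AllocStream();                  /* CreateStream(L"CONTENTS") */
    if (!pstmContents) return -1;
    Release(pstmContents);                         /* refcount -> 0, object freed */
    if (fixed) pstmContents = NULL;                /* patched build keeps no dangling pointer */
    /* DestroyElement(L"CONTENTS") omitted: it does not touch the freed object */

    pstmOlePres = AllocStream();                   /* OpenStream(OlePres) reuses the freed slot */
    /* Assumed: UtReadOlePresStmHeader fails here, so control jumps to $errRtn before
     * OpenOrCreateStream() could assign a fresh stream to pstmContents. */

    if (pstmOlePres) Release(pstmOlePres);         /* first release: frees the shared object */
    if (pstmContents) Release(pstmContents);       /* unpatched: second release of that memory */
    return g_double_release;
}

int main(void) {
    printf("unpatched: %d double release(s)\n", ConvertPresToContents(0));  /* 1 */
    printf("patched:   %d double release(s)\n", ConvertPresToContents(1));  /* 0 */
    return 0;
}
```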

# Exploitability

  1. I consider that this vulnerability could be utilized as part of an attack scenario.
  2. For research purposes, I disabled the DEP protection to demonstrate the feasibility of using an exploit chain gadget and prove its malicious potential.
  3. Additionally, an extra scenario is needed for a complete ASLR bypass.
    (In this video, ASLR mitigation was circumvented probabilistically.)
  4. This vulnerability can also occur in the Preview Pane feature supported by M365 products.
  5. Below is the PoC demo recorded on 2024-07-23 (@Jmini).

# Reference