Microsoft Office Excel 2007, 2010, 2013 - BIFFRecord Use-After-Free

<p>CVE-ID：CVE-2015-2523<br></p><p>受影响版本：</p><p>Microsoft Office 2007</p><p>Microsoft Office 2010</p><p>Microsoft Office 2013</p><p>Microsoft Office 2013 RT</p><p>漏洞详情：</p><p>The minimized crashing file shows two deltas from the original. The first at offset 0x237 is in the data of the 4th BIFFRecord and the second delta at offset 0x34a5 is in the type field of a BIFFRecord. </p><p> </p><p>File versions:</p><p>Excel.exe: 12.0.6718.5000</p><p>MSO.dll: 12.0.6721.5000</p><p> </p><p>Observed Crash:</p><p> </p><p>eax=00000000 ebx=00000000 ecx=0ce119f8 edx=00003fff esi=0e98de10 edi=0013c82c</p><p>eip=30037cc5 esp=00137180 ebp=00137188 iopl=0         nv up ei pl nz na po nc</p><p>cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202</p><p>*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Excel.exe - </p><p>Excel!Ordinal40+0x37cc5:</p><p>30037cc5 0fb64604        movzx   eax,byte ptr [esi+4]       ds:0023:0e98de14=jQuery21405955476451199502_1442475720819</p><p> </p><p>0:000> kb L8</p><p>ChildEBP RetAddr  Args to Child              </p><p>WARNING: Stack unwind information not available. Following frames may be wrong.</p><p>00137188 303df098 0e98de10 00000000 00000102 Excel!Ordinal40+0x37cc5</p><p>0013d068 30528190 0013d0a8 00000102 00000000 Excel!Ordinal40+0x3df098</p><p>0013d2bc 305280b1 00000000 00000001 00000008 Excel!Ordinal40+0x528190</p><p>0013d330 3038d46d 0013ddf2 00000000 00000001 Excel!Ordinal40+0x5280b1</p><p>0013e000 300084a4 0013e104 00000001 0013f568 Excel!Ordinal40+0x38d46d</p><p>0013fbb0 30005e9a 02270fd7 00000003 30f61708 Excel!Ordinal40+0x84a4</p><p>0013feb8 30003b3a 00000000 02270fd7 00000003 Excel!Ordinal40+0x5e9a</p><p>0013ff30 30003884 30000000 00000000 02270fd7 Excel!Ordinal40+0x3b3a</p><p> </p><p>In this crash esi is a heap address. We can see that this is a free chunk:</p><p> </p><p>0:000> !heap -p -a 0xe98de10</p><p>    address 0e98de10 found in</p><p>    _DPH_HEAP_ROOT @ 1161000</p><p>    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)</p><p>                                    e7f0fc0:          e98d000             2000</p><p>    7c83e330 ntdll!RtlFreeHeap+0x0000011a</p><p>    018b1611 vfbasics!AVrfpRtlFreeHeap+0x000000a8</p><p>    331039d5 mso!Ordinal1743+0x00002d4d</p><p>    329c91d1 mso!MsoFreePv+0x0000003f</p><p>    30298310 Excel!Ordinal40+0x00298310</p><p>    30300ac3 Excel!Ordinal40+0x00300ac3</p><p>    305f1899 Excel!Ordinal40+0x005f1899 </p><p> </p><p>This is a use after free vulnerability affecting all currently supported versions of Microsoft Excel. </p>