CVE-2021-31939
Information
graph.exe parses TLV records, and when given the following sequence of records/markers, there is a use-after-free:
- 0x005D - Add buffer in work array
- 0x00EC - Free
- 0x000A - Use
As can be seen below, the crash happens while loading the vtable pointer from the freed object in order to invoke a virtual function through it:
.text:00000001401D4D9B mov rax, [rax] ; <--- crash here
.text:00000001401D4D9E lea r9, [rsp+38h+arg_0]
.text:00000001401D4DA3 mov r8d, 3BEh
.text:00000001401D4DA9 mov [rsp+38h+var_18], 4
.text:00000001401D4DB2 mov rdx, rbx
.text:00000001401D4DB5 mov rax, [rax+280h]
.text:00000001401D4DBC call cs:__guard_dispatch_icall_fptr ; <--- Virtual method invocation here
.text:00000001401D4DC2 mov eax, [rsp+38h+arg_0]
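To make the bug class concrete, here is an added illustration that is not graph.exe code and not from the Check Point research: a toy TLV walker that keeps parsed objects in a work array and handles the three record types named above (0x005D add, 0x00EC free, 0x000A use). The record layout (2-byte little-endian type, 2-byte little-endian length, then payload) and the convention that the first two payload bytes select a work-array slot are assumptions; the page does not document the real format. The walker is written the way the parser should behave: the two lines marked FIX (clearing the slot on free, and checking the slot before use) are exactly what a parser that leaves a dangling pointer in its work array lacks, and the constructed add/free/use stream is rejected instead of dereferencing freed memory.

```c
/* Added illustration of the add/free/use record pattern. Not graph.exe code.
 * Assumed record layout: u16 LE type, u16 LE length, then `length` bytes.
 * Assumed slot convention: first two payload bytes (if present) pick a slot
 * in the work array, otherwise slot 0. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define REC_ADD    0x005D  /* add an object to the work array   */
#define REC_FREE   0x00EC  /* free the object in a slot          */
#define REC_USE    0x000A  /* call a virtual method on a slot    */
#define WORK_SLOTS 8

enum walk_result {
    WALK_OK        =  0,  /* every record consumed, every use hit a live object */
    WALK_TRUNCATED = -1,  /* header or payload runs past the end of the buffer  */
    WALK_BAD_SLOT  = -2,  /* slot index outside the work array                  */
    WALK_STALE_USE = -3,  /* use record named a slot that was already freed     */
    WALK_OOM       = -4,  /* allocation failed while handling an add record     */
};

/* Stand-in for a C++ object with a vtable: one "virtual" method. */
struct work_obj {
    int (*describe)(const struct work_obj *);
    int id;
};

static int describe_obj(const struct work_obj *o) { return o->id; }

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walks the record stream; returns an enum walk_result and, if uses_out is
 * non-NULL, the number of use records that reached a live object. */
int walk_records(const uint8_t *buf, size_t len, int *uses_out)
{
    struct work_obj *work[WORK_SLOTS] = {0};
    int uses = 0;
    int rc = WALK_OK;
    size_t off = 0;

    while (off < len) {
        if (len - off < 4) { rc = WALK_TRUNCATED; goto done; }
        uint16_t type = rd16(buf + off);
        uint16_t plen = rd16(buf + off + 2);
        const uint8_t *payload = buf + off + 4;
        if (len - off - 4 < plen) { rc = WALK_TRUNCATED; goto done; }

        unsigned slot = plen >= 2 ? rd16(payload) : 0;  /* assumed convention */
        if (slot >= WORK_SLOTS) { rc = WALK_BAD_SLOT; goto done; }

        switch (type) {
        case REC_ADD:
            free(work[slot]);                 /* replacing an existing object */
            work[slot] = calloc(1, sizeof *work[slot]);
            if (!work[slot]) { rc = WALK_OOM; goto done; }
            work[slot]->describe = describe_obj;
            work[slot]->id = (int)slot + 1;
            break;
        case REC_FREE:
            free(work[slot]);
            work[slot] = NULL;                /* FIX: never leave a dangling pointer */
            break;
        case REC_USE:
            if (!work[slot]) { rc = WALK_STALE_USE; goto done; }  /* FIX: check before the virtual call */
            (void)work[slot]->describe(work[slot]);
            uses++;
            break;
        default:
            break;                            /* unknown types are skipped by length */
        }
        off += 4 + (size_t)plen;
    }
done:
    for (unsigned i = 0; i < WORK_SLOTS; i++) free(work[i]);
    if (uses_out) *uses_out = uses;
    return rc;
}

/* Convenience wrapper: number of successful uses, or the negative error code. */
int count_uses(const uint8_t *buf, size_t len)
{
    int uses = 0;
    int rc = walk_records(buf, len, &uses);
    return rc == WALK_OK ? uses : rc;
}

/* Constructed streams (not bytes from the crash file). */
static const uint8_t crash_like_stream[] = {   /* add, free, use: the sequence from the write-up */
    0x5D, 0x00, 0x00, 0x00,
    0xEC, 0x00, 0x00, 0x00,
    0x0A, 0x00, 0x00, 0x00,
};
static const uint8_t benign_stream[] = {       /* add, use, free: well-formed ordering */
    0x5D, 0x00, 0x00, 0x00,
    0x0A, 0x00, 0x00, 0x00,
    0xEC, 0x00, 0x00, 0x00,
};
static const uint8_t truncated_stream[] = { 0x5D, 0x00, 0x05, 0x00, 0x01 };       /* claims 5 payload bytes, has 1 */
static const uint8_t bad_slot_stream[]  = { 0x5D, 0x00, 0x02, 0x00, 0x09, 0x00 }; /* slot 9 of 8 */

int main(void)
{
    printf("add/free/use -> %d (expect %d)\n",
           walk_records(crash_like_stream, sizeof crash_like_stream, NULL), WALK_STALE_USE);
    printf("add/use/free -> %d live uses\n", count_uses(benign_stream, sizeof benign_stream));
    return 0;
}
```

The walk returns a distinct code per failure mode so a fuzzing harness or a file-scanning filter can tell a stale use from a truncated or out-of-range record, which is the kind of classification one wants when triaging crashes like the one in the trace below.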
Stack trace:
0:030> bp graph+A01A4 "r eax; r $t0 = poi(graph+51AB70) & ffff; db graph+516B70+$t0 - 2; g;"
0:030> g
ModLoad: 00007ff9`cb940000 00007ff9`cbc3b000 C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL
ModLoad: 00007ffa`2db10000 00007ffa`2db86000 C:\Windows\System32\coml2.dll
eax=5d
00007ff7`08956dbe 5d 00 00 00 ec 00 02 00-b0 04 0a 00 00 00 09 08 ]...............
00007ff7`08956dce 10 00 80 06 00 80 66 32-cd 07 c1 00 02 00 06 08 ......f2........
00007ff7`08956dde 00 00 60 10 0a 00 4a 10-aa 0a a0 00 00 00 00 00 ..`...J.........
00007ff7`08956dee 60 10 0a 00 4a 10 aa 0a-a0 00 01 00 01 00 ac 02 `...J...........
00007ff7`08956dfe 02 00 38 00 92 00 e2 00-38 00 00 00 00 00 ff ff ..8.....8.......
00007ff7`08956e0e ff 00 ff 00 00 00 00 ff-00 00 00 00 ff 00 ff ff ................
00007ff7`08956e1e 00 00 ff 00 ff 00 00 ff-ff 00 80 00 dd 0e c6 c5 ................
00007ff7`08956e2e f7 66 bf 76 d3 94 6b 43-07 76 c6 69 3d 95 06 fe .f.v..kC.v.i=...
ModLoad: 00007ff9`fa110000 00007ff9`fa381000 C:\Windows\SYSTEM32\UIAutomationCore.DLL
eax=ec
00007ff7`08956dc2 ec 00 02 00 b0 04 0a 00-00 00 09 08 10 00 80 06 ................
00007ff7`08956dd2 00 80 66 32 cd 07 c1 00-02 00 06 08 00 00 60 10 ..f2..........`.
00007ff7`08956de2 0a 00 4a 10 aa 0a a0 00-00 00 00 00 60 10 0a 00 ..J.........`...
00007ff7`08956df2 4a 10 aa 0a a0 00 01 00-01 00 ac 02 02 00 38 00 J.............8.
00007ff7`08956e02 92 00 e2 00 38 00 00 00-00 00 ff ff ff 00 ff 00 ....8...........
00007ff7`08956e12 00 00 00 ff 00 00 00 00-ff 00 ff ff 00 00 ff 00 ................
00007ff7`08956e22 ff 00 00 ff ff 00 80 00-dd 0e c6 c5 f7 66 bf 76 .............f.v
00007ff7`08956e32 d3 94 6b 43 07 76 c6 69-3d 95 06 fe 88 5d 76 2b ..kC.v.i=....]v+
eax=a
00007ff7`08956dc8 0a 00 00 00 09 08 10 00-80 06 00 80 66 32 cd 07 ............f2..
00007ff7`08956dd8 c1 00 02 00 06 08 00 00-60 10 0a 00 4a 10 aa 0a ........`...J...
00007ff7`08956de8 a0 00 00 00 00 00 60 10-0a 00 4a 10 aa 0a a0 00 ......`...J.....
00007ff7`08956df8 01 00 01 00 ac 02 02 00-38 00 92 00 e2 00 38 00 ........8.....8.
00007ff7`08956e08 00 00 00 00 ff ff ff 00-ff 00 00 00 00 ff 00 00 ................
00007ff7`08956e18 00 00 ff 00 ff ff 00 00-ff 00 ff 00 00 ff ff 00 ................
00007ff7`08956e28 80 00 dd 0e c6 c5 f7 66-bf 76 d3 94 6b 43 07 76 .......f.v..kC.v
00007ff7`08956e38 c6 69 3d 95 06 fe 88 5d-76 2b a0 00 85 4f cd 71 .i=....]v+...O.q
(2608.4e4c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
graph+0x1d4d9b:
00007ff7`08614d9b 488b00 mov rax,qword ptr [rax] ds:0000021a`a0546ce0=????????????????
0:000> k
# Child-SP RetAddr Call Site
00 000000cc`97bc3790 00007ff7`0860f721 graph+0x1d4d9b
01 000000cc`97bc37d0 00007ff7`0860f8e7 graph+0x1cf721
02 000000cc`97bc3800 00007ff7`0861af06 graph+0x1cf8e7
03 000000cc`97bc3830 00007ff7`084e858f graph+0x1daf06
04 000000cc`97bc3860 00007ff7`084e8ae4 graph+0xa858f
05 000000cc`97bc7dc0 00007ff7`0844d730 graph+0xa8ae4
06 000000cc`97bc7fa0 00007ff7`08441eb1 graph+0xd730
07 000000cc`97bcae80 00007ff7`085daeea graph+0x1eb1
08 000000cc`97bcb750 00007ffa`2d1cf3cf graph+0x19aeea
09 000000cc`97bcb810 00007ffa`2d1b90e6 OLEAUT32!DispCallFuncAmd64+0x7f
0a 000000cc`97bcb880 00007ffa`2d1b96e4 OLEAUT32!DispCallFunc+0x226
0b 000000cc`97bcb9d0 00007ffa`2d1b9fe1 OLEAUT32!CTypeInfo2::Invoke+0x554
0c 000000cc`97bcbd80 00007ff7`085e661e OLEAUT32!CTypeInfo2::Invoke+0xe51
0d 000000cc`97bcc130 00007ffa`2d23bb04 graph+0x1a661e
0e 000000cc`97bce680 00007ffa`2d23acb0 OLEAUT32!IDispatch_Invoke_Stub+0xd4
0f 000000cc`97bce710 00007ffa`2ddb1a3f OLEAUT32!IDispatch_RemoteInvoke_Thunk+0x60
10 000000cc`97bce780 00007ffa`2e018422 RPCRT4!NdrStubCall2+0x92f
11 000000cc`97bcede0 00007ffa`2d1b2f60 combase!CStdStubBuffer_Invoke+0xa2 [onecore\com\combase\ndr\ndrole\stub.cxx @ 1524]
12 000000cc`97bcee20 00007ffa`2dfa4313 OLEAUT32!CStubWrapper::Invoke+0x90
13 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_c9f3956a20c9da92a64affc24fdd69ec>::operator()+0x18 [onecore\com\combase\dcomrem\channelb.cxx @ 1385]
14 000000cc`97bcee60 00007ffa`2dfa4103 combase!ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec> >+0x43 [onecore\com\combase\dcomrem\excepn.hxx @ 87]
15 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing+0xa8 [onecore\com\combase\dcomrem\channelb.cxx @ 1383]
16 000000cc`97bceec0 00007ffa`2e01b036 combase!DefaultStubInvoke+0x1c3 [onecore\com\combase\dcomrem\channelb.cxx @ 1452]
17 (Inline Function) --------`-------- combase!SyncStubCall::Invoke+0x22 [onecore\com\combase\dcomrem\channelb.cxx @ 1509]
18 000000cc`97bcf010 00007ffa`2dfa82da combase!SyncServerCall::StubInvoke+0x26 [onecore\com\combase\dcomrem\servercall.hpp @ 826]
19 (Inline Function) --------`-------- combase!StubInvoke+0x259 [onecore\com\combase\dcomrem\channelb.cxx @ 1734]
1a 000000cc`97bcf050 00007ffa`2dfa550d combase!ServerCall::ContextInvoke+0x42a [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1418]
1b (Inline Function) --------`-------- combase!CServerChannel::ContextInvoke+0x79 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1327]
1c (Inline Function) --------`-------- combase!DefaultInvokeInApartment+0x92 [onecore\com\combase\dcomrem\callctrl.cxx @ 3352]
1d 000000cc`97bcf450 00007ffa`2dfc579c combase!ReentrantSTAInvokeInApartment+0x19d [onecore\com\combase\dcomrem\reentrantsta.cpp @ 112]
1e 000000cc`97bcf4d0 00007ffa`2dfc6001 combase!AppInvoke+0x1ec [onecore\com\combase\dcomrem\channelb.cxx @ 1182]
1f 000000cc`97bcf560 00007ffa`2dfe7c6d combase!ComInvokeWithLockAndIPID+0x681 [onecore\com\combase\dcomrem\channelb.cxx @ 2290]
20 (Inline Function) --------`-------- combase!ComInvoke+0x1ab [onecore\com\combase\dcomrem\channelb.cxx @ 1803]
21 (Inline Function) --------`-------- combase!ThreadDispatch+0x20a [onecore\com\combase\dcomrem\chancont.cxx @ 416]
22 000000cc`97bcf890 00007ffa`2d025c1d combase!ThreadWndProc+0x3ad [onecore\com\combase\dcomrem\chancont.cxx @ 744]
23 000000cc`97bcf9c0 00007ffa`2d025612 USER32!UserCallWinProcCheckWow+0x2bd
24 000000cc`97bcfb50 00007ff7`0865f681 USER32!DispatchMessageWorker+0x1e2
25 000000cc`97bcfbd0 00007ff7`084692d7 graph+0x21f681
26 000000cc`97bcfc00 00007ff7`08652dd6 graph+0x292d7
27 000000cc`97bcfdf0 00007ff7`087bf602 graph+0x212dd6
28 000000cc`97bcfef0 00007ffa`2cd27c24 graph+0x37f602
29 000000cc`97bcff30 00007ffa`2e52d721 KERNEL32!BaseThreadInitThunk+0x14
2a 000000cc`97bcff60 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:000> r
rax=0000021aa0546ce0 rbx=0000021aa9f1eef0 rcx=0000021aa0546ce0
rdx=000000000000fffa rsi=0000021aa0c20fd8 rdi=0000021aa9f1eef0
rip=00007ff708614d9b rsp=000000cc97bc3790 rbp=000000cc97bc58c0
r8=0000000000000001 r9=0000000000000000 r10=00000fff348de62a
r11=1555554151551555 r12=000000000000efff r13=0000000000000000
r14=0000000000000001 r15=00000000000006d0
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
graph+0x1d4d9b:
00007ff7`08614d9b 488b00 mov rax,qword ptr [rax] ds:0000021a`a0546ce0=????????????????
0:000> !heap -p -a @rax
address 0000021aa0546ce0 found in
_DPH_HEAP_ROOT @ 21af3361000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
21aa07a5e38: 21aa0546000 2000
00007ffa2e5c502c ntdll!RtlDebugFreeHeap+0x000000000000003c
00007ffa2e501b6d ntdll!RtlpFreeHeap+0x00000000000000bd
00007ffa2e5012e0 ntdll!RtlpFreeHeapInternal+0x0000000000000790
00007ffa2e5006e1 ntdll!RtlFreeHeap+0x0000000000000051
00007ff9ba875613 mso20win32client!Ordinal1110+0x0000000000000053
00007ff9a47533eb mso!Ordinal2242+0x0000000000000b0b
00007ff708603787 graph+0x00000000001c3787
00007ff708607cb0 graph+0x00000000001c7cb0
00007ff7084e087d graph+0x00000000000a087d
00007ff7084e8ae4 graph+0x00000000000a8ae4
00007ff70844d730 graph+0x000000000000d730
00007ff708441eb1 graph+0x0000000000001eb1
00007ff7085daeea graph+0x000000000019aeea
00007ffa2d1cf3cf OLEAUT32!DispCallFuncAmd64+0x000000000000007f
00007ffa2d1b90e6 OLEAUT32!DispCallFunc+0x0000000000000226
00007ffa2d1b96e4 OLEAUT32!CTypeInfo2::Invoke+0x0000000000000554
00007ffa2d1b9fe1 OLEAUT32!CTypeInfo2::Invoke+0x0000000000000e51
00007ff7085e661e graph+0x00000000001a661e
00007ffa2d23bb04 OLEAUT32!IDispatch_Invoke_Stub+0x00000000000000d4
00007ffa2d23acb0 OLEAUT32!IDispatch_RemoteInvoke_Thunk+0x0000000000000060
00007ffa2ddb1a3f RPCRT4!NdrStubCall2+0x000000000000092f
00007ffa2e018422 combase!CStdStubBuffer_Invoke+0x00000000000000a2 [onecore\com\combase\ndr\ndrole\stub.cxx @ 1524]
00007ffa2d1b2f60 OLEAUT32!CStubWrapper::Invoke+0x0000000000000090
00007ffa2dfa4313 combase!ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec> >+0x0000000000000043 [onecore\com\combase\dcomrem\excepn.hxx @ 87]
00007ffa2dfa4103 combase!DefaultStubInvoke+0x00000000000001c3 [onecore\com\combase\dcomrem\channelb.cxx @ 1452]
00007ffa2e01b036 combase!SyncServerCall::StubInvoke+0x0000000000000026 [onecore\com\combase\dcomrem\servercall.hpp @ 826]
00007ffa2dfa82da combase!ServerCall::ContextInvoke+0x000000000000042a [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1418]
00007ffa2dfa550d combase!ReentrantSTAInvokeInApartment+0x000000000000019d [onecore\com\combase\dcomrem\reentrantsta.cpp @ 112]
00007ffa2dfc579c combase!AppInvoke+0x00000000000001ec [onecore\com\combase\dcomrem\channelb.cxx @ 1182]
00007ffa2dfc6001 combase!ComInvokeWithLockAndIPID+0x0000000000000681 [onecore\com\combase\dcomrem\channelb.cxx @ 2290]
00007ffa2dfe7c6d combase!ThreadWndProc+0x00000000000003ad [onecore\com\combase\dcomrem\chancont.cxx @ 744]
00007ffa2d025c1d USER32!UserCallWinProcCheckWow+0x00000000000002bd
Steps to reproduce:
Steps to reproduce - Outlook:
0. activate full GFlags for graph.exe
1. open WinDBG for the following process: C:\Program Files\Microsoft Office\root\Office16\graph.exe /automation -Embedding
2. open crash.eml using outlook
3. double-click the image inside the eml file
4. observe the crash in WinDBG
** Please note that if you have Microsoft Office installed, excelcnv.exe may cause your Outlook to hang, so we recommend renaming it for testing purposes.
Steps to reproduce - Graph:
0. activate full GFlags for graph.exe
1. open WinDBG for the following process: C:\Program Files\Microsoft Office\root\Office16\graph.exe /automation -Embedding
2. run the attached vbscript file - test.vbs with crash as an argument (use the full path)
3. observe the crash in WinDBG
Attachments:
crash
crash.eml
test.vbs
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31939
https://research.checkpoint.com/2021/fuzzing-the-office-ecosystem/