Information

The graph.exe parses TLV records, and when given the following sequence of records/markers, there is a use-after-after:

  1. 0x005D - Add buffer in work array
  2. 0x00EC - Free
  3. 0x000A - Use
    As can be seen below, the crash is when trying to invoke a virtual function pointer.
    .text:00000001401D4D9B mov     rax, [rax] ; <--- crash here
    .text:00000001401D4D9E lea     r9, [rsp+38h+arg_0]
    .text:00000001401D4DA3 mov     r8d, 3BEh
    .text:00000001401D4DA9 mov     [rsp+38h+var_18], 4
    .text:00000001401D4DB2 mov     rdx, rbx
    .text:00000001401D4DB5 mov     rax, [rax+280h]
    .text:00000001401D4DBC call    cs:__guard_dispatch_icall_fptr ; <--- Virtual method invocation here
    .text:00000001401D4DC2 mov     eax, [rsp+38h+arg_0]
    

Stack trace:

0:030> bp graph+A01A4 "r eax; r $t0 = poi(graph+51AB70) & ffff; db graph+516B70+$t0 - 2; g;"
0:030> g
ModLoad: 00007ff9`cb940000 00007ff9`cbc3b000   C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL
ModLoad: 00007ffa`2db10000 00007ffa`2db86000   C:\Windows\System32\coml2.dll
eax=5d
00007ff7`08956dbe  5d 00 00 00 ec 00 02 00-b0 04 0a 00 00 00 09 08  ]...............
00007ff7`08956dce  10 00 80 06 00 80 66 32-cd 07 c1 00 02 00 06 08  ......f2........
00007ff7`08956dde  00 00 60 10 0a 00 4a 10-aa 0a a0 00 00 00 00 00  ..`...J.........
00007ff7`08956dee  60 10 0a 00 4a 10 aa 0a-a0 00 01 00 01 00 ac 02  `...J...........
00007ff7`08956dfe  02 00 38 00 92 00 e2 00-38 00 00 00 00 00 ff ff  ..8.....8.......
00007ff7`08956e0e  ff 00 ff 00 00 00 00 ff-00 00 00 00 ff 00 ff ff  ................
00007ff7`08956e1e  00 00 ff 00 ff 00 00 ff-ff 00 80 00 dd 0e c6 c5  ................
00007ff7`08956e2e  f7 66 bf 76 d3 94 6b 43-07 76 c6 69 3d 95 06 fe  .f.v..kC.v.i=...
ModLoad: 00007ff9`fa110000 00007ff9`fa381000   C:\Windows\SYSTEM32\UIAutomationCore.DLL
eax=ec
00007ff7`08956dc2  ec 00 02 00 b0 04 0a 00-00 00 09 08 10 00 80 06  ................
00007ff7`08956dd2  00 80 66 32 cd 07 c1 00-02 00 06 08 00 00 60 10  ..f2..........`.
00007ff7`08956de2  0a 00 4a 10 aa 0a a0 00-00 00 00 00 60 10 0a 00  ..J.........`...
00007ff7`08956df2  4a 10 aa 0a a0 00 01 00-01 00 ac 02 02 00 38 00  J.............8.
00007ff7`08956e02  92 00 e2 00 38 00 00 00-00 00 ff ff ff 00 ff 00  ....8...........
00007ff7`08956e12  00 00 00 ff 00 00 00 00-ff 00 ff ff 00 00 ff 00  ................
00007ff7`08956e22  ff 00 00 ff ff 00 80 00-dd 0e c6 c5 f7 66 bf 76  .............f.v
00007ff7`08956e32  d3 94 6b 43 07 76 c6 69-3d 95 06 fe 88 5d 76 2b  ..kC.v.i=....]v+
eax=a
00007ff7`08956dc8  0a 00 00 00 09 08 10 00-80 06 00 80 66 32 cd 07  ............f2..
00007ff7`08956dd8  c1 00 02 00 06 08 00 00-60 10 0a 00 4a 10 aa 0a  ........`...J...
00007ff7`08956de8  a0 00 00 00 00 00 60 10-0a 00 4a 10 aa 0a a0 00  ......`...J.....
00007ff7`08956df8  01 00 01 00 ac 02 02 00-38 00 92 00 e2 00 38 00  ........8.....8.
00007ff7`08956e08  00 00 00 00 ff ff ff 00-ff 00 00 00 00 ff 00 00  ................
00007ff7`08956e18  00 00 ff 00 ff ff 00 00-ff 00 ff 00 00 ff ff 00  ................
00007ff7`08956e28  80 00 dd 0e c6 c5 f7 66-bf 76 d3 94 6b 43 07 76  .......f.v..kC.v
00007ff7`08956e38  c6 69 3d 95 06 fe 88 5d-76 2b a0 00 85 4f cd 71  .i=....]v+...O.q
(2608.4e4c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
graph+0x1d4d9b:
00007ff7`08614d9b 488b00          mov     rax,qword ptr [rax] ds:0000021a`a0546ce0=????????????????
0:000> k
 # Child-SP          RetAddr               Call Site
00 000000cc`97bc3790 00007ff7`0860f721     graph+0x1d4d9b
01 000000cc`97bc37d0 00007ff7`0860f8e7     graph+0x1cf721
02 000000cc`97bc3800 00007ff7`0861af06     graph+0x1cf8e7
03 000000cc`97bc3830 00007ff7`084e858f     graph+0x1daf06
04 000000cc`97bc3860 00007ff7`084e8ae4     graph+0xa858f
05 000000cc`97bc7dc0 00007ff7`0844d730     graph+0xa8ae4
06 000000cc`97bc7fa0 00007ff7`08441eb1     graph+0xd730
07 000000cc`97bcae80 00007ff7`085daeea     graph+0x1eb1
08 000000cc`97bcb750 00007ffa`2d1cf3cf     graph+0x19aeea
09 000000cc`97bcb810 00007ffa`2d1b90e6     OLEAUT32!DispCallFuncAmd64+0x7f
0a 000000cc`97bcb880 00007ffa`2d1b96e4     OLEAUT32!DispCallFunc+0x226
0b 000000cc`97bcb9d0 00007ffa`2d1b9fe1     OLEAUT32!CTypeInfo2::Invoke+0x554
0c 000000cc`97bcbd80 00007ff7`085e661e     OLEAUT32!CTypeInfo2::Invoke+0xe51
0d 000000cc`97bcc130 00007ffa`2d23bb04     graph+0x1a661e
0e 000000cc`97bce680 00007ffa`2d23acb0     OLEAUT32!IDispatch_Invoke_Stub+0xd4
0f 000000cc`97bce710 00007ffa`2ddb1a3f     OLEAUT32!IDispatch_RemoteInvoke_Thunk+0x60
10 000000cc`97bce780 00007ffa`2e018422     RPCRT4!NdrStubCall2+0x92f
11 000000cc`97bcede0 00007ffa`2d1b2f60     combase!CStdStubBuffer_Invoke+0xa2 [onecore\com\combase\ndr\ndrole\stub.cxx @ 1524] 
12 000000cc`97bcee20 00007ffa`2dfa4313     OLEAUT32!CStubWrapper::Invoke+0x90
13 (Inline Function) --------`--------     combase!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_c9f3956a20c9da92a64affc24fdd69ec>::operator()+0x18 [onecore\com\combase\dcomrem\channelb.cxx @ 1385] 
14 000000cc`97bcee60 00007ffa`2dfa4103     combase!ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec> >+0x43 [onecore\com\combase\dcomrem\excepn.hxx @ 87] 
15 (Inline Function) --------`--------     combase!InvokeStubWithExceptionPolicyAndTracing+0xa8 [onecore\com\combase\dcomrem\channelb.cxx @ 1383] 
16 000000cc`97bceec0 00007ffa`2e01b036     combase!DefaultStubInvoke+0x1c3 [onecore\com\combase\dcomrem\channelb.cxx @ 1452] 
17 (Inline Function) --------`--------     combase!SyncStubCall::Invoke+0x22 [onecore\com\combase\dcomrem\channelb.cxx @ 1509] 
18 000000cc`97bcf010 00007ffa`2dfa82da     combase!SyncServerCall::StubInvoke+0x26 [onecore\com\combase\dcomrem\servercall.hpp @ 826] 
19 (Inline Function) --------`--------     combase!StubInvoke+0x259 [onecore\com\combase\dcomrem\channelb.cxx @ 1734] 
1a 000000cc`97bcf050 00007ffa`2dfa550d     combase!ServerCall::ContextInvoke+0x42a [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1418] 
1b (Inline Function) --------`--------     combase!CServerChannel::ContextInvoke+0x79 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1327] 
1c (Inline Function) --------`--------     combase!DefaultInvokeInApartment+0x92 [onecore\com\combase\dcomrem\callctrl.cxx @ 3352] 
1d 000000cc`97bcf450 00007ffa`2dfc579c     combase!ReentrantSTAInvokeInApartment+0x19d [onecore\com\combase\dcomrem\reentrantsta.cpp @ 112] 
1e 000000cc`97bcf4d0 00007ffa`2dfc6001     combase!AppInvoke+0x1ec [onecore\com\combase\dcomrem\channelb.cxx @ 1182] 
1f 000000cc`97bcf560 00007ffa`2dfe7c6d     combase!ComInvokeWithLockAndIPID+0x681 [onecore\com\combase\dcomrem\channelb.cxx @ 2290] 
20 (Inline Function) --------`--------     combase!ComInvoke+0x1ab [onecore\com\combase\dcomrem\channelb.cxx @ 1803] 
21 (Inline Function) --------`--------     combase!ThreadDispatch+0x20a [onecore\com\combase\dcomrem\chancont.cxx @ 416] 
22 000000cc`97bcf890 00007ffa`2d025c1d     combase!ThreadWndProc+0x3ad [onecore\com\combase\dcomrem\chancont.cxx @ 744] 
23 000000cc`97bcf9c0 00007ffa`2d025612     USER32!UserCallWinProcCheckWow+0x2bd
24 000000cc`97bcfb50 00007ff7`0865f681     USER32!DispatchMessageWorker+0x1e2
25 000000cc`97bcfbd0 00007ff7`084692d7     graph+0x21f681
26 000000cc`97bcfc00 00007ff7`08652dd6     graph+0x292d7
27 000000cc`97bcfdf0 00007ff7`087bf602     graph+0x212dd6
28 000000cc`97bcfef0 00007ffa`2cd27c24     graph+0x37f602
29 000000cc`97bcff30 00007ffa`2e52d721     KERNEL32!BaseThreadInitThunk+0x14
2a 000000cc`97bcff60 00000000`00000000     ntdll!RtlUserThreadStart+0x21
0:000> r
rax=0000021aa0546ce0 rbx=0000021aa9f1eef0 rcx=0000021aa0546ce0
rdx=000000000000fffa rsi=0000021aa0c20fd8 rdi=0000021aa9f1eef0
rip=00007ff708614d9b rsp=000000cc97bc3790 rbp=000000cc97bc58c0
 r8=0000000000000001  r9=0000000000000000 r10=00000fff348de62a
r11=1555554151551555 r12=000000000000efff r13=0000000000000000
r14=0000000000000001 r15=00000000000006d0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
graph+0x1d4d9b:
00007ff7`08614d9b 488b00          mov     rax,qword ptr [rax] ds:0000021a`a0546ce0=????????????????
0:000> !heap -p -a @rax
    address 0000021aa0546ce0 found in
    _DPH_HEAP_ROOT @ 21af3361000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                21aa07a5e38:      21aa0546000             2000
    00007ffa2e5c502c ntdll!RtlDebugFreeHeap+0x000000000000003c
    00007ffa2e501b6d ntdll!RtlpFreeHeap+0x00000000000000bd
    00007ffa2e5012e0 ntdll!RtlpFreeHeapInternal+0x0000000000000790
    00007ffa2e5006e1 ntdll!RtlFreeHeap+0x0000000000000051
    00007ff9ba875613 mso20win32client!Ordinal1110+0x0000000000000053
    00007ff9a47533eb mso!Ordinal2242+0x0000000000000b0b
    00007ff708603787 graph+0x00000000001c3787
    00007ff708607cb0 graph+0x00000000001c7cb0
    00007ff7084e087d graph+0x00000000000a087d
    00007ff7084e8ae4 graph+0x00000000000a8ae4
    00007ff70844d730 graph+0x000000000000d730
    00007ff708441eb1 graph+0x0000000000001eb1
    00007ff7085daeea graph+0x000000000019aeea
    00007ffa2d1cf3cf OLEAUT32!DispCallFuncAmd64+0x000000000000007f
    00007ffa2d1b90e6 OLEAUT32!DispCallFunc+0x0000000000000226
    00007ffa2d1b96e4 OLEAUT32!CTypeInfo2::Invoke+0x0000000000000554
    00007ffa2d1b9fe1 OLEAUT32!CTypeInfo2::Invoke+0x0000000000000e51
    00007ff7085e661e graph+0x00000000001a661e
    00007ffa2d23bb04 OLEAUT32!IDispatch_Invoke_Stub+0x00000000000000d4
    00007ffa2d23acb0 OLEAUT32!IDispatch_RemoteInvoke_Thunk+0x0000000000000060
    00007ffa2ddb1a3f RPCRT4!NdrStubCall2+0x000000000000092f
    00007ffa2e018422 combase!CStdStubBuffer_Invoke+0x00000000000000a2 [onecore\com\combase\ndr\ndrole\stub.cxx @ 1524]
    00007ffa2d1b2f60 OLEAUT32!CStubWrapper::Invoke+0x0000000000000090
    00007ffa2dfa4313 combase!ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec> >+0x0000000000000043 [onecore\com\combase\dcomrem\excepn.hxx @ 87]
    00007ffa2dfa4103 combase!DefaultStubInvoke+0x00000000000001c3 [onecore\com\combase\dcomrem\channelb.cxx @ 1452]
    00007ffa2e01b036 combase!SyncServerCall::StubInvoke+0x0000000000000026 [onecore\com\combase\dcomrem\servercall.hpp @ 826]
    00007ffa2dfa82da combase!ServerCall::ContextInvoke+0x000000000000042a [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1418]
    00007ffa2dfa550d combase!ReentrantSTAInvokeInApartment+0x000000000000019d [onecore\com\combase\dcomrem\reentrantsta.cpp @ 112]
    00007ffa2dfc579c combase!AppInvoke+0x00000000000001ec [onecore\com\combase\dcomrem\channelb.cxx @ 1182]
    00007ffa2dfc6001 combase!ComInvokeWithLockAndIPID+0x0000000000000681 [onecore\com\combase\dcomrem\channelb.cxx @ 2290]
    00007ffa2dfe7c6d combase!ThreadWndProc+0x00000000000003ad [onecore\com\combase\dcomrem\chancont.cxx @ 744]
    00007ffa2d025c1d USER32!UserCallWinProcCheckWow+0x00000000000002bd

Steps to reproduce:

Steps to reproduce - Outlook:
0. activate full GFlags for graph.exe
1. open WinDBG for the following process: C:\Program Files\Microsoft Office\root\Office16\graph.exe /automation -Embedding
2. open crash.eml using outlook
3. double-click the image inside the eml file
4. observe the crash in WinDBG
** Please note that if you have Microsoft Office installed, excelcnv.exe may cause your outlook to hang, so we recommend changing its name for testing purposes.
Steps to reproduce - Graph:
0. activate full GFlags for graph.exe
1. open WinDBG for the following process: C:\Program Files\Microsoft Office\root\Office16\graph.exe /automation -Embedding
2. run the attached vbscript file - test.vbs with crash as an argument (use the full path)
3. observe the crash in WinDBG

References:
https://research.checkpoint.com/2021/fuzzing-the-office-ecosystem/


Attachments:
crash
crash.eml
test.vbs

References:
xxx