CVE-2024-43504
Information
When a crafted Excel file is opened through the ‘Moniker Link’ method (Excel is started and handed the file through COM moniker binding rather than a normal document open), a use-after-free is triggered in Microsoft Excel. Successful exploitation could give remote code execution on the victim’s machine, in the security context of the user who opened the file.
The ‘Moniker Link’ attack vector is described at https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/ (CVE-2024-21413 in Outlook: a file: hyperlink whose path is followed by ‘!’ is parsed as a composite moniker and bound through COM, which starts the application registered for the file type and hands it the file). That Outlook entry point is now patched, but other disclosed and undisclosed methods can make a COM moniker bind to a crafted file and open the targeted application (in this case, Excel) in the same way. The essence here is the vulnerability itself, not the attack vector.
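As an added example (not code from this advisory or from the referenced write-up), the following Python flags hyperlinks that take the moniker form described above: a file: URL whose path is followed by ‘!’ is split into a file moniker (binding it launches the handler application, e.g. Excel for .xlsx) and an item moniker. The sample HTML, the host 198.51.100.7 and the percent-decoding step are constructed assumptions for the example; a mail gateway or EDR hook would run the same check over the HTML body of each message.

```python
"""Flag hyperlinks that would be parsed as COM monikers (added example, not from
the advisory).  Per the Check Point write-up referenced above, a file: URL whose
path is followed by '!' is handed to the COM moniker parser: the part before '!'
becomes a file moniker (binding it launches the handler app for that file type)
and the part after it an item moniker.  SAMPLE_HTML is constructed input; the
host 198.51.100.7 is a documentation address, not a real server."""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import unquote


@dataclass
class MonikerLink:
    href: str
    file_display_name: str   # what a FileMoniker would bind to
    item_display_name: str   # what an ItemMoniker would ask the container for
    host: str | None         # UNC host the victim's machine would connect (and authenticate) to
    extension: str           # decides which application COM launches


def classify_href(href: str) -> MonikerLink | None:
    """Return a MonikerLink if `href` looks like file-moniker!item-moniker, else None.

    Percent-decoding before the check is a defensive assumption (catches '%21'
    evasion); the split at the first '!' mirrors the display-name layout, file
    part first and item part after the delimiter.
    """
    h = unquote(href.strip())
    if h[:5].lower() != "file:":
        return None
    rest = h[5:]
    if "!" not in rest:
        return None
    file_part, item_part = rest.split("!", 1)
    norm = file_part.replace("\\", "/")
    # '///\\host\share' and '//host/share' both reduce to leading slashes + host;
    # a trailing ':' means the first component was a drive letter, not a host.
    m = re.match(r"^/+([^/]+)/", norm)
    host = m.group(1) if m and not m.group(1).endswith(":") else None
    return MonikerLink(
        href=href,
        file_display_name=file_part,
        item_display_name=item_part,
        host=host,
        extension=os.path.splitext(norm)[1].lower(),
    )


class _HrefCollector(HTMLParser):
    """Collect every <a href=...> value from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def find_moniker_links(html: str) -> list[MonikerLink]:
    """Scan an HTML body (e.g. an e-mail) and return every moniker-style file link."""
    p = _HrefCollector()
    p.feed(html)
    return [ml for ml in (classify_href(h) for h in p.hrefs) if ml is not None]


# Constructed sample: one moniker link, one percent-encoded variant, two benign links.
SAMPLE_HTML = r"""<html><body>
<p>Q3 numbers: <a href="file:///\\198.51.100.7\share\q3.xlsx!Sheet1">open</a></p>
<p>Plain UNC link: <a href="file:///\\198.51.100.7\share\q3.xlsx">open</a></p>
<p>Encoded bang: <a href="file://198.51.100.7/share/q3.xlsx%21x">open</a></p>
<p>Web: <a href="https://example.invalid/report!v2">site</a></p>
</body></html>"""

if __name__ == "__main__":
    for hit in find_moniker_links(SAMPLE_HTML):
        print(f"{hit.host}\t{hit.extension}\t{hit.file_display_name}!{hit.item_display_name}")
```

The host field is the actionable part for responders: a UNC host in a moniker link means the victim's machine will reach out to that server (and, per the referenced write-up, authenticate to it) before the handler application is even launched, so it doubles as a block-list and hunting pivot.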
Crash context (WinDbg, x86 Excel with Application Verifier page heap enabled: registers and faulting instruction, disassembly around eip, call stack of the crashing thread, and the page-heap record for the block eax points into):
eax=6c4c3a78 ebx=03ef6e68 ecx=00004000 edx=00100000 esi=03ef5a64 edi=03ef6d48
eip=00c9a545 esp=03ef5a28 ebp=03ef5a48 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
Excel!OldEval::RestoreEvalState+0xa2:
00c9a545 8b4804 mov ecx,dword ptr [eax+4] ds:002b:6c4c3a7c=????????
0:000> ub eip
Excel!OldEval::RestoreEvalState+0x85:
00c9a528 e8a0020000 call Excel!OldEval::FreePv (00c9a7cd)
00c9a52d c7436400000000 mov dword ptr [ebx+64h],0
00c9a534 ff7344 push dword ptr [ebx+44h]
00c9a537 8bce mov ecx,esi
00c9a539 e8d37ef3ff call Excel!EvalGlobals::CurPshDesktopOnly (00bd2411)
00c9a53e 8b4318 mov eax,dword ptr [ebx+18h]
00c9a541 85c0 test eax,eax
00c9a543 7426 je Excel!OldEval::RestoreEvalState+0xc8 (00c9a56b)
0:000> u eip
Excel!OldEval::RestoreEvalState+0xa2:
00c9a545 8b4804 mov ecx,dword ptr [eax+4]
00c9a548 85c9 test ecx,ecx
00c9a54a 7409 je Excel!OldEval::RestoreEvalState+0xb2 (00c9a555)
00c9a54c 83f901 cmp ecx,1
00c9a54f 7404 je Excel!OldEval::RestoreEvalState+0xb2 (00c9a555)
00c9a551 32c9 xor cl,cl
00c9a553 eb02 jmp Excel!OldEval::RestoreEvalState+0xb4 (00c9a557)
00c9a555 b101 mov cl,1
0:000> k
# ChildEBP RetAddr
00 03ef5a48 00c9a460 Excel!OldEval::RestoreEvalState+0xa2
01 03ef6d34 0214c69a Excel!RestoreEvalState+0xaa
02 03efe644 02132075 Excel!RunMacro+0x5e6
03 03efeb88 021317c8 Excel!Run+0x943
04 03efec14 00c1f636 Excel!Run+0x96
05 03eff0a4 00c1d7b5 Excel!ActionAdapter::CeDoActionFromIcetab+0x2dc
06 03eff2e8 011458b7 Excel!CeDoMenu+0x1a91
07 03eff350 00b8145c Excel!HrChkAutoexecMacro+0x2a3
08 03eff380 00b7f527 Excel!HrDispatchCleanup+0x93c
09 03effab0 00b17c7c Excel!MainLoop+0x2437
0a 03effce0 00b0123b Excel!WinMain+0x6bf
0b 03effd2c 768efcc9 Excel!_imp_load__RmGetList+0x1c7
0c 03effd3c 77637c5e KERNEL32!BaseThreadInitThunk+0x19
0d 03effd98 77637c2e ntdll!__RtlUserThreadStart+0x2f
0e 03effda8 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !heap -p -a eax
address 6c4c3a78 found in
_DPH_HEAP_ROOT @ 8951000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
6c5109f4: 6c4c3000 2000
722aab02 verifier!AVrfDebugPageHeapFree+0x000000c2
776afa16 ntdll!RtlDebugFreeHeap+0x0000003e
77613d76 ntdll!RtlpFreeHeap+0x000000d6
77657add ntdll!RtlpFreeHeapInternal+0x00000783
77613c46 ntdll!RtlFreeHeap+0x00000046
77053c9b ucrtbase!_free_base+0x0000001b
77053c68 ucrtbase!free+0x00000018
6bd2cda7 mso20win32client!Mso::Experiment::ABConfigsCollection::GetConfig+0x00000149
6bd2efba mso20win32client!Mso::Experiment::ABConfigsCollection::GetOptimizedValue<bool>+0x000000b9
6bd2ed8b mso20win32client!Mso::AB::Optimized::GetValue<bool>+0x0000017c
6bd2ec05 mso20win32client!Mso::AB::Optimized::ChangeGate::Evaluate+0x0000002d
01219092 Excel!FGetOOUIEnabled+0x00000021
01f44f48 Excel!SavePreferences+0x00000437
0145c3eb Excel!DestroyFinal+0x000001af
00c2c658 Excel!HrCxoRelease+0x00000210
00c2c3f7 Excel!CXO::Release+0x00000014
76b8250f combase!<lambda_59f7b8acab183cdd0bcc7c9cde5da55a>::operator()+0x000000ab [onecore\com\combase\dcomrem\stdid.cxx @ 1409]
76b3f5d1 combase!ObjectMethodExceptionHandlingAction<<lambda_59f7b8acab183cdd0bcc7c9cde5da55a> >+0x0000001b [onecore\com\combase\dcomrem\excepn.hxx @ 148]
76b3f5a3 combase!CStdIdentity::ReleaseCtrlUnk+0x00000077 [onecore\com\combase\dcomrem\stdid.cxx @ 1412]
76b81f57 combase!CStdMarshal::DisconnectWorker_ReleasesLock+0x0000041d [onecore\com\combase\dcomrem\marshal.cxx @ 4782]
76adf0bc combase!CStdMarshal::Disconnect+0x000000bc [onecore\com\combase\dcomrem\marshal.cxx @ 4484]
76aef431 combase!CRemoteUnknown::RemReleaseWorker+0x000007e1 [onecore\com\combase\dcomrem\remoteu.cxx @ 1307]
76b66835 combase!CRemoteUnknown::RemRelease+0x00000015 [onecore\com\combase\dcomrem\remoteu.cxx @ 1038]
7675e4e8 RPCRT4!Invoke+0x00000034
7672554b RPCRT4!NdrStubCall2+0x0000032b
76b39e72 combase!CStdStubBuffer_Invoke+0x00000092 [onecore\com\combase\ndr\ndrole\stub.cxx @ 1531]
76b39c63 combase!ObjectMethodExceptionHandlingAction<<lambda_ee1df801181086a03fa4f8f75bd5617f> >+0x0000006f [onecore\com\combase\dcomrem\excepn.hxx @ 87]
76b39716 combase!DefaultStubInvoke+0x000002b6 [onecore\com\combase\dcomrem\channelb.cxx @ 1346]
76ae6601 combase!ServerCall::ContextInvoke+0x00000471 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1423]
76b3de1a combase!ReentrantSTAInvokeInApartment+0x0000016a [onecore\com\combase\dcomrem\reentrantsta.cpp @ 113]
76ae8e7d combase!ComInvokeWithLockAndIPID+0x0000191d [onecore\com\combase\dcomrem\channelb.cxx @ 2210]
76b195f2 combase!ThreadWndProc+0x00000452 [onecore\com\combase\dcomrem\chancont.cxx @ 740]

Analysis:
The faulting instruction in OldEval::RestoreEvalState reads [eax+4], where eax was just loaded from [ebx+18h] (the eval-state object held by the macro evaluator). The page-heap lookup shows that eax points into a block whose most recent free happened on Excel’s shutdown path (HrCxoRelease -> DestroyFinal -> SavePreferences), and the page is already decommitted, hence the ???????? read. That shutdown path was entered from a remote COM Release (combase!CRemoteUnknown::RemRelease) dispatched on the same thread through the STA message pump (ReentrantSTAInvokeInApartment / ThreadWndProc), while the crashing stack shows an auto-exec macro still running (HrChkAutoexecMacro -> RunMacro). Read together, the two stacks say: the COM client that opened the workbook released its reference, Excel tore down state the macro evaluator still held, and restoring the evaluation state dereferenced the stale pointer. The delivery vector matters only in that it opens Excel as an out-of-process COM server and lets that Release arrive while the file’s macro is executing.
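The triage below is an added example, not part of the advisory: a Python script that parses the three artefacts shown above (the faulting instruction with its ds:SEL:ADDR=VALUE annotation, the k stack and the !heap -p -a record) and reports whether the faulting address falls inside a freed page-heap block and which non-allocator frame freed it. SAMPLE_DUMP is a constructed, trimmed excerpt that keeps the values from this dump; the regexes assume WinDbg’s x86 output format as shown here.

```python
"""Triage a WinDbg page-heap crash for use-after-free (added example, not part of
the advisory).  It parses the faulting instruction line with its
ds:SEL:ADDR=VALUE annotation, the `k` stack and the `!heap -p -a` record, then
decides whether the faulting address lies inside a freed page-heap block and
which non-allocator frame freed it.  SAMPLE_DUMP is a constructed, trimmed
excerpt that keeps the values from the dump above."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_DUMP = r"""
eax=6c4c3a78 ebx=03ef6e68 ecx=00004000 edx=00100000 esi=03ef5a64 edi=03ef6d48
eip=00c9a545 esp=03ef5a28 ebp=03ef5a48 iopl=0 nv up ei pl nz na pe nc
Excel!OldEval::RestoreEvalState+0xa2:
00c9a545 8b4804 mov ecx,dword ptr [eax+4] ds:002b:6c4c3a7c=????????
0:000> k
 # ChildEBP RetAddr
00 03ef5a48 00c9a460 Excel!OldEval::RestoreEvalState+0xa2
01 03ef6d34 0214c69a Excel!RestoreEvalState+0xaa
02 03efe644 02132075 Excel!RunMacro+0x5e6
03 03efeb88 021317c8 Excel!Run+0x943
0:000> !heap -p -a eax
address 6c4c3a78 found in
_DPH_HEAP_ROOT @ 8951000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
6c5109f4: 6c4c3000 2000
722aab02 verifier!AVrfDebugPageHeapFree+0x000000c2
776afa16 ntdll!RtlDebugFreeHeap+0x0000003e
77613c46 ntdll!RtlFreeHeap+0x00000046
77053c68 ucrtbase!free+0x00000018
6bd2cda7 mso20win32client!Mso::Experiment::ABConfigsCollection::GetConfig+0x00000149
01219092 Excel!FGetOOUIEnabled+0x00000021
01f44f48 Excel!SavePreferences+0x00000437
0145c3eb Excel!DestroyFinal+0x000001af
00c2c658 Excel!HrCxoRelease+0x00000210
76b66835 combase!CRemoteUnknown::RemRelease+0x00000015 [onecore\com\combase\dcomrem\remoteu.cxx @ 1038]
"""

# Allocator/verifier plumbing; the interesting frame is the first one below them.
ALLOCATOR_PREFIXES = ("verifier!", "ntdll!", "ucrtbase!", "msvcrt!", "KERNELBASE!")

# "SYMBOL+0xOFF:" then "ADDR BYTES insn ... ds:SEL:ADDR=VALUE" (VALUE is ???????? when unreadable).
FAULT_RE = re.compile(
    r"^(?P<sym>\S+\+0x[0-9a-f]+):[ \t]*\n"
    r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(?P<insn>.+?)\s+[a-z]{2}:[0-9a-f]{4}:(?P<addr>[0-9a-f]{8})=(?P<val>\S+)",
    re.M,
)
# `k` frames: "NN ChildEBP RetAddr module!symbol+0xOFF"
K_FRAME_RE = re.compile(
    r"^\s*[0-9a-f]{2}\s+[0-9a-f]{8}\s+[0-9a-f]{8}\s+(?P<sym>\S+?)(?:\+0x[0-9a-f]+)?\s*$", re.M
)
# DPH block record: "in free-ed allocation (...)" then "HDR: VirtAddr VirtSize"
BLOCK_RE = re.compile(
    r"in (?P<state>free-ed|busy) allocation.*?\n\s*[0-9a-f]{8}:\s+(?P<base>[0-9a-f]{8})\s+(?P<size>[0-9a-f]+)",
    re.S,
)
# Free-stack frames: "ADDR module!symbol+0xOFF [source]"
FREE_FRAME_RE = re.compile(r"^[0-9a-f]{8}\s+(?P<sym>[^\s!]+![^+]+?)\+0x", re.M)


@dataclass
class UafTriage:
    fault_symbol: str
    fault_address: int
    memory_readable: bool
    freed_block: tuple[int, int] | None   # (VirtAddr, VirtSize) of the page-heap block
    fault_in_freed_block: bool
    freed_by: str | None                  # first free-stack frame outside the allocator
    crash_stack: list[str] = field(default_factory=list)

    @property
    def is_use_after_free(self) -> bool:
        return self.fault_in_freed_block


def triage(dump: str) -> UafTriage:
    m = FAULT_RE.search(dump)
    if m is None:
        raise ValueError("no faulting-access line (ds:SEL:ADDR=VALUE) found")
    fault_addr = int(m["addr"], 16)
    crash_stack = [f["sym"] for f in K_FRAME_RE.finditer(dump)]

    heap_part = dump.split("!heap -p -a", 1)[-1]   # only the page-heap record
    b = BLOCK_RE.search(heap_part)
    block, in_block, freed_by = None, False, None
    if b is not None and b["state"] == "free-ed":
        base, size = int(b["base"], 16), int(b["size"], 16)
        block = (base, size)
        in_block = base <= fault_addr < base + size
        frames = [f["sym"] for f in FREE_FRAME_RE.finditer(heap_part[b.end():])]
        freed_by = next((s for s in frames if not s.startswith(ALLOCATOR_PREFIXES)), None)
    return UafTriage(m["sym"], fault_addr, "?" not in m["val"], block, in_block, freed_by, crash_stack)


if __name__ == "__main__":
    t = triage(SAMPLE_DUMP)
    print("use-after-free" if t.is_use_after_free else "not a page-heap UAF",
          f"at {t.fault_symbol} reading {t.fault_address:#x}; freed by {t.freed_by}")
```

The "busy" branch is deliberate: !heap -p -a reports "in busy allocation" for a live block, and a fault inside one is an out-of-bounds or uninitialised read rather than a UAF, so the script refuses to call it one. The freed_by frame is the first one below the allocator plumbing, which is the caller that decided to free, not the code that owned the object; the ownership question still needs the k stack, as the reading above shows.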
References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43504
https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/