Follow up information on weblog posting about PoC published for MS Office 2003 PowerPoint

Hi everyone.  Brian and Jonathan, software security engineers from the SWI team here.  Alexandra Huft from the MSRC team asked us to write a guest blog entry giving an update on the technical investigation of the PowerPoint 2003 proof-of-concept code published a few weeks ago, which was previously blogged about here (http://blogs.technet.com/msrc/archive/2006/10/12/poc-published-for-ms-office-2003-powerpoint.aspx).

The short story is that this issue turned out not to be exploitable for remote code execution.  It was a PowerPoint crashing bug, not a PowerPoint security vulnerability.  The PowerPoint team has developed a fix for this bug and it will go into the next available ship vehicle for PowerPoint.  The longer story is below.

The published perl script generates a malformed PPT file.  The file includes a container object whose ‘position’ value is larger than the corresponding container’s record length.  When parsing this container, PowerPoint uses this attacker-supplied position value to look up a node in a list, but the position is outside the list’s bounds.  The function that should return a legitimate object for later use by PowerPoint instead returns NULL because of the out-of-bounds position value.  This return value is not checked for NULL before it is used as an object pointer, and dereferencing that NULL object pointer is what causes the exception.

Here’s what that sequence of events looks like at the assembly level:

0:000> u 3001cdbc
POWERPNT+0x1cdbc:
3001cdbc e8dfdfffff      call    POWERPNT+0x1ada0 (3001ada0)  <—- This function returns NULL & the return value is not checked
3001cdc1 8b7610          mov     esi,dword ptr [esi+10h]
3001cdc4 2b7514          sub     esi,dword ptr [ebp+14h]
3001cdc7 8bf8            mov     edi,eax     <— eax is NULL
3001cdc9 8d45e0          lea     eax,[ebp-20h]
3001cdcc 8bcf            mov     ecx,edi     <— ecx is NULL
3001cdce 50              push    eax
3001cdcf e8e8e1ffff      call    POWERPNT+0x1afbc (3001afbc)  <—- call into the function that will cause the NULL deref
3001cdd4 3b7d18          cmp     edi,dword ptr [ebp+18h]
3001cdd7 0f848fddffff    je      POWERPNT+0x1ab6c (3001ab6c)

0:000> u 3001afbc
POWERPNT+0x1afbc:
3001afbc 8b01            mov     eax,dword ptr [ecx]   <— This is the actual instruction that causes the exception

0:000> lmvm powerpnt
start    end        module name
30000000 3061d000   POWERPNT   (export symbols)       POWERPNT.EXE
    Loaded symbol image file: POWERPNT.EXE
    Image path: c:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
    Image name: POWERPNT.EXE
    Timestamp:        Tue Sep 26 17:15:28 2006 (4519C2A0)
    CheckSum:         00624FE1
    ImageSize:        0061D000
    File version:     11.0.8110.0
    Product version:  11.0.8110.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0000.04e4
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft Office 2003
    InternalName:     POWERPNT
    OriginalFilename: POWERPNT.EXE
    ProductVersion:   11.0.8110
    FileVersion:      11.0.8110
    FileDescription:  Microsoft Office PowerPoint
    LegalCopyright:   Copyright © 1987-2003 Microsoft Corporation.  All rights reserved.
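
The NULL-pointer path described above, and the check that fixes it, as an added C example; this is not code from the original post or from PowerPoint itself. The record layout (an 8-byte header holding the record length and the position field, then 8-byte nodes), the function names and the sample record bytes are all constructed for illustration and are not the real PPT file format. find_node() stands in for the function at POWERPNT+0x1ada0 that returns NULL for an out-of-bounds position; parse_unchecked() models the caller that never checks that return value, and parse_checked() is the hardened form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of a record container (hypothetical layout,
 * not the real PPT file format): an 8-byte header holding the declared record
 * length and the 'position' field, followed by 8-byte nodes (id, payload).
 * Every name below is illustrative. */
#define HDR_SIZE  8u
#define NODE_SIZE 8u

typedef enum { PARSE_OK = 0, PARSE_NULL_DEREF = 1, PARSE_REJECTED = 2 } parse_result_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Node lookup by position. Returns NULL when the position lies past the end
 * of the node list, as the function at POWERPNT+0x1ada0 does in the listing. */
const uint8_t *find_node(const uint8_t *rec, uint32_t rec_len, uint32_t position) {
    if (rec_len < HDR_SIZE) return NULL;
    uint32_t node_count = (rec_len - HDR_SIZE) / NODE_SIZE;
    if (position >= node_count) return NULL;
    return rec + HDR_SIZE + (size_t)position * NODE_SIZE;
}

/* Unchecked caller, modelling the crashing path: it trusts find_node() and
 * dereferences the result. Instead of faulting, the demo reports the access
 * violation the original code hit ('mov eax,[ecx]' with ecx == 0). */
parse_result_t parse_unchecked(const uint8_t *rec, uint32_t *payload_out) {
    const uint8_t *node = find_node(rec, rd32(rec), rd32(rec + 4));
    if (node == NULL) return PARSE_NULL_DEREF; /* original: no check, read from address 0 */
    *payload_out = rd32(node + 4);
    return PARSE_OK;
}

/* Checked caller: confirms the declared record length fits the bytes actually
 * available, then treats a NULL lookup as a malformed file and rejects it. */
parse_result_t parse_checked(const uint8_t *rec, size_t avail, uint32_t *payload_out) {
    if (avail < HDR_SIZE) return PARSE_REJECTED;
    uint32_t rec_len = rd32(rec);
    if (rec_len > avail) return PARSE_REJECTED;   /* truncated file or lying header */
    const uint8_t *node = find_node(rec, rec_len, rd32(rec + 4));
    if (node == NULL) return PARSE_REJECTED;      /* position outside the list's bounds */
    *payload_out = rd32(node + 4);
    return PARSE_OK;
}

/* Builds a constructed record with `nodes` nodes and the given position field;
 * node i carries id i and payload 0x100 + i. Returns the record length, or 0
 * if it would not fit in `cap` bytes. */
size_t build_record(uint8_t *buf, size_t cap, uint32_t nodes, uint32_t position) {
    size_t rec_len = HDR_SIZE + (size_t)nodes * NODE_SIZE;
    if (rec_len > cap) return 0;
    wr32(buf, (uint32_t)rec_len);
    wr32(buf + 4, position);
    for (uint32_t i = 0; i < nodes; i++) {
        wr32(buf + HDR_SIZE + i * NODE_SIZE, i);             /* id */
        wr32(buf + HDR_SIZE + i * NODE_SIZE + 4, 0x100 + i); /* payload */
    }
    return rec_len;
}

/* Demo wrappers over a 3-node record so that each outcome is a plain return value. */
int result_unchecked(uint32_t position) {
    uint8_t buf[64]; uint32_t p = 0;
    build_record(buf, sizeof buf, 3, position);
    return (int)parse_unchecked(buf, &p);
}
static int run_checked(uint32_t position, size_t avail, uint32_t *p) {
    uint8_t buf[64];
    size_t len = build_record(buf, sizeof buf, 3, position);
    *p = 0;
    return (int)parse_checked(buf, avail ? avail : len, p);
}
int result_checked(uint32_t position) { uint32_t p; return run_checked(position, 0, &p); }
uint32_t payload_checked(uint32_t position) { uint32_t p; run_checked(position, 0, &p); return p; }
int result_checked_truncated(void) { uint32_t p; return run_checked(0, 16, &p); } /* header says 32 bytes, 16 given */

int main(void) {
    uint32_t p = payload_checked(1);
    printf("well-formed record, position 1: unchecked=%d checked=%d payload=0x%x\n",
           result_unchecked(1), result_checked(1), p);
    printf("malformed record, position 7:   unchecked=%d (NULL deref) checked=%d (rejected)\n",
           result_unchecked(7), result_checked(7));
    return 0;
}
```

Run as is, the unchecked parser reports PARSE_NULL_DEREF for the malformed record; that is the point at which the real code executes mov eax,[ecx] with ecx zero, a read from address 0, which is why the post classifies the bug as a crash rather than a code-execution vulnerability. The checked parser rejects the same file. It also bounds the declared record length against the bytes actually available, a check the post does not discuss but one that belongs in any parser of attacker-supplied records.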

We hope these additional details clear up any questions our customers may have had about why the MSRC does not consider this a product security vulnerability.

Thanks,

Brian and Jonathan

*This posting is provided “AS IS” with no warranties, and confers no rights.*
