Hi everyone.  Brian and Jonathan, software security engineers from the SWI team, here.  Alexandra Huft from the MSRC team asked us to write a guest blog entry giving an update on the technical investigation of the PowerPoint 2003 proof-of-concept code published a few weeks ago, which was previously blogged about here (http://blogs.technet.com/msrc/archive/2006/10/12/poc-published-for-ms-office-2003-powerpoint.aspx).


The short story is that this issue turned out not to be exploitable for remote code execution.  It was a PowerPoint crashing bug, not a PowerPoint security vulnerability.  The PowerPoint team has developed a fix for this bug and it will go into the next available ship vehicle for PowerPoint.  The longer story is below.


The published perl script generates a malformed PPT file.  The file includes a container object whose 'position' value is larger than the corresponding container's record length.  When parsing this container, PowerPoint uses this attacker-supplied position value to look up a node in a list, but the position is outside the list's bounds.  The function that should return a legitimate object for later use by PowerPoint instead returns NULL because of the out-of-bounds position value.  That return value is not checked for NULL before the address is operated on as an object, and the dereference of this NULL object pointer is what causes the exception.  Because the pointer is NULL, the faulting access is a read from address zero, which is not mapped in the PowerPoint process; the result is an access violation that terminates PowerPoint rather than a read or write of memory the attacker controls.
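To make the pattern concrete, here is a small C model of it.  This is an added example and not PowerPoint's code; the structure and function names (ContainerRecord, NodeList, find_node, node_value_checked and friends) and the 8-byte header layout are assumptions chosen for illustration.  It shows the lookup that returns NULL for an out-of-range position, the buggy caller that dereferences the result without looking at it, and the corrected caller that treats a NULL result as a malformed file and stops parsing.

```c
/* Added example, not PowerPoint's code: a model of the record-parsing pattern
 * described above.  A container record carries a 'position' field that the
 * file author controls; it is used as an index into a node list, the lookup
 * returns NULL when the index is out of range, and the defect is that the
 * caller dereferences that result without checking it.  All names and the
 * header layout here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t id;
    uint32_t value;
} Node;

typedef struct {
    Node  *nodes;
    size_t count;        /* number of valid entries in nodes[] */
} NodeList;

typedef struct {
    uint32_t rec_len;    /* record length taken from the file */
    uint32_t position;   /* attacker-controlled index into the node list */
} ContainerRecord;

/* Decode an 8-byte little-endian record header; reject truncated input. */
static int parse_record(const uint8_t *buf, size_t len, ContainerRecord *rec)
{
    if (len < 8)
        return -1;
    rec->rec_len  = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                    (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    rec->position = (uint32_t)buf[4] | (uint32_t)buf[5] << 8 |
                    (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    return 0;
}

/* Lookup by position.  Like the lookup routine the post describes, this
 * returns NULL instead of an object when position is out of bounds. */
static Node *find_node(const NodeList *list, uint32_t position)
{
    if (position >= list->count)
        return NULL;
    return &list->nodes[position];
}

/* Buggy caller: the return value is operated on as an object with no NULL
 * check.  With an out-of-bounds position this reads from address 0 plus the
 * field offset and faults.  Only ever call it with an in-range position. */
static uint32_t node_value_unchecked(const NodeList *list, const ContainerRecord *rec)
{
    Node *n = find_node(list, rec->position);
    return n->value;                 /* NULL dereference on malformed input */
}

/* Fixed caller: a NULL lookup result means the file is malformed, so the
 * parse fails instead of touching the object.  Returns 0 on success. */
static int node_value_checked(const NodeList *list, const ContainerRecord *rec,
                              uint32_t *out)
{
    Node *n = find_node(list, rec->position);
    if (n == NULL)
        return -1;
    *out = n->value;
    return 0;
}

/* Constructed malformed header: rec_len 0x18, position 0x7fffffff, i.e. a
 * position far larger than the record length, as in the published PoC. */
static const uint8_t kBadHeader[8]  = { 0x18, 0, 0, 0, 0xff, 0xff, 0xff, 0x7f };
/* Constructed well-formed header: rec_len 0x18, position 1. */
static const uint8_t kGoodHeader[8] = { 0x18, 0, 0, 0, 0x01, 0, 0, 0 };

/* Returns the position decoded from the constructed malformed header. */
static uint32_t malformed_position(void)
{
    ContainerRecord rec;
    if (parse_record(kBadHeader, sizeof kBadHeader, &rec) != 0)
        return 0;
    return rec.position;
}

/* Self-check: 1 when the well-formed record yields value 200 through both
 * callers and the malformed record is rejected by the checked caller, else 0. */
static int self_check(void)
{
    Node nodes[3] = { {1, 100}, {2, 200}, {3, 300} };
    NodeList list = { nodes, 3 };
    ContainerRecord rec;
    uint32_t v = 0;

    if (parse_record(kGoodHeader, sizeof kGoodHeader, &rec) != 0) return 0;
    if (node_value_checked(&list, &rec, &v) != 0 || v != 200) return 0;
    if (node_value_unchecked(&list, &rec) != 200) return 0;  /* in range: safe */

    if (parse_record(kBadHeader, sizeof kBadHeader, &rec) != 0) return 0;
    if (find_node(&list, rec.position) != NULL) return 0;
    if (node_value_checked(&list, &rec, &v) != -1) return 0;
    /* node_value_unchecked(&list, &rec) here would fault reading address 0 */
    if (parse_record(kBadHeader, 7, &rec) != -1) return 0;   /* truncated */
    return 1;
}

int main(void)
{
    printf("malformed position: 0x%08x\n", malformed_position());
    printf("self_check: %d\n", self_check());
    return self_check() ? 0 : 1;
}
```

The fix shape is the one the post implies: the caller must treat a NULL from the lookup as a parse failure for a malformed file, not as an object.  Note that the unchecked caller is only exercised with an in-range position; on the malformed record it would fault exactly as PowerPoint does.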


Here's what that sequence of events looks like at the assembly level.  The NULL return value travels from eax into edi and then into ecx, which carries the object (this) pointer under the thiscall convention, and the first instruction of the called function loads a dword through it:


0:000> u 3001cdbc
POWERPNT+0x1cdbc:
3001cdbc e8dfdfffff      call    POWERPNT+0x1ada0 (3001ada0)  <---- This function returns NULL & the return value is not checked
3001cdc1 8b7610          mov     esi,dword ptr [esi+10h]
3001cdc4 2b7514          sub     esi,dword ptr [ebp+14h]
3001cdc7 8bf8            mov     edi,eax     <--- eax is NULL
3001cdc9 8d45e0          lea     eax,[ebp-20h]
3001cdcc 8bcf            mov     ecx,edi     <--- ecx is NULL
3001cdce 50              push    eax
3001cdcf e8e8e1ffff      call    POWERPNT+0x1afbc (3001afbc)  <---- call into the function that will cause the NULL deref
3001cdd4 3b7d18          cmp     edi,dword ptr [ebp+18h]
3001cdd7 0f848fddffff    je      POWERPNT+0x1ab6c (3001ab6c)

0:000> u 3001afbc
POWERPNT+0x1afbc:
3001afbc 8b01            mov     eax,dword ptr [ecx]   <--- This is the actual instruction that causes the exception


0:000> lmvm powerpnt
start    end        module name
30000000 3061d000   POWERPNT   (export symbols)       POWERPNT.EXE
    Loaded symbol image file: POWERPNT.EXE
    Image path: c:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
    Image name: POWERPNT.EXE
    Timestamp:        Tue Sep 26 17:15:28 2006 (4519C2A0)
    CheckSum:         00624FE1
    ImageSize:        0061D000
    File version:     11.0.8110.0
    Product version:  11.0.8110.0
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0000.04e4
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft Office 2003
    InternalName:     POWERPNT
    OriginalFilename: POWERPNT.EXE
    ProductVersion:   11.0.8110
    FileVersion:      11.0.8110
    FileDescription:  Microsoft Office PowerPoint
    LegalCopyright:   Copyright © 1987-2003 Microsoft Corporation.  All rights reserved.


We hope these additional details clear up any questions our customers may have had about why the MSRC does not consider this a product security vulnerability.


Thanks,

Brian and Jonathan


*This posting is provided "AS IS" with no warranties, and confers no rights.*