MS Excel PtgExtraArray Parsing Memory Corruption (Nov 5th, 2010)
Microsoft Excel is a spreadsheet application released as a component of the Microsoft Office suite. The application can create complex spreadsheets with multiple workbooks, formulas, and various data sources. The file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF).
In BIFF5 versions and above, data inside all Office Document files is stored in a series of streams. These streams contain meta-data information about the document, such as the author name, subject, and, in the case of Excel documents, individual sheet names. Excel-specific data is organized as a series of Records. The common structure of an Excel Record is shown below:
Offset  Size     Contents
------  -------  ------------------------------------------
0x0000  int16    Identifier (Type)
0x0002  int16    Size of the following data (n)
0x0004  char[n]  Record Data
The Formula record (type 0x06) describes a cell that contains a formula in the Excel file. The Formula record structure is shown below:
Offset  Size     Contents
------  -------  ------------------------------------------
0x0000  int16    type (0x6)
0x0002  int16    length of the Formula record data
0x0004  int16    row
0x0006  int16    column
0x0008  int16    index to XF record
0x000A  char[8]  current value of the formula
0x0012  int16    option flags
0x0014  int32    chn
0x0018  int16    cce: length of the expression (n)
0x001A  char[n]  rgce: parsed expression
Within the Formula record, the rgce field contains the formula in its parsed format which is the internal tokenized representation of an Excel formula. A parsed expression contains a sequence of tokens, each of which consists of a token type and a token value.
When an rgce contains one or more tokens that require extra data, the containing formula structure includes an RgbExtra section holding the data for those tokens. One structure contained within the RgbExtra section is PtgExtraArray, defined as shown:
Offset  Size     Contents
------  -------  ------------------------------------------
0x0000  char     cols
0x0001  int16    rows
0x0003  n        SerAr[n]
A memory corruption vulnerability exists in Microsoft Office Excel. The vulnerability is due to improper processing of the PtgExtraArray structure within the Formula record of Excel files. The vulnerable code uses the values provided in the cols and rows fields of the PtgExtraArray structure to calculate the number of elements in the SerAr[] array. The result of this calculation is not verified. This value is then used as the counter in a loop that copies SerAr structures sequentially into a memory buffer.
If the total size of the SerAr structures is large enough then the memory copy loop may write past the boundary specified for the Formula record, overwriting potentially critical data.
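As an added illustration of the missing check described above (example code written for this page, not Microsoft's parser or the advisory's own code): a C parser for the PtgExtraArray header that validates the cols × rows element count against the bytes remaining in the record and the destination buffer before running the copy loop. The 9-byte fixed SerAr element size, SERAR_SIZE, MAX_ELEMS, and the sample buffers are assumptions constructed for the example; real SerStr elements are variable-length and are not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption for this illustration: each SerAr element is modelled as a
   fixed 9 bytes (1 type byte + 8 data bytes); SerStr is not handled. */
#define SERAR_SIZE 9
#define MAX_ELEMS  64

typedef struct {
    uint8_t  cols;
    uint16_t rows;
    uint8_t  elems[MAX_ELEMS][SERAR_SIZE];
} extra_array_t;

/* Parses a PtgExtraArray at buf with `avail` bytes left in the record.
   Returns the element count, or -1 when the claimed element data would
   extend past the record boundary or the destination buffer. */
int parse_ptg_extra_array(const uint8_t *buf, size_t avail, extra_array_t *out)
{
    if (avail < 3) return -1;                        /* header itself missing */
    out->cols = buf[0];
    out->rows = (uint16_t)(buf[1] | (buf[2] << 8));  /* little-endian int16 */
    size_t count  = (size_t)out->cols * out->rows;   /* the unverified product */
    size_t needed = count * SERAR_SIZE;
    /* The verification the advisory says the vulnerable code omits. */
    if (count > MAX_ELEMS || needed > avail - 3) return -1;
    const uint8_t *p = buf + 3;
    for (size_t i = 0; i < count; i++, p += SERAR_SIZE)
        memcpy(out->elems[i], p, SERAR_SIZE);        /* bounded copy loop */
    return (int)count;
}

/* Constructed sample: cols=2, rows=1, followed by exactly 2 elements. */
int demo_valid(void)
{
    uint8_t rec[3 + 2 * SERAR_SIZE] = { 0x02, 0x01, 0x00 };
    for (size_t i = 3; i < sizeof rec; i++) rec[i] = (uint8_t)i;
    extra_array_t a;
    return parse_ptg_extra_array(rec, sizeof rec, &a);   /* 2 */
}

/* Constructed sample: cols=255, rows=65535 claims 16,711,425 elements,
   but only 18 bytes follow the header; the bounded parser rejects it. */
int demo_oversized(void)
{
    uint8_t rec[3 + 2 * SERAR_SIZE] = { 0xFF, 0xFF, 0xFF };
    extra_array_t a;
    return parse_ptg_extra_array(rec, sizeof rec, &a);   /* -1 */
}
```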
Exploitation of this flaw may result in arbitrary code execution. Remote attackers could exploit this vulnerability by persuading unsuspecting users to open a crafted Excel file. Successful exploitation would allow arbitrary code injection and execution in the security context of the logged-in user.
SonicWall has released an IPS signature to address a known exploit targeting this vulnerability. The following signature was released:
- 5915 – MS Excel PtgExtraArray Parsing Memory Corruption PoC 2 (MS10-080)
This vulnerability has been assigned CVE-2010-3231 by MITRE. The vendor has released an advisory regarding this issue.