Microsoft PowerPoint Memory Corruption

April 10, 2009

The Microsoft PowerPoint presentation application is capable of creating and playing complex presentations utilizing audio visual components. Files created by the application are typically assigned the file extension ppt. PowerPoint presentation files use the proprietary Compound Document Object format. Application specific data in this format is contained in data streams. The streams containing PowerPoint presentation data are comprised of a series of records that start with a generic header. The structure of this header is shown:

 Offset Size     Field ------ -------- ---------------- 0x0000 uint16   RecVersion 0x0002 uint16   RecType 0x0004 uint32   RecLength, n 0x0008 char[n]  Data

There are two categories of records, the Atom record and the Container record. The Atom record contains information about objects stored inside containers. The Container record stores atoms and other containers.

A memory corruption vulnerability has been identified in the PowerPoint application. Namely, the processing of two Atom records, the TextHeaderAtom (RecType=0xf9f) and OutlineTextRefAtom (RecType=0xf9a) records is flawed. When handling these two Atoms contained in the same container, the vulnerable code will attempt to free a block of allocated memory twice. This will result in corruption of memory which will consequently result in either the termination of the application or diversion of the process flow. It is conceivable that, with a carefully crafted malicious ppt document, the vulnerability can be exploited for code injection and execution. Successful code injection exploitation of this flaw is not a trivial task.

SonicWALL has released an IPS signature that will detect and block a specific exploit attempt. Detection of generic exploitation attempts of this flaw is not feasible as that would require a full PowerPoint presentation parser. The following IPS signature has been released to address this vulnerability:

  • 5460 - MS PowerPoint Invalid Object Reference Code Execution PoC

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0556.