MS Excel PtgExtraArray Parsing Memory Corruption

November 5, 2010

Microsoft Excel is a spreadsheet application released as a component of the Microsoft Office suite. The application can create complex spreadsheets with multiple workbooks, formulas, and various data sources. The file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF).

In BIFF5 versions and above, data inside all Office Document files is stored in a series of streams. These streams contain meta-data information about the document, such as the author name, subject, and in case of Excel documents, individual sheet names. Excel specific data is organized as a series of Records. The common structure of an Excel Record is shown below:

Offset  Size    Contents ------- ------- ------------------------------------------ 0x0000  int16   Identifier (Type) 0x0002  int16   Size of the following data (n) 0x0004  char[n] Record Data

The Formula record (type 0x06) describes a cell that contains a formula in the Excel file. The Formula record structure is shown below:

Offset  Size    Contents ------- ------- ------------------------------------------ 0x0000  int16   type (0x6) 0x0002  int16   length of the Formula record data 0x0004  int16   row 0x0006  int16   column 0x0008  int16   index to XF record 0x000A  char[8] current value of the formula 0x0012  int16   option flags 0x0014  int32   chn 0x0018  int16   cce length of the expression (n) 0x001A  char[n] rgce parsed expression

Within the Formula record, the rgce field contains the formula in its parsed format which is the internal tokenized representation of an Excel formula. A parsed expression contains a sequence of tokens, each of which consists of a token type and a token value.
When an rgce contains one or more tokens that rquire extra data, the containing formula structure includes an RgbExtra section containing the data for those records. A structure, PtgExtraArray, is contained within the RgbExtra section. The structure is defined as shown:

Offset  Size    Contents ------- ------- ------------------------------------------ 0x0000  char    cols  0x0001  int16   rows 0x0003  n       SerAr[n]

A memory corruption vulnerability exists in Microsoft Office Excel. The vulnerability is due to improper processing of the PtgExtraArray structure within the Formula record of Excel files. The vulnerable code uses the values provided in the cols and rows fields of the PtgExtraArray structure to calculate the number of the elements in the SerAr[] array. The result of this calculation is not verified. This value is then used as the counter in a loop that copies SerAr structures sequentially into a memory buffer.

If the total size of the SerAr structures is large enough then the memory copy loop may write past the boundary specified for the Formula record, overwriting potentially critical data.

Exploitation of this flaw may result in arbitrary code execution. Remote attackers could exploit this vulnerability by persuading unsuspecting users to open a crafted Excel file. Successful exploitation would allow arbitrary code injection and execution in the security context of the logged in user.

SonicWall has released an IPS signature to address a known exploit targeting this vulnerability. The following signature was released:

  • 5915 - MS Excel PtgExtraArray Parsing Memory Corruption PoC 2 (MS10-080)

This vulnerability has been assigned CVE-2010-3231 by mitre. The vendor has released an advisory regarding this issue.