Advisories

Hancom Hcell Unspecified Memory Corruption

CVE ID

CVE-2019-16339

Tested Versions

  • HCell.exe 9.6.1.7363
  • SDSerialize 9.6.1.9403

Product URL(s)

  • https://www.hancom.com/cs_center/csDownload.do

Hangul Office is published by Hancom, Inc. and is considered one of the more popular office suites used within South Korea. This vulnerability was discovered in SDSerialize.dll, a component of the Hangul Office suite, and is triggered when opening a specially crafted Office Open XML Workbook (.xlsx).

Vulnerability

0:000> lmvm SDSerialize
start    end        module name
6eca0000 6ed36000   SDSerialize   (export symbols)       C:\Program Files (x86)\Hnc\Office NEO\HOffice96\Bin\SDSerialize.dll
    Loaded symbol image file: C:\Program Files (x86)\Hnc\Office NEO\HOffice96\Bin\SDSerialize.dll
    Image path: C:\Program Files (x86)\Hnc\Office NEO\HOffice96\Bin\SDSerialize.dll
    Image name: SDSerialize.dll
    Timestamp:        Thu Apr 12 17:20:43 2018 (5ACF24EB)
    CheckSum:         0005FF4F
    ImageSize:        00096000
    File version:     9.6.1.9403
    Product version:  9.6.1.9403
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Hancom Inc.
    ProductName:      Hancom, Inc.  Common Library 9.0
    InternalName:     SDSERIALIZE.DLL
    OriginalFilename: SDSerialize.dll
    ProductVersion:   9, 6, 1, 9403
    FileVersion:      9, 6, 1, 9403
    FileDescription:  Hancom Inc.  SDSerialize 9.0
    LegalCopyright:   Copyright 1989. Hancom Inc. All rights reserved.
    LegalTrademarks:  SDSERIALIZE is a registered trademark of Hancom Inc.

[NOTE]

 1. To trigger this corruption, please enable PageHeap and Application Verifier for Hcell.exe.

 2. The base address of SDSerialize.dll is 0x6eca0000 in my case.

The following is the crash context:

(ea8.424): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=6ece7250 ebx=00e4dd24 ecx=6ece587c edx=6a510077 esi=00e4deb8 edi=00056f0c
eip=6ecbf308 esp=00e4dcb4 ebp=00e4dd08 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
SDSerialize!CSDObject::IsMaintainObject+0x778:
6ecbf308 668b0f          mov     cx,word ptr [edi]        ds:002b:00056f0c=????
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00e4dd08 6eca1610 00056f0c 0a9bc1c8 0a9bc1c8 SDSerialize!CSDObject::IsMaintainObject+0x778
00e4dd3c 6eca3f85 0a525110 00056f0c 0a9bc1c8 SDSerialize!CSDDefaultHandler::CSDDefaultHandler+0x290
00e4ddbc 6eca3981 6ece1b70 0b60509a 0b605175 SDSerialize!CSDObject::Delete+0x1895
00e4dde4 6eca6b69 0ac106f0 0b605000 0b605175 SDSerialize!CSDObject::Delete+0x1291
00e4de1c 6eca589d 0b605000 0b605175 00000001 SDSerialize!CSDObject::Delete+0x4479
00e4de58 6eca3696 0ac106f0 0b605000 0b605175 SDSerialize!CSDObject::Delete+0x31ad
00e4de7c 6eca24e6 00000001 0a540bf8 0a525618 SDSerialize!CSDObject::Delete+0xfa6
00e4de94 6eca25cb 0b605000 00000175 b6f675d6 SDSerialize!CSDCustomObject::ReadAttribute+0x386
00e4df50 6a507613 0a94d01c 0a525618 0a51d8c0 SDSerialize!CSDCustomObject::ReadAttribute+0x46b
00e4df8c 6a503610 0a94d01c 0a959570 6a518ea8 OOXMLDocument!OOXML::COOXMLPart::Parse+0x143
00e4dfec 6d7f690c 69637374 6e115378 00e4f71c OOXMLDocument!OOXML::PRESENTATION::CUserDefTagsRootPart::GetRootClass+0x10
00e4e23c 6d7e706d 69634ec4 6e115378 0487dbbc HCellApp!CHncAppShield::operator=+0x7dc
00e4e2f4 6d7d269c 0b5f0c08 00e4f71c 0a930ec0 HCellApp!NGLSetSurfaceMetal+0x3396d
00e4e778 6d47343c 0b602f9c 00e4f71c 00e4ead8 HCellApp!NGLSetSurfaceMetal+0x1ef9c
00e4ea00 6d472aa5 0b5f0c08 00e4f71c 00e4ead8 HCellApp!CHclDoc::Load+0x1cc
00e4ed58 6d471f72 0b5f0c08 00e4f71c 00000000 HCellApp!CHclDoc::Load+0x6e5
00e4f40c 6d3c099a 0b5f0c08 00e4f71c 00000000 HCellApp!CHclDoc::OpenDocument+0x3f2
00e4f428 00288880 0b602f9c 00e4f71c 00000000 HCellApp!CHclViewCon::operator IHclViewCon *+0x17a
00e4f934 00281c4e 0a6b3160 00000001 00000000 HCell!LPenHelper+0x30840
00e4f9cc 002aeed7 0a6b3160 00000001 00000000 HCell!LPenHelper+0x29c0e
00e4fc50 002af0cb 00e4fc64 00436d74 00ba2810 HCell!LPenHelper+0x56e97
00e4fc58 00436d74 00ba2810 00e4fcb0 00709cd3 HCell!LPenHelper+0x5708b
00e4fc64 00709cd3 00230000 00000000 05b81e5a HCell!LPenHelper+0x1ded34
00e4fcb0 75fb343d 7efde000 00e4fcfc 77639832 HCell!LPenHelper+0x4b1c93
00e4fcbc 77639832 7efde000 7791d7f0 00000000 kernel32!BaseThreadInitThunk+0x12
00e4fcfc 77639805 00709d51 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x63
00e4fd14 00000000 00709d51 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x36
0:000> ub
SDSerialize!CSDObject::IsMaintainObject+0x761:
6ecbf2f1 89467c          mov     dword ptr [esi+7Ch],eax
6ecbf2f4 51              push    ecx
6ecbf2f5 57              push    edi
6ecbf2f6 8bce            mov     ecx,esi
6ecbf2f8 e8530f0000      call    SDSerialize!CSDObject::IsMaintainObject+0x16c0 (6ecc0250)
6ecbf2fd eb04            jmp     SDSerialize!CSDObject::IsMaintainObject+0x773 (6ecbf303)
6ecbf2ff 8b5c2414        mov     ebx,dword ptr [esp+14h]
6ecbf303 b85072ce6e      mov     eax,offset SDSerialize!CSDCustomObject::`vftable'+0x16b4 (6ece7250)
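The crash context above can be triaged mechanically. The following helper is an added example, not part of the original advisory: it parses the register dump and the faulting `mov cx,word ptr [edi]` line, decides whether the access was a read or a write, checks that the register value agrees with the `ds:` annotation, flags the `????` (unmapped) target, and converts eip into a module-relative RVA using the bounds from the `lmvm SDSerialize` listing, so the location can be compared across reruns even when the base address differs.

```python
import re

# Crash context copied from the advisory above (WinDbg output for CVE-2019-16339);
# module bounds come from the page's "lmvm SDSerialize" listing.
CRASH_CONTEXT = """\
(ea8.424): Access violation - code c0000005 (first chance)
eax=6ece7250 ebx=00e4dd24 ecx=6ece587c edx=6a510077 esi=00e4deb8 edi=00056f0c
eip=6ecbf308 esp=00e4dcb4 ebp=00e4dd08 iopl=0         nv up ei pl nz na po nc
SDSerialize!CSDObject::IsMaintainObject+0x778:
6ecbf308 668b0f          mov     cx,word ptr [edi]        ds:002b:00056f0c=????
"""
MODULE_BASE, MODULE_END = 0x6eca0000, 0x6ed36000

CODE_RE = re.compile(r"code ([0-9a-f]{8})")
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})")
# "<addr> <bytes> <mnemonic> <operands>   ds:<seg>:<target>=<value>"
INSN_RE = re.compile(
    r"^([0-9a-f]{8})\s+[0-9a-f]+\s+\w+\s+(.*?)\s+ds:[0-9a-f]+:([0-9a-f]+)=(\S+)\s*$", re.M)


def triage(text: str) -> dict:
    """Classify a WinDbg access violation: read/write, bad-pointer register, mapped?, RVA."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    insn = INSN_RE.search(text)
    if insn is None:
        raise ValueError("no faulting instruction with a ds: annotation found")
    addr, operands, target, value = insn.groups()
    dst, _, src = operands.partition(",")
    # Intel syntax: destination first, so a bracketed source operand means a read.
    access = "read" if "[" in src else "write" if "[" in dst else "unknown"
    base_reg = re.search(r"\[(e[a-z]{2})", src if "[" in src else dst)
    reg = base_reg.group(1) if base_reg else None
    eip = regs["eip"]
    in_module = MODULE_BASE <= eip < MODULE_END
    return {
        "exception_code": int(CODE_RE.search(text).group(1), 16),
        "access": access,
        "pointer_register": reg,
        "register_value": regs.get(reg),       # should equal fault_address
        "fault_address": int(target, 16),
        "unmapped": value == "????",           # WinDbg prints ???? for unmapped memory
        "addr_matches_eip": int(addr, 16) == eip,
        "in_module": in_module,
        # The RVA is what stays stable across reruns under ASLR (the note above
        # says the base was 0x6eca0000 "in my case").
        "rva": eip - MODULE_BASE if in_module else None,
    }


if __name__ == "__main__":
    for key, val in triage(CRASH_CONTEXT).items():
        print(f"{key:17} {val:#x}" if type(val) is int else f"{key:17} {val}")
```

For this crash the helper reports a read through edi of an unmapped address 0x56f0c at RVA 0x1f308, which is the same value that appears as the first argument to IsMaintainObject in the `kb` output above.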

Vendor Response

The vendor silently released a fix for the issue some time after it was reported.

Timeline

  • 2019-01-09 Vendor disclosure

Credit

Discovered by Shi Ji (@Puzzorsj)