Hancom Hcell Unspecified Memory Corruption



Tested Versions

  • HCell.exe
  • SDSerialize

Product URL(s)


Hangul Office is published by Hancom, Inc. and is considered one of the more popular office suites used within South Korea. This vulnerability was discovered in SDSerialize.dll when opening a specially crafted Office Open XML Workbook (.xlsx) with Hcell, the spreadsheet application of the Hangul Office suite.


0:000> lmvm SDSerialize
start    end        module name
6eca0000 6ed36000   SDSerialize   (export symbols)       C:\Program Files (x86)\Hnc\Office NEO\HOffice96\Bin\SDSerialize.dll
    Loaded symbol image file: C:\Program Files (x86)\Hnc\Office NEO\HOffice96\Bin\SDSerialize.dll
    Image path: C:\Program Files (x86)\Hnc\Office NEO\HOffice96\Bin\SDSerialize.dll
    Image name: SDSerialize.dll
    Timestamp:        Thu Apr 12 17:20:43 2018 (5ACF24EB)
    CheckSum:         0005FF4F
    ImageSize:        00096000
    File version:
    Product version:
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Hancom Inc.
    ProductName:      Hancom, Inc.  Common Library 9.0
    InternalName:     SDSERIALIZE.DLL
    OriginalFilename: SDSerialize.dll
    ProductVersion:   9, 6, 1, 9403
    FileVersion:      9, 6, 1, 9403
    FileDescription:  Hancom Inc.  SDSerialize 9.0
    LegalCopyright:   Copyright 1989. Hancom Inc. All rights reserved.
    LegalTrademarks:  SDSERIALIZE is a registered trademark of Hancom Inc.


1. To trigger this corruption, enable PageHeap and Application Verifier for Hcell.exe.

2. The base address of SDSerialize.dll was 0x6eca0000 in my case.

The following is the crash context:

(ea8.424): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=6ece7250 ebx=00e4dd24 ecx=6ece587c edx=6a510077 esi=00e4deb8 edi=00056f0c
eip=6ecbf308 esp=00e4dcb4 ebp=00e4dd08 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
6ecbf308 668b0f          mov     cx,word ptr [edi]        ds:002b:00056f0c=????
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00e4dd08 6eca1610 00056f0c 0a9bc1c8 0a9bc1c8 SDSerialize!CSDObject::IsMaintainObject+0x778
00e4dd3c 6eca3f85 0a525110 00056f0c 0a9bc1c8 SDSerialize!CSDDefaultHandler::CSDDefaultHandler+0x290
00e4ddbc 6eca3981 6ece1b70 0b60509a 0b605175 SDSerialize!CSDObject::Delete+0x1895
00e4dde4 6eca6b69 0ac106f0 0b605000 0b605175 SDSerialize!CSDObject::Delete+0x1291
00e4de1c 6eca589d 0b605000 0b605175 00000001 SDSerialize!CSDObject::Delete+0x4479
00e4de58 6eca3696 0ac106f0 0b605000 0b605175 SDSerialize!CSDObject::Delete+0x31ad
00e4de7c 6eca24e6 00000001 0a540bf8 0a525618 SDSerialize!CSDObject::Delete+0xfa6
00e4de94 6eca25cb 0b605000 00000175 b6f675d6 SDSerialize!CSDCustomObject::ReadAttribute+0x386
00e4df50 6a507613 0a94d01c 0a525618 0a51d8c0 SDSerialize!CSDCustomObject::ReadAttribute+0x46b
00e4df8c 6a503610 0a94d01c 0a959570 6a518ea8 OOXMLDocument!OOXML::COOXMLPart::Parse+0x143
00e4dfec 6d7f690c 69637374 6e115378 00e4f71c OOXMLDocument!OOXML::PRESENTATION::CUserDefTagsRootPart::GetRootClass+0x10
00e4e23c 6d7e706d 69634ec4 6e115378 0487dbbc HCellApp!CHncAppShield::operator=+0x7dc
00e4e2f4 6d7d269c 0b5f0c08 00e4f71c 0a930ec0 HCellApp!NGLSetSurfaceMetal+0x3396d
00e4e778 6d47343c 0b602f9c 00e4f71c 00e4ead8 HCellApp!NGLSetSurfaceMetal+0x1ef9c
00e4ea00 6d472aa5 0b5f0c08 00e4f71c 00e4ead8 HCellApp!CHclDoc::Load+0x1cc
00e4ed58 6d471f72 0b5f0c08 00e4f71c 00000000 HCellApp!CHclDoc::Load+0x6e5
00e4f40c 6d3c099a 0b5f0c08 00e4f71c 00000000 HCellApp!CHclDoc::OpenDocument+0x3f2
00e4f428 00288880 0b602f9c 00e4f71c 00000000 HCellApp!CHclViewCon::operator IHclViewCon *+0x17a
00e4f934 00281c4e 0a6b3160 00000001 00000000 HCell!LPenHelper+0x30840
00e4f9cc 002aeed7 0a6b3160 00000001 00000000 HCell!LPenHelper+0x29c0e
00e4fc50 002af0cb 00e4fc64 00436d74 00ba2810 HCell!LPenHelper+0x56e97
00e4fc58 00436d74 00ba2810 00e4fcb0 00709cd3 HCell!LPenHelper+0x5708b
00e4fc64 00709cd3 00230000 00000000 05b81e5a HCell!LPenHelper+0x1ded34
00e4fcb0 75fb343d 7efde000 00e4fcfc 77639832 HCell!LPenHelper+0x4b1c93
00e4fcbc 77639832 7efde000 7791d7f0 00000000 kernel32!BaseThreadInitThunk+0x12
00e4fcfc 77639805 00709d51 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x63
00e4fd14 00000000 00709d51 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x36
0:000> ub
6ecbf2f1 89467c          mov     dword ptr [esi+7Ch],eax
6ecbf2f4 51              push    ecx
6ecbf2f5 57              push    edi
6ecbf2f6 8bce            mov     ecx,esi
6ecbf2f8 e8530f0000      call    SDSerialize!CSDObject::IsMaintainObject+0x16c0 (6ecc0250)
6ecbf2fd eb04            jmp     SDSerialize!CSDObject::IsMaintainObject+0x773 (6ecbf303)
6ecbf2ff 8b5c2414        mov     ebx,dword ptr [esp+14h]
6ecbf303 b85072ce6e      mov     eax,offset SDSerialize!CSDCustomObject::`vftable'+0x16b4 (6ece7250)
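
Added example, not part of the original advisory: a small Python triage helper that parses the WinDbg output quoted above (the `lmvm` module range, the crash context, and the top `kb` frame) and reports the fault as a module-relative address. Because the DLL may load at a different base on another machine, the RVA rather than the raw `eip` is what lets a defender match this crash against their own dumps of the same SDSerialize.dll build. The input strings are constructed from the excerpts above, the read/write heuristic covers only the two-operand `mov` seen here, and all field names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed from the advisory's WinDbg session: lmvm range, crash context, kb frame 0.
LMVM_OUTPUT = r"""
start    end        module name
6eca0000 6ed36000   SDSerialize   (export symbols)       C:\Program Files (x86)\Hnc\Office NEO\HOffice96\Bin\SDSerialize.dll
"""

CRASH_CONTEXT = """
(ea8.424): Access violation - code c0000005 (first chance)
eax=6ece7250 ebx=00e4dd24 ecx=6ece587c edx=6a510077 esi=00e4deb8 edi=00056f0c
eip=6ecbf308 esp=00e4dcb4 ebp=00e4dd08 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
6ecbf308 668b0f          mov     cx,word ptr [edi]        ds:002b:00056f0c=????
"""

KB_FRAME0 = "00e4dd08 6eca1610 00056f0c 0a9bc1c8 0a9bc1c8 SDSerialize!CSDObject::IsMaintainObject+0x778"


@dataclass
class Module:
    name: str
    start: int
    end: int

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_lmvm(text: str) -> Module:
    """Module name and load range from the first data line of `lmvm` output."""
    m = re.search(r"^([0-9a-f]{8}) ([0-9a-f]{8})\s+(\S+)", text, re.M)
    if not m:
        raise ValueError("no module line found in lmvm output")
    return Module(m.group(3), int(m.group(1), 16), int(m.group(2), 16))


def parse_registers(text: str) -> dict:
    """Every 32-bit reg=hex pair in the crash context (eax..edi, eip, esp, ebp, efl)."""
    return {r: int(v, 16) for r, v in re.findall(r"\b([a-z]{2,3})=([0-9a-f]{8})\b", text)}


def parse_fault(text: str) -> dict:
    """Exception code, faulting instruction, and the data address it touched."""
    code = re.search(r"code ([0-9a-f]{8})", text)
    instr = re.search(
        r"^([0-9a-f]{8}) [0-9a-f]+\s+(\w+)\s+(.+?)\s+ds:[0-9a-f]{4}:([0-9a-f]{8})=",
        text, re.M)
    if not code or not instr:
        raise ValueError("crash context lacks an exception code or faulting instruction")
    dest, src = instr.group(3).split(",", 1)
    return {
        "code": int(code.group(1), 16),
        "address": int(instr.group(1), 16),
        "mnemonic": instr.group(2),
        # Heuristic for two-operand mov: memory on the source side means a read.
        "access": "read" if "[" in src else "write",
        "target": int(instr.group(4), 16),
    }


def parse_frame(frame: str) -> dict:
    """module!symbol+0xdisp from one `kb` frame line."""
    m = re.search(r"(\S+)!(\S+)\+0x([0-9a-f]+)$", frame)
    if not m:
        raise ValueError("frame has no module!symbol+offset")
    return {"module": m.group(1), "symbol": m.group(2), "disp": int(m.group(3), 16)}


def triage(lmvm: str = LMVM_OUTPUT, context: str = CRASH_CONTEXT, frame0: str = KB_FRAME0) -> dict:
    """Summarise the fault in module-relative terms for cross-machine matching."""
    module = parse_lmvm(lmvm)
    regs = parse_registers(context)
    fault = parse_fault(context)
    frame = parse_frame(frame0)
    eip = regs["eip"]
    return {
        "exception": fault["code"],
        "eip_matches_listing": eip == fault["address"],
        "faulting_module": module.name if module.contains(eip) else None,
        # RVA of the faulting instruction: stable even if the DLL is rebased.
        "rva": eip - module.start,
        "access": fault["access"],
        "target": fault["target"],
        "target_in_module": module.contains(fault["target"]),
        "symbol": f"{frame['module']}!{frame['symbol']}+0x{frame['disp']:x}",
        # Start of the symbol implied by the displacement, for lining up with `ub`.
        "symbol_start_rva": eip - frame["disp"] - module.start,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key:>20}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>20}: {value}")
```

Feeding the same helper the output of another session for the same DLL build and comparing `rva` values tells you whether two crashes are the same code location, regardless of where the loader placed the module.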

Vendor Response

The vendor has silently released a fix for the issue some time after reporting.


  • 2019-01-09 Vendor disclosure


Discovered by Shi Ji (@Puzzorsj)