Product: Hancom Office Hwp 2014 Vendor: Hancom - www.hancom.com Versions Affected (32 bits only): HanWord Viewer 2007 (Korean) HanWord Viewer 2010 ­ 8.5.6.1158 (English) HwpViewer 2014 VP- 9.1.0.2186 (English) Hwp 2014 VP - 9.0.0.1405 (English/Korean) Version Not vulnerable: Hwp 2014 VP - 9.1.0.2342 (English/Korean) Credits: Daniel Regalado, FireEye Dan Caselden, FireEye MITRE CVE: 2015-2810 Timeline: 03/03/2015: FireEye contacted Hancom letting them know about the vulnerability found. 03/05/2015: Hancom replied asking for the technical details. 03/06/2015: FireEye provides technical details and a PoC to Hancom to replicate the crash. Description: Hancom is an office suite developer in South Korea. The HanWord processor (also called Hangul a.k.a HWP) is vulnerable to an integer overflow when assigning a long paragraph size value. The Bug: HWP accepts a maximum paragraph size of 0x7fffffff, which is used to allocate memory for the content of a paragraph. Unchecked arithmetic on this value can overflow the 32bit integer, resulting in an unexpectedly small allocation. Subsequent accesses to the buffer disagree on the bufferıs size, and may access memory outside of the buffer. These accesses may corrupt the heap, allowing attackers to influence the programıs execution flow. The integer overflow happens inside the HwpApp::CHncSDS_Manager function. A sequence of arithmetic operations on the paragraph size value ends in a multiplication by four. In the case of a paragraph size value of 0x7fffffff, the multiplication results in 0x4000001b*4 = 0x10000006c, which causes the 32-bit register to overflow to 0x6c bytes: eax=00000002 ebx=00000019 ecx=00000001 edx=0000006c esi=03d0c0c8 edi=4000001b eip=048b163c esp=0d39ef88 ebp=40000000 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 HwpApp!CHncSDS_Manager::CHncSDS_Manager+0x4089ec: 048b163c 52 push edx 048b1641 ff15e0059504 call dword ptr[HwpApp!CHncSDS_Manager::CHncSDS_Manager+0x4a7990 (049505e0)]={MSVCR90!malloc)} The unexpected paragraph size may cause heap corruption when HWP writes the contents of the paragraph in memory. In the crash below, the instruction pointer has been overwritten: (1b4.d1c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00200020 ebx=01b10332 ecx=03cbefec edx=31f21817 esi=03cbefec edi=00000000 eip=31f21817 esp=0012da74 ebp=0012dad4 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 31f21817 ?? ??? Impact: Attackers may cause either a Denial of Service or in some circumstances influence the programıs execution flow. Fix: Hancom released a patch to fix this bug in the following version: Hancom Hwp 2014 VP - 9.1.0.2342 (English/Korean) -- Daniel Regalado This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.