11/21/2023 | News release | Distributed by Public on 11/21/2023 10:18
In May of 2023, the patch for CVE-2023-29344 was released and was intended to fix all vulnerabilities located in FreeImage. The patched version of MSOSPECTRE.DLL is 16.0.16327.20240, as shown in the figure below.
Figure 1: The patched version of MSOSPECTRE.DLL for CVE-2023-29344
First, let's explore the details of the patch for CVE-2023-29344.
The figure below shows a comparison of SketchUpModelReader::ReadModel before and after the patch.
Figure 2: The comparison of SketchUpModelReader::ReadModel before and after the patch
This patch introduced code changes that disable support for SKP files with the MFC type. All of the FreeImage vulnerabilities had been reported to Microsoft using SKP files with the MFC type, so Microsoft fixed them by disabling support for that container type rather than fixing the underlying issues in the FreeImage library. As a result, the patch is incomplete: the same FreeImage vulnerabilities can still be triggered using SKP files with the VFF type.
Next, let's take a look at the process of bypassing the patch for CVE-2023-29344.
The figure below shows a Proof-of-Concept (PoC) crafting template for an SKP file with the VFF type, which includes a SketchUp header, a VFF header, and an embedded zip file. All data related to SketchUp 3D models are stored within a zip file.
Figure 3: A PoC crafting template for SKP file with the VFF type
We extract the zip file embedded in the SKP file and analyze it using the ZIP template in 010 Editor. The parsing result reveals an image stored within the materials folder.
Figure 4: Analyzing the zip file embedded in the SKP file using the ZIP template in 010 Editor
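To make the container structure described above concrete from a scanner's point of view, here is an added example (not code from the original write-up or from Microsoft) that triages an SKP-like file: it identifies which container type the leading bytes advertise, locates the embedded zip, lists the entries, and flags image files under the materials folder, which are the payloads the write-up says FreeImage decodes. It also inflates one entry by hand with a raw (headerless) DEFLATE stream, the same -MAX_WBITS convention that the compressobj() call later in the write-up uses in the compressing direction. The header layout is an assumption: the page names the MFC and VFF types but does not give their byte formats, so the sample files built by build_sample_skp() carry a constructed 16-byte header that merely contains the ASCII tag, and the HEADER_TAGS and IMAGE_SUFFIXES constants are placeholders to adjust once the real layout is known.

```python
import io
import struct
import zipfile
import zlib

# ASSUMPTION: the write-up names the two SKP container types (MFC and VFF) but
# gives no byte layout, so these tags are only searched for in the bytes that
# precede the embedded zip.  Replace with the real header fields when known.
HEADER_TAGS = (b"VFF", b"MFC")
ZIP_LOCAL_HEADER = b"PK\x03\x04"          # ZIP local-file-header signature
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".bmp", ".tif", ".tiff", ".gif", ".tga")


def embedded_zip_offset(blob: bytes) -> int:
    """Offset of the first ZIP local-file header inside the SKP, or -1 if none."""
    return blob.find(ZIP_LOCAL_HEADER)


def container_type(blob: bytes) -> str:
    """Return which SKP container tag appears before the embedded zip, or 'unknown'."""
    off = embedded_zip_offset(blob)
    region = blob[:off] if off > 0 else blob[:64]
    for tag in HEADER_TAGS:
        if tag in region:
            return tag.decode()
    return "unknown"


def triage_skp(blob: bytes) -> dict:
    """Summarise what a scanner needs to know before handing the file to a parser."""
    kind = container_type(blob)
    off = embedded_zip_offset(blob)
    entries, images = [], []
    if off >= 0:
        with zipfile.ZipFile(io.BytesIO(blob[off:])) as zf:
            for info in zf.infolist():
                entries.append(info.filename)
                lname = info.filename.lower()
                # Images under materials/ are what FreeImage decodes per the write-up.
                if lname.startswith("materials/") and lname.endswith(IMAGE_SUFFIXES):
                    images.append(info.filename)
    return {
        "container_type": kind,
        "zip_offset": off,
        "entries": entries,
        "material_images": images,
        # The May 2023 patch only disabled MFC containers; a VFF container that
        # carries material images still reaches FreeImage and deserves deeper inspection.
        "reaches_freeimage_after_may_patch": kind == "VFF" and bool(images),
    }


def inflate_entry_raw(zip_blob: bytes, name: str) -> bytes:
    """Inflate one zip entry by hand: ZIP stores raw DEFLATE data, so the
    decompressor is opened with -MAX_WBITS (no zlib header or Adler trailer)."""
    with zipfile.ZipFile(io.BytesIO(zip_blob)) as zf:
        info = zf.getinfo(name)
    h = info.header_offset
    # Local file header: 30 fixed bytes, then the name and extra field, then data.
    name_len, extra_len = struct.unpack_from("<HH", zip_blob, h + 26)
    start = h + 30 + name_len + extra_len
    comp = zip_blob[start:start + info.compress_size]
    if info.compress_type == zipfile.ZIP_STORED:
        return comp
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    return d.decompress(comp) + d.flush()


def build_sample_skp(tag: bytes, files: dict) -> bytes:
    """CONSTRUCTED test input: a fake 16-byte header holding the tag, followed by
    an in-memory zip.  This is not a real SketchUp file layout."""
    header = tag.ljust(16, b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return header + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_skp(b"VFF", {"materials/texture.png": b"\x89PNG" + b"\x00" * 32,
                                       "model.dat": b"x" * 10})
    print(triage_skp(sample))
```

In a mail or document-scanning pipeline the useful signal is the final flag: after the May 2023 patch an MFC container is rejected by Office, but a VFF container with material images still reaches FreeImage, so those files are the ones to route to a sandbox or to a FreeImage-aware scanner.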
Craft a new PoC.
import zlib  # negative wbits = raw DEFLATE without the zlib header/trailer, as stored inside a zip entry
compressor = zlib.compressobj(compresslevel, zlib.DEFLATED, -zlib.MAX_WBITS, zlib.DEF_MEM_LEVEL, 0)
compressed = compressor.compress(data) + compressor.flush()  # flush() emits the final block
Figure 5: The parsing result in 010 Editor
Figure 6: The specific algorithm responsible for computing this checksum in a VFF header
So far, we've elaborated on the steps of crafting the new PoC to bypass the patch for CVE-2023-29344. With this approach, we reproduced 97 unique vulnerabilities in Microsoft 365 apps that had been updated with the patch for CVE-2023-29344. Microsoft assigned CVE-2023-33146 to this discovery, which bypassed the original patch.
Finally, Microsoft disabled the ability to insert SketchUp files in Office documents in the patch for CVE-2023-33146.
A screenshot of the Microsoft update