Zscaler Inc.

11/21/2023 | News release | Distributed by Public on 11/21/2023 10:18

ThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library - Part 2


In May of 2023, the patch for CVE-2023-29344 was released and was intended to fix all vulnerabilities located in FreeImage. The patched version of MSOSPECTRE.DLL is 16.0.16327.20240, as shown in the figure below.

Figure 1: The patched version of MSOSPECTRE.DLL for CVE-2023-29344

First, let's explore the details of the patch for CVE-2023-29344.

The figure below shows a comparison of SketchUpModelReader::ReadModel before and after the patch.

Figure 2: The comparison of SketchUpModelReader::ReadModel before and after the patch.

This patch introduced some code changes to disable support for SKP files with the MFC type. This is because all vulnerabilities in FreeImage were reported to Microsoft through the SKP files with the MFC type. Accordingly, Microsoft fixed these vulnerabilities by disabling support for SKP files with the MFC type, rather than fixing the underlying issues within the FreeImage library. As a result, this patch is incomplete, because these vulnerabilities in the FreeImage library could still be triggered using SKP files with the VFF type.

Next, let's take a look at the process of bypassing the patch for CVE-2023-29344.

The figure below shows a Proof-of-Concept (PoC) crafting template for an SKP file with the VFF type, which includes a SketchUp header, a VFF header, and an embedded zip file. All data related to SketchUp 3D models are stored within a zip file.

Figure 3: A PoC crafting template for SKP file with the VFF type

We extract the zip file portion of the SKP file and then analyze it using the ZIP template in 010 Editor. The result of the parsing operation reveals an image stored within the materials folder.

Figure 4: Analyzing the zip file embedded in the SKP file using the ZIP template in 010 Editor

Crafting a new PoC:

  1. Compress the abnormal image file using the Deflate algorithm.

    compressor = zlib.compressobj(compresslevel, zlib.DEFLATED, -zlib.MAX_WBITS, zlib.DEF_MEM_LEVEL, 0)  # negative wbits: raw Deflate stream without a zlib header, as stored in a zip entry (requires "import zlib")
    compressed = compressor.compress(data) + compressor.flush()  # flush() emits the final Deflate block; without it the stream is truncated

  2. Calculate the new CRC32 for the uncompressed image data. We can use 010 Editor's CRC32 tool or Windows built-in CRC utility.
  3. Update the fields frCrc, frCompressSize, frUncompressSize, and frData (the compressed image data).
  4. Update the field deHeaderOffset for each dirEntry, and also update the fields deCrc, deCompressSize, and deUncompress in struct ZIPDIRENTRY dirEntry[4] materials/_1/E70785.tif. Update the field erDirectoryOffset in struct ZIPENDLOCATOR endLocator.
  5. Combine the SketchUp header, VFF header, and the modified zip file into a complete SKP file.
  6. Finally, we need to re-calculate the checksum in the VFF header. We uncovered a specific algorithm responsible for computing this checksum. Figure 6 shows a pseudo-code representation of this algorithm.

Figure 5: The parsing result in 010 Editor

Figure 6: The specific algorithm responsible for computing this checksum in a VFF header

So far, we've elaborated on the steps of crafting the new PoC to bypass the patch for CVE-2023-29344. With this approach, we reproduced 97 unique vulnerabilities in Microsoft 365 apps that had been updated with the patch for CVE-2023-29344. Microsoft assigned CVE-2023-33146 to this discovery, which bypassed the original patch.

Finally, Microsoft disabled the ability to insert SketchUp files in Office documents in the patch for CVE-2023-33146.

A screenshot of the Microsoft update