Full Report
Hancom Office is an office suite used in South Korea as an alternative to Microsoft Office. DOCX files are ZIP containers of XML parts, so most of the parsing surface is XML. Rather than walking from the bug to the crash, the authors start from the crash produced by the malicious file: the code subtracts 4 from a heap pointer, dereferences the result, and faults. Tracing back, the crash comes from handling a paragraph end tag whose matching start tag is absent. The parser assumes that if an end tag is present then the start tag was seen, so it reaches for a "previous element" that was never created. The dereferenced value feeds an indirect call through a virtual function table, so with suitable heap feng shui an attacker could control the pointer that is read and redirect execution. Overall, a straightforward bug with a concise write-up.
Analysis Summary
# Vulnerability: Hancom Office Hword Docx XML Parsing Heap Underflow
## CVE Details
- CVE ID: CVE-2022-33896
- CVSS Score: 7.8 (High)
- CWE: CWE-124 - Buffer Underwrite (‘Buffer Underflow’)
## Affected Systems
- Products: Hancom Office 2020 (Hword component)
- Versions: Version 11.0.0.5357
- Configurations: Opening a specially-crafted, malicious DOCX file.
## Vulnerability Description
This vulnerability is a buffer underflow (an out-of-bounds read before the start of a heap allocation) in the XML parsing of DOCX files by Hancom Office Hword. The trigger is a malformed document part in which a paragraph end tag (in WordprocessingML, `</w:p>`) appears without a matching start tag (`<w:p>`). The parser assumes a preceding paragraph element exists, subtracts 4 from a valid heap pointer to reach it, and dereferences the result, reading the pointer-sized value just before the allocation. Under PageHeap that location holds the block header's `EndStamp`, which is why the crash surfaces immediately at the boundary; on a normal heap it is whatever data precedes the allocation. The value read is then used as the target of an indirect call, the pattern of a virtual function table invocation, so an attacker who controls what precedes the allocation controls the call target.
## Exploitation
- Status: PoC available (demonstrated via crash analysis and heap spraying discussion)
- Complexity: Medium (Requires heap feng shui to control the dereferenced pointer)
- Attack Vector: Local (Victim must open the malicious file)
## Impact
- Confidentiality: High (code execution in the victim's session exposes any data that user can read)
- Integrity: High (code execution allows modification of files and system state as the victim)
- Availability: High (at minimum the application crashes; a malicious document can be made to crash Hword every time it is opened)
## Remediation
### Patches
- Specific patch information or version containing the fix is not explicitly detailed beyond the vendor patch release date. Users should update to the latest version of Hancom Office 2020 released on or after September 30, 2022.
### Workarounds
- Do not open untrusted or unverified DOCX files created by external sources.
## Detection
- **Indicators of Compromise:** Crashes or access violations (exception code 0xC0000005) in the Hword process while opening DOCX files, with the faulting read a few bytes before a heap allocation. In a lab, enabling full PageHeap for the Hword image with `gflags /p /enable <image> /full` makes the under-read fault at the allocation boundary on the first bad access instead of depending on heap layout.
- **Detection Methods and Tools:** Static inspection of the document parts: an end tag without a matching start tag is not well-formed XML, so `word/document.xml` from a triggering file is rejected by any conformant XML parser, and a mail gateway or sandbox can refuse DOCX files whose parts fail a well-formedness check. Dynamic analysis of the document engine under PageHeap; EDR/antivirus solutions capable of flagging memory-corruption behaviour in document parsers.
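The unmatched-end-tag assumption described under Vulnerability Description, and the static pre-screen this Detection section calls for, modelled in C as an added example; this is neither Hancom's code nor anything from the Talos report. `unchecked_end_tag_offset` reproduces the arithmetic an unchecked end-tag handler performs over a table of paragraph-object pointers (a 4-byte pointer slot on a 32-bit build is assumed, matching the reported subtraction of 4; `MAX_OPEN` and the `w:p`-only tag walk are simplifications), and `scan_paragraph_tags` is the hardened form, which also rejects a `word/document.xml` part carrying the trigger. The sample XML bodies in `main` are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the bug class, added for this summary; not Hancom's
 * code. The parser keeps a table of pointers to paragraph objects plus a
 * count of how many are open. On </w:p> it fetches the newest entry,
 * slots[open - 1], and calls through that object's vtable. If no <w:p> was
 * ever seen, open is 0 and the unchecked handler reads the pointer-sized
 * slot just before the table: on a 32-bit build that is the "subtract 4 and
 * dereference" the advisory describes (the 4-byte slot is an assumption). */

#define SLOT_BYTES 4L   /* assumed 32-bit pointer size */
#define MAX_OPEN   64   /* assumed capacity of the slot table */

/* Byte offset, relative to the start of the slot table, that the unchecked
 * end-tag handler would dereference for a given number of open paragraphs.
 * Negative means a read before the allocation. No read is performed here. */
long unchecked_end_tag_offset(int open)
{
    return ((long)open - 1) * SLOT_BYTES;
}

typedef enum {
    SCAN_OK = 0,
    SCAN_UNMATCHED_END,  /* </w:p> with nothing open: the trigger in this CVE */
    SCAN_UNCLOSED,       /* <w:p> never closed */
    SCAN_TOO_DEEP        /* more nesting than the table holds */
} ScanStatus;

typedef struct {
    ScanStatus status;
    int paragraphs;        /* paragraphs closed properly */
    size_t pos;            /* byte offset of the offending tag, if any */
    long unchecked_offset; /* what the unchecked handler would have read */
} ScanResult;

static int is_xml_space(char c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Hardened walk over WordprocessingML: a </w:p> is accepted only while a
 * <w:p> is open. Doubles as a static pre-screen, since a well-formed part
 * can never fail it. Toy tokenizer: comments containing '>' are not handled. */
ScanResult scan_paragraph_tags(const char *xml)
{
    ScanResult r = { SCAN_OK, 0, 0, 0 };
    int open = 0;
    const char *p = xml;

    while ((p = strchr(p, '<')) != NULL) {
        const char *tag = p + 1;
        const char *end = strchr(tag, '>');
        size_t pos = (size_t)(p - xml);
        size_t len, name_len = 0;
        int closing, self_closing;

        if (end == NULL)
            break;                          /* truncated tag: stop scanning */
        if (*tag == '?' || *tag == '!') {   /* <?xml ...?>, <!-- ... --> */
            p = end + 1;
            continue;
        }
        closing = (*tag == '/');
        if (closing)
            tag++;
        len = (size_t)(end - tag);
        self_closing = (!closing && len > 0 && tag[len - 1] == '/');
        if (self_closing)
            len--;
        while (name_len < len && !is_xml_space(tag[name_len]))
            name_len++;                     /* element name stops at attributes */

        if (name_len == 3 && memcmp(tag, "w:p", 3) == 0) {
            if (closing) {
                if (open == 0) {            /* the check the parser lacked */
                    r.status = SCAN_UNMATCHED_END;
                    r.pos = pos;
                    r.unchecked_offset = unchecked_end_tag_offset(open);
                    return r;
                }
                open--;
                r.paragraphs++;
            } else if (self_closing) {
                r.paragraphs++;             /* <w:p/>: empty paragraph */
            } else if (open == MAX_OPEN) {
                r.status = SCAN_TOO_DEEP;
                r.pos = pos;
                return r;
            } else {
                open++;
            }
        }
        p = end + 1;
    }
    if (open != 0) {
        r.status = SCAN_UNCLOSED;
        r.pos = strlen(xml);
    }
    return r;
}

int main(void)
{
    /* Constructed stand-ins for word/document.xml: a well-formed body and
     * one whose paragraph end tag has no opening <w:p>. */
    static const char good[] =
        "<?xml version=\"1.0\"?><w:body>"
        "<w:p><w:r><w:t>hello</w:t></w:r></w:p><w:p/></w:body>";
    static const char bad[] =
        "<?xml version=\"1.0\"?><w:body>"
        "<w:r><w:t>hello</w:t></w:r></w:p></w:body>";
    ScanResult a = scan_paragraph_tags(good);
    ScanResult b = scan_paragraph_tags(bad);

    printf("good: status=%d, paragraphs=%d\n", a.status, a.paragraphs);
    printf("bad:  status=%d at byte %lu; unchecked handler reads offset %ld\n",
           b.status, (unsigned long)b.pos, b.unchecked_offset);
    return 0;
}
```

The hand-rolled walk shows where the missing check sits in a parser that does not validate; because an unmatched end tag is never well-formed XML, a conformant XML parser rejects the same part before any element handler runs, which is the cheaper pre-screen in practice.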
## References
- Vendor Advisory/Disclosure: TALOS-2022-1574
- Relevant links - defanged: hxxps://talosintelligence.com/vulnerability_reports/TALOS-2022-1574