Bugtraqmailing list archives

By Date

By Thread

Microsoft Office Word HTML Linked Objects Memory Corruption Vulnerability - CVE-2010-1903

Dear List,I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.Check Point Software Technologies - Vulnerability Discovery Team (VDT)http://www.checkpoint.com/defense/Microsoft Office Word HTML Linked Objects Memory Corruption VulnerabilityCVE-2010-1903 - MS10-056INTRODUCTIONThere exists a vulnerability within the way Word handles html linked objects, which leads to attacker controlled memory write and code execution.There is a poc.doc file that demonstrates the vulnerability and is available to interestedparts.This problem was confirmed in the following versions of Word and Windows, other versions may be also affected.Microsoft Office XP Service Pack 3 and olderMicrosoft Office 2003 Service Pack 3 and older2007 Microsoft Office System Service Pack 2 and olderMicrosoft Office 2004 for MacMicrosoft Office 2008 for MacOpen XML file format converter for MacMicrosoft Office Word ViewerMicrosoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2Microsoft Works 9CVSS Scoring SystemThe CVSS score is: 8.6        Base Score: 10        Temporal Score: 8.6We used the following values to calculate the scores:        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C        Temporal score is: E:POC/RL:U/RC:UR        TRIGGERING THE PROBLEMThe problem is triggered by a PoC available only to interested parts which causes invalid memory write inall the referred versions.DETAILSOpening the attached poc.doc file and breaking in the following call, we see:eax=00126c5c ebx=00126c40 ecx=00000000 edx=00000001 esi=00944001 edi=00000000eip=3179fd74 esp=00126b9c ebp=00126bc0 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246wwlib!DllGetClassObject+0x7fe9e:3179fd74 e87bf9ffff      call    wwlib!DllGetClassObject+0x7f81e (3179f6f4)Disassembling the code:0:000> uwwlib!DllGetClassObject+0x7fe9e:3179fd74 e87bf9ffff      call    wwlib!DllGetClassObject+0x7f81e (3179f6f4)3179fd79 3bf7            cmp     esi,edi3179fd7b 8b4310          mov     eax,dword ptr [ebx+10h]3179fd7e 894508          mov     dword ptr [ebp+8],eax3179fd81 7404            je      wwlib!DllGetClassObject+0x7feb1 (3179fd87)3179fd83 66893c46        mov     word ptr [esi+eax*2],di3179fd87 397b2c          cmp     dword ptr [ebx+2Ch],edi3179fd8a 740e            je      wwlib!DllGetClassObject+0x7fec4 (3179fd9a)The faulting instruction is at address 3179fd83, where di and eax are NULL and esi afixed value.  The value eax is copied from the stack.  The same with the di register.Stepping into the first called function:0:000> u 3179f6f4wwlib!DllGetClassObject+0x7f81e:3179f6f4 55              push    ebp3179f6f5 8bec            mov     ebp,esp3179f6f7 81ecb8010000    sub     esp,offset <Unloaded_dui.DLL>+0x187 (000001b8)3179f6fd a170474831      mov     eax,dword ptr [wwlib+0x244770 (31484770)]3179f702 33c5            xor     eax,ebp3179f704 8945fc          mov     dword ptr [ebp-4],eax3179f707 838db0feffffff  or      dword ptr [ebp-150h],0FFFFFFFFh3179f70e 33c9            xor     ecx,ecxThe stack trace information:0:000> kChildEBP RetAddr  WARNING: Stack unwind information not available. Following frames may be wrong.00126bc0 315d18cb wwlib!DllGetClassObject+0x7fe9e00126d8c 315d02f7 wwlib!FMain+0x133a2600126e18 315cf42f wwlib!FMain+0x13245200127430 315cefc0 wwlib!FMain+0x13158a0012763c 315ce9ba wwlib!FMain+0x13111b001276d4 6bdd1d83 wwlib!FMain+0x130b1500127784 6bdd24c8 MSPTLS!LssbFIsSublineEmpty+0x22cb00127804 6bddf8e0 MSPTLS!LssbFIsSublineEmpty+0x2a1000127868 6bddff5d MSPTLS!LssbFIsSublineEmpty+0xfe2800127898 6bddf1ef MSPTLS!LssbFIsSublineEmpty+0x104a500127a9c 6bdc4b85 MSPTLS!LssbFIsSublineEmpty+0xf73700127ad0 318e1917 MSPTLS!LsCreateLine+0x2300127b44 3181c5f8 wwlib!DllGetClassObject+0x1c1a4100127bac 31549412 wwlib!DllGetClassObject+0xfc72200127c9c 6be51b06 wwlib!FMain+0xab56d00127d3c 6be5c63a MSPTLS!FsDestroyMemory+0x1ee3900127eb4 6be5c92b MSPTLS!FsDestroyMemory+0x2996d00127f00 6be36d4d MSPTLS!FsDestroyMemory+0x29c5e00127f6c 6be37f7b MSPTLS!FsDestroyMemory+0x408000128078 6be4e8ca MSPTLS!FsDestroyMemory+0x52ae!exploitable output:Exploitability Classification: EXPLOITABLERecommended Bug Title: Exploitable - User Mode Write AV starting at wwlib!DllGetClassObject+0x000000000007fead (Hash=0x43317a27.0x44020844)User mode write access violations that are not near NULL are exploitable.This vulnerability can be remotely triggered if an user choose to open a .doc while using IE or any other browser (inIE it will spawn a winword.exe process inside the browser, but the process remains as a new one).CREDITSThis vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT).Best Regards, Rodrigo. --Rodrigo Rubira BrancoSenior Security ResearcherVulnerability Discovery Team (VDT)Check Point Software Technologies

By Date

By Thread

Current thread:

• Microsoft Office Word HTML Linked Objects Memory Corruption Vulnerability - CVE-2010-1903Rodrigo Branco (Aug 11)