[CORE-2010-0428] Microsoft Office Visio DXF File Insertion Buffer Overflow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

      Core Security Technologies - CoreLabs Advisory
           http://corelabs.coresecurity.com/

Microsoft Office Visio DXF File Insertion Buffer Overflow



1. *Advisory Information*

Title: Microsoft Office Visio DXF File Insertion Buffer Overflow
Advisory Id: CORE-2010-0428
Advisory URL:
[http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow]
Date published: 2010-05-04
Date of last update: 2010-05-04
Vendors contacted: Microsoft
Release mode: User release



2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-1681
Bugtraq ID: 39836



3. *Vulnerability Description*

Microsoft Office Visio is vulnerable to a buffer overflow in
'VISIODWG.DLL', a DLL which is loaded when inserting a DXF file into a
Visio document,  either using drag-and-drop or "Insert, CAD drawing"
from the menu bar. This bug can be exploited to execute arbitrary code
with the privileges of the  user running Visio. The bug was fixed in
patch KB979364 [2] released with Microsoft Security Bulletin MS10-028
[1], but the bulletin contains no  mention of either the bug or the fix.


4. *Vulnerable packages*

   . Microsoft Office Visio using VISIODWG.DLL version 10.0.5006.4


5. *Non-vulnerable packages*


   . Microsoft Office Visio using VISIODWG.DLL version 10.0.6880.4
(patched with KB979364 [2]).


6. *Solutions and Workarounds*

Apply patch KB979364 [2] included in bulletin MS10-028 [1].


7. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow,
from Core Security Technologies. Publication was coordinated by Jorge
Lucangeli  Obes.


8. *Technical Description*

The vulnerability occurs in the 'VISIODWG.DLL' library. At offset '74ef'
in the library there is an unsafe call to 'strcpy', which can be used to
execute arbitrary code. This call is replaced with a call to 'strncpy',
at offset '81e7' in the new version of the library.

/-----
Original:

.text:667D74E2 loc_667D74E2:
.text:667D74E2 mov     ecx, [edi+2428h]
.text:667D74E8 mov     edx, [esp+6Ch+Key]
.text:667D74EC inc     ecx
.text:667D74ED push    ecx                  ; Source
.text:667D74EE push    edx                  ; Dest
.text:667D74EF call    strcpy
.text:667D74F4 mov     esi, ds:bsearch
.text:667D74FA push    offset sub_667D7400  ; PtFuncCompare
.text:667D74FF push    0Ch                  ; ElementSize
.text:667D7501 push    0D5h                 ; NumOfElements
.text:667D7506 lea     eax, [esp+80h+Key]
.text:667D750A push    offset off_6685E730  ; Base
.text:667D750F push    eax                  ; Key
.text:667D7510 call    esi                  ; bsearch
.text:667D7512 mov     edi, eax
.text:667D7514 add     esp, 1Ch
.text:667D7517 test    edi, edi
.text:667D7519 jz      loc_667D770F


Patched:

.text:667D81D2 loc_667D81D2:
.text:667D81D2 mov     ecx, [edi+2430h]
.text:667D81D8 mov     edx, [esp+6Ch+Key]
.text:667D81DC mov     ebx, ds:strncpy
.text:667D81E2 inc     ecx
.text:667D81E3 push    50h                  ; Count <-- MAX LENGTH
.text:667D81E5 push    ecx                  ; Source
.text:667D81E6 push    edx                  ; Dest
.text:667D81E7 call    ebx ; strncpy
.text:667D81E9 mov     esi, ds:bsearch
.text:667D81EF push    offset sub_667D80F0  ; PtFuncCompare
.text:667D81F4 push    0Ch                  ; ElementSize
.text:667D81F6 push    0D5h                 ; NumOfElements
.text:667D81FB lea     eax, [esp+84h+Key]
.text:667D81FF push    offset off_6685F730  ; Base
.text:667D8204 push    eax                  ; Key
.text:667D8205 mov     [esp+8Ch+var_1], 0
.text:667D820D call    esi                  ; bsearch
.text:667D820F mov     edi, eax
.text:667D8211 add     esp, 20h
.text:667D8214 test    edi, edi
.text:667D8216 jz      loc_667D840C

- -----/



9. *Report Timeline*

. 2010-04-28: Core notifies Microsoft of the undisclosed fix in MS10-028
[1] asking if the bug is related to the disclosed bugs and whether an
internal CVE was assigned.

. 2010-04-28: Microsoft asks if the bug is present in the patched
version of the library.

. 2010-04-28: Core replies that the bug is not present in the patched
version of the library, but that bulletin MS10-028 [1] associated with
the  patch makes no mention of either the bug or the fix. Core asks
again if the bug is related to the bugs disclosed in MS10-028 and
whether an internal  CVE was assigned.

. 2010-05-04: Advisory published.



10. *References*

[1] [http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx]
[2] [http://support.microsoft.com/kb/979364]


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security  technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and  simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and  prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools  for public use at:
[http://www.coresecurity.com/corelabs].


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process  for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security  assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables  organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading  technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA  and Buenos Aires, Argentina,
Core Security Technologies can be reached at 617-399-6980 or on the Web
at [http://www.coresecurity.com].


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no  fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvgbUoACgkQyNibggitWa3GTQCfT8WvlRzJ5JIs8aZV1YXoyGLB
gQIAnRFEX6sGm6I5w+lCkxO642UzM0kf
=++e0
-----END PGP SIGNATURE-----

[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux