[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50D13E31158CB84E8421A703294682FB14205925CA@USEXCHANGE.ad.checkpoint.com>
Date: Tue, 10 Aug 2010 18:06:42 -0700
From: Rodrigo Branco <rbranco@...ckpoint.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Microsoft Office Word HTML Linked Objects Memory Corruption
Vulnerability - CVE-2010-1903
Dear List,
I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/
Microsoft Office Word HTML Linked Objects Memory Corruption Vulnerability
CVE-2010-1903 - MS10-056
INTRODUCTION
There exists a vulnerability within the way Word handles html linked objects, which leads
to attacker controlled memory write and code execution.
There is a poc.doc file that demonstrates the vulnerability and is available to interested
parts.
This problem was confirmed in the following versions of Word and Windows, other versions
may be also affected.
Microsoft Office XP Service Pack 3 and older
Microsoft Office 2003 Service Pack 3 and older
2007 Microsoft Office System Service Pack 2 and older
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML file format converter for Mac
Microsoft Office Word Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
Microsoft Works 9
CVSS Scoring System
The CVSS score is: 8.6
Base Score: 10
Temporal Score: 8.6
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal score is: E:POC/RL:U/RC:UR
TRIGGERING THE PROBLEM
The problem is triggered by a PoC available only to interested parts which causes invalid memory write in
all the referred versions.
DETAILS
Opening the attached poc.doc file and breaking in the following call, we see:
eax=00126c5c ebx=00126c40 ecx=00000000 edx=00000001 esi=00944001 edi=00000000
eip=3179fd74 esp=00126b9c ebp=00126bc0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
wwlib!DllGetClassObject+0x7fe9e:
3179fd74 e87bf9ffff call wwlib!DllGetClassObject+0x7f81e (3179f6f4)
Disassembling the code:
0:000> u
wwlib!DllGetClassObject+0x7fe9e:
3179fd74 e87bf9ffff call wwlib!DllGetClassObject+0x7f81e (3179f6f4)
3179fd79 3bf7 cmp esi,edi
3179fd7b 8b4310 mov eax,dword ptr [ebx+10h]
3179fd7e 894508 mov dword ptr [ebp+8],eax
3179fd81 7404 je wwlib!DllGetClassObject+0x7feb1 (3179fd87)
3179fd83 66893c46 mov word ptr [esi+eax*2],di
3179fd87 397b2c cmp dword ptr [ebx+2Ch],edi
3179fd8a 740e je wwlib!DllGetClassObject+0x7fec4 (3179fd9a)
The faulting instruction is at address 3179fd83, where di and eax are NULL and esi a
fixed value. The value eax is copied from the stack. The same with the di register.
Stepping into the first called function:
0:000> u 3179f6f4
wwlib!DllGetClassObject+0x7f81e:
3179f6f4 55 push ebp
3179f6f5 8bec mov ebp,esp
3179f6f7 81ecb8010000 sub esp,offset <Unloaded_dui.DLL>+0x187 (000001b8)
3179f6fd a170474831 mov eax,dword ptr [wwlib+0x244770 (31484770)]
3179f702 33c5 xor eax,ebp
3179f704 8945fc mov dword ptr [ebp-4],eax
3179f707 838db0feffffff or dword ptr [ebp-150h],0FFFFFFFFh
3179f70e 33c9 xor ecx,ecx
The stack trace information:
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00126bc0 315d18cb wwlib!DllGetClassObject+0x7fe9e
00126d8c 315d02f7 wwlib!FMain+0x133a26
00126e18 315cf42f wwlib!FMain+0x132452
00127430 315cefc0 wwlib!FMain+0x13158a
0012763c 315ce9ba wwlib!FMain+0x13111b
001276d4 6bdd1d83 wwlib!FMain+0x130b15
00127784 6bdd24c8 MSPTLS!LssbFIsSublineEmpty+0x22cb
00127804 6bddf8e0 MSPTLS!LssbFIsSublineEmpty+0x2a10
00127868 6bddff5d MSPTLS!LssbFIsSublineEmpty+0xfe28
00127898 6bddf1ef MSPTLS!LssbFIsSublineEmpty+0x104a5
00127a9c 6bdc4b85 MSPTLS!LssbFIsSublineEmpty+0xf737
00127ad0 318e1917 MSPTLS!LsCreateLine+0x23
00127b44 3181c5f8 wwlib!DllGetClassObject+0x1c1a41
00127bac 31549412 wwlib!DllGetClassObject+0xfc722
00127c9c 6be51b06 wwlib!FMain+0xab56d
00127d3c 6be5c63a MSPTLS!FsDestroyMemory+0x1ee39
00127eb4 6be5c92b MSPTLS!FsDestroyMemory+0x2996d
00127f00 6be36d4d MSPTLS!FsDestroyMemory+0x29c5e
00127f6c 6be37f7b MSPTLS!FsDestroyMemory+0x4080
00128078 6be4e8ca MSPTLS!FsDestroyMemory+0x52ae
!exploitable output:
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at wwlib!DllGetClassObject+0x000000000007fead (Hash=0x43317a27.0x44020844)
User mode write access violations that are not near NULL are exploitable.
This vulnerability can be remotely triggered if an user choose to open a .doc while using IE or any other browser (in
IE it will spawn a winword.exe process inside the browser, but the process remains as a new one).
CREDITS
This vulnerability was discovered and researched by Rodrigo Rubira Branco from
Check Point Vulnerability Discovery Team (VDT).
Best Regards,
Rodrigo.
--
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
Powered by blists - more mailing lists