lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5F1EAFD327C4429BBC58F9BEE1C0E378@acros.si>
Date: Wed, 10 Nov 2010 14:23:19 +0100
From: "ACROS Security Lists" <lists@...os.si>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>,
	<cert@...t.org>, <si-cert@...es.si>
Subject: ASPR #2010-11-10-1: Remote Binary Planting in Microsoft PowerPoint 2010

=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2010-11-10-1
-------------------------------------------------------------------------
ASPR #2010-11-10-1: Remote Binary Planting in Microsoft PowerPoint 2010
=========================================================================

Document ID:     ASPR #2010-11-10-1-PUB
Vendor:          Microsoft Corp. (http://www.microsoft.com)
Target:          Microsoft PowerPoint 2010 for Windows
Impact:          Remote execution of arbitrary code
Severity:        Very high
Status:          Official patch available, workarounds available
Discovered by:   Simon Raner of ACROS Security

CVSS score:      9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE ID:          CVE-2010-3337
CWE ID:          CWE-426: Untrusted Search Path

Current version 
   http://www.acrossecurity.com/aspr/ASPR-2010-11-10-1-PUB.txt


Summary
=======

A "binary planting" [1] vulnerability in Microsoft PowerPoint 2010 for 
Windows allows local or remote (even Internet-based) attackers to deploy 
and execute malicious code on Windows machines in the context of logged-on 
users.


Product Coverage
================

- Microsoft PowerPoint 2010 for Windows


Analysis 
========

Note: A more detailed analysis of this bug is available at 
http://blog.acrossecurity.com/2010/11/analysis-of-microsoft-office-
2010.html (http://bit.ly/9KNXmv).

As a result of an incorrect dynamic link library loading in Microsoft 
PowerPoint 2010 for Windows, an attacker can cause her malicious DLL to be 
loaded and executed from local drives, remote Windows shares, and even 
shares located on Internet. 

All a remote attacker has to do is plant a malicious DLL with a specific 
name (pptimpconv.dll) on a network share and get the user to open a 
specially crafted PPTX file from this network location - which should 
require minimal social engineering. Once the user opens the file, Office's 
library mso.dll makes an unsafe call to LoadLibrary("pptimpconv.dll"). As 
this DLL is not present on the system, its malicious version gets loaded 
from the current working directory.

Windows systems by default have the Web Client service running - which 
makes remote network shares accessible via WebDAV -, thus the malicious 
DLL can also be deployed from an Internet-based network share as long as 
the intermediate firewalls allow outbound HTTP traffic to the Internet. 

A systematic attack could deploy malicious code to a large number of 
Windows workstations in a short period of time, possibly as an Internet 
worm.

Visit http://www.binaryplanting.com/ for more information on binary 
planting vulnerabilities and attacks.

Additional details are available to interested corporate and government 
customers under NDA, as public disclosure would reveal too many details on 
the vulnerability and unduly accelerate malicious exploitation.


Mitigating Factors 
==================

- A firewall blocking outbound WebDAV traffic (in addition to blocking all 
  Windows Networking protocols) could stop an Internet-based attack.

- Microsoft's CWDIllegalInDllSearch hotfix [2] can stop a network-based 
  exploitation of this vulnerability.


Solution 
========

Microsoft has issued a security bulletin [3] and published an update for
Microsoft PowerPoint 2010 that fixes this issue.


Workaround 
==========

- Stopping the Web Client service could stop Internet-based attacks as 
  long as the network firewall stops outbound Microsoft Networking 
  protocols. This would not, however, stop remote LAN-based attacks where 
  the attacker is able to place a malicious DLL on a network share inside 
  the target (e.g., corporate) network.
  
- General recommendations for limiting or stopping binary planting attacks 
  are available at 
  http://www.binaryplanting.com/guidelinesAdministrators.htm


Related Services
================

ACROS is offering professional consulting on this issue to interested 
corporate and government customers. Typical questions we can help you 
answer are:

1) To what extent is your organization affected by this issue?

2) Is it possible to get remote code from the Internet launched inside 
   your network? Can this be demonstrated?

3) Have you adequately applied the remedies to remove the vulnerability?

4) Are there circumstances in your environment that might prevent the 
   effectiveness of this fix?

5) Are there other workarounds that you could implement to fix this issue 
   more efficiently and/or inexpensively?

6) Are your systems or applications vulnerable to other similar issues?


Interested parties are encouraged to ask for more information at 
security@...ossecurity.com.


Background
==========

ACROS Security has performed an extensive Binary Planting research 
project, focused on various types of vulnerabilities where an attacker 
with low privileges can place (i.e., "plant") a malicious executable file 
(i.e., "binary") to some possibly remote location and get it launched by 
some vulnerable application running on user's computer. 

The research found that binary planting vulnerabilities are affecting a 
large percentage of Windows applications and often allowing for trivial 
exploitation: it identified ~520 remotely exploitable bugs in ~200 widely-
used Windows applications. A large majority of these vulnerabilties 
remain unfixed and publicly unknown at the time of this writing.

Find out more:
- http://www.binaryplanting.com
- http://blog.acrossecurity.com

Follow ACROS Security on Twitter to get immediate updates on the ongoing 
Binary Planting research and other research projects.
http://www.twitter.com/AcrosSecurity


References
==========

[1] Binary Planting - The Official Web Site
    http://www.binaryplanting.com/

[2] Microsoft's CWDIllegalInDllSearch hotfix
    http://support.microsoft.com/kb/2264107

[3] Microsoft Security Bulletin MS10-087 - Critical 
    http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@...ossecurity.com
web:    http://www.acrossecurity.com
phone:  +386 2 3000 280
fax:    +386 2 3000 282

ACROS Security PGP Key
   http://www.acrossecurity.com/pgpkey.asc
   [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
   http://www.acrossecurity.com/advisories.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the 
purpose of education and protection. ACROS d.o.o. shall in no event be 
liable for any damage whatsoever, direct or implied, arising from use or 
spread of this information. All identifiers (hostnames, IP addresses, 
company names, individual names etc.) used in examples and demonstrations 
are used only for explanatory purposes and have no connection with any 
real host, company or individual. In no event should it be assumed that 
use of these names means specific hosts, companies or individuals are 
vulnerable to any attacks nor does it mean that they consent to being used 
in any vulnerability tests. The use of information in this report is 
entirely at user's risk.


Revision History
================

November 10, 2010: Initial release


Copyright
=========

(c) 2010 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ