[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Microsoft Office Word HTML Linked Objects Memory Corruption Vulnerability - CVE-2010-1903

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.

Check Point Software Technologies - Vulnerability Discovery Team (VDT)

Microsoft Office Word HTML Linked Objects Memory Corruption Vulnerability
CVE-2010-1903 - MS10-056


There exists a vulnerability within the way Word handles html linked objects, which leads 
to attacker controlled memory write and code execution.

There is a poc.doc file that demonstrates the vulnerability and is available to interested

This problem was confirmed in the following versions of Word and Windows, other versions 
may be also affected.

Microsoft Office XP Service Pack 3 and older
Microsoft Office 2003 Service Pack 3 and older
2007 Microsoft Office System Service Pack 2 and older
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML file format converter for Mac
Microsoft Office Word Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
Microsoft Works 9

CVSS Scoring System

The CVSS score is: 8.6
	Base Score: 10
	Temporal Score: 8.6
We used the following values to calculate the scores:
	Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C
	Temporal score is: E:POC/RL:U/RC:UR


The problem is triggered by a PoC available only to interested parts which causes invalid memory write in
all the referred versions.


Opening the attached poc.doc file and breaking in the following call, we see:

eax=00126c5c ebx=00126c40 ecx=00000000 edx=00000001 esi=00944001 edi=00000000
eip=3179fd74 esp=00126b9c ebp=00126bc0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
3179fd74 e87bf9ffff      call    wwlib!DllGetClassObject+0x7f81e (3179f6f4)

Disassembling the code:

0:000> u
3179fd74 e87bf9ffff      call    wwlib!DllGetClassObject+0x7f81e (3179f6f4)
3179fd79 3bf7            cmp     esi,edi
3179fd7b 8b4310          mov     eax,dword ptr [ebx+10h]
3179fd7e 894508          mov     dword ptr [ebp+8],eax
3179fd81 7404            je      wwlib!DllGetClassObject+0x7feb1 (3179fd87)
3179fd83 66893c46        mov     word ptr [esi+eax*2],di
3179fd87 397b2c          cmp     dword ptr [ebx+2Ch],edi
3179fd8a 740e            je      wwlib!DllGetClassObject+0x7fec4 (3179fd9a)

The faulting instruction is at address 3179fd83, where di and eax are NULL and esi a
fixed value.  The value eax is copied from the stack.  The same with the di register.

Stepping into the first called function:

0:000> u 3179f6f4
3179f6f4 55              push    ebp
3179f6f5 8bec            mov     ebp,esp
3179f6f7 81ecb8010000    sub     esp,offset <Unloaded_dui.DLL>+0x187 (000001b8)
3179f6fd a170474831      mov     eax,dword ptr [wwlib+0x244770 (31484770)]
3179f702 33c5            xor     eax,ebp
3179f704 8945fc          mov     dword ptr [ebp-4],eax
3179f707 838db0feffffff  or      dword ptr [ebp-150h],0FFFFFFFFh
3179f70e 33c9            xor     ecx,ecx

The stack trace information:

0:000> k
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
00126bc0 315d18cb wwlib!DllGetClassObject+0x7fe9e
00126d8c 315d02f7 wwlib!FMain+0x133a26
00126e18 315cf42f wwlib!FMain+0x132452
00127430 315cefc0 wwlib!FMain+0x13158a
0012763c 315ce9ba wwlib!FMain+0x13111b
001276d4 6bdd1d83 wwlib!FMain+0x130b15
00127784 6bdd24c8 MSPTLS!LssbFIsSublineEmpty+0x22cb
00127804 6bddf8e0 MSPTLS!LssbFIsSublineEmpty+0x2a10
00127868 6bddff5d MSPTLS!LssbFIsSublineEmpty+0xfe28
00127898 6bddf1ef MSPTLS!LssbFIsSublineEmpty+0x104a5
00127a9c 6bdc4b85 MSPTLS!LssbFIsSublineEmpty+0xf737
00127ad0 318e1917 MSPTLS!LsCreateLine+0x23
00127b44 3181c5f8 wwlib!DllGetClassObject+0x1c1a41
00127bac 31549412 wwlib!DllGetClassObject+0xfc722
00127c9c 6be51b06 wwlib!FMain+0xab56d
00127d3c 6be5c63a MSPTLS!FsDestroyMemory+0x1ee39
00127eb4 6be5c92b MSPTLS!FsDestroyMemory+0x2996d
00127f00 6be36d4d MSPTLS!FsDestroyMemory+0x29c5e
00127f6c 6be37f7b MSPTLS!FsDestroyMemory+0x4080
00128078 6be4e8ca MSPTLS!FsDestroyMemory+0x52ae

!exploitable output:
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at wwlib!DllGetClassObject+0x000000000007fead (Hash=0x43317a27.0x44020844)
User mode write access violations that are not near NULL are exploitable.

This vulnerability can be remotely triggered if an user choose to open a .doc while using IE or any other browser (in
IE it will spawn a winword.exe process inside the browser, but the process remains as a new one).


This vulnerability was discovered and researched by Rodrigo Rubira Branco from 
Check Point Vulnerability Discovery Team (VDT).

Best Regards,
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies