ID

VAR-201002-0650

CVE

CVE-2010-0243

TITLE

Microsoft Office of MSO.DLL Vulnerable to buffer overflow

DESCRIPTION

Buffer overflow in MSO.DLL in Microsoft Office XP SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Office document, aka "MSO.DLL Buffer Overflow.". Microsoft Office is prone to a remote code-execution vulnerability. An attacker could exploit this issue by enticing a victim to open a malicious Office file. Successful exploits would allow the attacker to execute arbitrary code in the context of the currently logged-in user. The vulnerability is caused due to an error when parsing OfficeArtSpgr containers and can be exploited to cause a buffer overflow via a specially crafted Office file. SOLUTION: Apply patches. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability 1. *Advisory Information* Title: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability Advisory Id: CORE-2009-0827 Advisory URL: http://www.coresecurity.com/content/excel-buffer-overflow Date published: 2010-02-09 Date of last update: 2010-02-08 Vendors contacted: Microsoft Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow [CWE-119] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No Bugtraq ID: 38073 CVE Name: CVE-2010-0243 3. *Vulnerability Description* A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user. 4. *Vulnerable packages* . *Non-vulnerable packages* . Open XML File Format Converter for Mac . PowerPoint Viewer 2007 Service Pack 1 and PowerPoint Viewer 2007 Service Pack 2 . Visio Viewer 2007 Service Pack 1 and Visio Viewer 2007 Service Pack 2 . Microsoft Works 8.5 . Microsoft Works 9 6. *Vendor Information, Solutions and Workarounds* Microsoft has addressed this vulnerability by issuing an update located at http://www.microsoft.com/technet/security/bulletin/MS10-003.msp 7. *Credits* This vulnerability was discovered and researched by Damian Frizza from Core Security Technologies during Bugweek 2009 [1]. 8. *Technical Description / Proof of Concept Code* 8.1. *Excel / Word - OfficeArtSpgr container - invalid recType value leads to attacker controlled pointer usage [MSRC 9368]* A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user. The precise affected executable version we tested is 'Excel.exe v10.0.6854' and the DLL is 'mso.dll v10.0.6845' Likely attack vectors include: . Targeted attacks involving e-mailed malicious files combined with social engineering to entice the user to open the malicious attachment. Targeted attacks involving malicious files hosted on a remote web site combined with social engineering to entice the user to open the malicious attachment. The root cause description of the vulnerability is that there is no check to make sure that there is a valid group before loading the SPGR from the file. A disassembly of the vulnerable code follows: /----- 30BDE405 CMP ECX,0F003 30BDE40B JB mso.30EFD183 30BDE411 CMP ECX,0F004 30BDE417 JA mso.30BDE4C8 30BDE41D XOR ESI,ESI 30BDE41F LEA EAX,DWORD PTR SS:[EBP-8] 30BDE422 PUSH ESI 30BDE423 PUSH EAX 30BDE424 PUSH EDI 30BDE425 MOV ECX,EBX 30BDE427 CALL mso.30BDEC18 30BDE42C TEST EAX,EAX 30BDE42E JE mso.30EFD21A 30BDE434 MOV EDX,DWORD PTR SS:[EBP-8] 30BDE437 MOV EAX,DWORD PTR DS:[EDX+50] 30BDE43A TEST AL,10 30BDE43C JE mso.30BDE356 30BDE442 TEST AL,4 30BDE444 JE mso.30EFD21A 30BDE44A CMP WORD PTR DS:[EDX+24],SI 30BDE44E JNZ mso.30EFD21A 30BDE454 PUSH 23 30BDE456 LEA EDI,DWORD PTR DS:[EBX+90] 30BDE45C POP ECX 30BDE45D MOV ESI,EDX 30BDE45F LEA EAX,DWORD PTR DS:[EBX+F0] 30BDE465 ADD EDX,58 30BDE468 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] 30BDE46A CMP DWORD PTR DS:[EAX],EDX 30BDE46C MOV DWORD PTR DS:[EBX+CC],EBX 30BDE472 JE mso.30EFD12E 30BDE478 MOV ECX,DWORD PTR DS:[EAX] 30BDE47A MOV DWORD PTR DS:[ECX],EAX ;*Access Violation On Write* registers eax=017f068c ebx=017f059c ecx=0e000e00 edx=017f0870 esi=017f08a4 edi=017f06b8 eip=30dd70cc esp=00137674 ebp=00137714 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 - -----/ 8.2. *Memory Corruption related to Graphic Description [MSRC case 9562]* Core Security Technologies reported a second bug in Excel which resulted non exploitable. In its investigation, MSRC has analyzed BIFF5++, BIFF4, and BIFF2 file formats for exploitability of this vulnerability. MSRC has been unable to reproduce it in such a way that an exploitable condition occurs. 9. *Report Timeline* . 2009-09-04: Core Security Technologies notifies the Microsoft team of the vulnerability #1 and sends a Proof of Concept malformed file. 2009-09-04: Microsoft acknowledges receipt of the vulnerability report, and opens MSRC case 9368 to track this issue. 2009-09-07: Core sends a second Proof of Concept malformed file triggering vulnerability #2 in Excel 2000/2002. 2009-09-08: The Microsoft team acknowledges receipt of the information and estimates that they will have more detailed information in two weeks. They inform us that they will send updated information on the fix release date as the investigation progresses. 2009-09-14: Core acknowledges receipt of the previous mail from the Microsoft team and reminds them that the publication date proposed by Core is November 24th, 2009. 2009-09-14: Core requests Microsoft's analysis of the second reported bug. 2009-09-14: Microsoft confirms that the first bug reported on Excel is exploitable and that they are working on defining a ship date. Microsoft also states that the bug reported as MSRC case 9154 / CORE-2009-0504 is not exploitable and no security bulletin will be issued for that case. 2009-09-16: Core notifies the Microsoft team that there has been a misunderstanding, and that the bug MSRC case 9154 / CORE-2009-0504 was dismissed as not exploitable in July 2009. Core sends again the Proof of Concepts for the two bugs reported as CORE-2009-0827. 2009-09-17: Microsoft requests Core to hold off the publication of the advisory CORE-2009-0827 until Microsoft comes up with a plan to fix the vulnerability. 2009-09-21: Core notifies the Microsoft team that it had made a mistake in the names of the Proof of Concept files that lead to further confusion. Core confirms that two new bugs were reported and that the third non-exploitable bug belongs to another previous case/advisory. The Excel Proof of Concept files are sent again including identifier CORE-2009-0827. 2009-09-22: The Microsoft team acknowledges the clarification sent by Core and estimates that they will have a deeper analysis of the proof of concept #2 sent by Core in a few days. 2009-10-26: Core sends a summary of the status of the reported vulnerabilities, and requests from Microsoft additional information about its technical analysis of the reported bugs (in particular concerning exploitability of the second bug) and about its schedule to produce fixes. 2009-10-27: Microsoft confirms that they have reproduced the reported bugs, and communicates that they will be unable to release updates for these issues until February 9th, 2010. 2009-10-28: Core communicates that it is willing to reschedule the publication of its advisory provided that Microsoft gives technical information that justifies this decision. 2009-11-02: Microsoft explains that in general both the product team (in this case within Office) as well as MSRC Engineering team look for potential variant bugs for each vulnerability that is reported to them. This is followed by the development of a fix, and the testing of the fix. Microsoft states that it will be able to share additional technical information (requested by Core) about 3-4 weeks before release. 2009-11-02: Core confirms that it will reschedule publication of its advisory to February 9th, 2010, and that it looks forward to receiving technical information about the vulnerabilities. 2009-11-02: Microsoft acknowledges receipt of the previous communication. 2009-11-03: Core asks whether Microsoft considers the two bugs that have been reported as variants of the same problem, or as different issues. 2009-11-06: Microsoft replies that the vulnerability #2 has been lost in the mix, explains how MSRC triage officers assign MSRC tracking case numbers. The vulnerability #2 is assigned MSRC case 9562. 2009-11-06: Core confirms that it considers the second bug (MSRC 9562) to be a different bug than MSRC 9368. 2009-11-18: Microsoft sends a technical analysis of bug MSRC 9562, indicating that this bug causes Excel to crash safely. 2009-12-02: Microsoft sends technical information about bug MSRC 9368, including the root cause of the problem and the list of affected versions. 2009-12-16: Microsoft sends further analysis of bug MSRC 9562, which has been analyzed in conjunction with the reported bug MSRC case 9326 in Virtual PC. MSRC indicates that it has been unable to reproduce an exploitable condition using the Excel bug (MSRC 9562). 2009-12-22: Core acknowledges receipt of the analysis of bug MSRC 9562, and agrees with the technical analysis. 2009-12-18: Microsoft sends a spreadsheet summarising Core cases, which indicates that fixes are confirmed to be released on March 9th 2010. 2009-12-21: Core acknowledges receipt of the technical information, and asks Microsoft whether the release of a fixed version has moved to March 9th 2010. 2009-12-21: Microsoft replies that the ship date for the vulnerability MSRC 9368 in MSO.dll is still February 9th 2010 (the spreadsheet contained a clerical error). 2010-02-01: Core requests MSRC the list of non vulnerable versions of Excel / Office, and a statement for the "vendor information" section of the advisory. 2010-02-03: Microsoft sends the CVE identifier for the vulnerability, and the list of affected and non affected software. 2010-02-09: The advisory CORE-2009-0827 is published. 10. *References* [1] About Core Security's Bugweek http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek [2] Microsoft Security Bulletin MS10-003 http://www.microsoft.com/technet/security/bulletin/MS10-003.msp 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 12. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAktxq9cACgkQyNibggitWa2ZfgCgsgImwlV9D+uNQnuzgmWefT8U BngAn06q1Ub1HhaqeKBigZaI3SCCPFg3 =Cmi1 -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA10-040A Microsoft Updates for Multiple Vulnerabilities Original release date: Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows and Windows Server * Microsoft Internet Explorer * Microsoft Office Overview Microsoft has released updates to address vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office. Description Microsoft has released multiple security bulletins for critical vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office. II. III. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). IV. References * Microsoft Security Bulletin Summary for February 2010 - <http://www.microsoft.com/technet/security/bulletin/MS10-feb.mspx> * Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA10-040A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA10-040A Feedback VU#799780" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2010 by US-CERT, a government organization

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

buffer error

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Damian Frizza

SOURCES

LAST UPDATE DATE

2024-08-14T12:54:33.147000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE