BugTraq
[CORE-2010-0428] Microsoft Office Visio DXF File Insertion Buffer Overflow May 04 2010 06:54PM
Core Security Technologies Advisories Team (advisories coresecurity com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://corelabs.coresecurity.com/

Microsoft Office Visio DXF File Insertion Buffer Overflow

1. *Advisory Information*

Title: Microsoft Office Visio DXF File Insertion Buffer Overflow
Advisory Id: CORE-2010-0428
Advisory URL:
[http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow]
Date published: 2010-05-04
Date of last update: 2010-05-04
Vendors contacted: Microsoft
Release mode: User release

2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-1681
Bugtraq ID: 39836

3. *Vulnerability Description*

Microsoft Office Visio is vulnerable to a buffer overflow in
'VISIODWG.DLL', a DLL which is loaded when inserting a DXF file into a
Visio document, either using drag-and-drop or "Insert, CAD drawing"
from the menu bar. This bug can be exploited to execute arbitrary code
with the privileges of the user running Visio. The bug was fixed in
patch KB979364 [2] released with Microsoft Security Bulletin MS10-028
[1], but the bulletin contains no mention of either the bug or the fix.

4. *Vulnerable packages*

. Microsoft Office Visio using VISIODWG.DLL version 10.0.5006.4

5. *Non-vulnerable packages*

. Microsoft Office Visio using VISIODWG.DLL version 10.0.6880.4
(patched with KB979364 [2]).

6. *Solutions and Workarounds*

Apply patch KB979364 [2] included in bulletin MS10-028 [1].

7. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow,
from Core Security Technologies. Publication was coordinated by Jorge
Lucangeli Obes.

8. *Technical Description*

The vulnerability occurs in the 'VISIODWG.DLL' library. At offset '74ef'
in the library there is an unsafe call to 'strcpy', which can be used to
execute arbitrary code. This call is replaced with a call to 'strncpy',
at offset '81e7' in the new version of the library.

/-----
Original:

.text:667D74E2 loc_667D74E2:
.text:667D74E2 mov ecx, [edi+2428h]
.text:667D74E8 mov edx, [esp+6Ch+Key]
.text:667D74EC inc ecx
.text:667D74ED push ecx ; Source
.text:667D74EE push edx ; Dest
.text:667D74EF call strcpy
.text:667D74F4 mov esi, ds:bsearch
.text:667D74FA push offset sub_667D7400 ; PtFuncCompare
.text:667D74FF push 0Ch ; ElementSize
.text:667D7501 push 0D5h ; NumOfElements
.text:667D7506 lea eax, [esp+80h+Key]
.text:667D750A push offset off_6685E730 ; Base
.text:667D750F push eax ; Key
.text:667D7510 call esi ; bsearch
.text:667D7512 mov edi, eax
.text:667D7514 add esp, 1Ch
.text:667D7517 test edi, edi
.text:667D7519 jz loc_667D770F

Patched:

.text:667D81D2 loc_667D81D2:
.text:667D81D2 mov ecx, [edi+2430h]
.text:667D81D8 mov edx, [esp+6Ch+Key]
.text:667D81DC mov ebx, ds:strncpy
.text:667D81E2 inc ecx
.text:667D81E3 push 50h ; Count <-- MAX LENGTH
.text:667D81E5 push ecx ; Source
.text:667D81E6 push edx ; Dest
.text:667D81E7 call ebx ; strncpy
.text:667D81E9 mov esi, ds:bsearch
.text:667D81EF push offset sub_667D80F0 ; PtFuncCompare
.text:667D81F4 push 0Ch ; ElementSize
.text:667D81F6 push 0D5h ; NumOfElements
.text:667D81FB lea eax, [esp+84h+Key]
.text:667D81FF push offset off_6685F730 ; Base
.text:667D8204 push eax ; Key
.text:667D8205 mov [esp+8Ch+var_1], 0
.text:667D820D call esi ; bsearch
.text:667D820F mov edi, eax
.text:667D8211 add esp, 20h
.text:667D8214 test edi, edi
.text:667D8216 jz loc_667D840C

- -----/

9. *Report Timeline*

. 2010-04-28: Core notifies Microsoft of the undisclosed fix in MS10-028
[1] asking if the bug is related to the disclosed bugs and whether an
internal CVE was assigned.

. 2010-04-28: Microsoft asks if the bug is present in the patched
version of the library.

. 2010-04-28: Core replies that the bug is not present in the patched
version of the library, but that bulletin MS10-028 [1] associated with
the patch makes no mention of either the bug or the fix. Core asks
again if the bug is related to the bugs disclosed in MS10-028 and
whether an internal CVE was assigned.

. 2010-05-04: Advisory published.

10. *References*

[1] [http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx]
[2] [http://support.microsoft.com/kb/979364]

11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://www.coresecurity.com/corelabs].

12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina,
Core Security Technologies can be reached at 617-399-6980 or on the Web
at [http://www.coresecurity.com].

13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.
asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvgbUoACgkQyNibggitWa3GTQCfT8WvlRzJ5JIs8aZV1YXoyGLB
gQIAnRFEX6sGm6I5w+lCkxO642UzM0kf
=++e0
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus