Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability

Core Security - CoreLabs


Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability

1.
Advisory Information

Title: Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability
Advisory Id: CORE-2009-1103
Advisory URL: http://www.coresecurity.com/content/CORE-2009-1103

Date published: 2010-03-09
Date of last update: 2010-03-09
Vendors contacted: Microsoft
Release mode: Coordinated release

2.
Vulnerability Information

Class: Buffer overflow [CWE-119]

Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0264

3.
Vulnerability Description

A memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. This vulnerability could be used by a remote attacker to execute arbitrary code in the context of the currently logged on user, by enticing the user to open a specially crafted file.

4.
Vulnerable packages

  • Microsoft Excel 2002 (Office XP SP3)

5.
Non-vulnerable packages

  • Microsoft Office 2003
  • Microsoft Office 2007

6.
Vendor Information, Solutions and Workarounds

Microsoft has addressed this vulnerability by issuing an update located at http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx

7.
Credits

This vulnerability was discovered and researched by Damian Frizza from Core Security Technologies.

8.
Technical Description / Proof of Concept Code

A memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. The precise affected executable versions that we tested are:

  • EXCEL.exe version 10.0.6501
  • EXCEL.exe version 10.0.6854
  • EXCEL.exe version 10.0.6856

The vulnerable version is Microsoft Office Excel XP SP3.

According to the MSDN documentation [2] the DbOrParamQry record specifies a DbQuery or ParamQry record depending on the preceding record. The Record Query Parameters (ParamQry) offset DCh, contains information about ODBC parameterized queries. This record has the following format:

Offset  Name    Size  Contents
4      wTypeSql  2    Used for ODBC queries; the parameter SQL type
6      flags     2    Option flags

By modifying this record an exploitable condition can be triggered. An excerpt of the vulnerable code follows:

EXCEL!Ordinal41+2c20ce:
302c20ce 8b461c           mov     eax,[esi+0x1c]    ds:0023:0180aa98=0197013c
302c20d1 85c0             test    eax,eax
302c20d3 0f84e1000000     je      EXCEL!Ordinal41+0x2c21ba (302c21ba)  [br=0]
302c20d9 8b08             mov     ecx,[eax]         ds:0023:0197013c=00010001
302c20db 50               push    eax
302c20dc ff5108           call  dword ptr [ecx+0x8] ds:0023:00010009=5c003a00

Access violation - code c0000005 (first chance)
eax=0197013c ebx=00000001 ecx=00010001 edx=0000014c esi=0180aa7c edi=00000000
eip=5c003a00 esp=001363ec ebp=00136400 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
5c003a00 ??               ???


9.
Report Timeline

  • 2009-11-04:
    Core Security Technologies notifies the Microsoft team of the vulnerability and sends a Proof of Concept malformed file. Planned publication date is set to February 9th 2010.
  • 2009-11-04:
    Microsoft acknowledges receipt of the report, and opens case 9564 to track this issue.
  • 2009-11-19:
    Microsoft confirms that the reported bug is exploitable on Office 2002, and that it is a bulletin class issue. Microsoft analysis indicates that Office 2003 and Office 2007 are not affected by this vulnerability. Microsoft estimates that its projected release date will be later than February.
  • 2009-11-19:
    Core replies that it needs additional information about Microsoft fix development and testing process, in particular a concrete estimated date for the release of fixes, before rescheduling publication.
  • 2009-12-18:
    Microsoft communicates that the Office Excel Team has scheduled a fix for this issue for March 9th 2010, and requests that Core reschedules publication of its advisory to that date.
  • 2009-12-21:
    Core agrees to reschedule publication to March 9th 2010, and tells Microsoft that it's still waiting for their technical analysis of the bug.
  • 2010-01-28:
    Microsoft informs Core that it is still on track to release the patch for this vulnerability in March 2009.
  • 2010-02-18:
    Microsoft informs Core that unexpected issues will force them to postpone the bulletin release from March, and that they will try to release it in April 2010.
  • 2010-03-02:
    Microsoft tells Core that finally the patch for this issue will be released on March 9th 2010.
  • 2010-03-08:
    Core acknowledges receipt of the previous mail, and requests the URL of Microsoft's security bulletin to include in the vendor information section of its advisory.
  • 2010-03-09:
    The advisory CORE-2009-1103 is published.

10.
References

[1] Microsoft Security Bulletin MS10-017
http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx
[2] MSDN DbOrParamQry entry
http://msdn.microsoft.com/en-us/library/dd953289.aspx

11.
About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12.
About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13.
Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14.
PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.

Locally Exploitable: 
no
Remotely Exploitable: 
no
  • Book Demo

Research Blog