Microsoft Office Visio DXF File Insertion Buffer Overflow

Core Security - CoreLabs


Microsoft Office Visio DXF File Insertion Buffer Overflow

1. Advisory Information

Title: Microsoft Office Visio DXF File Insertion Buffer Overflow

Advisory Id: CORE-2010-0428

Advisory URL: http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow

Date published: 2010-05-04

Date of last update: 2010-05-04

Vendors contacted: Microsoft

Release mode: User release

2. Vulnerability Information

Class: Buffer overflow [CWE-119]

Impact: Code execution

Remotely Exploitable: Yes (client-side)

Locally Exploitable: No

CVE Name: CVE-2010-1681

Bugtraq ID: 39836

3. Vulnerability Description

Microsoft Office Visio is vulnerable to a buffer overflow in VISIODWG.DLL, a DLL which is loaded when inserting a DXF file into a Visio document, either using drag-and-drop or "Insert, CAD drawing" from the menu bar. This bug can be exploited to execute arbitrary code with the privileges of the user running Visio. The bug was fixed in patch KB979364 [2] released with Microsoft Security Bulletin MS10-028 [1], but the bulletin contains no mention of either the bug or the fix.

4. Vulnerable packages

  • Microsoft Office Visio using VISIODWG.DLL version 10.0.5006.4

5. Non-vulnerable packages

  • Microsoft Office Visio using VISIODWG.DLL version 10.0.6880.4 (patched with KB979364 [2]).

6. Solutions and Workarounds

Apply patch KB979364 [2] included in bulletin MS10-028 [1].

7. Credits

This vulnerability was discovered and researched by Daniel Kazimirow, from Core Security Technologies. Publication was coordinated by Jorge Lucangeli Obes.

8. Technical Description / Proof of Concept Code

The vulnerability occurs in the VISIODWG.DLL library. At offset 74ef in the library there is an unsafe call to strcpy, which can be used to execute arbitrary code. This call is replaced with a call to strncpy, at offset 81e7 in the new version of the library.

Original:

.text:667D74E2 loc_667D74E2:
.text:667D74E2 mov     ecx, [edi+2428h]
.text:667D74E8 mov     edx, [esp+6Ch+Key]
.text:667D74EC inc     ecx
.text:667D74ED push    ecx                  ; Source
.text:667D74EE push    edx                  ; Dest
.text:667D74EF call    strcpy
.text:667D74F4 mov     esi, ds:bsearch
.text:667D74FA push    offset sub_667D7400  ; PtFuncCompare
.text:667D74FF push    0Ch                  ; ElementSize
.text:667D7501 push    0D5h                 ; NumOfElements
.text:667D7506 lea     eax, [esp+80h+Key]
.text:667D750A push    offset off_6685E730  ; Base
.text:667D750F push    eax                  ; Key
.text:667D7510 call    esi                  ; bsearch
.text:667D7512 mov     edi, eax
.text:667D7514 add     esp, 1Ch
.text:667D7517 test    edi, edi
.text:667D7519 jz      loc_667D770F


Patched:

.text:667D81D2 loc_667D81D2:
.text:667D81D2 mov     ecx, [edi+2430h]
.text:667D81D8 mov     edx, [esp+6Ch+Key]
.text:667D81DC mov     ebx, ds:strncpy       
.text:667D81E2 inc     ecx
.text:667D81E3 push    50h                  ; Count <-- MAX LENGTH
.text:667D81E5 push    ecx                  ; Source
.text:667D81E6 push    edx                  ; Dest
.text:667D81E7 call    ebx ; strncpy
.text:667D81E9 mov     esi, ds:bsearch
.text:667D81EF push    offset sub_667D80F0  ; PtFuncCompare
.text:667D81F4 push    0Ch                  ; ElementSize
.text:667D81F6 push    0D5h                 ; NumOfElements
.text:667D81FB lea     eax, [esp+84h+Key]
.text:667D81FF push    offset off_6685F730  ; Base
.text:667D8204 push    eax                  ; Key
.text:667D8205 mov     [esp+8Ch+var_1], 0
.text:667D820D call    esi                  ; bsearch
.text:667D820F mov     edi, eax
.text:667D8211 add     esp, 20h
.text:667D8214 test    edi, edi
.text:667D8216 jz      loc_667D840C

9. Report Timeline

  • 2010-04-28: Core notifies Microsoft of the undisclosed fix in MS10-028 [1] asking if the bug is related to the disclosed bugs and whether an internal CVE was assigned.
  • 2010-04-28: Microsoft asks if the bug is present in the patched version of the library.
  • 2010-04-28: Core replies that the bug is not present in the patched version of the library, but that bulletin MS10-028 [1] associated with the patch makes no mention of either the bug or the fix. Core asks again if the bug is related to the bugs disclosed in MS10-028 and whether an internal CVE was assigned.
  • 2010-05-04: Advisory published.

10. References

[1] http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx.
[2] http://support.microsoft.com/kb/979364.

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.

Locally Exploitable: 
no
Remotely Exploitable: 
no
  • Request Info

Research Blog