Microsoft Office Visio DXF File Insertion Buffer Overflow

Advisory ID Internal
CORE-2010-0428

1. Advisory Information

Title: Microsoft Office Visio DXF File Insertion Buffer Overflow
Advisory Id: CORE-2010-0428
Advisory URL: https://www.coresecurity.com/core-labs/advisories/ms-visio-dxf-buffer-overflow
Date published: 2010-05-04
Date of last update: 2010-05-04
Vendors contacted: Microsoft
Release mode: User release

2. Vulnerability Information

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-1681
Bugtraq ID: 39836

3. Vulnerability Description

Microsoft Office Visio is vulnerable to a buffer overflow in VISIODWG.DLL, a DLL which is loaded when inserting a DXF file into a Visio document, either using drag-and-drop or "Insert, CAD drawing" from the menu bar. This bug can be exploited to execute arbitrary code with the privileges of the user running Visio. The bug was fixed in patch KB979364 released with Microsoft Security Bulletin MS10-028, but the bulletin contains no mention of either the bug or the fix.

4. Vulnerable Packages

Microsoft Office Visio using VISIODWG.DLL version 10.0.5006.4

5. Non-vulnerable Packages

Microsoft Office Visio using VISIODWG.DLL version 10.0.6880.4 (patched with KB979364).

6. Solutions and Workarounds

Apply patch KB979364 included in bulletin MS10-028.

7. Credits

This vulnerability was discovered and researched by Daniel Kazimirow, from Core Security Technologies. Publication was coordinated by Jorge Lucangeli Obes.

8. Technical Description / Proof of Concept Code

The vulnerability occurs in the VISIODWG.DLL library. At offset 74ef in the library there is an unsafe call to strcpy, which can be used to execute arbitrary code. This call is replaced with a call to strncpy, at offset 81e7 in the new version of the library.

Original: .text:667D74E2 loc_667D74E2: .text:667D74E2 mov ecx, [edi+2428h] .text:667D74E8 mov edx, [esp+6Ch+Key] .text:667D74EC inc ecx .text:667D74ED push ecx ; Source .text:667D74EE push edx ; Dest .text:667D74EF call strcpy .text:667D74F4 mov esi, ds:bsearch .text:667D74FA push offset sub_667D7400 ; PtFuncCompare .text:667D74FF push 0Ch ; ElementSize .text:667D7501 push 0D5h ; NumOfElements .text:667D7506 lea eax, [esp+80h+Key] .text:667D750A push offset off_6685E730 ; Base .text:667D750F push eax ; Key .text:667D7510 call esi ; bsearch .text:667D7512 mov edi, eax .text:667D7514 add esp, 1Ch .text:667D7517 test edi, edi .text:667D7519 jz loc_667D770F Patched: .text:667D81D2 loc_667D81D2: .text:667D81D2 mov ecx, [edi+2430h] .text:667D81D8 mov edx, [esp+6Ch+Key] .text:667D81DC mov ebx, ds:strncpy .text:667D81E2 inc ecx .text:667D81E3 push 50h ; Count <-- MAX LENGTH .text:667D81E5 push ecx ; Source .text:667D81E6 push edx ; Dest .text:667D81E7 call ebx ; strncpy .text:667D81E9 mov esi, ds:bsearch .text:667D81EF push offset sub_667D80F0 ; PtFuncCompare .text:667D81F4 push 0Ch ; ElementSize .text:667D81F6 push 0D5h ; NumOfElements .text:667D81FB lea eax, [esp+84h+Key] .text:667D81FF push offset off_6685F730 ; Base .text:667D8204 push eax ; Key .text:667D8205 mov [esp+8Ch+var_1], 0 .text:667D820D call esi ; bsearch .text:667D820F mov edi, eax .text:667D8211 add esp, 20h .text:667D8214 test edi, edi .text:667D8216 jz loc_667D840C 

9. Report Timeline

  • 2010-04-28: Core notifies Microsoft of the undisclosed fix in MS10-028 asking if the bug is related to the disclosed bugs and whether an internal CVE was assigned.
  • 2010-04-28: Microsoft asks if the bug is present in the patched version of the library.
  • 2010-04-28: Core replies that the bug is not present in the patched version of the library, but that bulletin MS10-028 associated with the patch makes no mention of either the bug or the fix. Core asks again if the bug is related to the bugs disclosed in MS10-028 and whether an internal CVE was assigned.
  • 2010-05-04: Advisory published.

10. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/core-labs.

11. About Core Security 

Core Security develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, Core Impact, is the most comprehensive product for performing enterprise security assurance testing. Core Impact evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team.