Core Security Technologies Advisory - A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user.
d40c00bfca38691caa302cc240a65cfb4055b89ee51b20a1b18ce6051b11c60e
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite
Vulnerability
1. *Advisory Information*
Title: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer
Overwrite Vulnerability
Advisory Id: CORE-2009-0827
Advisory URL: http://www.coresecurity.com/content/excel-buffer-overflow
Date published: 2010-02-09
Date of last update: 2010-02-08
Vendors contacted: Microsoft
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 38073
CVE Name: CVE-2010-0243
3. *Vulnerability Description*
A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and
Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr
(recType 0xF003) containers that allows an attacker to cause a class
pointer to be interpreted incorrectly, leading to code execution in the
context of the currently logged on user.
4. *Vulnerable packages*
. Microsoft Office XP Service Pack 3
. Microsoft Office 2004 for Mac
5. *Non-vulnerable packages*
. Microsoft Office 2003 Service Pack 3
. 2007 Microsoft Office System Service Pack 1
. 2007 Microsoft Office System Service Pack 2
. Microsoft Office 2008 for Mac
. Open XML File Format Converter for Mac
. Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office
Excel Viewer Service Pack 2
. Microsoft Office Word Viewer
. PowerPoint Viewer 2007 Service Pack 1 and PowerPoint Viewer 2007
Service Pack 2
. Visio Viewer 2007 Service Pack 1 and Visio Viewer 2007 Service Pack 2
. Microsoft Works 8.5
. Microsoft Works 9
6. *Vendor Information, Solutions and Workarounds*
Microsoft has addressed this vulnerability by issuing an update located
at http://www.microsoft.com/technet/security/bulletin/MS10-003.msp
7. *Credits*
This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies during Bugweek 2009 [1].
8. *Technical Description / Proof of Concept Code*
8.1. *Excel / Word - OfficeArtSpgr container - invalid recType value
leads to attacker controlled pointer usage [MSRC 9368]*
A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and
Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr
(recType 0xF003) containers that allows an attacker to cause a class
pointer to be interpreted incorrectly, leading to code execution in the
context of the currently logged on user.
The precise affected executable version we tested is 'Excel.exe
v10.0.6854' and the DLL is 'mso.dll v10.0.6845'
Likely attack vectors include:
. Targeted attacks involving e-mailed malicious files combined with
social engineering to entice the user to open the malicious attachment.
. Targeted attacks involving malicious files hosted on a remote web
site combined with social engineering to entice the user to open the
malicious attachment.
The root cause description of the vulnerability is that there is no
check to make sure that there is a valid group before loading the SPGR
from the file.
A disassembly of the vulnerable code follows:
/-----
30BDE405 CMP ECX,0F003
30BDE40B JB mso.30EFD183
30BDE411 CMP ECX,0F004
30BDE417 JA mso.30BDE4C8
30BDE41D XOR ESI,ESI
30BDE41F LEA EAX,DWORD PTR SS:[EBP-8]
30BDE422 PUSH ESI
30BDE423 PUSH EAX
30BDE424 PUSH EDI
30BDE425 MOV ECX,EBX
30BDE427 CALL mso.30BDEC18
30BDE42C TEST EAX,EAX
30BDE42E JE mso.30EFD21A
30BDE434 MOV EDX,DWORD PTR SS:[EBP-8]
30BDE437 MOV EAX,DWORD PTR DS:[EDX+50]
30BDE43A TEST AL,10
30BDE43C JE mso.30BDE356
30BDE442 TEST AL,4
30BDE444 JE mso.30EFD21A
30BDE44A CMP WORD PTR DS:[EDX+24],SI
30BDE44E JNZ mso.30EFD21A
30BDE454 PUSH 23
30BDE456 LEA EDI,DWORD PTR DS:[EBX+90]
30BDE45C POP ECX
30BDE45D MOV ESI,EDX
30BDE45F LEA EAX,DWORD PTR DS:[EBX+F0]
30BDE465 ADD EDX,58
30BDE468 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
30BDE46A CMP DWORD PTR DS:[EAX],EDX
30BDE46C MOV DWORD PTR DS:[EBX+CC],EBX
30BDE472 JE mso.30EFD12E
30BDE478 MOV ECX,DWORD PTR DS:[EAX]
30BDE47A MOV DWORD PTR DS:[ECX],EAX ;*Access Violation On Write*
registers
eax=017f068c ebx=017f059c ecx=0e000e00 edx=017f0870 esi=017f08a4
edi=017f06b8
eip=30dd70cc esp=00137674 ebp=00137714 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
- -----/
8.2. *Memory Corruption related to Graphic Description [MSRC case 9562]*
Core Security Technologies reported a second bug in Excel which resulted
non exploitable. In its investigation, MSRC has analyzed BIFF5++, BIFF4,
and BIFF2 file formats for exploitability of this vulnerability. MSRC
has been unable to reproduce it in such a way that an exploitable
condition occurs.
9. *Report Timeline*
. 2009-09-04:
Core Security Technologies notifies the Microsoft team of the
vulnerability #1 and sends a Proof of Concept malformed file.
. 2009-09-04:
Microsoft acknowledges receipt of the vulnerability report, and opens
MSRC case 9368 to track this issue.
. 2009-09-07:
Core sends a second Proof of Concept malformed file triggering
vulnerability #2 in Excel 2000/2002.
. 2009-09-08:
The Microsoft team acknowledges receipt of the information and estimates
that they will have more detailed information in two weeks.
. 2009-09-11:
The Microsoft team confirms that vulnerability #1 is exploitable. They
inform us that they will send updated information on the fix release
date as the investigation progresses.
. 2009-09-14:
Core acknowledges receipt of the previous mail from the Microsoft team
and reminds them that the publication date proposed by Core is November
24th, 2009.
. 2009-09-14:
Core requests Microsoft's analysis of the second reported bug.
. 2009-09-14:
Microsoft confirms that the first bug reported on Excel is exploitable
and that they are working on defining a ship date. Microsoft also states
that the bug reported as MSRC case 9154 / CORE-2009-0504 is not
exploitable and no security bulletin will be issued for that case.
. 2009-09-16:
Core notifies the Microsoft team that there has been a misunderstanding,
and that the bug MSRC case 9154 / CORE-2009-0504 was dismissed as not
exploitable in July 2009. Core sends again the Proof of Concepts for the
two bugs reported as CORE-2009-0827.
. 2009-09-17:
Microsoft requests Core to hold off the publication of the advisory
CORE-2009-0827 until Microsoft comes up with a plan to fix the
vulnerability.
. 2009-09-21:
Core notifies the Microsoft team that it had made a mistake in the names
of the Proof of Concept files that lead to further confusion. Core
confirms that two new bugs were reported and that the third
non-exploitable bug belongs to another previous case/advisory. The Excel
Proof of Concept files are sent again including identifier CORE-2009-0827.
. 2009-09-22:
The Microsoft team acknowledges the clarification sent by Core and
estimates that they will have a deeper analysis of the proof of concept
#2 sent by Core in a few days.
. 2009-10-26:
Core sends a summary of the status of the reported vulnerabilities, and
requests from Microsoft additional information about its technical
analysis of the reported bugs (in particular concerning exploitability
of the second bug) and about its schedule to produce fixes.
. 2009-10-27:
Microsoft confirms that they have reproduced the reported bugs, and
communicates that they will be unable to release updates for these
issues until February 9th, 2010.
. 2009-10-28:
Core communicates that it is willing to reschedule the publication of
its advisory provided that Microsoft gives technical information that
justifies this decision.
. 2009-11-02:
Microsoft explains that in general both the product team (in this case
within Office) as well as MSRC Engineering team look for potential
variant bugs for each vulnerability that is reported to them. This is
followed by the development of a fix, and the testing of the fix.
Microsoft states that it will be able to share additional technical
information (requested by Core) about 3-4 weeks before release.
. 2009-11-02:
Core confirms that it will reschedule publication of its advisory to
February 9th, 2010, and that it looks forward to receiving technical
information about the vulnerabilities.
. 2009-11-02:
Microsoft acknowledges receipt of the previous communication.
. 2009-11-03:
Core asks whether Microsoft considers the two bugs that have been
reported as variants of the same problem, or as different issues.
. 2009-11-06:
Microsoft replies that the vulnerability #2 has been lost in the mix,
explains how MSRC triage officers assign MSRC tracking case numbers. The
vulnerability #2 is assigned MSRC case 9562.
. 2009-11-06:
Core confirms that it considers the second bug (MSRC 9562) to be a
different bug than MSRC 9368.
. 2009-11-18:
Microsoft sends a technical analysis of bug MSRC 9562, indicating that
this bug causes Excel to crash safely.
. 2009-12-02:
Microsoft sends technical information about bug MSRC 9368, including the
root cause of the problem and the list of affected versions.
. 2009-12-16:
Microsoft sends further analysis of bug MSRC 9562, which has been
analyzed in conjunction with the reported bug MSRC case 9326 in Virtual
PC. MSRC indicates that it has been unable to reproduce an exploitable
condition using the Excel bug (MSRC 9562).
. 2009-12-22:
Core acknowledges receipt of the analysis of bug MSRC 9562, and agrees
with the technical analysis.
. 2009-12-18:
Microsoft sends a spreadsheet summarising Core cases, which indicates
that fixes are confirmed to be released on March 9th 2010.
. 2009-12-21:
Core acknowledges receipt of the technical information, and asks
Microsoft whether the release of a fixed version has moved to March 9th
2010.
. 2009-12-21:
Microsoft replies that the ship date for the vulnerability MSRC 9368 in
MSO.dll is still February 9th 2010 (the spreadsheet contained a clerical
error).
. 2010-02-01:
Core requests MSRC the list of non vulnerable versions of Excel /
Office, and a statement for the "vendor information" section of the
advisory.
. 2010-02-03:
Microsoft sends the CVE identifier for the vulnerability, and the list
of affected and non affected software.
. 2010-02-09:
The advisory CORE-2009-0827 is published.
10. *References*
[1] About Core Security's Bugweek
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek
[2] Microsoft Security Bulletin MS10-003
http://www.microsoft.com/technet/security/bulletin/MS10-003.msp
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAktxq9cACgkQyNibggitWa2ZfgCgsgImwlV9D+uNQnuzgmWefT8U
BngAn06q1Ub1HhaqeKBigZaI3SCCPFg3
=Cmi1
-----END PGP SIGNATURE-----