what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Core Security Technologies Advisory 2009.1103

Core Security Technologies Advisory 2009.1103
Posted Mar 9, 2010
Authored by Core Security Technologies, Damian Frizza | Site coresecurity.com

Core Security Technologies Advisory - A memory corruption occurs on Microsoft Office Excel 2002 when parsing a .XLS file with a malformed DbOrParamQry record. This vulnerability could be used by a remote attacker to execute arbitrary code in the context of the currently logged on user, by enticing the user to open a specially crafted file.

tags | advisory, remote, arbitrary
advisories | CVE-2010-0264
SHA-256 | 7467a687c181b918d29055d813fdff2b35ff940ae1ff53bb67f0cc1fd65c64a0

Core Security Technologies Advisory 2009.1103

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability



1. *Advisory Information*

Title: Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability
Advisory Id: CORE-2009-1103
Advisory URL: http://www.coresecurity.com/content/CORE-2009-1103
Date published: 2010-03-09
Date of last update: 2010-03-09
Vendors contacted: Microsoft
Release mode: Coordinated release



2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
Bugtraq ID: N/A
CVE Name: CVE-2010-0264



3. *Vulnerability Description*

A memory corruption occurs on Microsoft Office Excel 2002 when parsing a
.XLS file with a malformed DbOrParamQry record. This vulnerability could
be used by a remote attacker to execute arbitrary code in the context of
the currently logged on user, by enticing the user to open a specially
crafted file.


4. *Vulnerable packages*

. Microsoft Excel 2002 (Office XP SP3)


5. *Non-vulnerable packages*

. Microsoft Office 2003
. Microsoft Office 2007


6. *Vendor Information, Solutions and Workarounds*

Microsoft has addressed this vulnerability by issuing an update located
at http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx


7. *Credits*

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

A memory corruption occurs on Microsoft Office Excel 2002 when parsing a
.XLS file with a malformed DbOrParamQry record. The precise affected
executable versions that we tested are:

. EXCEL.exe version 10.0.6501
. EXCEL.exe version 10.0.6854
. EXCEL.exe version 10.0.6856

The vulnerable version is Microsoft Office Excel XP SP3.

According to the MSDN documentation [2] the DbOrParamQry record
specifies a DbQuery or ParamQry record depending on the preceding
record. The Record Query Parameters (ParamQry) offset DCh, contains
information about ODBC parameterized queries. This record has the
following format:


/-----
Offset Name Size Contents
4 wTypeSql 2 Used for ODBC queries; the parameter SQL type
6 flags 2 Option flags

- -----/

By modifying this record an exploitable condition can be triggered. An
excerpt of the vulnerable code follows:


/-----
EXCEL!Ordinal41+2c20ce:
302c20ce 8b461c mov eax,[esi+0x1c]
ds:0023:0180aa98=0197013c
302c20d1 85c0 test eax,eax
302c20d3 0f84e1000000 je EXCEL!Ordinal41+0x2c21ba (302c21ba)
[br=0]
302c20d9 8b08 mov ecx,[eax]
ds:0023:0197013c=00010001
302c20db 50 push eax
302c20dc ff5108 call dword ptr [ecx+0x8]
ds:0023:00010009=5c003a00

Access violation - code c0000005 (first chance)
eax=0197013c ebx=00000001 ecx=00010001 edx=0000014c esi=0180aa7c
edi=00000000
eip=5c003a00 esp=001363ec ebp=00136400 iopl=0 nv up ei pl nz na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000206
5c003a00 ?? ???

- -----/


9. *Report Timeline*

. 2009-11-04:
Core Security Technologies notifies the Microsoft team of the
vulnerability and sends a Proof of Concept malformed file. Planned
publication date is set to February 9th 2010.

. 2009-11-04:
Microsoft acknowledges receipt of the report, and opens case 9564 to
track this issue.

. 2009-11-19:
Microsoft confirms that the reported bug is exploitable on Office 2002,
and that it is a bulletin class issue. Microsoft analysis indicates that
Office 2003 and Office 2007 are not affected by this vulnerability.
Microsoft estimates that its projected release date will be later than
February.

. 2009-11-19:
Core replies that it needs additional information about Microsoft fix
development and testing process, in particular a concrete estimated date
for the release of fixes, before rescheduling publication.

. 2009-12-18:
Microsoft communicates that the Office Excel Team has scheduled a fix
for this issue for March 9th 2010, and requests that Core reschedules
publication of its advisory to that date.

. 2009-12-21:
Core agrees to reschedule publication to March 9th 2010, and tells
Microsoft that it's still waiting for their technical analysis of the bug.

. 2010-01-28:
Microsoft informs Core that it is still on track to release the patch
for this vulnerability in March 2009.

. 2010-02-18:
Microsoft informs Core that unexpected issues will force them to
postpone the bulletin release from March, and that they will try to
release it in April 2010.

. 2010-03-02:
Microsoft tells Core that finally the patch for this issue will be
released on March 9th 2010.

. 2010-03-08:
Core acknowledges receipt of the previous mail, and requests the URL of
Microsoft's security bulletin to include in the vendor information
section of its advisory.

. 2010-03-09:
The advisory CORE-2009-1103 is published.



10. *References*

[1] Microsoft Security Bulletin MS10-017
http://www.microsoft.com/technet/security/Bulletin/MS10-017.mspx
[2] MSDN DbOrParamQry entry
http://msdn.microsoft.com/en-us/library/dd953289.aspx


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkuWvzgACgkQyNibggitWa3sgQCfW9M7pPRWJ82ytbaY0V8rJh6W
3/4AmwQbyIyX8Lg2FPDrzetOCkgybb35
=HNzF
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close