CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
EPSS
Percentile
98.3%
**Title:**Microsoft Office Visio DXF File Insertion Buffer Overflow
Advisory Id: CORE-2010-0428 **Advisory URL: **<https://www.coresecurity.com/core-labs/advisories/ms-visio-dxf-buffer-overflow> **Date published: **2010-05-04 **Date of last update: **2010-05-04 **Vendors contacted: **Microsoft **Release mode: **User release
**Class:**Buffer overflow [CWE-119]
**Impact:**Code execution
**Remotely Exploitable:**Yes (client-side)
**Locally Exploitable:**No
CVE Name:CVE-2010-1681
Bugtraq ID:39836
Microsoft Office Visio is vulnerable to a buffer overflow in VISIODWG.DLL
, a DLL which is loaded when inserting a DXF file into a Visio document, either using drag-and-drop or βInsert, CAD drawingβ from the menu bar. This bug can be exploited to execute arbitrary code with the privileges of the user running Visio. The bug was fixed in patch KB979364 released with Microsoft Security Bulletin MS10-028, but the bulletin contains no mention of either the bug or the fix.
Microsoft Office Visio using VISIODWG.DLL version 10.0.5006.4
Microsoft Office Visio using VISIODWG.DLL version 10.0.6880.4 (patched with KB979364).
Apply patch KB979364 included in bulletin MS10-028.
This vulnerability was discovered and researched by Daniel Kazimirow, from Core Security Technologies. Publication was coordinated by Jorge Lucangeli Obes.
The vulnerability occurs in the VISIODWG.DLL
library. At offset 74ef
in the library there is an unsafe call to strcpy
, which can be used to execute arbitrary code. This call is replaced with a call to strncpy
, at offset 81e7
in the new version of the library.
Original: .text:667D74E2 loc_667D74E2: .text:667D74E2 mov ecx, [edi+2428h] .text:667D74E8 mov edx, [esp+6Ch+Key] .text:667D74EC inc ecx .text:667D74ED push ecx ; Source .text:667D74EE push edx ; Dest .text:667D74EF call strcpy .text:667D74F4 mov esi, ds:bsearch .text:667D74FA push offset sub_667D7400 ; PtFuncCompare .text:667D74FF push 0Ch ; ElementSize .text:667D7501 push 0D5h ; NumOfElements .text:667D7506 lea eax, [esp+80h+Key] .text:667D750A push offset off_6685E730 ; Base .text:667D750F push eax ; Key .text:667D7510 call esi ; bsearch .text:667D7512 mov edi, eax .text:667D7514 add esp, 1Ch .text:667D7517 test edi, edi .text:667D7519 jz loc_667D770F Patched: .text:667D81D2 loc_667D81D2: .text:667D81D2 mov ecx, [edi+2430h] .text:667D81D8 mov edx, [esp+6Ch+Key] .text:667D81DC mov ebx, ds:strncpy .text:667D81E2 inc ecx .text:667D81E3 push 50h ; Count <-- MAX LENGTH .text:667D81E5 push ecx ; Source .text:667D81E6 push edx ; Dest .text:667D81E7 call ebx ; strncpy .text:667D81E9 mov esi, ds:bsearch .text:667D81EF push offset sub_667D80F0 ; PtFuncCompare .text:667D81F4 push 0Ch ; ElementSize .text:667D81F6 push 0D5h ; NumOfElements .text:667D81FB lea eax, [esp+84h+Key] .text:667D81FF push offset off_6685F730 ; Base .text:667D8204 push eax ; Key .text:667D8205 mov [esp+8Ch+var_1], 0 .text:667D820D call esi ; bsearch .text:667D820F mov edi, eax .text:667D8211 add esp, 20h .text:667D8214 test edi, edi .text:667D8216 jz loc_667D840C
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs.
Core Security develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The companyβs flagship product, Core Impact, is the most comprehensive product for performing enterprise security assurance testing. Core Impact evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at <https://www.coresecurity.com>.
The contents of this advisory are copyright Β© 2010 Core Security Technologies and Β© 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
This advisory has been signed with the GPG key of Core Security Technologies advisories team.