Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
|
Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
9.3 |
|
AV:N/AC:M/Au:N/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 37913
Publication date : 2015-08-20 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes
Source: https://code.google.com/p/google-security-research/issues/detail?id=414&can=1
The following crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled and application verified was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86.
The attached minimized PoC that produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard office document parsers did not reveal any significance about this location.
Attached files:
Fuzzed minimized PoC: 1567070353_min.doc
Fuzzed non-minimized PoC: 1567070353_crash.doc
Original non-fuzzed file: 1567070353_orig.doc
DLL Versions:
mso.dll: 12.0.6721.5000
wwlib.dll: 12.0.6720.5000
Observed Crash:
eax=00000001 ebx=00000004 ecx=0189ff18 edx=00000019 esi=32646a30 edi=0db0eff8
eip=32fbca76 esp=0012bc98 ebp=0012bcb8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
32fbca73 8b7df8 mov edi,dword ptr [ebp-8]
=> 32fbca76 f6470201 test byte ptr [edi+2],1 ds:0023:0db0effa=??
32fbca7a 7419 je mso!Ordinal2690+0x476 (32fbca95)
32fbca7c 833e07 cmp dword ptr [esi],7
32fbca7f 7414 je mso!Ordinal2690+0x476 (32fbca95)
32fbca81 8b4508 mov eax,dword ptr [ebp+8]
32fbca84 6a20 push 20h
32fbca86 ff7010 push dword ptr [eax+10h]
32fbca89 8d4dfc lea ecx,[ebp-4]
32fbca8c 51 push ecx
32fbca8d ff10 call dword ptr [eax]
32fbca8f 8127fffffeff and dword ptr [edi],0FFFEFFFFh
Stack Trace:
0:000> kb 8
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bcb8 32fbcdc3 0012be28 0d9f4fe8 00000000 mso!Ordinal2690+0x457
0012bccc 32fbce5b 0012be28 0d9f4fe8 0012be28 mso!Ordinal2690+0x7a4
0012bd20 32fbc93e 0012be28 0d9f4fe8 0ddceeb8 mso!Ordinal2690+0x83c
0012bd74 32fbcd73 0012be28 0d9f4fe8 0db2f45a mso!Ordinal2690+0x31f
0012bd94 316dfe8f 0dbe8e38 0012be28 317e9c10 mso!Ordinal2690+0x754
0012bdb0 317e9aa4 0012be08 00000000 00000000 wwlib!wdCommandDispatch+0xcd37
0012bde4 31980e8d 0012be08 000000b4 038b78bc wwlib!wdCommandDispatch+0x11694c
0012c07c 31980b0f 0db2c9c0 00000000 00000001 wwlib!wdCommandDispatch+0x2add35
In this crash the value being dereferenced in edi is free-ed memory:
0:000> !heap -p -a 0xdb0eff8
address 0db0eff8 found in
_DPH_HEAP_ROOT @ 1151000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
d9e5240: db0e000 2000
7c83e330 ntdll!RtlFreeHeap+0x0000011a
0189fe9c vfbasics!AVrfpRtlFreeHeap+0x000000f8
331039d5 mso!Ordinal1743+0x00002d4d
329c91d1 mso!MsoFreePv+0x0000003f
329c913c mso!Ordinal519+0x00000017
32a54dcc mso!Ordinal320+0x00000021
32bb6f2e mso!Ordinal379+0x00000eae
There is a 1-bit clear at the location specified by edi shortly after the faulting eip location as well making this an exploitable condition.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37913.zip
Products Mentioned
Configuraton 0
Microsoft>>Office >> Version 2007
References