CVE-2015-2467 : Detail

CVE-2015-2467

Overflow
89.55%V3
Network
2015-08-14
22h00 +00:00
2018-10-12
17h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Microsoft Office 2007 SP3 allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 37913

Publication date : 2015-08-20 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=414&can=1 The following crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled and application verified was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86. The attached minimized PoC that produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard office document parsers did not reveal any significance about this location. Attached files: Fuzzed minimized PoC: 1567070353_min.doc Fuzzed non-minimized PoC: 1567070353_crash.doc Original non-fuzzed file: 1567070353_orig.doc DLL Versions: mso.dll: 12.0.6721.5000 wwlib.dll: 12.0.6720.5000 Observed Crash: eax=00000001 ebx=00000004 ecx=0189ff18 edx=00000019 esi=32646a30 edi=0db0eff8 eip=32fbca76 esp=0012bc98 ebp=0012bcb8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 32fbca73 8b7df8 mov edi,dword ptr [ebp-8] => 32fbca76 f6470201 test byte ptr [edi+2],1 ds:0023:0db0effa=?? 32fbca7a 7419 je mso!Ordinal2690+0x476 (32fbca95) 32fbca7c 833e07 cmp dword ptr [esi],7 32fbca7f 7414 je mso!Ordinal2690+0x476 (32fbca95) 32fbca81 8b4508 mov eax,dword ptr [ebp+8] 32fbca84 6a20 push 20h 32fbca86 ff7010 push dword ptr [eax+10h] 32fbca89 8d4dfc lea ecx,[ebp-4] 32fbca8c 51 push ecx 32fbca8d ff10 call dword ptr [eax] 32fbca8f 8127fffffeff and dword ptr [edi],0FFFEFFFFh Stack Trace: 0:000> kb 8 ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 0012bcb8 32fbcdc3 0012be28 0d9f4fe8 00000000 mso!Ordinal2690+0x457 0012bccc 32fbce5b 0012be28 0d9f4fe8 0012be28 mso!Ordinal2690+0x7a4 0012bd20 32fbc93e 0012be28 0d9f4fe8 0ddceeb8 mso!Ordinal2690+0x83c 0012bd74 32fbcd73 0012be28 0d9f4fe8 0db2f45a mso!Ordinal2690+0x31f 0012bd94 316dfe8f 0dbe8e38 0012be28 317e9c10 mso!Ordinal2690+0x754 0012bdb0 317e9aa4 0012be08 00000000 00000000 wwlib!wdCommandDispatch+0xcd37 0012bde4 31980e8d 0012be08 000000b4 038b78bc wwlib!wdCommandDispatch+0x11694c 0012c07c 31980b0f 0db2c9c0 00000000 00000001 wwlib!wdCommandDispatch+0x2add35 In this crash the value being dereferenced in edi is free-ed memory: 0:000> !heap -p -a 0xdb0eff8 address 0db0eff8 found in _DPH_HEAP_ROOT @ 1151000 in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize) d9e5240: db0e000 2000 7c83e330 ntdll!RtlFreeHeap+0x0000011a 0189fe9c vfbasics!AVrfpRtlFreeHeap+0x000000f8 331039d5 mso!Ordinal1743+0x00002d4d 329c91d1 mso!MsoFreePv+0x0000003f 329c913c mso!Ordinal519+0x00000017 32a54dcc mso!Ordinal320+0x00000021 32bb6f2e mso!Ordinal379+0x00000eae There is a 1-bit clear at the location specified by edi shortly after the faulting eip location as well making this an exploitable condition. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37913.zip

Products Mentioned

Configuraton 0

Microsoft>>Office >> Version 2007

References

https://www.exploit-db.com/exploits/37913/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securitytracker.com/id/1033239
Tags : vdb-entry, x_refsource_SECTRACK