CVE-2015-2510 : Detail

CVE-2015-2510

Overflow
73.13%V3
Network
2015-09-08
22h00 +00:00
2018-10-12
17h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in the Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2, Office 2007 SP3, Office 2010 SP2, Lync 2010, Lync 2010 Attendee, Lync 2013 SP1, Lync Basic 2013 SP1, and Live Meeting 2007 Console allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "Graphics Component Buffer Overflow Vulnerability."

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 38217

Publication date : 2015-09-15 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=469 The following crash was observed in Microsoft Office 2007 Excel with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013. Attached files: Original File: 3013413838_orig.xls Crashing File: 3013413838_crash.xls Minimized Crashing File: 3013413838_min.xls The minimized crashing file shows a one bit delta from the original file at offset 0x139F. OffVis did not reveal anything unique about this offset in the minimized file. File Versions: Excel.exe: 12.0.6718.5000 OGL.dll: 12.0.6719.5000 oart.dll: 12.0.6683.5002 GDI32.dll: 5.2.3790.5563 Observed Crash: This crashing eip was observed 4 times in fuzzing results with various invalid memory address being dereferenced. eax=8a94e1a1 ebx=00000000 ecx=10a80598 edx=8a94e1a0 esi=0013d478 edi=0013d42c eip=3bd18f75 esp=0013d3dc ebp=0013d3e0 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 OGL!ScanOperation::Convert_24_sRGB: 3bd18f68 55 push ebp 3bd18f69 8bec mov ebp,esp 3bd18f6b 837d0800 cmp dword ptr [ebp+8],0 3bd18f6f 7431 je OGL!ScanOperation::Convert_24_sRGB+0x3a (3bd18fa2) 3bd18f71 8d4201 lea eax,[edx+1] 3bd18f74 56 push esi => 3bd18f75 0fb65001 movzx edx,byte ptr [eax+1] ds:0023:8a94e1a2=?? 0:000> kb L8 ChildEBP RetAddr Args to Child 0013d3e0 3be703b3 0000666f 0013d42c 00000000 OGL!ScanOperation::Convert_24_sRGB+0xd 0013d3fc 3be18f32 00000000 8a94e1a0 0000666f OGL!EpAlphaBlender::Blend+0x55 0013d568 3bd9f6c1 0013d894 00000000 0013d58c OGL!ConvertBitmapData+0x61 0013d5a4 3bde4137 00000000 00000001 000e200b OGL!GpMemoryBitmap::InternalLockBits+0x105 0013d5d0 3bdfa09b 05492fa8 0013d5f8 00000001 OGL!GpMemoryBitmap::LockBits+0xba 0013d608 3bdfac0c 0013d7bc 0013d894 0013d62c OGL!CopyOnWriteBitmap::PipeLockBitsFromMemory+0xb8 0013d6e8 3bd2b7e7 0013d7bc 0013d894 0013d7d0 OGL!CopyOnWriteBitmap::PipeLockBits+0x553 0013d700 3be4cc56 0013d7bc 0013d894 00000001 OGL!GpBitmap::PipeLockBits+0x4e The function OGL!ScanOperation::Convert_24_sRGB was called with edx pointing to an invalid memory location: 0x8a94e1a0. Tracing back we can find that the heap address where edx came from was allocated with the following call stack: 3be70fe2 OGL!GpMalloc+0x00000014 3bd58669 OGL!CopyOnWriteBitmap::CopyOnWriteBitmap+0x00000049 3be0517e OGL!CopyOnWriteBitmap::Create+0x00000021 3be0514d OGL!GpBitmap::GpBitmap+0x00000030 The edx value was copied in from the stack at the following location OGL!GpMemoryBitmap::InitMemoryBitmap(): 3bd4f6f0 8b45fc mov eax,dword ptr [ebp-4] 3bd4f6f3 6a06 push 6 3bd4f6f5 59 pop ecx 3bd4f6f6 8bf3 mov esi,ebx =>3bd4f6f8 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] The stack location was set with the invalid value here in OGL!ValidateBitmapInfo(): 3bda46ed 8b4d08 mov ecx,dword ptr [ebp+8] 3bda46f0 895804 mov dword ptr [eax+4],ebx 3bda46f3 895008 mov dword ptr [eax+8],edx 3bda46f6 89480c mov dword ptr [eax+0Ch],ecx => 3bda46f9 897810 mov dword ptr [eax+10h],edi Edi is set earlier as the result of an imul instruction that is then added to a base heap pointer: .text:3BDA46CB lea edi, [ebx-1] .text:3BDA46CE imul edi, edx .text:3BDA46D1 add edi, [ebp+arg_4] ; bad value here With this PoC edi=0x0000666e and edx=0x00013350. The edx value is calculated earlier in the same function. If 0xf9ef540 is the base pointer (arg_4) we end up setting this value to be 0x666e*0x13350+0xf9ef540 or 0x8a94e1a0 as we saw in the initial bad memory access. The heap chunk referenced at 0xf9ef540 has an original allocation size of 15156 and we've set our pointer far out of bounds of this allocation range. There is a distinct lack of overflow checks and bounds checking in the OGL!ValidateBitmapInfo function that may lead to memory corruption when doing bitmap conversion later on in the code. For example, if the 0x13350 value is able to grow to 0x27fd0 we can set the edi value to be 0xffffcb60 (0x666e * 0x27fd0 = 0xffffcb60) which leads to an out of bound write instead of an out of bound read later in the code. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38217.zip

Products Mentioned

Configuraton 0

Microsoft>>Live_meeting_console >> Version 2007

    Microsoft>>Lync >> Version 2010

    Microsoft>>Lync >> Version 2010

    Microsoft>>Lync >> Version 2010

    Microsoft>>Lync >> Version 2013

    Microsoft>>Lync >> Version 2013

      Microsoft>>Office >> Version 2007

      Microsoft>>Office >> Version 2010

      Microsoft>>Windows_server_2008 >> Version *

      Microsoft>>Windows_vista >> Version *

      References

      http://www.securitytracker.com/id/1033485
      Tags : vdb-entry, x_refsource_SECTRACK
      http://www.securitytracker.com/id/1033501
      Tags : vdb-entry, x_refsource_SECTRACK
      https://www.exploit-db.com/exploits/38217/
      Tags : exploit, x_refsource_EXPLOIT-DB
      http://www.securityfocus.com/bid/76593
      Tags : vdb-entry, x_refsource_BID
      http://www.securitytracker.com/id/1033500
      Tags : vdb-entry, x_refsource_SECTRACK