CVE-2016-3357 : Detail

CVE-2016-3357

7.8
/
High
Overflow
21.23%V3
Local
2016-09-14
08h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 2013 RT SP1, Office 2016, Word for Mac 2011, Word 2016 for Mac, Word Viewer, Word Automation Services on SharePoint Server 2010 SP2, SharePoint Server 2013 SP1, Excel Automation Services on SharePoint Server 2013 SP1, Word Automation Services on SharePoint Server 2013 SP1, Office Web Apps 2010 SP2, and Office Web Apps Server 2013 SP1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V3.0 7.8 HIGH CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Local

A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file.

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Required

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Base: Scope Metrics

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges.

Scope

Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports.

Unchanged

An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same.

Base: Impact Metrics

The Impact metrics refer to the properties of the impacted component.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

Environmental Metrics

 [email protected]
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 40406

Publication date : 2016-09-20 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=866 The following crash was observed in Microsoft PowerPoint 2010 running under Windows 7 x86 with application verifier enabled. File versions are: mso.dll: 14.0.7166.5000 ppcore.dll: 14.0.7168.5000 Attached crashing file: 3525170180.ppt Crashing context: eax=1979aea0 ebx=1638bb50 ecx=1979aea0 edx=0024e340 esi=00000000 edi=00000000 eip=663088d8 esp=0024e330 ebp=0024e330 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 ppcore!DllGetLCID+0x18205e: 663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=???????? Call Stack: ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 0024e330 663088cc 1979aea0 0024e46c 00000000 ppcore!DllGetLCID+0x18205e 0024e350 663072cb 0024e46c e437cde4 00000000 ppcore!DllGetLCID+0x182052 0024e4c8 662fcbda 1cd76fe8 0024e4f0 0024e574 ppcore!DllGetLCID+0x180a51 0024e598 662fc9ee 00000000 0024e5e0 0024e63e ppcore!DllGetLCID+0x176360 0024e5ac 662e82fd 0024e5e0 0024e63e e4362e14 ppcore!DllGetLCID+0x176174 00250738 662e7c88 17802ef8 073def40 1638bb50 ppcore!DllGetLCID+0x161a83 00250774 6619d3e9 002508a4 00250890 1638bb50 ppcore!DllGetLCID+0x16140e Disassembly: 663088d2 55 push ebp 663088d3 8bec mov ebp,esp 663088d5 8b4d08 mov ecx,dword ptr [ebp+8] 663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=???????? The ecx register is pointing to invalid memory in this crash. Looking at the call stack and disassembly above we can see that this value was passed in as the first argument to the crashing function. The calling function obtained this value from a pointer in stack memory at 0x0024e46c + 0x10: 0:000> dd poi(0024e46c) 1cb7cfa0 00000000 1cb7cfa0 00000002 19045ea0 1cb7cfb0 1979aea0 00000000 00000000 00000000 We can verify that this is allocated memory and find the function that allocated it: (address changed between runs and is now 0x1cb7cfa0) 0:000> !heap -p -a 1cb7cfa0 address 1cb7cfa0 found in _DPH_HEAP_ROOT @ 1261000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 1d2b14e0: 1cb7cfa0 5c - 1cb7c000 2000 6f748e89 verifier!AVrfDebugPageHeapAllocate+0x00000229 7719616e ntdll!RtlDebugAllocateHeap+0x00000030 7715a08b ntdll!RtlpAllocateHeap+0x000000c4 77125920 ntdll!RtlAllocateHeap+0x0000023a 72eaad1a vrfcore!VerifierSetAPIClassName+0x000000aa 701f16ac vfbasics+0x000116ac 641a6cca mso!Ordinal149+0x000078e0 66118132 ppcore!PPMain+0x00001244 662fcbda ppcore!DllGetLCID+0x00176360 662fc9ee ppcore!DllGetLCID+0x00176174 662e82fd ppcore!DllGetLCID+0x00161a83 Setting breakpoints on ppcore!DllGetLCID+0x00176360 and subsequent memory write access breakpoints at eax+0x10 (there are multiple hits) eventually resulted in the same file crashing with a different context: eax=00000000 ebx=17c2cb50 ecx=00000000 edx=00000000 esi=1a36eea0 edi=1a36eea0 eip=6625a361 esp=0022e1d0 ebp=0022e1f8 iopl=0 nv up ei ng nz ac po cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210293 ppcore!DllGetLCID+0xd3ae7: 6625a361 8b4870 mov ecx,dword ptr [eax+70h] ds:0023:00000070=???????? 0:000> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 0022e1f8 662d7d30 661813c4 ec3f4e62 00000000 ppcore!DllGetLCID+0xd3ae7 0022e220 663088e2 00000000 661813c4 0022e250 ppcore!DllGetLCID+0x1514b6 0022e230 663088cc 1a36eea0 0022e36c 00000000 ppcore!DllGetLCID+0x182068 0022e250 663072cb 0022e36c ec3f4f8a 00000000 ppcore!DllGetLCID+0x182052 0022e3c8 662fcbda 1c7a4fe8 0022e3f0 0022e474 ppcore!DllGetLCID+0x180a Given the different crashing contexts related to timing when breakpoints are set I suspect this to be a heap corruption bug that Application Verifier does not detect. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40406.zip

Products Mentioned

Configuraton 0

Microsoft>>Office >> Version 2007

Microsoft>>Office >> Version 2010

Microsoft>>Office >> Version 2013

Microsoft>>Office >> Version 2016

Microsoft>>Office_web_apps >> Version 2010

Microsoft>>Office_web_apps_server >> Version 2013

Microsoft>>Sharepoint_foundation >> Version 2010

Microsoft>>Sharepoint_foundation >> Version 2013

Microsoft>>Word_for_mac >> Version 2011

Microsoft>>Word_for_mac >> Version 2016

Microsoft>>Word_viewer >> Version *

References

http://www.securityfocus.com/bid/92786
Tags : vdb-entry, x_refsource_BID
http://www.securitytracker.com/id/1036785
Tags : vdb-entry, x_refsource_SECTRACK
https://www.exploit-db.com/exploits/40406/
Tags : exploit, x_refsource_EXPLOIT-DB