Faiblesses connexes
CWE-ID |
Nom de la faiblesse |
Source |
CWE-399 |
Category : Resource Management Errors Weaknesses in this category are related to improper management of system resources. |
|
Métriques
Métriques |
Score |
Gravité |
CVSS Vecteur |
Source |
V2 |
9.3 |
|
AV:N/AC:M/Au:N/C:C/I:C/A:C |
nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 37966
Date de publication : 2015-08-24 22h00 +00:00
Auteur : Google Security Research
EDB Vérifié : Yes
Source: https://code.google.com/p/google-security-research/issues/detail?id=171&can=1
The following access violation was observed in Microsoft Office 2007
(Word document):
(8c0.e68): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0012dcf8 ebx=40000000 ecx=40000000 edx=0012de1c esi=40000000 edi=011f1400
eip=32881800 esp=0012d010 ebp=0012d038 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mso!Ordinal7799+0x2fc:
32881800 0fb74614 movzx eax,word ptr [esi+0x14] ds:0023:40000014=????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012d038 328a0a4e mso!Ordinal7799+0x2fc
0012ddd8 328a0a2c mso!Ordinal4388+0x1bc
0012dde4 320c337c mso!Ordinal4388+0x19a
0012de2c 320c330f wwlib!DllGetClassObject+0x850ba
0012de74 312db32b wwlib!DllGetClassObject+0x8504d
0012df1c 312dadf8 wwlib!FMain+0x96d7c
0012df84 312da84c wwlib!FMain+0x96849
0012e074 6be51b27 wwlib!FMain+0x9629d
0012e114 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e
0012e28c 6be5c94c MSPTLS!FsDestroyMemory+0x29982
0012e2d8 6be36d59 MSPTLS!FsDestroyMemory+0x29c73
0012e344 6be37f87 MSPTLS!FsDestroyMemory+0x4080
0012e450 6be4e8eb MSPTLS!FsDestroyMemory+0x52ae
0012e4e0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12
0012e584 6be4f362 MSPTLS!FsDestroyMemory+0x1c526
0012e624 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689
0012e7d8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3
0012e8ec 6be630b5 MSPTLS!FsDestroyMemory+0x30c6
0012e970 6be40ee2 MSPTLS!FsDestroyMemory+0x303dc
0012e9e4 6be63a7a MSPTLS!FsDestroyMemory+0xe209
Notes:
- Reproduce on Windows Server 2003 and Windows 7.
- The crash occurs due to an invalid read dereference of a bad object
pointer. If the word value read is controlled and set to a value other
than 0xFFFF, then a controlled value is used as an indirect call
target (at 328A1DD4 in MSO.dll 12.0.6683.5000).
- The bad object pointer is passed in to MSO.dll from wwlib.dll
(second argument of function at 328A0A16 in MSO.dll 12.0.6683.5000).
- The test-case reduces to a 50-bit difference from the original
sample document.
- The affected bits lie in the OneTableDocumentStream's data section,
as well as as PlcfSed's aCP[0] field and PNFKPPAPX[44]'s pn field.
- The copy operation at 3126A36C (wwlib.dll 12.0.6707.5000) uses a
source buffer from the OneTableDocumentStream's data section, and
copies this invalid data into a stack buffer. The bad object pointer
comes from this stack-based structure.
- Attached files: 037542f7_crash.rtf (crashing file),
037542f7_orig.doc (original file). A test case with full control of
the crashing register value (0xAAAAAAAA) is also attached
(037542f7_full.doc)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37966.zip
Products Mentioned
Configuraton 0
Microsoft>>Word >> Version 2007
Références