CVE-2015-0065 : Détail

CVE-2015-0065

95.47%V3
Network
2015-02-11
01h00 +00:00
2018-10-12
17h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Microsoft Word 2007 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "OneTableDocumentStream Remote Code Execution Vulnerability."

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 37966

Date de publication : 2015-08-24 22h00 +00:00
Auteur : Google Security Research
EDB Vérifié : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=171&can=1 The following access violation was observed in Microsoft Office 2007 (Word document): (8c0.e68): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0012dcf8 ebx=40000000 ecx=40000000 edx=0012de1c esi=40000000 edi=011f1400 eip=32881800 esp=0012d010 ebp=0012d038 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 mso!Ordinal7799+0x2fc: 32881800 0fb74614 movzx eax,word ptr [esi+0x14] ds:0023:40000014=???? 0:000> k ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 0012d038 328a0a4e mso!Ordinal7799+0x2fc 0012ddd8 328a0a2c mso!Ordinal4388+0x1bc 0012dde4 320c337c mso!Ordinal4388+0x19a 0012de2c 320c330f wwlib!DllGetClassObject+0x850ba 0012de74 312db32b wwlib!DllGetClassObject+0x8504d 0012df1c 312dadf8 wwlib!FMain+0x96d7c 0012df84 312da84c wwlib!FMain+0x96849 0012e074 6be51b27 wwlib!FMain+0x9629d 0012e114 6be5c65b MSPTLS!FsDestroyMemory+0x1ee4e 0012e28c 6be5c94c MSPTLS!FsDestroyMemory+0x29982 0012e2d8 6be36d59 MSPTLS!FsDestroyMemory+0x29c73 0012e344 6be37f87 MSPTLS!FsDestroyMemory+0x4080 0012e450 6be4e8eb MSPTLS!FsDestroyMemory+0x52ae 0012e4e0 6be4f1ff MSPTLS!FsDestroyMemory+0x1bc12 0012e584 6be4f362 MSPTLS!FsDestroyMemory+0x1c526 0012e624 6be4f5cc MSPTLS!FsDestroyMemory+0x1c689 0012e7d8 6be35d9f MSPTLS!FsDestroyMemory+0x1c8f3 0012e8ec 6be630b5 MSPTLS!FsDestroyMemory+0x30c6 0012e970 6be40ee2 MSPTLS!FsDestroyMemory+0x303dc 0012e9e4 6be63a7a MSPTLS!FsDestroyMemory+0xe209 Notes: - Reproduce on Windows Server 2003 and Windows 7. - The crash occurs due to an invalid read dereference of a bad object pointer. If the word value read is controlled and set to a value other than 0xFFFF, then a controlled value is used as an indirect call target (at 328A1DD4 in MSO.dll 12.0.6683.5000). - The bad object pointer is passed in to MSO.dll from wwlib.dll (second argument of function at 328A0A16 in MSO.dll 12.0.6683.5000). - The test-case reduces to a 50-bit difference from the original sample document. - The affected bits lie in the OneTableDocumentStream's data section, as well as as PlcfSed's aCP[0] field and PNFKPPAPX[44]'s pn field. - The copy operation at 3126A36C (wwlib.dll 12.0.6707.5000) uses a source buffer from the OneTableDocumentStream's data section, and copies this invalid data into a stack buffer. The bad object pointer comes from this stack-based structure. - Attached files: 037542f7_crash.rtf (crashing file), 037542f7_orig.doc (original file). A test case with full control of the crashing register value (0xAAAAAAAA) is also attached (037542f7_full.doc) Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37966.zip

Products Mentioned

Configuraton 0

Microsoft>>Word >> Version 2007

Références

http://secunia.com/advisories/62808
Tags : third-party-advisory, x_refsource_SECUNIA
https://www.exploit-db.com/exploits/37966/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/72465
Tags : vdb-entry, x_refsource_BID
http://www.securitytracker.com/id/1031720
Tags : vdb-entry, x_refsource_SECTRACK