Dear List, I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Microsoft Office Word HTML Linked Objects Memory Corruption Vulnerability CVE-2010-1903 - MS10-056 INTRODUCTION There exists a vulnerability within the way Word handles html linked objects, which leads to attacker controlled memory write and code execution. There is a poc.doc file that demonstrates the vulnerability and is available to interested parts. This problem was confirmed in the following versions of Word and Windows, other versions may be also affected. Microsoft Office XP Service Pack 3 and older Microsoft Office 2003 Service Pack 3 and older 2007 Microsoft Office System Service Pack 2 and older Microsoft Office 2004 for Mac Microsoft Office 2008 for Mac Open XML file format converter for Mac Microsoft Office Word Viewer Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 Microsoft Works 9 CVSS Scoring System The CVSS score is: 8.6 Base Score: 10 Temporal Score: 8.6 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:C Temporal score is: E:POC/RL:U/RC:UR TRIGGERING THE PROBLEM The problem is triggered by a PoC available only to interested parts which causes invalid memory write in all the referred versions. DETAILS Opening the attached poc.doc file and breaking in the following call, we see: eax=00126c5c ebx=00126c40 ecx=00000000 edx=00000001 esi=00944001 edi=00000000 eip=3179fd74 esp=00126b9c ebp=00126bc0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 wwlib!DllGetClassObject+0x7fe9e: 3179fd74 e87bf9ffff call wwlib!DllGetClassObject+0x7f81e (3179f6f4) Disassembling the code: 0:000> u wwlib!DllGetClassObject+0x7fe9e: 3179fd74 e87bf9ffff call wwlib!DllGetClassObject+0x7f81e (3179f6f4) 3179fd79 3bf7 cmp esi,edi 3179fd7b 8b4310 mov eax,dword ptr [ebx+10h] 3179fd7e 894508 mov dword ptr [ebp+8],eax 3179fd81 7404 je wwlib!DllGetClassObject+0x7feb1 (3179fd87) 3179fd83 66893c46 mov word ptr [esi+eax*2],di 3179fd87 397b2c cmp dword ptr [ebx+2Ch],edi 3179fd8a 740e je wwlib!DllGetClassObject+0x7fec4 (3179fd9a) The faulting instruction is at address 3179fd83, where di and eax are NULL and esi a fixed value. The value eax is copied from the stack. The same with the di register. Stepping into the first called function: 0:000> u 3179f6f4 wwlib!DllGetClassObject+0x7f81e: 3179f6f4 55 push ebp 3179f6f5 8bec mov ebp,esp 3179f6f7 81ecb8010000 sub esp,offset +0x187 (000001b8) 3179f6fd a170474831 mov eax,dword ptr [wwlib+0x244770 (31484770)] 3179f702 33c5 xor eax,ebp 3179f704 8945fc mov dword ptr [ebp-4],eax 3179f707 838db0feffffff or dword ptr [ebp-150h],0FFFFFFFFh 3179f70e 33c9 xor ecx,ecx The stack trace information: 0:000> k ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 00126bc0 315d18cb wwlib!DllGetClassObject+0x7fe9e 00126d8c 315d02f7 wwlib!FMain+0x133a26 00126e18 315cf42f wwlib!FMain+0x132452 00127430 315cefc0 wwlib!FMain+0x13158a 0012763c 315ce9ba wwlib!FMain+0x13111b 001276d4 6bdd1d83 wwlib!FMain+0x130b15 00127784 6bdd24c8 MSPTLS!LssbFIsSublineEmpty+0x22cb 00127804 6bddf8e0 MSPTLS!LssbFIsSublineEmpty+0x2a10 00127868 6bddff5d MSPTLS!LssbFIsSublineEmpty+0xfe28 00127898 6bddf1ef MSPTLS!LssbFIsSublineEmpty+0x104a5 00127a9c 6bdc4b85 MSPTLS!LssbFIsSublineEmpty+0xf737 00127ad0 318e1917 MSPTLS!LsCreateLine+0x23 00127b44 3181c5f8 wwlib!DllGetClassObject+0x1c1a41 00127bac 31549412 wwlib!DllGetClassObject+0xfc722 00127c9c 6be51b06 wwlib!FMain+0xab56d 00127d3c 6be5c63a MSPTLS!FsDestroyMemory+0x1ee39 00127eb4 6be5c92b MSPTLS!FsDestroyMemory+0x2996d 00127f00 6be36d4d MSPTLS!FsDestroyMemory+0x29c5e 00127f6c 6be37f7b MSPTLS!FsDestroyMemory+0x4080 00128078 6be4e8ca MSPTLS!FsDestroyMemory+0x52ae !exploitable output: Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at wwlib!DllGetClassObject+0x000000000007fead (Hash=0x43317a27.0x44020844) User mode write access violations that are not near NULL are exploitable. This vulnerability can be remotely triggered if an user choose to open a .doc while using IE or any other browser (in IE it will spawn a winword.exe process inside the browser, but the process remains as a new one). CREDITS This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). Best Regards, Rodrigo. -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies