Vulnerabilities > CVE-2007-0936 - Remote Code Execution vulnerability in Microsoft Visio Packed Objects

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
critical
nessus
NVD
Published: 2007-06-12
Updated: 2018-10-16

Summary

Multiple unspecified vulnerabilities in Microsoft Visio 2002 allow remote user-assisted attackers to execute arbitrary code via a Visio (.VSD, VSS, .VST) file with a crafted packed object that triggers memory corruption, aka "Visio Document Packaging Vulnerability."

Vulnerable Configurations

Part Description Count
Application
Microsoft
2

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS07-030.NASL
descriptionThe remote host contains a version of Microsoft Visio that has a vulnerability in the way it handles packed objects and version numbers that could be abused by an attacker to execute arbitrary code on the remote host. To exploit this vulnerability, an attacker would need to spend a specially crafted visio document to a user on the remote host and lure him into opening it.
last seen2020-06-01
modified2020-06-02
plugin id25489
published2007-06-14
reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/25489
titleMS07-030: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(25489);
 script_version("1.28");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2007-0934", "CVE-2007-0936");
 script_bugtraq_id(24349, 24384);
 script_xref(name:"MSFT", value:"MS07-030");
 script_xref(name:"MSKB", value:"931280");
 script_xref(name:"MSKB", value:"931281");
 

 script_name(english:"MS07-030: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)");
 script_summary(english:"Determines the presence of update 927051");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Visio.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of Microsoft Visio that has a
vulnerability in the way it handles packed objects and version numbers
that could be abused by an attacker to execute arbitrary code on the
remote host.

To exploit this vulnerability, an attacker would need to spend a
specially crafted visio document to a user on the remote host and lure
him into opening it.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-030");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Microsoft Visio 2002 and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2007/06/12");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/06/12");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/14");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visio");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("audit.inc");

include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS07-030';
kbs = make_list("931280", "931281");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


list = get_kb_list_or_exit("SMB/Office/Visio/*/VisioPath");

e = 0;
share = '';
lastshare = '';
accessible_share = FALSE;
errors = make_list();
foreach item (keys(list))
{
  share = hotfix_path2share(path:list[item]);
  if (share != lastshare || !accessible_share)
  {
    lastshare = share;
    if (!is_accessible_share(share:share))
    {
      accessible_share = FALSE;
      errors = make_list(errors, 'Failed to access \''+share+'\' / can\'t verify Visio install in \''+list[item]+'.');
      continue;
    }
    accessible_share = TRUE;
  }
  if (accessible_share)
  {
    vers = item - 'SMB/Office/Visio/' - '/VisioPath';
    if ( "11.0" >< vers )  # Visio 2003
    {
      path = list[item];
      if ( hotfix_check_fversion(path:path, file:"Visio11\Vislib.dll", version:"11.0.7218.0", bulletin:bulletin, kb:'931281') == HCF_OLDER ) e ++;
    }
    else if ( "10.0" >< vers )  # Vision 2002
    {
      path = list[item];
      if ( hotfix_check_fversion(path:path, file:"Visio10\Vislib.dll", version:"10.0.6865.4", bulletin:bulletin, kb:'931280') == HCF_OLDER ) e ++;
    }
  }
}
hotfix_check_fversion_end();
if ( e )
{
  set_kb_item(name:"SMB/Missing/MS07-030", value:TRUE);
  hotfix_security_hole();
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted2013-02-11T04:00:38.496-05:00
classvulnerability
contributors
  • nameSudhir Gandhe
    organizationSecure Elements, Inc.
  • nameRobert L. Hollis
    organizationThreatGuard, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
definition_extensions
  • commentMicrosoft Office Visio 2002 SP2 is installed
    ovaloval:org.mitre.oval:def:692
  • commentMicrosoft Office Visio 2003 is installed
    ovaloval:org.mitre.oval:def:1450
descriptionMultiple unspecified vulnerabilities in Microsoft Visio 2002 allow remote user-assisted attackers to execute arbitrary code via a Visio (.VSD, VSS, .VST) file with a crafted packed object that triggers memory corruption, aka "Visio Document Packaging Vulnerability."
familywindows
idoval:org.mitre.oval:def:1369
statusaccepted
submitted2007-06-12T16:59:33.000-04:00
titleVisio Document Packaging Vulnerability
version6

References