Vulnerabilities > CVE-2010-1681 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Visio 2002/2003/2007
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Buffer overflow in VISIODWG.DLL before 10.0.6880.4 in Microsoft Office Visio allows user-assisted remote attackers to execute arbitrary code via a crafted DXF file, a different vulnerability than CVE-2010-0254 and CVE-2010-0256.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages the implicit trust often placed in environment variables.
- Overflow Buffers: Buffer overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirecting execution as the attacker chooses.
- Client-side Injection-induced Buffer Overflow: This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow: In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow), in the hope that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion: An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back.
Exploit-Db
description | MOAUB #8 - Microsoft Office Visio DXF File Stack based Overflow. Local exploit for windows platform |
file | exploits/windows/local/14944.py |
id | EDB-ID:14944 |
last seen | 2016-02-01 |
modified | 2010-09-08 |
platform | windows |
port | |
published | 2010-09-08 |
reporter | Abysssec |
source | https://www.exploit-db.com/download/14944/ |
title | Microsoft Office Visio - .DXF File Stack based Overflow |
type | local |

description | Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability. CVE-2010-1681. Local exploit for windows platform |
id | EDB-ID:17451 |
last seen | 2016-02-02 |
modified | 2011-06-26 |
published | 2011-06-26 |
reporter | metasploit |
source | https://www.exploit-db.com/download/17451/ |
title | Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability |
Metasploit
description | This module exploits a stack based overflow vulnerability in the handling of DXF files by Microsoft Visio 2002. Revisions prior to the release of the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application is used to import a specially crafted DXF file, while parsing the HEADER section of the DXF file. To trigger the vulnerability an attacker must convince someone to insert a specially crafted DXF file into a new document via 'Insert' -> 'CAD Drawing'. |
id | MSF:EXPLOIT/WINDOWS/FILEFORMAT/VISIO_DXF_BOF |
last seen | 2020-06-14 |
modified | 1976-01-01 |
published | 1976-01-01 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/visio_dxf_bof.rb |
title | Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS10-028.NASL |
description | The remote host contains a version of Microsoft Visio that is affected by multiple memory corruption vulnerabilities. A remote attacker could exploit this by tricking a user into opening a specially crafted Visio file, resulting in arbitrary code execution. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 45515 |
published | 2010-04-13 |
reporter | This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/45515 |
title | MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/102595/visio_dxf_bof.rb.txt |
id | PACKETSTORM:102595 |
last seen | 2016-12-05 |
published | 2011-06-27 |
reporter | Core Security Technologies |
source | https://packetstormsecurity.com/files/102595/Microsoft-Office-Visio-VISIODWG.DLL-DXF-File-Handling-Vulnerability.html |
title | Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability |

data source | https://packetstormsecurity.com/files/download/93630/moaub-msoffice.txt |
id | PACKETSTORM:93630 |
last seen | 2016-12-05 |
published | 2010-09-09 |
reporter | Abysssec |
source | https://packetstormsecurity.com/files/93630/Month-Of-Abysssec-Undisclosed-Bugs-Microsoft-Office-Visio-Overflow.html |
title | Month Of Abysssec Undisclosed Bugs - Microsoft Office Visio Overflow |
Saint
bid | 39836 |
description | Microsoft Visio DXF file insertion buffer overflow |
id | win_patch_visio2002vislib |
title | ms_visio_dxf |
type | client |
Seebug
bulletinFamily | exploit |
id | SSV:19558 |
last seen | 2017-11-19 |
modified | 2010-05-06 |
published | 2010-05-06 |
reporter | Root |
title | Microsoft Visio VISIODWG.DLL Library Buffer Overflow Vulnerability (MS10-028) |

description:

BUGTRAQ ID: 39836
CVE ID: CVE-2010-1681

Visio is the diagramming tool in the Microsoft Office suite.

The VISIODWG.DLL library used by Visio contains a buffer overflow vulnerability, caused by an unsafe strcpy call at offset 74ef in the library. The vulnerable library is loaded when a DXF file is inserted into a Visio document (by drag-and-drop or by choosing "Insert -> CAD Drawing" from the menu bar). An attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the user running Visio.

Microsoft fixed this vulnerability in the patch shipped with bulletin MS10-028 by replacing the vulnerable call with a strncpy call at offset 81e7, but the bulletin does not mention this vulnerability.

Before the patch:

```
.text:667D74E2 loc_667D74E2:
.text:667D74E2     mov     ecx, [edi+2428h]
.text:667D74E8     mov     edx, [esp+6Ch+Key]
.text:667D74EC     inc     ecx
.text:667D74ED     push    ecx                     ; Source
.text:667D74EE     push    edx                     ; Dest
.text:667D74EF     call    strcpy
.text:667D74F4     mov     esi, ds:bsearch
.text:667D74FA     push    offset sub_667D7400     ; PtFuncCompare
.text:667D74FF     push    0Ch                     ; ElementSize
.text:667D7501     push    0D5h                    ; NumOfElements
.text:667D7506     lea     eax, [esp+80h+Key]
.text:667D750A     push    offset off_6685E730     ; Base
.text:667D750F     push    eax                     ; Key
.text:667D7510     call    esi ; bsearch
.text:667D7512     mov     edi, eax
.text:667D7514     add     esp, 1Ch
.text:667D7517     test    edi, edi
.text:667D7519     jz      loc_667D770F
```

After the patch:

```
.text:667D81D2 loc_667D81D2:
.text:667D81D2     mov     ecx, [edi+2430h]
.text:667D81D8     mov     edx, [esp+6Ch+Key]
.text:667D81DC     mov     ebx, ds:strncpy
.text:667D81E2     inc     ecx
.text:667D81E3     push    50h                     ; Count <-- MAX LENGTH
.text:667D81E5     push    ecx                     ; Source
.text:667D81E6     push    edx                     ; Dest
.text:667D81E7     call    ebx ; strncpy
.text:667D81E9     mov     esi, ds:bsearch
.text:667D81EF     push    offset sub_667D80F0     ; PtFuncCompare
.text:667D81F4     push    0Ch                     ; ElementSize
.text:667D81F6     push    0D5h                    ; NumOfElements
.text:667D81FB     lea     eax, [esp+84h+Key]
.text:667D81FF     push    offset off_6685F730     ; Base
.text:667D8204     push    eax                     ; Key
.text:667D8205     mov     [esp+8Ch+var_1], 0
.text:667D820D     call    esi ; bsearch
.text:667D820F     mov     edi, eax
.text:667D8211     add     esp, 20h
.text:667D8214     test    edi, edi
.text:667D8216     jz      loc_667D840C
```

Affected:
- Microsoft Visio 2007 SP2
- Microsoft Visio 2007 SP1
- Microsoft Visio 2003 SP3
- Microsoft Visio 2003 SP2

Vendor patch:

Microsoft has released a security bulletin (MS10-028) and the corresponding patch for this issue:

MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
Link: http://www.microsoft.com/technet/security/bulletin/MS10-028.mspx?pf=true

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:20104 |
last seen | 2017-11-19 |
modified | 2010-09-09 |
published | 2010-09-09 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-20104 |
title | Microsoft Office Visio DXF File Stack based Overflow |
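The before/after disassembly in the Seebug entry shows the whole fix: an unbounded `strcpy` of a DXF HEADER variable name into a stack buffer became a `strncpy` with a Count of 0x50, followed by a zero store (`mov [esp+8Ch+var_1], 0`), which reads as an explicit terminator for the buffer. The C below is an added illustration of that pattern, not code from the page, from VISIODWG.DLL or from any of the listed advisories. It assumes the destination is exactly 0x50 bytes (the page only shows the Count passed to strncpy), keeps the unbounded form solely for contrast, and exercises the important caveat: `strncpy` does not write a NUL when the source fills the buffer, so the trailing terminator store is what keeps later `bsearch`/string operations inside the frame. The HEADER fragment and the oversized variable name are constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Fixed stack buffer for the HEADER variable name. 0x50 is the Count pushed
 * to strncpy in the patched listing on this page; that the destination is
 * exactly 0x50 bytes is an assumption made for this example. */
#define KEY_BUF 0x50

/* Pre-patch pattern, kept only for contrast: no bound, so a variable name
 * longer than KEY_BUF overruns the stack frame. Not used on untrusted input. */
void copy_key_unbounded(char *dest, const char *src) {
    strcpy(dest, src);
}

/* Post-patch pattern: bounded copy plus an explicit terminator. strncpy leaves
 * dest unterminated when strlen(src) >= KEY_BUF, so the final byte is forced
 * to NUL regardless. Returns 1 if the key was truncated, 0 otherwise. */
int copy_key_bounded(char *dest, const char *src) {
    strncpy(dest, src, KEY_BUF);   /* dest must be KEY_BUF bytes */
    dest[KEY_BUF - 1] = '\0';      /* the patch's zero store */
    return strlen(src) >= KEY_BUF;
}

/* Constructed DXF HEADER fragments as (group code, value) pairs. Group code 9
 * introduces a header variable name such as "$ACADVER". */
static const char *SAMPLE_HEADER[] = {
    "  0", "SECTION",
    "  2", "HEADER",
    "  9", "$ACADVER",
    "  1", "AC1015",
    "  0", "ENDSEC",
    NULL
};

#define A16 "AAAAAAAAAAAAAAAA"
#define LONG_KEY "$" A16 A16 A16 A16 A16 A16   /* 97 bytes, exceeds KEY_BUF */

static const char *SAMPLE_HEADER_LONG[] = {
    "  0", "SECTION",
    "  2", "HEADER",
    "  9", LONG_KEY,
    "  1", "AC1015",
    "  0", "ENDSEC",
    NULL
};

/* Walk the pairs and count how many group-9 variable names had to be
 * truncated by the bounded copy. A non-zero count on a real file is a
 * useful signal that the input is malformed or hostile. */
int count_truncated_keys(const char **pairs) {
    int truncated = 0;
    for (int i = 0; pairs[i] != NULL && pairs[i + 1] != NULL; i += 2) {
        if (strcmp(pairs[i], "  9") == 0) {
            char key[KEY_BUF];
            truncated += copy_key_bounded(key, pairs[i + 1]);
        }
    }
    return truncated;
}

int main(void) {
    char key[KEY_BUF];
    int t = copy_key_bounded(key, LONG_KEY);
    printf("long key: truncated=%d, stored length=%zu\n", t, strlen(key));
    printf("well-formed header: %d truncated key(s)\n",
           count_truncated_keys(SAMPLE_HEADER));
    printf("oversized header:   %d truncated key(s)\n",
           count_truncated_keys(SAMPLE_HEADER_LONG));
    return 0;
}
```

The value of the explicit terminator is easy to see by deleting the `dest[KEY_BUF - 1] = '\0'` line: with the 97-byte key, `strncpy` fills all 0x50 bytes and `strlen(key)` then reads past the buffer, which is exactly the class of read that the later `bsearch` on the key would perform.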