CVE-2010-1681 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Microsoft Visio 2002/2003/2007

CVSS 7.6 - HIGH
  Attack vector: NETWORK
  Attack complexity: HIGH
  Privileges required: NONE
  Confidentiality impact: COMPLETE
  Integrity impact: COMPLETE
  Availability impact: COMPLETE

Tags: network, high complexity, microsoft, CWE-119, nessus, exploit available, metasploit

Summary

Buffer overflow in VISIODWG.DLL before 10.0.6880.4 in Microsoft Office Visio allows user-assisted remote attackers to execute arbitrary code via a crafted DXF file, a different vulnerability than CVE-2010-0254 and CVE-2010-0256.

Vulnerable Configurations

Part          Description   Count
Application   Microsoft     4

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

  • description: MOAUB #8 - Microsoft Office Visio DXF File Stack based Overflow. Local exploit for windows platform
    file: exploits/windows/local/14944.py
    id: EDB-ID:14944
    last seen: 2016-02-01
    modified: 2010-09-08
    platform: windows
    port:
    published: 2010-09-08
    reporter: Abysssec
    source: https://www.exploit-db.com/download/14944/
    title: Microsoft Office Visio - .DXF File Stack based Overflow
    type: local
  • description: Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability. CVE-2010-1681. Local exploit for windows platform
    id: EDB-ID:17451
    last seen: 2016-02-02
    modified: 2011-06-26
    published: 2011-06-26
    reporter: metasploit
    source: https://www.exploit-db.com/download/17451/
    title: Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability

Metasploit

description: This module exploits a stack based overflow vulnerability in the handling of the DXF files by Microsoft Visio 2002. Revisions prior to the release of the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application is used to import a specially crafted DXF file, while parsing the HEADER section of the DXF file. To trigger the vulnerability an attacker must convince someone to insert a specially crafted DXF file to a new document, go to 'Insert' -> 'CAD Drawing'
id: MSF:EXPLOIT/WINDOWS/FILEFORMAT/VISIO_DXF_BOF
last seen: 2020-06-14
modified: 1976-01-01
published: 1976-01-01
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/visio_dxf_bof.rb
title: Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS10-028.NASL
description: The remote host contains a version of Microsoft Visio that is affected by multiple memory corruption vulnerabilities. A remote attacker could exploit this by tricking a user into opening a specially crafted Visio file, resulting in arbitrary code execution.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 45515
published: 2010-04-13
reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/45515
title: MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)

Packetstorm

Saint

bid: 39836
description: Microsoft Visio DXF file insertion buffer overflow
id: win_patch_visio2002vislib
title: ms_visio_dxf
type: client

Seebug

  • bulletinFamily: exploit
    description: BUGTRAQ ID: 39836. CVE ID: CVE-2010-1681. Visio is the diagramming tool in the Microsoft Office suite. The VISIODWG.DLL library used by Visio contains a buffer overflow vulnerability, caused by an unsafe strcpy call at offset 74ef in the library. The vulnerable library is loaded when a DXF file is inserted into a Visio document (by drag and drop, or by choosing "Insert -> CAD Drawing" from the menu bar). An attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the user running Visio. Microsoft fixed this vulnerability in the patch shipped with bulletin MS10-028 by replacing the vulnerable call with a strncpy call at offset 81e7, but the bulletin does not mention this vulnerability.

    Before the patch:

      .text:667D74E2 loc_667D74E2:
      .text:667D74E2 mov ecx, [edi+2428h]
      .text:667D74E8 mov edx, [esp+6Ch+Key]
      .text:667D74EC inc ecx
      .text:667D74ED push ecx ; Source
      .text:667D74EE push edx ; Dest
      .text:667D74EF call strcpy
      .text:667D74F4 mov esi, ds:bsearch
      .text:667D74FA push offset sub_667D7400 ; PtFuncCompare
      .text:667D74FF push 0Ch ; ElementSize
      .text:667D7501 push 0D5h ; NumOfElements
      .text:667D7506 lea eax, [esp+80h+Key]
      .text:667D750A push offset off_6685E730 ; Base
      .text:667D750F push eax ; Key
      .text:667D7510 call esi ; bsearch
      .text:667D7512 mov edi, eax
      .text:667D7514 add esp, 1Ch
      .text:667D7517 test edi, edi
      .text:667D7519 jz loc_667D770F

    After the patch:

      .text:667D81D2 loc_667D81D2:
      .text:667D81D2 mov ecx, [edi+2430h]
      .text:667D81D8 mov edx, [esp+6Ch+Key]
      .text:667D81DC mov ebx, ds:strncpy
      .text:667D81E2 inc ecx
      .text:667D81E3 push 50h ; Count <-- MAX LENGTH
      .text:667D81E5 push ecx ; Source
      .text:667D81E6 push edx ; Dest
      .text:667D81E7 call ebx ; strncpy
      .text:667D81E9 mov esi, ds:bsearch
      .text:667D81EF push offset sub_667D80F0 ; PtFuncCompare
      .text:667D81F4 push 0Ch ; ElementSize
      .text:667D81F6 push 0D5h ; NumOfElements
      .text:667D81FB lea eax, [esp+84h+Key]
      .text:667D81FF push offset off_6685F730 ; Base
      .text:667D8204 push eax ; Key
      .text:667D8205 mov [esp+8Ch+var_1], 0
      .text:667D820D call esi ; bsearch
      .text:667D820F mov edi, eax
      .text:667D8211 add esp, 20h
      .text:667D8214 test edi, edi
      .text:667D8216 jz loc_667D840C

    Affected: Microsoft Visio 2007 SP2, Microsoft Visio 2007 SP1, Microsoft Visio 2003 SP3, Microsoft Visio 2003 SP2

    Vendor patch: Microsoft has released a security bulletin (MS10-028) and the corresponding patch:
    MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
    Link: http://www.microsoft.com/technet/security/bulletin/MS10-028.mspx?pf=true
    id: SSV:19558
    last seen: 2017-11-19
    modified: 2010-05-06
    published: 2010-05-06
    reporter: Root
    title: Microsoft Visio VISIODWG.DLL Library Buffer Overflow Vulnerability (MS10-028)
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:20104
    last seen: 2017-11-19
    modified: 2010-09-09
    published: 2010-09-09
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-20104
    title: Microsoft Office Visio DXF File Stack based Overflow