Vulnerabilities > CVE-2010-1883 - Numeric Errors vulnerability in Microsoft products


Summary

Integer overflow in the Embedded OpenType (EOT) Font Engine in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote attackers to execute arbitrary code via a crafted table in an embedded font, aka "Embedded OpenType Font Integer Overflow Vulnerability."

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_id: MS10-076
bulletin_url:
date: 2010-10-12T00:00:00
impact: Remote Code Execution
knowledgebase_id: 982132
knowledgebase_url:
severity: Critical
title: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS10-076.NASL
description: The remote Windows host contains a version of the Embedded OpenType (EOT) Font Engine that is affected by an integer overflow vulnerability when parsing certain tables within specially crafted files and content containing embedded fonts. If an attacker can trick a user on the affected system into viewing content rendered in a specially crafted EOT font, this issue could be leveraged to execute arbitrary code subject to the user's privileges.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 49953
published: 2010-10-13
reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/49953
title: MS10-076: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits (see the
# exit(0) at the end of this block); the actual host check starts after it.
if (description)
{
  script_id(49953);
  script_version("1.24");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  # Cross-references: CVE, BugTraq, IAVA, the Microsoft bulletin and the KB
  # article that the version checks below correspond to.
  script_cve_id("CVE-2010-1883");
  script_bugtraq_id(43775);
  script_xref(name:"IAVA", value:"2010-A-0135");
  script_xref(name:"MSFT", value:"MS10-076");
  script_xref(name:"MSKB", value:"982132");

  script_name(english:"MS10-076: Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132)");
  # The whole detection is a file-version comparison on T2embed.dll.
  script_summary(english:"Checks version of T2embed.dll");

  script_set_attribute(
    attribute:"synopsis",
    value:
"It is possible to execute arbitrary code on the remote Windows host
using the Embedded OpenType Font Engine."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Windows host contains a version of the Embedded OpenType
(EOT) Font Engine that is affected by an integer overflow
vulnerability when parsing certain tables within specially crafted
files and content containing embedded fonts.

If an attacker can trick a user on the affected system into viewing
content rendered in a specially crafted EOT font, this issue could be
leveraged to execute arbitrary code subject to the user's privileges."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-076");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, and 2008 R2."
  );
  # CVSSv2 base: network vector, medium complexity (user must view crafted
  # content), no authentication, complete C/I/A impact. Temporal vector and
  # the three exploit attributes record that working exploits exist and
  # that the flaw has been used by malware, which is what drives triage
  # priority for this finding.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  # Vulnerability and patch were published the same day (Patch Tuesday);
  # the plugin followed one day later.
  script_set_attribute(attribute:"vuln_publication_date", value:"2010/10/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/10/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/13");

  # "local" plugin: it inspects files on the host over SMB rather than
  # probing a network service.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  # Scheduling constraints: the two dependencies must have run first, the
  # "checks possible" KB key must exist, and SMB ports (or a patch-management
  # data source) must be available; otherwise the check below never runs.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Host check. Every step before the version comparison is a gate that
# exits with a specific audit reason, so the order below is deliberate.
# Presumably this key is written by ms_bulletin_checks_possible.nasl
# (a declared dependency) — confirm in that plugin.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS10-076';
kbs = make_list("982132");
# When a third-party patch-management source is available for the host,
# hand the bulletin/KB list to it. NOTE(review): whether this call exits
# the script on its own or falls through to the file check is not visible
# here — confirm in smb_hotfixes.inc.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Service-pack gate: XP SP3, 2003 SP2, Vista SP1/SP2 and Windows 7 RTM.
# NOTE(review): the CVE summary also names XP SP2, which is outside this
# range — such a host is reported as "OS SP not vulnerable" here rather
# than checked; presumably because the bulletin itself lists only the
# service packs still supported in October 2010. Server Core installs are
# excluded explicitly on the next line.
if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'1,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

# Locate %SystemRoot% and make sure the matching administrative share
# (e.g. C$) is reachable with the supplied credentials; without it the
# file version cannot be read.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

kb = "982132";
# Version table for T2embed.dll. Vista and Windows 7 have two entries each:
# the higher-numbered (.2xxxx) branch is matched only when min_version is
# reached, the other entry covers the lower branch. Presumably a file whose
# version is below the listed value on its branch is treated as unpatched.
# The checks are OR-ed, so evaluation stops at the first match.
# NOTE(review): only "\System32" is named; whether the helper also covers
# the 32-bit copy under SysWOW64 on x64 hosts is not visible here — confirm.
if (
  # Windows 7 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1",                   file:"T2embed.dll", version:"6.1.7600.20788", min_version:"6.1.7600.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1",                   file:"T2embed.dll", version:"6.1.7600.16663",                               dir:"\System32", bulletin:bulletin, kb:kb) ||

  # Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2,             file:"T2embed.dll", version:"6.0.6002.22475", min_version:"6.0.6002.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2,             file:"T2embed.dll", version:"6.0.6002.18301",                               dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1,             file:"T2embed.dll", version:"6.0.6001.22750", min_version:"6.0.6001.22000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1,             file:"T2embed.dll", version:"6.0.6001.18520",                               dir:"\System32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 and XP x64
  hotfix_is_vulnerable(os:"5.2", sp:2,             file:"T2embed.dll", version:"5.2.3790.4766",                                dir:"\System32", bulletin:bulletin, kb:kb) ||

  # Windows XP
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"T2embed.dll", version:"5.1.2600.6031",                                dir:"\System32", bulletin:bulletin, kb:kb)
)
{
  # Unpatched: record the missing bulletin in the KB (other plugins and
  # reports key on "SMB/Missing/<bulletin>") and raise the finding.
  set_kb_item(name:"SMB/Missing/MS10-076", value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Patched or not applicable: release the SMB session and audit as
  # not affected. Both branches call hotfix_check_fversion_end().
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted: 2012-03-26T04:03:32.762-04:00
class: vulnerability
contributors:
  • nameDragos Prisaca
    organizationSymantec Corporation
  • nameDragos Prisaca
    organizationSymantec Corporation
definition_extensions
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows XP x64 Edition SP2 is installed
    ovaloval:org.mitre.oval:def:4193
  • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
    ovaloval:org.mitre.oval:def:2161
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
    ovaloval:org.mitre.oval:def:1442
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Vista (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6124
  • commentMicrosoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5653
  • commentMicrosoft Windows Vista x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:5594
  • commentMicrosoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6216
  • commentMicrosoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:6150
  • commentMicrosoft Windows 7 (32-bit) is installed
    ovaloval:org.mitre.oval:def:6165
  • commentMicrosoft Windows 7 x64 Edition is installed
    ovaloval:org.mitre.oval:def:5950
  • commentMicrosoft Windows Server 2008 R2 x64 Edition is installed
    ovaloval:org.mitre.oval:def:6438
  • commentMicrosoft Windows Server 2008 R2 Itanium-Based Edition is installed
    ovaloval:org.mitre.oval:def:5954
description: Integer overflow in the Embedded OpenType (EOT) Font Engine in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote attackers to execute arbitrary code via a crafted table in an embedded font, aka "Embedded OpenType Font Integer Overflow Vulnerability."
family: windows
id: oval:org.mitre.oval:def:6881
status: accepted
submitted: 2010-10-12T13:00:00
title: Embedded OpenType Font Integer Overflow Vulnerability
version: 74

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 43775 CVE ID: CVE-2010-1883 Microsoft Windows是微软发布的非常流行的操作系统。 Windows的t2embed.dll库中在将嵌入式OpenType文件转换为TrueType格式时存在整数溢出漏洞。在解析hdmx记录时,盲目的信任了记录大小和记录计数变量,并将所生成的值在拷贝循环中使用,这可能导致执行任意代码。 Microsoft Windows XP SP3 Microsoft Windows XP Pro x64版SP2 Microsoft Windows Vista SP2 Microsoft Windows Vista SP1 Microsoft Windows Server 2008 SP2 Microsoft Windows Server 2008 R2 Microsoft Windows Server 2008 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows 7 临时解决方法: * 在Internet Explorer中禁止解析嵌入式字体。 * 拒绝对T2EMBED.DLL的访问。 Windows XP和Windows Server 2003: 对于32位系统,在管理命令提示符后面以下命令: Echo y| cacls "%windir%\system32\t2embed.dll" /E /P everyone:N 对于64位系统,在管理命令提示符后面以下命令: Echo y| cacls "%windir%\syswow64\t2embed.dll" /E /P everyone:N Windows Vista和Windows Server 2008: 对于32位系统,在管理命令提示符后面以下命令: Takeown.exe /f "%windir%\system32\t2embed.dll" cacls.exe "%windir%\system32\t2embed.dll" /E /P everyone:N 对于64位系统,在管理命令提示符后面以下命令: Takeown.exe /f "%windir%\syswow64\t2embed.dll" cacls.exe "%windir%\syswow64\t2embed.dll" /E /P everyone:N 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS10-076)以及相应补丁: MS10-076:Vulnerability in the Embedded OpenType Font Engine Could Allow Remote Code Execution (982132) 链接:http://www.microsoft.com/technet/security/bulletin/MS10-076.mspx?pf=true
id: SSV:20174
last seen: 2017-11-19
modified: 2010-10-15
published: 2010-10-15
reporter: Root
title: Microsoft Windows嵌入式OpenType字体引擎整数溢出漏洞(MS10-076)