CVE-2010-2573 - Numeric Errors vulnerability in Microsoft Office, Powerpoint and Powerpoint Viewer
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |

Summary
Integer underflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3, PowerPoint Viewer SP2, and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint Integer Underflow Causes Heap Corruption Vulnerability."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Common Weakness Enumeration (CWE)
Msbulletin
bulletin_id | bulletin_url | date | impact | knowledgebase_id | knowledgebase_url | severity | title |
---|---|---|---|---|---|---|---|
MS10-088 | | 2010-11-09T00:00:00 | Remote Code Execution | 2293386 | | Important | Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution |
MS10-087 | | 2010-11-09T00:00:00 | Remote Code Execution | 2423930 | | Critical | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution |
Nessus
- NASL family: Windows : Microsoft Bulletins
- NASL id: SMB_NT_MS10-087.NASL
- description: The remote Windows host is running a version of Microsoft Office that is affected by several vulnerabilities :
  - An integer underflow exists in the way the application parses the PowerPoint file format, which could lead to heap corruption and allow for arbitrary code execution when opening a specially crafted PowerPoint file. (CVE-2010-2573)
  - A stack-based buffer overflow can be triggered when parsing specially crafted RTF files, leading to arbitrary code execution. (CVE-2010-3333)
  - A memory corruption vulnerability exists in the way the application parses specially crafted Office files containing Office Art Drawing records. (CVE-2010-3334)
  - A memory corruption vulnerability exists in the way drawing exceptions are handled when opening specially crafted Office files. (CVE-2010-3335)
  - A memory corruption vulnerability exists in the way the application parses specially crafted Office files. (CVE-2010-3336)
  - A DLL preloading (aka binary planting) vulnerability exists because the application insecurely looks in its current working directory when resolving DLL dependencies. (CVE-2010-3337)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 50528
- published: 2010-11-09
- reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/50528
- title: MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(50528);
  script_version("1.33");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id(
    "CVE-2010-2573",
    "CVE-2010-3333",
    "CVE-2010-3334",
    "CVE-2010-3335",
    "CVE-2010-3336",
    "CVE-2010-3337"
  );
  script_bugtraq_id(
    42628,
    44628,
    44652,
    44656,
    44659,
    44660
  );
  script_xref(name:"EDB-ID", value:"17474");
  script_xref(name:"MSFT", value:"MS10-087");
  script_xref(name:"MSKB", value:"2289158");
  script_xref(name:"MSKB", value:"2289161");
  script_xref(name:"MSKB", value:"2289169");
  script_xref(name:"MSKB", value:"2289187");

  script_name(english:"MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)");
  script_summary(english:"Checks version of mso.dll");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Microsoft Office.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is running a version of Microsoft Office that is affected by several vulnerabilities :

  - An integer underflow exists in the way the application parses the PowerPoint file format, which could lead to heap corruption and allow for arbitrary code execution when opening a specially crafted PowerPoint file. (CVE-2010-2573)

  - A stack-based buffer overflow can be triggered when parsing specially crafted RTF files, leading to arbitrary code execution. (CVE-2010-3333)

  - A memory corruption vulnerability exists in the way the application parses specially crafted Office files containing Office Art Drawing records. (CVE-2010-3334)

  - A memory corruption vulnerability exists in the way drawing exceptions are handled when opening specially crafted Office files. (CVE-2010-3335)

  - A memory corruption vulnerability exists in the way the application parses specially crafted Office files. (CVE-2010-3336)

  - A DLL preloading (aka binary planting) vulnerability exists because the application insecurely looks in its current working directory when resolving DLL dependencies. (CVE-2010-3337)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-087");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Office XP, 2003, 2007, and 2010.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/07/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS10-087';
kbs = make_list("2289158", "2289161", "2289169", "2289187");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

arch = get_kb_item_or_exit("SMB/ARCH");
office_vers = hotfix_check_office_version();
if (!is_accessible_share()) exit(1, "is_accessible_share() failed.");

vuln = FALSE;
x86_path = hotfix_get_commonfilesdir();
if (!x86_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Common Files');
x64_path = hotfix_get_programfilesdirx86();
if (arch == 'x64' && !x64_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Program Files (x86)');

# Office 2010
if (office_vers["14.0"])
{
  if (
    hotfix_is_vulnerable(file:"Mso.dll", version:"14.0.5128.5000", min_version:'14.0.0.0', path:x86_path+"\Microsoft Shared\Office14", bulletin:bulletin, kb:"2289161") ||
    hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"14.0.5128.5000", min_version:'14.0.0.0', path:x64_path+"\Common Files\Microsoft Shared\Office14", bulletin:bulletin, kb:"2289161")
  ) vuln = TRUE;
}

# Office 2007
if (office_vers["12.0"])
{
  sp = get_kb_item("SMB/Office/2007/SP");
  if (!isnull(sp) && sp == 2)
  {
    if (
      hotfix_is_vulnerable(file:"Mso.dll", version:"12.0.6545.5004", min_version:'12.0.0.0', path:x86_path+"\Microsoft Shared\Office12", bulletin:bulletin, kb:"2289158") ||
      hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"12.0.6545.5004", min_version:'12.0.0.0', path:x64_path+"\Common Files\Microsoft Shared\Office12", bulletin:bulletin, kb:"2289158")
    ) vuln = TRUE;
  }
}

# Office 2003
if (office_vers["11.0"])
{
  sp = get_kb_item("SMB/Office/2003/SP");
  if (!isnull(sp) && sp == 3)
  {
    if (
      hotfix_is_vulnerable(file:"Mso.dll", version:"11.0.8329.0", min_version:'11.0.0.0', path:x86_path+"\Microsoft Shared\Office11", bulletin:bulletin, kb:"2289187") ||
      hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"11.0.8329.0", min_version:'11.0.0.0', path:x64_path+"\Common Files\Microsoft Shared\Office11", bulletin:bulletin, kb:"2289187")
    ) vuln = TRUE;
  }
}

# Office XP
if (office_vers["10.0"])
{
  sp = get_kb_item("SMB/Office/XP/SP");
  if (!isnull(sp) && sp == 3)
  {
    if (
      hotfix_is_vulnerable(file:"Mso.dll", version:"10.0.6867.0", path:x86_path+"\Microsoft Shared\Office10", bulletin:bulletin, kb:"2289169") ||
      hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"10.0.6867.0", path:x64_path+"\Common Files\Microsoft Shared\Office10", bulletin:bulletin, kb:"2289169")
    ) vuln = TRUE;
  }
}

if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
- NASL family: Windows : Microsoft Bulletins
- NASL id: SMB_NT_MS10-088.NASL
- description: The remote Windows host is running a version of Microsoft PowerPoint that is affected by several vulnerabilities :
  - A buffer overflow exists in the way the application parses the PowerPoint file format, which can be abused to execute arbitrary code if an attacker can trick a user into opening a specially crafted PowerPoint 95 file using the affected application. Note that by default opening of such files is blocked in Microsoft PowerPoint 2003 Service Pack 3. (CVE-2010-2572)
  - An integer underflow exists in the way the application parses the PowerPoint file format, which could lead to heap corruption and allow for arbitrary code execution when opening a specially crafted PowerPoint file. (CVE-2010-2573)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 50529
- published: 2010-11-09
- reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/50529
- title: MS10-088: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(50529);
  script_version("1.28");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2010-2572", "CVE-2010-2573");
  script_bugtraq_id(44626, 44628);
  script_xref(name:"MSFT", value:"MS10-088");
  script_xref(name:"MSKB", value:"2413272");
  script_xref(name:"MSKB", value:"2413304");
  script_xref(name:"MSKB", value:"2413381");

  script_name(english:"MS10-088: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)");
  script_summary(english:"Checks version of Pp7x32.dll, PowerPoint, or PowerPoint Viewer");

  script_set_attribute(
    attribute:"synopsis",
    value:
"Arbitrary code can be executed on the remote host through Microsoft PowerPoint."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Windows host is running a version of Microsoft PowerPoint that is affected by several vulnerabilities :

  - A buffer overflow exists in the way the application parses the PowerPoint file format, which can be abused to execute arbitrary code if an attacker can trick a user into opening a specially crafted PowerPoint 95 file using the affected application. Note that by default opening of such files is blocked in Microsoft PowerPoint 2003 Service Pack 3. (CVE-2010-2572)

  - An integer underflow exists in the way the application parses the PowerPoint file format, which could lead to heap corruption and allow for arbitrary code execution when opening a specially crafted PowerPoint file. (CVE-2010-2573)"
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-088");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for PowerPoint 2002 and 2003 as well as PowerPoint Viewer 2007."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint_viewer");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("audit.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS10-088';
kbs = make_list("2413272", "2413304", "2413381");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

vuln = FALSE;
installs = get_kb_list("SMB/Office/PowerPoint/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/PowerPoint/' - '/ProductPath';
    path = installs[install];

    ver = split(version, sep:'.', keep:FALSE);
    for (i=0; i<max_index(ver); i++)
      ver[i] = int(ver[i]);

    if (isnull(path)) path = "n/a";
    else path = ereg_replace(pattern:'^(.+)\\\\[^\\\\]+\\.exe$', replace:"\1", string:path, icase:TRUE);

    if (ver[0] == 11 || ver[0] == 10)
    {
      # PowerPoint 2003.
      if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8324)
      {
        office_sp = get_kb_item("SMB/Office/2003/SP");
        if (!isnull(office_sp) && office_sp == 3)
        {
          info =
            '\n Product : PowerPoint 2003' +
            '\n Path : ' + path +
            '\n Installed version : ' + version +
            '\n Fixed version : 11.0.8324.0\n';
          hotfix_add_report(info, bulletin:bulletin, kb:"2413304");
          vuln = TRUE;
        }
      }
      # PowerPoint 2002.
      else if (ver[0] == 10 && ver[1] == 0 && ver[2] <= 6858)
      {
        office_sp = get_kb_item("SMB/Office/XP/SP");
        if (!isnull(office_sp) && office_sp == 3)
        {
          if (path != 'n/a')
          {
            if (hotfix_is_vulnerable(file:"Pp7x32.dll", version:"10.0.6867.0", min_version:'10.0.0.0', path:path, dir:"Xlators", bulletin:bulletin, kb:"2413272")) vuln = TRUE;
          }
        }
      }
    }
  }
}

# PowerPoint Viewer.
installs = get_kb_list("SMB/Office/PowerPointViewer/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/PowerPointViewer/' - '/ProductPath';
    path = installs[install];
    if (isnull(path)) path = "n/a";
    else path = ereg_replace(pattern:'^(.+)\\\\[^\\\\]+\\.exe$', replace:"\1", string:path, icase:TRUE);

    ver = split(version, sep:'.', keep:FALSE);
    for (i=0; i<max_index(ver); i++)
      ver[i] = int(ver[i]);

    # PowerPoint Viewer 2007.
    if (
      ver[0] == 12 && ver[1] == 0 &&
      (
        ver[2] < 6545 ||
        (ver[2] == 6545 && ver[3] < 5004)
      )
    )
    {
      info =
        '\n Product : PowerPoint Viewer 2007' +
        '\n Path : ' + path +
        '\n Installed version : ' + version +
        '\n Fixed version : 12.0.6545.5004\n';
      hotfix_add_report(info, bulletin:bulletin, kb:"2413381");
      vuln = TRUE;
      break;
    }
  }
}

if (vuln)
{
  set_kb_item(name:"SMB/Missing/MS10-088", value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
Oval
accepted | 2012-05-28T04:00:14.127-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Integer underflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3, PowerPoint Viewer SP2, and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint Integer Underflow Causes Heap Corruption Vulnerability." |
family | windows |
id | oval:org.mitre.oval:def:12122 |
status | accepted |
submitted | 2010-02-08T13:00:00 |
title | PowerPoint Integer Underflow Causes Heap Corruption Vulnerability |
version | 8 |
Seebug
bulletinFamily | exploit |
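description | BUGTRAQ ID: 44628. CVE ID: CVE-2010-2573. Microsoft PowerPoint is the presentation tool in the Microsoft Office suite. When parsing a PPT file, PowerPoint incorrectly trusts a value defined in the file, performs some arithmetic on that value, and then uses the result as a loop counter. By modifying this value, an attacker can trigger an integer underflow that ultimately leads to a heap overflow. An attacker who successfully exploits this vulnerability can take complete control of the affected system. Microsoft Office 2004 for Mac; Microsoft PowerPoint Viewer 2007 SP2; Microsoft PowerPoint 2003 SP3; Microsoft PowerPoint 2002 SP3. Workarounds: * Use the Microsoft Office File Block policy to prevent opening Office 2003 and earlier documents from unknown or untrusted sources. * Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources. * Do not open PowerPoint files received from untrusted sources or received unexpectedly from trusted sources. Vendor patch: Microsoft has released a security bulletin (MS10-088) and corresponding patches for this issue: MS10-088: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386). Link: http://www.microsoft.com/technet/security/bulletin/MS10-088.mspx?pf=true |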
id | SSV:20251 |
last seen | 2017-11-19 |
modified | 2010-11-17 |
published | 2010-11-17 |
reporter | Root |
title | Microsoft Office PowerPoint PPT Parsing Heap Overflow Vulnerability (MS10-088) |
References
- http://www.us-cert.gov/cas/techalerts/TA10-313A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-088
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12122