Vulnerabilities > CVE-2010-3148 - Unspecified vulnerability in Microsoft Visio 2003

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
critical
nessus
exploit available

Summary

Untrusted search path vulnerability in Microsoft Visio 2003 SP3 allows local users to gain privileges via a Trojan horse mfc71enu.dll file in the current working directory, as demonstrated by a directory that contains a .vsd, .vdx, .vst, or .vtx file, aka "Microsoft Visio Insecure Library Loading Vulnerability."

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Exploit-Db

descriptionMicrosoft Visio 2003 DLL Hijacking Exploit (mfc71enu.dll). CVE-2010-3148. Local exploit for windows platform
fileexploits/windows/local/14744.c
idEDB-ID:14744
last seen2016-02-01
modified2010-08-25
platformwindows
port
published2010-08-25
reporterBeenu Arora
sourcehttps://www.exploit-db.com/download/14744/
titleMicrosoft Visio 2003 DLL Hijacking Exploit mfc71enu.dll
typelocal

Msbulletin

bulletin_idMS11-055
bulletin_url
date2011-07-12T00:00:00
impactRemote Code Execution
knowledgebase_id2560847
knowledgebase_url
severityImportant
titleVulnerability in Microsoft Visio Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS11-055.NASL
descriptionThe remote host contains a version of Microsoft Visio that is affected by an insecure library loading vulnerability. A remote attacker could exploit this by tricking a user into opening a specially crafted Microsoft Visio file, resulting in arbitrary code execution.
last seen2020-06-01
modified2020-06-02
plugin id55571
published2011-07-12
reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/55571
titleMS11-055: Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(55571);
  script_version("1.19");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2010-3148");
  script_bugtraq_id(42681);
  script_xref(name:"EDB-ID", value:"14744");
  script_xref(name:"IAVA", value:"2011-A-0098");
  script_xref(name:"MSFT", value:"MS11-055");
  script_xref(name:"Secunia", value:"45077");
  script_xref(name:"MSKB", value:"2493523");

  script_name(english:"MS11-055: Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847)");
  script_summary(english:"Checks version of Omfcu.dll");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote Windows host through
Visio.");
  script_set_attribute(attribute:"description", value:
"The remote host contains a version of Microsoft Visio that is
affected by an insecure library loading vulnerability.

A remote attacker could exploit this by tricking a user into opening a
specially crafted Microsoft Visio file, resulting in arbitrary code
execution.");

  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-055");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a patch for Visio 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/08/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/07/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visio");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("audit.inc");


get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS11-055';
kbs = make_list("2493523");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

installs = get_kb_list_or_exit("SMB/Office/Visio/*/VisioPath");

share = '';
kb = "2493523";
foreach install (keys(installs))
{
  version = install - 'SMB/Office/Visio/' - '/VisioPath';
  if (version =~ '^11\\.0')
  {
    path = installs[install];
    share = hotfix_path2share(path:path);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

    if (hotfix_is_vulnerable(path:path, file:"Visio11\Omfcu.dll", version:"11.0.8332.0", bulletin:bulletin, kb:kb))
    {
      set_kb_item(name:"SMB/Missing/" + bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
  }
}
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted2013-02-11T04:03:45.086-05:00
classvulnerability
contributors
  • nameSecPod Team
    organizationSecPod Technologies
  • nameDragos Prisaca
    organizationSymantec Corporation
  • nameShane Shaffer
    organizationG2, Inc.
definition_extensions
commentMicrosoft Office Visio 2003 is installed
ovaloval:org.mitre.oval:def:1450
descriptionUntrusted search path vulnerability in Microsoft Visio 2003 SP3 allows local users to gain privileges via a Trojan horse mfc71enu.dll file in the current working directory, as demonstrated by a directory that contains a .vsd, .vdx, .vst, or .vtx file, aka "Microsoft Visio Insecure Library Loading Vulnerability."
familywindows
idoval:org.mitre.oval:def:7122
statusaccepted
submitted2010-10-08T04:21:55
titleUntrusted search path vulnerability in Microsoft Visio 2003
version10

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 42681 CVE ID: CVE-2010-3148 Microsoft Visio是Windows 操作系统下运行的流程图软件,它现在是Microsoft Office软件的一个部分。 Microsoft Visio在实现上存在不安全库加载漏洞,远程攻击者可利用此漏洞控制受影响系统。 此漏洞源于以不安全的方式加载应用程序库(例如mfc71enu.dll和mfc71loc.dll),通过诱使用户打开位于远程WebDAV或SMB共享上的Microsoft Visio Stencil (".vss")文件,造成加载任意库。 Microsoft Visio 2003 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS11-055)以及相应补丁: MS11-055:Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847) 链接:http://www.microsoft.com/technet/security/bulletin/MS11-055.asp
idSSV:20717
last seen2017-11-19
modified2011-07-14
published2011-07-14
reporterRoot
titleMicrosoft Visio 2003 "mfc71enu.dll" DLL加载远程代码执行漏洞(MS11-055)