Vulnerabilities > CVE-2010-3333 - Buffer Errors vulnerability in Microsoft Office and Open XML File Format Converter
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 8 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
description Microsoft Office 2010 Download Execute. CVE-2010-3333. Remote exploit for windows platform id EDB-ID:24526 last seen 2016-02-02 modified 2013-02-20 published 2013-02-20 reporter g11tch source https://www.exploit-db.com/download/24526/ title Microsoft Office 2010 Download Execute description Microsoft Office 2010 - RTF Header Stack Overflow Vulnerability Exploit. CVE-2010-3333. Local exploit for windows platform id EDB-ID:17474 last seen 2016-02-02 modified 2011-07-03 published 2011-07-03 reporter Snake source https://www.exploit-db.com/download/17474/ title Microsoft Office 2010 - RTF Header Stack Overflow Vulnerability Exploit description Microsoft Word RTF pFragments Stack Buffer Overflow (File Format). CVE-2010-3333. Local exploit for windows platform id EDB-ID:16686 last seen 2016-02-02 modified 2011-03-04 published 2011-03-04 reporter metasploit source https://www.exploit-db.com/download/16686/ title Microsoft Word RTF pFragments Stack Buffer Overflow File Format description Microsoft Office 2003 Home/Pro - Code Execution (0day). CVE-2010-3333. Local exploit for windows platform id EDB-ID:18334 last seen 2016-02-02 modified 2012-01-08 published 2012-01-08 reporter b33f & g11tch source https://www.exploit-db.com/download/18334/ title Microsoft Office 2003 Home/Pro - Code Execution 0day
Metasploit
| description | This module exploits a stack-based buffer overflow in the handling of the 'pFragments' shape property within the Microsoft Word RTF parser. All versions of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the MS10-087 bulletin are vulnerable. This module does not attempt to exploit the vulnerability via Microsoft Outlook. The Microsoft Word RTF parser was only used by default in versions of Microsoft Word itself prior to Office 2007. With the release of Office 2007, Microsoft began using the Word RTF parser, by default, to handle rich-text messages within Outlook as well. It was possible to configure Outlook 2003 and earlier to use the Microsoft Word engine too, but it was not a default setting. It appears as though Microsoft Office 2000 is not vulnerable. It is unlikely that Microsoft will confirm or deny this since Office 2000 has reached its support cycle end-of-life. |
| id | MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS10_087_RTF_PFRAGMENTS_BOF |
| last seen | 2020-06-14 |
| modified | 2017-07-24 |
| published | 2010-12-29 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb |
| title | MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format) |
Msbulletin
| bulletin_id | MS10-087 |
| bulletin_url | |
| date | 2010-11-09T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 2423930 |
| knowledgebase_url | |
| severity | Critical |
| title | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS10-087.NASL description The remote Windows host is running a version of Microsoft Office that is affected by several vulnerabilities : - An integer underflow exists in the way the application parses the PowerPoint file format, which could lead to heap corruption and allow for arbitrary code execution when opening a specially crafted PowerPoint file. (CVE-2010-2573) - A stack-based buffer overflow can be triggered when parsing specially crafted RTF files, leading to arbitrary code execution. (CVE-2010-3333) - A memory corruption vulnerability exists in the way the application parses specially crafted Office files containing Office Art Drawing records. (CVE-2010-3334) - A memory corruption vulnerability exists in the way drawing exceptions are handled when opening specially crafted Office files. (CVE-2010-3335) - A memory corruption vulnerability exists in the way the application parses specially crafted Office files. (CVE-2010-3336) - A DLL preloading (aka binary planting) vulnerability exists because the application insecurely looks in its current working directory when resolving DLL dependencies. (CVE-2010-3337) last seen 2020-06-01 modified 2020-06-02 plugin id 50528 published 2010-11-09 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50528 title MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(50528); script_version("1.33"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id( "CVE-2010-2573", "CVE-2010-3333", "CVE-2010-3334", "CVE-2010-3335", "CVE-2010-3336", "CVE-2010-3337" ); script_bugtraq_id( 42628, 44628, 44652, 44656, 44659, 44660 ); script_xref(name:"EDB-ID", value:"17474"); script_xref(name:"MSFT", value:"MS10-087"); script_xref(name:"MSKB", value:"2289158"); script_xref(name:"MSKB", value:"2289161"); script_xref(name:"MSKB", value:"2289169"); script_xref(name:"MSKB", value:"2289187"); script_name(english:"MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)"); script_summary(english:"Checks version of mso.dll"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through Microsoft Office."); script_set_attribute(attribute:"description", value: "The remote Windows host is running a version of Microsoft Office that is affected by several vulnerabilities : - An integer underflow exists in the way the application parses the PowerPoint file format, which could lead to heap corruption and allow for arbitrary code execution when opening a specially crafted PowerPoint file. (CVE-2010-2573) - A stack-based buffer overflow can be triggered when parsing specially crafted RTF files, leading to arbitrary code execution. (CVE-2010-3333) - A memory corruption vulnerability exists in the way the application parses specially crafted Office files containing Office Art Drawing records. (CVE-2010-3334) - A memory corruption vulnerability exists in the way drawing exceptions are handled when opening specially crafted Office files. (CVE-2010-3335) - A memory corruption vulnerability exists in the way the application parses specially crafted Office files. (CVE-2010-3336) - A DLL preloading (aka binary planting) vulnerability exists because the application insecurely looks in its current working directory when resolving DLL dependencies. (CVE-2010-3337)"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-087"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Office XP, 2003, 2007, and 2010."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/07/03"); script_set_attribute(attribute:"patch_publication_date", value:"2010/11/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/09"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS10-087'; kbs = make_list("2289158", "2289161", "2289169", "2289187"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); arch = get_kb_item_or_exit("SMB/ARCH"); office_vers = hotfix_check_office_version(); if (!is_accessible_share()) exit(1, "is_accessible_share() failed."); vuln = FALSE; x86_path = hotfix_get_commonfilesdir(); if (!x86_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Common Files'); x64_path = hotfix_get_programfilesdirx86(); if (arch == 'x64' && !x64_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Program Files (x86)'); # Office 2010 if (office_vers["14.0"]) { if ( hotfix_is_vulnerable(file:"Mso.dll", version:"14.0.5128.5000", min_version:'14.0.0.0', path:x86_path+"\Microsoft Shared\Office14", bulletin:bulletin, kb:"2289161") || hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"14.0.5128.5000", min_version:'14.0.0.0', path:x64_path+"\Common Files\Microsoft Shared\Office14", bulletin:bulletin, kb:"2289161") ) vuln = TRUE; } # Office 2007 if (office_vers["12.0"]) { sp = get_kb_item("SMB/Office/2007/SP"); if (!isnull(sp) && sp == 2) { if ( hotfix_is_vulnerable(file:"Mso.dll", version:"12.0.6545.5004", min_version:'12.0.0.0', path:x86_path+"\Microsoft Shared\Office12", bulletin:bulletin, kb:"2289158") || hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"12.0.6545.5004", min_version:'12.0.0.0', path:x64_path+"\Common Files\Microsoft Shared\Office12", bulletin:bulletin, kb:"2289158") ) vuln = TRUE; } } # Office 2003 if (office_vers["11.0"]) { sp = get_kb_item("SMB/Office/2003/SP"); if (!isnull(sp) && sp == 3) { if ( hotfix_is_vulnerable(file:"Mso.dll", version:"11.0.8329.0", min_version:'11.0.0.0', path:x86_path+"\Microsoft Shared\Office11", bulletin:bulletin, kb:"2289187") || hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"11.0.8329.0", min_version:'11.0.0.0', path:x64_path+"\Common Files\Microsoft Shared\Office11", bulletin:bulletin, kb:"2289187") ) vuln = TRUE; } } # Office XP if (office_vers["10.0"]) { sp = get_kb_item("SMB/Office/XP/SP"); if (!isnull(sp) && sp == 3) { if ( hotfix_is_vulnerable(file:"Mso.dll", version:"10.0.6867.0", path:x86_path+"\Microsoft Shared\Office10", bulletin:bulletin, kb:"2289169") || hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"10.0.6867.0", path:x64_path+"\Common Files\Microsoft Shared\Office10", bulletin:bulletin, kb:"2289169") ) vuln = TRUE; } } if (vuln) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family MacOS X Local Security Checks NASL id MACOSX_MS_OFFICE_NOV2010.NASL description The remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted Office file, these issues could be leveraged to execute arbitrary code subject to the user last seen 2019-10-28 modified 2010-11-09 plugin id 50531 published 2010-11-09 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50531 title MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930) (Mac OS X) code #TRUSTED 6fe6d9efe68623d935ecc4a7233b89f64cc311f5ad9a289450d519f04c6746333e83264e25e23dba892113fe1203dd73b684bc8b0368f3a09f36f53c9f1980b707bb35bf39cd930a42b782f1ad1e3d020547a8f9538a77e7df33ab8345643166cc78a022d119066c13d0c91cc0634d022829da7129bb963d6fe3b1e3f8cd3e50177c76ddc09fabd79d35d5104700010e40ce8c40f80fa167752673454544bd72d193b6b2daa32ce9658b80c61a74303657fc33605052ced2e07964bb4423126eea8d155ff25dde40a8daf04dca3d57d6beb7aade341495ac7341a92fe1e1586371b9828e2731f44a7e5e45ba6a6267a6299224f17e7abda039896a464a02f0ac2c0f36d3318923db23522147e8e977bde035becde0eac1a0b648cda7f047b0caeabde2d66edbcbb0c31501525028b952827f47e5dbeba2060e7b341bcc36ef1b7d4327db9fa9533507a52f072d36a0c6783424e694cc355e39663d20702a8562116e1de81d0e2144245250e0d87b02f759a00e576f4409605acdc9df056cc236a19459f5135836a21cd094c5f00af2c37dbd45a66b45d798354e1a6bf3b75d1377fccf09d2aaa2bd7459f6d54c48127dd49d0023571d7df589204826fea2dfe7446dff279d95ab169aad51b8d4c567bff8f8d4ec36e204e0d5e947f26ee6085b231c4d33d7b140f1d4fda20c76c0f570665f7e8733bb3c0c1ab93bd176680ee7 # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(50531); script_version("1.22"); script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14"); script_cve_id( "CVE-2010-3333", "CVE-2010-3334", "CVE-2010-3335", "CVE-2010-3336" ); script_bugtraq_id(44652, 44656, 44659, 44660); script_xref(name:"MSFT", value:"MS10-087"); script_xref(name:"MSKB", value:"2423930"); script_xref(name:"MSKB", value:"2454823"); script_xref(name:"MSKB", value:"2476511"); script_xref(name:"MSKB", value:"2476512"); script_name(english:"MS10-087: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930) (Mac OS X)"); script_summary(english:"Check version of Microsoft Office"); script_set_attribute(attribute:"synopsis", value: "An application installed on the remote Mac OS X host is affected by multiple remote code execution vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted Office file, these issues could be leveraged to execute arbitrary code subject to the user's privileges."); script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms10-087"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Office for Mac 2011, Office 2008 for Mac, and Open XML File Format Converter for Mac."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS10-087 Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/09"); script_set_attribute(attribute:"patch_publication_date", value:"2010/11/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/11/09"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2008::mac"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2011::mac"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:open_xml_file_format_converter:::mac"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/MacOSX/packages", "Host/uname"); exit(0); } include("misc_func.inc"); include("ssh_func.inc"); include("macosx_func.inc"); if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS) enable_ssh_wrappers(); else disable_ssh_wrappers(); function exec(cmd) { local_var buf, ret; if (islocalhost()) buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd)); else { ret = ssh_open_connection(); if (!ret) exit(1, "ssh_open_connection() failed."); buf = ssh_cmd(cmd:cmd); ssh_close_connection(); } return buf; } packages = get_kb_item("Host/MacOSX/packages"); if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing."); uname = get_kb_item("Host/uname"); if (!uname) exit(1, "The 'Host/uname' KB item is missing."); if (!egrep(pattern:"Darwin.*", string:uname)) exit(1, "The host does not appear to be using the Darwin sub-system."); # Gather version info. info = ''; installs = make_array(); prod = 'Office for Mac 2011'; plist = "/Applications/Microsoft Office 2011/Office/MicrosoftComponentPlugin.framework/Versions/14/Resources/Info.plist"; cmd = 'cat \'' + plist + '\' | ' + 'grep -A 1 CFBundleShortVersionString | ' + 'tail -n 1 | ' + 'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\''; version = exec(cmd:cmd); if (version && version =~ "^[0-9]+\.") { version = chomp(version); if (version !~ "^14\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'."); installs[prod] = version; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); fixed_version = '14.0.1'; fix = split(fixed_version, sep:'.', keep:FALSE); for (i=0; i<max_index(fix); i++) fix[i] = int(fix[i]); for (i=0; i<max_index(fix); i++) if ((ver[i] < fix[i])) { info += '\n Product : ' + prod + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; break; } else if (ver[i] > fix[i]) break; } prod = 'Office 2008 for Mac'; plist = "/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist"; cmd = 'cat \'' + plist + '\' | ' + 'grep -A 1 CFBundleShortVersionString | ' + 'tail -n 1 | ' + 'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\''; version = exec(cmd:cmd); if (version && version =~ "^[0-9]+\.") { version = chomp(version); if (version !~ "^12\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'."); installs[prod] = version; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); fixed_version = '12.2.8'; fix = split(fixed_version, sep:'.', keep:FALSE); for (i=0; i<max_index(fix); i++) fix[i] = int(fix[i]); for (i=0; i<max_index(fix); i++) if ((ver[i] < fix[i])) { info += '\n Product : ' + prod + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; break; } else if (ver[i] > fix[i]) break; } prod = 'Open XML File Format Converter for Mac'; plist = "/Applications/Open XML Converter.app/Contents/Info.plist"; cmd = 'cat \'' + plist + '\' | ' + 'grep -A 1 CFBundleShortVersionString | ' + 'tail -n 1 | ' + 'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\''; version = exec(cmd:cmd); if (version && version =~ "^[0-9]+\.") { version = chomp(version); installs[prod] = version; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); fixed_version = '1.1.8'; fix = split(fixed_version, sep:'.', keep:FALSE); for (i=0; i<max_index(fix); i++) fix[i] = int(fix[i]); for (i=0; i<max_index(fix); i++) if ((ver[i] < fix[i])) { info += '\n Product : ' + prod + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; break; } else if (ver[i] > fix[i]) break; } # Report findings. if (info) { gs_opt = get_kb_item("global_settings/report_verbosity"); if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info); else security_hole(0); exit(0); } else { if (max_index(keys(installs)) == 0) exit(0, "Office for Mac / Open XML File Format Converter is not installed."); else { msg = 'The host has '; foreach prod (sort(keys(installs))) msg += prod + ' ' + installs[prod] + ' and '; msg = substr(msg, 0, strlen(msg)-1-strlen(' and ')); msg += ' installed and thus is not affected.'; exit(0, msg); } }
Oval
| accepted | 2014-06-09T04:00:10.662-04:00 | ||||||||||||||||
| class | vulnerability | ||||||||||||||||
| contributors |
| ||||||||||||||||
| definition_extensions |
| ||||||||||||||||
| description | Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability." | ||||||||||||||||
| family | windows | ||||||||||||||||
| id | oval:org.mitre.oval:def:11931 | ||||||||||||||||
| status | accepted | ||||||||||||||||
| submitted | 2010-03-09T13:00:00 | ||||||||||||||||
| title | RTF Stack Buffer Overflow Vulnerability | ||||||||||||||||
| version | 25 |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/97153/ms10_087_rtf_pfragments_bof.rb.txt |
| id | PACKETSTORM:97153 |
| last seen | 2016-12-05 |
| published | 2010-12-29 |
| reporter | wushi |
| source | https://packetstormsecurity.com/files/97153/Microsoft-Word-RTF-pFragments-Stack-Buffer-Overflow.html |
| title | Microsoft Word RTF pFragments Stack Buffer Overflow |
Saint
| bid | 44652 |
| description | Microsoft Office RTF pFragments Property Stack Buffer Overflow |
| id | win_patch_office2002,win_patch_office2003,win_patch_office2007 |
| osvdb | 69085 |
| title | ms_office_rtf_pfragments_property |
| type | client |
Seebug
bulletinFamily exploit description BUGTRAQ ID: 44652 CVE ID: CVE-2010-3333 Word是微软Office套件中的文字处理工具。 在处理RTF文档中的特定控制字时Word未经执行长度检查便将其属性字符串拷贝到了栈缓冲区中,这可能触发栈溢出。成功利用此漏洞的攻击者可以完全控制受影响的系统。 Microsoft Office XP SP3 Microsoft Office for Mac 2011 Microsoft Office 2010 Microsoft Office 2008 for Mac Microsoft Office 2007 SP2 Microsoft Office 2004 for Mac Microsoft Office 2003 Service Pack 3 临时解决方法: * 不要打开或保存从不受信任来源或从受信任来源意外收到的Microsoft Office文件。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS10-087)以及相应补丁: MS10-087:Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930) 链接:http://www.microsoft.com/technet/security/bulletin/MS10-087.mspx?pf=true id SSV:20246 last seen 2017-11-19 modified 2010-11-17 published 2010-11-17 reporter Root title Microsoft Word RTF文件解析栈溢出漏洞(MS10-087) bulletinFamily exploit description No description provided by source. id SSV:20685 last seen 2017-11-19 modified 2011-07-04 published 2011-07-04 reporter Root source https://www.seebug.org/vuldb/ssvid-20685 title MS Office 2010 RTF Header Stack Overflow Vulnerability Exploit
The Hacker News
id THN:B02C7C78600ED331232ABD4D1F8D2C4A last seen 2017-01-08 modified 2013-10-14 published 2013-01-14 reporter Pierluigi Paganini source http://thehackernews.com/2013/01/operation-red-october-cyber-espionage.html title Operation Red October : Cyber Espionage campaign against many Governments id THN:3BF9400C51248462741DFA3EAF706DEE last seen 2018-01-27 modified 2013-12-13 published 2013-12-13 reporter Mohit Kumar source https://thehackernews.com/2013/12/chinese-hackers-spied-on-european.html title Chinese Hackers spied on European Diplomats during recent G20 meetings
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880
- http://secunia.com/advisories/38521
- http://secunia.com/advisories/42144
- http://securityreason.com/securityalert/8293
- http://www.securityfocus.com/bid/44652
- http://www.securitytracker.com/id?1024705
- http://www.us-cert.gov/cas/techalerts/TA10-313A.html
- http://www.vupen.com/english/advisories/2010/2923
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-087
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11931