Vulnerabilities > CVE-2011-3396 - DLL Loading Arbitrary Code Execution vulnerability in Microsoft Powerpoint 2007/2010

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
critical
nessus
NVD
Published: 2011-12-14
Updated: 2018-10-12

Summary

Untrusted search path vulnerability in Microsoft PowerPoint 2007 SP2 and 2010 allows local users to gain privileges via a Trojan horse DLL in the current working directory, aka "PowerPoint Insecure Library Loading Vulnerability." Per: http://technet.microsoft.com/en-us/security/bulletin/ms11-094 'PowerPoint Insecure Library Loading Vulnerability - CVE-2011-3396 A remote code execution vulnerability exists in the way that Microsoft PowerPoint handles the loading of DLL files.' Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path'

Vulnerable Configurations

Part Description Count
Application
Microsoft
3

Msbulletin

bulletin_idMS11-094
bulletin_url
date2011-12-13T00:00:00
impactRemote Code Execution
knowledgebase_id2639142
knowledgebase_url
severityImportant
titleVulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS11-094.NASL
descriptionThe remote Windows host has a version of Microsoft PowerPoint that is affected by multiple vulnerabilities : - The application insecurely restricts the path used for loading external DLL files. This could lead to arbitrary code execution. (CVE-2011-3396) - The application could cause memory to be corrupted when reading an invalid record in a specially crafted PowerPoint file. (CVE-2011-3413) If a remote attacker can trick a user into opening a malicious PowerPoint file using the affected install, either vulnerability can be leveraged to execute arbitrary code subject to the user
last seen2020-06-01
modified2020-06-02
plugin id57280
published2011-12-13
reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/57280
titleMS11-094: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(57280);
  script_version("1.20");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2011-3396", "CVE-2011-3413");
  script_bugtraq_id(50964, 50967);
  script_xref(name:"IAVA", value:"2011-A-0166");
  script_xref(name:"MSFT", value:"MS11-094");
  script_xref(name:"MSKB", value:"2553185");
  script_xref(name:"MSKB", value:"2596764");
  script_xref(name:"MSKB", value:"2596843");
  script_xref(name:"MSKB", value:"2596912");

  script_name(english:"MS11-094: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142)");
  script_summary(english:"Checks Ppcore.dll / Ppcnv.dll / PowerPointViewer version");

  script_set_attribute(
    attribute:"synopsis",
    value:
"Arbitrary code can be executed on the remote host through Microsoft
PowerPoint."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Windows host has a version of Microsoft PowerPoint that is
affected by multiple vulnerabilities :

  - The application insecurely restricts the path used for
    loading external DLL files. This could lead to
    arbitrary code execution. (CVE-2011-3396)

  - The application could cause memory to be corrupted when
    reading an invalid record in a specially crafted
    PowerPoint file. (CVE-2011-3413)

If a remote attacker can trick a user into opening a malicious
PowerPoint file using the affected install, either vulnerability can
be leveraged to execute arbitrary code subject to the user's
privileges."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-094");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for PowerPoint 2007 and 2010,
PowerPoint Viewer 2007, and Office Compatibility Pack."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/12/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint_viewer");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("audit.inc");


get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS11-094';
kbs = make_list("2553185", "2596764", "2596843", "2596912");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


vuln = FALSE;


# Check PowerPoint versions.
installs = get_kb_list("SMB/Office/PowerPoint/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/PowerPoint/' - '/ProductPath';
    path = installs[install];
    if (isnull(path)) path = 'n/a';
    info = "";
    old_report = hotfix_get_report();

    ver = split(version, sep:'.', keep:FALSE);
    for (i=0; i<max_index(ver); i++)
      ver[i] = int(ver[i]);

    # PowerPoint 2010
    office_sp2010 = get_kb_item("SMB/Office/2010/SP");
    office_sp2007 = get_kb_item("SMB/Office/2007/SP");
    if ((!isnull(office_sp2010) && office_sp2010 == 0) && (ver[0] == 14 && ver[1] == 0 && ver[2] < 6009))
    {
      kb = "2553185";
      fixed_version = "14.0.6111.5000";

      if (path != 'n/a')
      {
        path = ereg_replace(pattern:"^([A-Za-z]:.*)\\PowerPnt.exe", string:path, replace:"\1");
        share = hotfix_path2share(path:path);

        if (is_accessible_share(share:share))
        {
          if (hotfix_is_vulnerable(file:"ppcore.dll", version:fixed_version, min_version:"14.0.0.0", path:path, bulletin:bulletin, kb:kb))
          {
            file = ereg_replace(pattern:"^[A-Za-z]:(.*)", string:path, replace:"\1\ppcore.dll");
            kb_name = "SMB/FileVersions/"+tolower(share-'$')+tolower(str_replace(string:file, find:"\", replace:"/"));
            version = get_kb_item(kb_name);

            info =
              '\n  Product           : PowerPoint 2010' +
              '\n  Path              : ' + path + '\\ppcore.dll' +
              '\n  Installed version : ' + version +
              '\n  Fixed version     : ' + fixed_version + '\n';
          }
        }
      }
    }

    # PowerPoint 2007 (not SP3)
    else if ((!isnull(office_sp2007) && office_sp2007 == 2) && (ver[0] == 12 && ver[1] == 0 && ver[2] < 6600))
    {
      kb = "2596764";
      fixed_version = "12.0.6654.5000";

      if (path != 'n/a')
      {
        path = ereg_replace(pattern:"^([A-Za-z]:.*)\\PowerPnt.exe", string:path, replace:"\1");
        share = hotfix_path2share(path:path);
        if (is_accessible_share(share:share))
        {
          if (hotfix_is_vulnerable(file:"ppcore.dll", version:fixed_version, min_version:"12.0.0.0", path:path, bulletin:bulletin, kb:kb))
          {
            file = ereg_replace(pattern:"^[A-Za-z]:(.*)", string:path, replace:"\1\ppcore.dll");
            kb_name = "SMB/FileVersions/"+tolower(share-'$')+tolower(str_replace(string:file, find:"\", replace:"/"));
            version = get_kb_item(kb_name);

            info =
              '\n  Product           : PowerPoint 2007' +
              '\n  Path              : ' + path + '\\ppcore.dll' +
              '\n  Installed version : ' + version +
              '\n  Fixed version     : ' + fixed_version + '\n';
            hotfix_check_fversion_end();
          }
        }
      }
    }
  }

  if (info)
  {
    hcf_report = '';
    hotfix_add_report(old_report + info, bulletin:bulletin, kb:kb);
    vuln = TRUE;
  }
}

# Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats
installs = get_kb_list("SMB/Office/PowerPointCnv/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/PowerPointCnv/' - '/ProductPath';
    path = installs[install];
    if (isnull(path)) path = 'n/a';
    info = "";

    ver = split(version, sep:'.', keep:FALSE);
    for (i=0; i<max_index(ver); i++)
      ver[i] = int(ver[i]);

    if (path != 'n/a')
    {
      path = ereg_replace(pattern:"^([A-Za-z]:.*)\\Ppcnvcom.exe", string:path, replace:"\1");

      #  PowerPoint 2007 converter.
      if (ver[0] == 12 && path)
      {
        kb = "2596843";
        fixed_version = "12.0.6654.5000";

        share = hotfix_path2share(path:path);
        if (!is_accessible_share(share:share)) exit(1, "Can't connect to "+share+" share.");

        old_report = hotfix_get_report();
        if (hotfix_is_vulnerable(file:"ppcnv.dll", version:fixed_version, min_version:"12.0.0.0", path:path, bulletin:bulletin, kb:kb))
        {
          file = ereg_replace(pattern:"^[A-Za-z]:(.*)", string:path, replace:"\1\ppcnv.dll");
          kb_name = "SMB/FileVersions/"+tolower(share-'$')+tolower(str_replace(string:file, find:"\", replace:"/"));
          version = get_kb_item(kb_name);

          vuln = TRUE;
          info =
            '\n  Product           : Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats' +
            '\n  Path              : ' + path + '\\ppcnv.dll' +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed_version + '\n';
          hcf_report = '';
          hotfix_add_report(old_report+info, bulletin:bulletin, kb:kb);
          break;
        }
      }
    }
  }
}

# PowerPoint Viewer.
installs = get_kb_list("SMB/Office/PowerPointViewer/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/PowerPointViewer/' - '/ProductPath';
    path = installs[install];
    if (isnull(path)) path = 'n/a';

    ver = split(version, sep:'.', keep:FALSE);
    for (i=0; i<max_index(ver); i++)
      ver[i] = int(ver[i]);

    # PowerPoint Viewer 2007.
    #
    # nb: SP3 has a file version of "12.0.6600.1000" but is not affected per
    #     MS11-094. The previous release for SP2 seems to have been for MS11-022,
    #     which brought the version to 12.0.6550.5000.
    if (ver[0] == 12 && ver[1] == 0 && ver[2] < 6600)
    {
      kb = "2596912";
      info =
        '\n  Product           : PowerPoint Viewer 2007\n' +
        '  File              : ' + path + '\n' +
        '  Installed version : ' + version + '\n' +
        '  Fixed version     : 12.0.6654.5000\n';
      hotfix_add_report(info, bulletin:bulletin, kb:kb);
      vuln = TRUE;
    }
  }
}


hotfix_check_fversion_end();

if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted2014-07-07T04:00:35.073-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationSymantec Corporation
  • nameShane Shaffer
    organizationG2, Inc.
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft PowerPoint 2007 Service Pack 2 is installed
    ovaloval:org.mitre.oval:def:24721
  • commentMicrosoft PowerPoint 2010 is installed
    ovaloval:org.mitre.oval:def:12376
descriptionUntrusted search path vulnerability in Microsoft PowerPoint 2007 SP2 and 2010 allows local users to gain privileges via a Trojan horse DLL in the current working directory, aka "PowerPoint Insecure Library Loading Vulnerability."
familywindows
idoval:org.mitre.oval:def:14665
statusaccepted
submitted2011-12-13T13:00:00
titlePowerPoint Insecure Library Loading Vulnerability
version16

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 50967 CVE ID: CVE-2011-3396 PowerPoint是一个由Microsoft公司开发的演示文稿程序,是Microsoft Office系统中的其中一个组件。它支持Microsoft WindowsApple的Mac OS X操作系统。 PowerPoint处理特制.ppt文件的方式中存在不安全加载DLL文件漏洞,成功利用后可允许攻击者以当前用户权限执行任意代码。 Microsoft Office 2008 for Mac Microsoft Office 2007 Microsoft PowerPoint 2007 临时解决方法: * 禁止从WebDAV或远程网络共享加载库 * 禁用WebClient 服务。 * 在防火墙禁用TCP端口139和445 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS11-094)以及相应补丁: MS11-094:Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2639142) 链接:http://www.microsoft.com/technet/security/bulletin/MS11-094.asp
idSSV:26053
last seen2017-11-19
modified2011-12-15
published2011-12-15
reporterRoot
titleMicrosoft PowerPoint DLL加载远程代码执行漏洞(MS11-094)

References