MS10-036: Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)

2010-06-0900:00:00

www.tenable.com

The remote host contains a vulnerable version of Microsoft Office 2003 or 2007. Opening a specially crafted Office file can result in arbitrary code execution. A remote attacker can exploit this by tricking a user into opening a specially crafted Office file.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(46843);
  script_version("1.26");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2010-1263");
  script_bugtraq_id(40574);
  script_xref(name:"MSFT", value:"MS10-036");
  script_xref(name:"MSKB", value:"982122");
  script_xref(name:"MSKB", value:"982124");
  script_xref(name:"MSKB", value:"982127");
  script_xref(name:"MSKB", value:"982133");
  script_xref(name:"MSKB", value:"982134");
  script_xref(name:"MSKB", value:"982135");
  script_xref(name:"MSKB", value:"982157");
  script_xref(name:"MSKB", value:"982158");
  script_xref(name:"MSKB", value:"982308");
  script_xref(name:"MSKB", value:"982311");
  script_xref(name:"MSKB", value:"982312");

  script_name(english:"MS10-036: Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (983235)");
  script_summary(english:"Checks if Office version is up to date");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through opening a
Microsoft Office file.");
  script_set_attribute(attribute:"description", value:
"The remote host contains a vulnerable version of Microsoft Office 2003
or 2007. Opening a specially crafted Office file can result in
arbitrary code execution. A remote attacker can exploit this by
tricking a user into opening a specially crafted Office file.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-036");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Office 2003 and 2007.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/06/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/06/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:publisher");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visio");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("audit.inc");

include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS10-036';
kbs = make_list("982122", "982124", "982127", "982133", "982134", "982135", "982157", "982158", "982308", "982311", "982312");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


function is_vuln(ver, fix)
{
  local_var i;

  ver = split(ver, sep:'.', keep:FALSE);
  fix = split(fix, sep:'.', keep:FALSE);

  for (i = 0; i < max_index(ver); i++)
  {
    if (int(ver[i]) < int(fix[i]))
      return TRUE;
    if (int(ver[i]) > int(fix[i]))
      return FALSE;
  }

  return FALSE;
}

arch = get_kb_item_or_exit("SMB/ARCH");

if (!is_accessible_share()) exit(1, "is_accessible_share() failed.");

x86_path = hotfix_get_commonfilesdir();
if (!x86_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Common Files');
x64_path = hotfix_get_programfilesdirx86();
if (arch == 'x64' && !x64_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Program Files (x86)');
vuln = 0;

office_vers = hotfix_check_office_version();

share = '';
lastshare = '';
accessibleshare = FALSE;
kb = '';
if (!isnull(office_vers))
{
  if (office_vers["11.0"])
  {
    # Office 2003
    share = hotfix_path2share(path:x86_path);
    lastshare = share;
    if (is_accessible_share(share:share))
    {
      accessibleshare = TRUE;

      if (
        hotfix_is_vulnerable(file:"Mso.dll", version:"11.0.8324.0", min_version:'11.0.0.0', path:x86_path+"\Microsoft Shared\Office11", bulletin:bulletin, kb:'982311') ||
        hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"11.0.8324.0", min_version:'11.0.0.0', path:x64_path+"\Common Files\Microsoft Shared\Office11", bulletin:bulletin, kb:'982311')
      ) vuln++;
    }
  }
  if (office_vers["12.0"])
  {
    # Office 2007
    share = hotfix_path2share(path:x86_path);
    if (lastshare != share || !accessibleshare)
    {
      lastshare = share;
      if (is_accessible_share(share:share))
      {
        accessibleshare = TRUE;
      }
    }

    if (
      (hotfix_is_vulnerable(file:"Mso.dll", version:"12.0.6535.5002", min_version:'12.0.0.0', path:x86_path+"\Microsoft Shared\Office12", bulletin:bulletin, kb:'982312')) ||
      (hotfix_is_vulnerable(file:"Mso.dll", arch:"x64", version:"12.0.6535.5002", min_version:'12.0.0.0', path:x64_path+"\Common Files\Microsoft Shared\Office12", bulletin:bulletin, kb:'982312'))
    ) vuln++;
  }
}

# Visio
installs = get_kb_list("SMB/Office/Visio/*/VisioPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/Visio/' - '/VisioPath';
    path = installs[install];
    share = hotfix_path2share(path:path);
    if (share != lastshare || !accessibleshare)
    {
      lastshare = share;
      if (!is_accessible_share(share:share))
      {
        accessibleshare = FALSE;
      }
      else accessibleshare = TRUE;
    }
    if (accessibleshare)
    {
      if (
        version &&
        ("12.0" >< version &&
        hotfix_is_vulnerable(path:path, file:"Vislib.dll", version:"12.0.6535.5002", bulletin:bulletin, kb:'982127')) ||
        ("11.0" >< version &&
        hotfix_is_vulnerable(path:path, file:"Visio11\Vislib.dll", version:"11.0.8323.0", bulletin:bulletin, kb:'982126'))
      )
      {
        vuln++;
      }
    }
  }
}
hotfix_check_fversion_end();

# Use the KB to check the other components

office_sp2003 = get_kb_item("SMB/Office/2003/SP");
office_sp2007 = get_kb_item("SMB/Office/2007/SP");
# Excel
installs = get_kb_list("SMB/Office/Excel/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/Excel/' - '/ProductPath';
    path = installs[install];

    if (
      version &&
      (
        ('11.0.' >< version && is_vuln(ver:version, fix:'11.0.8324.0') && (!isnull(office_sp2003) && office_sp2003 == 3)) ||
        ('12.0.' >< version && is_vuln(ver:version, fix:'12.0.6535.5002') && (!isnull(office_sp2007) && (office_sp2007 == 1 || office_sp2007 == 2)))
      )
    )
    {
      ver = split(version, sep:'.', keep:FALSE);
      if (ver[0] == '11')
      {
        fix = '11.0.8324.0';
        kb = '982133';
      }
      else
      {
        fix = '12.0.6535.5002';
        kb = '982308';
      }

      info =
        '\n  Product           : Excel' +
        '\n  File              : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix + '\n';
      hotfix_add_report(info, bulletin:bulletin, kb:kb);
      vuln++;
    }
  }
}

# Powerpoint
installs = get_kb_list("SMB/Office/PowerPoint/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/PowerPoint/' - '/ProductPath';
    path = installs[install];

    if (
      version &&
      (
        ('11.0.' >< version && is_vuln(ver:version, fix:'11.0.8324.0') && (!isnull(office_sp2003) && office_sp2003 == 3)) ||
        ('12.0.' >< version && is_vuln(ver:version, fix:'12.0.6500.5000') && (!isnull(office_sp2007) && (office_sp2007 == 1 || office_sp2007 == 2)))
      )
    )
    {
      ver = split(version, sep:'.', keep:FALSE);
      if (ver[0] == '11')
      {
        fix = '11.0.8324.0';
        kb = '982157';
      }
      else
      {
        fix = '12.0.6500.5000';
        kb = '982158';
      }

      info =
        '\n  Product           : PowerPoint'+
        '\n  File              : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix + '\n';
      hotfix_add_report(info, bulletin:bulletin, kb:kb);
      vuln++;
    }
  }
}

# Publisher
installs = get_kb_list("SMB/Office/Publisher/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/Publisher/' - '/ProductPath';
    path = installs[install];

    if (
      version &&
      (
        ('11.0.' >< version && is_vuln(ver:version, fix:'11.0.8324.0')) ||
        ('12.0.' >< version && is_vuln(ver:version, fix:'12.0.6535.5002'))
      )
    )
    {
      ver = split(version, sep:'.', keep:FALSE);
      if (ver[0] == '11')
      {
        fix = '11.0.8324.0';
        kb = '982122';
      }
      else
      {
        fix = '12.0.6535.5002';
        kb = '982124';
      }

      info =
        '\n  Product           : Publisher' +
        '\n  File              : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix + '\n';
      hotfix_add_report(info, bulletin:bulletin, kb:kb);
      vuln++;
    }
  }
}

# Word
installs = get_kb_list("SMB/Office/Word/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/Word/' - '/ProductPath';
    path = installs[install];

    if (
      version &&
      (
        ('11.0.' >< version && is_vuln(ver:version, fix:'11.0.8324.0') && (!isnull(office_sp2003) && office_sp2003 == 3)) ||
        ('12.0.' >< version && is_vuln(ver:version, fix:'12.0.6535.5000') && (!isnull(office_sp2007) && (office_sp2007 == 1 || office_sp2007 == 2)))
      )
    )
    {
      ver = split(version, sep:'.', keep:FALSE);
      if (ver[0] == '11')
      {
        fix = '11.0.8324.0';
        kb = '982134';
      }
      else
      {
        fix = '12.0.6535.5000';
        kb = '982135';
      }

      info =
        '\n  Product           : Word'+
        '\n  File              : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix + '\n';
      hotfix_add_report(info, bulletin:bulletin, kb:kb);
      vuln++;
    }
  }
}

if (vuln)
{
  set_kb_item(name:'SMB/Missing/MS10-036', value:TRUE);
  hotfix_security_hole();
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');

VendorProductVersionCPE
microsoftofficecpe:/a:microsoft:office
microsoftwordcpe:/a:microsoft:word
microsoftexcelcpe:/a:microsoft:excel
microsoftpublishercpe:/a:microsoft:publisher
microsoftvisiocpe:/a:microsoft:visio
microsoftpowerpointcpe:/a:microsoft:powerpoint

Vendor	Product	CPE
microsoft	office	cpe:/a:microsoft:office
microsoft	word	cpe:/a:microsoft:word
microsoft	excel	cpe:/a:microsoft:excel
microsoft	publisher	cpe:/a:microsoft:publisher
microsoft	visio	cpe:/a:microsoft:visio
microsoft	powerpoint	cpe:/a:microsoft:powerpoint