========================================================================= ACROS Security Problem Report #2010-11-10-2
Document ID: ASPR #2010-11-10-2-PUB Vendor: Microsoft Corp. (http://www.microsoft.com) Target: Microsoft Word 2010 for Windows Impact: Remote execution of arbitrary code Severity: Very high Status: Official patch available, workarounds available Discovered by: Simon Raner of ACROS Security
CVSS score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) CVE ID: CVE-2010-3337 CWE ID: CWE-426: Untrusted Search Path
Current version http://www.acrossecurity.com/aspr/ASPR-2010-11-10-2-PUB.txt
A "binary planting"  vulnerability in Microsoft Word 2010 for Windows allows local or remote (even Internet-based) attackers to deploy and execute malicious code on Windows machines in the context of logged-on users.
Note: A more detailed analysis of this bug is available at http://blog.acrossecurity.com/2010/11/analysis-of-microsoft-office- 2010.html (http://bit.ly/9KNXmv).
As a result of an incorrect dynamic link library loading in Microsoft Word 2010 for Windows, an attacker can cause her malicious DLL to be loaded and executed from local drives, remote Windows shares, and even shares located on Internet.
All a remote attacker has to do is plant a malicious DLL with a specific name (wdimpconv.dll) on a network share and get the user to open a specially crafted DOCX file from this network location - which should require minimal social engineering. Once the user opens the file, Office's library mso.dll makes an unsafe call to LoadLibrary("wdimpconv.dll"). As this DLL is not present on the system, its malicious version gets loaded from the current working directory.
Windows systems by default have the Web Client service running - which makes remote network shares accessible via WebDAV -, thus the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.
A systematic attack could deploy malicious code to a large number of Windows workstations in a short period of time, possibly as an Internet worm.
Visit http://www.binaryplanting.com/ for more information on binary planting vulnerabilities and attacks.
Additional details are available to interested corporate and government customers under NDA, as public disclosure would reveal too many details on the vulnerability and unduly accelerate malicious exploitation.
A firewall blocking outbound WebDAV traffic (in addition to blocking all Windows Networking protocols) could stop an Internet-based attack.
Microsoft's CWDIllegalInDllSearch hotfix  can stop a network-based exploitation of this vulnerability.
Microsoft has issued a security bulletin  and published an update for Microsoft Word 2010 that fixes this issue.
Stopping the Web Client service could stop Internet-based attacks as long as the network firewall stops outbound Microsoft Networking protocols. This would not, however, stop remote LAN-based attacks where the attacker is able to place a malicious DLL on a network share inside the target (e.g., corporate) network.
General recommendations for limiting or stopping binary planting attacks are available at http://www.binaryplanting.com/guidelinesAdministrators.htm
ACROS is offering professional consulting on this issue to interested corporate and government customers. Typical questions we can help you answer are:
1) To what extent is your organization affected by this issue?
2) Is it possible to get remote code from the Internet launched inside your network? Can this be demonstrated?
3) Have you adequately applied the remedies to remove the vulnerability?
4) Are there circumstances in your environment that might prevent the effectiveness of this fix?
5) Are there other workarounds that you could implement to fix this issue more efficiently and/or inexpensively?
6) Are your systems or applications vulnerable to other similar issues?
Interested parties are encouraged to ask for more information at email@example.com.
ACROS Security has performed an extensive Binary Planting research project, focused on various types of vulnerabilities where an attacker with low privileges can place (i.e., "plant") a malicious executable file (i.e., "binary") to some possibly remote location and get it launched by some vulnerable application running on user's computer.
The research found that binary planting vulnerabilities are affecting a large percentage of Windows applications and often allowing for trivial exploitation: it identified ~520 remotely exploitable bugs in ~200 widely- used Windows applications. A large majority of these vulnerabilties remain unfixed and publicly unknown at the time of this writing.
Find out more: - http://www.binaryplanting.com - http://blog.acrossecurity.com
Follow ACROS Security on Twitter to get immediate updates on the ongoing Binary Planting research and other research projects. http://www.twitter.com/AcrosSecurity
 Binary Planting - The Official Web Site http://www.binaryplanting.com/
 Microsoft's CWDIllegalInDllSearch hotfix http://support.microsoft.com/kb/2264107
 Microsoft Security Bulletin MS10-087 - Critical http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx
ACROS d.o.o. Makedonska ulica 113 SI - 2000 Maribor
e-mail: firstname.lastname@example.org web: http://www.acrossecurity.com phone: +386 2 3000 280 fax: +386 2 3000 282
ACROS Security PGP Key http://www.acrossecurity.com/pgpkey.asc [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]
ACROS Security Advisories http://www.acrossecurity.com/advisories.htm
The content of this report is purely informational and meant only for the purpose of education and protection. ACROS d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. All identifiers (hostnames, IP addresses, company names, individual names etc.) used in examples and demonstrations are used only for explanatory purposes and have no connection with any real host, company or individual. In no event should it be assumed that use of these names means specific hosts, companies or individuals are vulnerable to any attacks nor does it mean that they consent to being used in any vulnerability tests. The use of information in this report is entirely at user's risk.
November 10, 2010: Initial release
(c) 2010 ACROS d.o.o. Forwarding and publishing of this document is permitted providing the content between "[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]" marks remains unchanged.