navigation bar left navigation bar right

Secunia CSI7
navigation left tab About us navigation right tab
navigation left tab Careers navigation right tab
navigation left tab Memberships navigation right tab
navigation left tab Newsroom navigation right tab
navigation left tab Contact us navigation right tab
Blog
News
Articles

OS Dependant PowerPoint Viewer Vulnerabilities

Get this blog as an RSS Feed
11:16 CET on the 26th February 2010
Entry written by Carsten Eiram.

Last week, we finished off the final BAs for the latest round of vulnerabilities fixed by the Microsoft security bulletin releases.

There were some very interesting vulnerabilities fixed this time and two of these were the PowerPoint Viewer 2003 vulnerabilities (CVE-2010-0033 and CVE-2010-0034). As such the vulnerabilities and analysis were simple and very straight-forward, however, an interesting case of how the "CExpParameterValidate::Read(..)" function in ole32.dll is implemented differently across versions of Windows has a big impact on the exploitability and even existence of the vulnerabilities.

While Microsoft rates the exploitability rating as "1" for these two vulnerabilities on their monthly index, then it's somewhat misleading as it depends on the OS that PowerPoint Viewer 2003 is installed on. If installed on e.g. Windows Server 2003 or Windows 7, then the two errors in the code do lead to stack-based buffer overflows, however, if installed on Windows XP (and possible earlier versions), no buffer overflows occur.

We have made the BA that describes the two vulnerabilities in technical details publicly available, but let me briefly sum up the problem here: The unpatched version has two signed comparisons used to determine if a TextBytesAtom or TextCharsAtom record size is greater than 127 before copying the record content into a 128-byte stack buffer via a call to CExposedStream::Read(..), provided by ole32.dll. However, since the comparison is signed, a value greater than 7FFFFFFFh is considered negative and passes the check, causing CExposedStream::Read(..) to be unintentionally called with a 128-byte destination buffer and an overly large size as arguments.

In all versions of Windows, CExposedStream::Read(..) calls CExpParameterValidate::Read(..) to validate the supplied arguments before reading in the record data from the stream. However, the number of validation checks performed and how the checks are performed differs.

In older versions of Windows (e.g. Windows XP), one of the checks determines if it is possible to actually write the supplied number of bytes into the destination memory via a call to IsBadHugeWritePtr(..). Since it won't be possible to write between 80000000h and FFFFFFFFh bytes of data into the stack space, the check eventually throws an exception, causing CExposedStream::Read(..) to return without writing data into the buffer. This, in turn, causes PowerPoint Viewer to throw an exception and display a message box, stating that the file is corrupted and that's that.

In newer versions of Windows (including at least Windows Server 2003 and Windows 7), CExpParameterValidate::Read(..) no longer performs the check to ensure that it's possible to actually write all the data to the buffer before doing so. Instead, a couple of cursory checks are performed that won't detect that the supplied size is much too big before writing the data. The result is a stack-based buffer overflow on the later versions of Windows that are usually considered to be safer than the older versions - you have to appreciate the irony in that.

Stay secure,

Carsten Eiram
Chief Security Specialist

Discuss this blog entry
A new thread in our forum is created. Activate the thread by commenting/discussing below.
Subject: OS Dependant PowerPoint Viewer Vulnerabilities
 
No posts yet

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


Secunia is a member of FIRST Secunia is a member of EDUcause Secunia is a member of The Open Group Secunia is a member of FS-ISAC
 
Secunia © 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability - Disclaimer
follow Secunia on Facebook follow Secunia on Twitter follow Secunia on LinkedIn follow Secunia on YouTube follow Secunia Xing follow Secunias RSS feed follow Secunia on Google+