
Vulnerability summary

Defect ID: wooyun-2015-090470

Title: Office Word 07/10 arbitrary code execution (with preconditions)

Vendor: Microsoft

Author: telnetgmike

Submitted: 2015-01-28 12:13

Fix deadline: 2015-04-28 12:14

Public disclosure: 2015-04-28 12:14

Vulnerability type: remote code execution

Severity: high

Self-assessed rank: 15

Status: handed to a third-party partner organization (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-01-28: details sent to the vendor, awaiting vendor handling
2015-02-02: vendor confirmed; details disclosed to the vendor only
2015-02-05: details opened to third-party security partners
2015-03-29: details opened to core white hats and domain experts
2015-04-08: details opened to regular white hats
2015-04-18: details opened to intern white hats
2015-04-28: details disclosed to the public

Brief description:

Certain handling of the TaskSymbol control in Office Word (such as clicking it or saving the document) leads to an arbitrary code execution issue; an attacker can execute arbitrary code and take control of the host.

Detailed description:

Certain handling of the TaskSymbol control in Office Word (such as clicking it or saving the document) leads to an arbitrary code execution issue. The PoC was tested successfully on XP SP3 and Windows 7 with the latest operating system and Office patches applied. The !exploitable-style crash triage output below is quoted as-is:

STACK_DEPTH:59
STACK_FRAME:Unknown
STACK_FRAME:mmcndmgr!ATL::CComContainedObject<CTaskSymbol>::QueryInterface+0x17
STACK_FRAME:ole32!OleIsRunning+0x25
STACK_FRAME:wwlib!wdCommandDispatch+0x1a74f5
STACK_FRAME:wwlib!DllCanUnloadNow+0x2af90a
STACK_FRAME:wwlib!FMain+0x3bf53
STACK_FRAME:wwlib!FMain+0x311ad
STACK_FRAME:wwlib!FMain+0x7d849
STACK_FRAME:wwlib!DllGetLCID+0x364f4
STACK_FRAME:wwlib!wdCommandDispatch+0x8332a
STACK_FRAME:wwlib!DllCanUnloadNow+0x363d18
STACK_FRAME:wwlib!DllGetLCID+0x3c759
STACK_FRAME:wwlib!DllGetLCID+0x33c3c
STACK_FRAME:wwlib!DllGetLCID+0x3125b
STACK_FRAME:wwlib!wdCommandDispatch+0xfb030
STACK_FRAME:wwlib!wdCommandDispatch+0x2ddb82
STACK_FRAME:wwlib!FMain+0xd2029
STACK_FRAME:wwlib!FMain+0xe8b16
STACK_FRAME:wwlib!FMain+0xe8449
STACK_FRAME:wwlib!FMain+0xe8383
STACK_FRAME:wwlib!FMain+0xe7eeb
STACK_FRAME:wwlib!FMain+0xe7de9
STACK_FRAME:wwlib!DllGetClassObject+0x6f122
STACK_FRAME:wwlib!FMain+0xe6125
STACK_FRAME:wwlib!FMain+0xe5ddb
STACK_FRAME:wwlib!FMain+0xe5cd3
STACK_FRAME:VBE6!lblEX_ThisVCallHresult+0x22
STACK_FRAME:OLEAUT32!DispCallFunc+0x16a
STACK_FRAME:VBE6!EpiInvokeMethod+0x2e3
STACK_FRAME:Unknown
STACK_FRAME:VBE6!BASIC_DISPINTERFACE_Invoke+0x91
STACK_FRAME:VBE6!WRAPPER_EVENT_SINK::Invoke+0x8e
STACK_FRAME:wwlib!FMain+0x1012a8
STACK_FRAME:wwlib!FMain+0x1011b3
STACK_FRAME:wwlib!FMain+0x101467
STACK_FRAME:wwlib!FMain+0x1013dd
STACK_FRAME:wwlib!FMain+0x100ff8
STACK_FRAME:wwlib!FMain+0x10137b
STACK_FRAME:wwlib!FMain+0x7c74f
STACK_FRAME:wwlib!FMain+0x7c6b1
STACK_FRAME:wwlib!FMain+0x530e2
STACK_FRAME:wwlib!DllGetLCID+0x185b2
STACK_FRAME:wwlib!DllGetLCID+0x10863
STACK_FRAME:wwlib!DllGetLCID+0x10494
STACK_FRAME:wwlib!DllGetLCID+0x10101
STACK_FRAME:wwlib!DllGetLCID+0xffac
STACK_FRAME:wwlib!DllGetLCID+0xfe30
STACK_FRAME:wwlib!FMain+0xd2029
STACK_FRAME:wwlib!wdCommandDispatch+0x3f798b
STACK_FRAME:wwlib!wdCommandDispatch+0x3f7f06
STACK_FRAME:wwlib!DllCanUnloadNow+0x3ba5b2
STACK_FRAME:wwlib!DllCanUnloadNow+0x3ba9e4
STACK_FRAME:wwlib!FMain+0xd4b3f
STACK_FRAME:wwlib!FMain+0xdf6fb
STACK_FRAME:wwlib!FMain+0xdc6b3
STACK_FRAME:wwlib!FMain+0x6ac
STACK_FRAME:WINWORD+0x15fb
STACK_FRAME:WINWORD+0x156d
STACK_FRAME:kernel32!BaseProcessStart+0x23
INSTRUCTION_ADDRESS:0x0000000010110d5f
INVOKING_STACK_FRAME:1
DESCRIPTION:Possible Stack Corruption
SHORT_DESCRIPTION:PossibleStackCorruption
CLASSIFICATION:UNKNOWN
BUG_TITLE:Possible Stack Corruption starting at Unknown Symbol @ 0x0000000010110d5f called from mmcndmgr!ATL::CComContainedObject<CTaskSymbol>::QueryInterface+0x0000000000000017 (Hash=0x0914394d.0xb948749e)
EXPLANATION:The stack trace contains one or more locations for which no symbol or module could be found.

Proof of vulnerability:

After filling the payload area with 0xcc (int 3) bytes, the debugger stops on the breakpoint instruction at the faulting address, showing that execution reached the attacker-controlled data:

EXCEPTION_FAULTING_ADDRESS:0x10110d5f
EXCEPTION_CODE:0x80000003
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_BREAKPOINT
FAULTING_INSTRUCTION:10110d5f int 3
BASIC_BLOCK_INSTRUCTION_COUNT:1
BASIC_BLOCK_INSTRUCTION:10110d5f int 3
MAJOR_HASH:0x0914394d
MINOR_HASH:0xb948749e
STACK_DEPTH:59
STACK_FRAME:Unknown
STACK_FRAME:mmcndmgr!ATL::CComContainedObject<CTaskSymbol>::QueryInterface+0x17
STACK_FRAME:ole32!OleIsRunning+0x25

Fix recommendation:

Copyright notice: when reposting, credit the source as telnetgmike@WooYun


Vulnerability response

Vendor response:

Severity: medium

Vulnerability rank: 10

Confirmed: 2015-02-02 08:36

Vendor reply:

Still under further analysis; we ask the white hat to provide further sample/PoC information. Confirmed provisionally, but not yet directly verified.

Latest status:

None yet