| Title | Microsoft Office Visio DXF File stack overflow |
| Version | Microsoft Visio 2002 SP2 |
| Analysis | http://www.abysssec.com |
| Vendor | http://www.microsoft.com |
| Impact | Ciritical |
| Contact | shahin [at] abysssec.com , info [at] abysssec.com |
| @abysssec | |
| CVE | CVE-2010-1681 |
| Microsoft Visio 2003 SP3 |
| Microsoft Visio 2002 SP2 |
| Class | 1- Stack overflow |
| Impact | Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Failed exploit attempts will result in a denial-of-service condition. |
| Remotely Exploitable | Yes |
| Locally Exploitable | Yes |
Drawing Exchange Format (DXF) is a kind of data file format for CAD which is designed by Autodesk for cooperation between Autocad and other software. Varius software supports dxf file and Microsoft Visio is one of them.
Dxf file contain some section which every section contain some records. Every record consist of a pair of code and its value. The mentioned code called group code specify type of data follow it.
Every section starts with code zero that “SECTION” strings follow it. Then after each SECTION code 2 and after that a string representing name of the SECTION ( for example HEADER ). Every section is finished by zero and the “ENDSEC” string.
Here is the general structure of the DXF file:
It contains general information of our drawing design. This section contains a version of AutoCAD data base section and some system variables. Every variable contain a name and value pair.
This section holds information about instanced class in the utility application which its instances are represented in other sections.
It contains description of the following tables:
APPID (application identification table)
BLOCK_RECORD (block reference table)
DIMSTYLE (dimension style table)
LAYER (layer table)
LTYPE (linetype table)
LTYPE (linetype table)
UCS (user coordinate system table)
VIEW (view table)
VPORT (viewport configuration table)
This section contains block description and entities of our drawing design which create block reference in the design.
It contains graphic objects (Entity) in our drawing design which add block references.
This chapter presents the group codes that apply to nongraphical objects. These codes are found in the OBJECTS section of a DXF™ file and are used by AutoLISP® and ObjectARX® applications in entity definition lists.
For further information about DXF file format refer to the following link: http://images.autodesk.com/adsk/files/acad_dxf0.pdf
This vulnerability is a stack overflow exists in the processing of dxf files. The vulnerable module is VISIODWG.DLL and the module is loaded to when opening a dxf file. This vulnerable version is Microsoft Visio 2002 sp2.
sub_667D74C0 function process HEADER in the DXF files. In the beginning of the function there is a 92bytes of buffer are allocated for the function.
1 2 3 4 5 6 | .text:667D74C0 sub esp, 5Ch ; Integer Subtraction .text:667D74C3 push ebx .text:667D74C4 push ebp .text:667D74C5 mov ebp, [esp+64h+arg_0] .text:667D74C9 push esi .text:667D74CA push edi |
Then a little farther the vulnerable strcpy function is used that its second parameter is specified by some value in the file. In fact, in the beginning of sub_667D74C0 strcpy function copies name of the parameter in HEADER section to a fixed length buffer. Now if name of the parameters are greater than size of this buffer and because of no bound checking a stack overflow can occur.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | .text:667D74E2 mov ecx, [edi+2428h] .text:667D74E8 mov edx, [esp+6Ch+Key] .text:667D74EC inc ecx ; Increment by 1 .text:667D74ED push ecx ; Source .text:667D74EE push edx ; Dest .text:667D74EF call strcpy ; Call Procedure .text:667D74F4 mov esi, ds:bsearch .text:667D74FA push offset sub_667D7400 ; PtFuncCompare .text:667D74FF push 0Ch ; SizeOfElements .text:667D7501 push 0D5h ; NumOfElements .text:667D7506 lea eax, [esp+80h+Key] ; Load Effective Address .text:667D750A push offset off_6685E730 ; Base .text:667D750F push eax ; Key .text:667D7510 call esi ; bsearch ; Indirect Call Near Procedure .text:667D7512 mov edi, eax .text:667D7514 add esp, 1Ch ; Add |
If length of the parameter name string in Header section is greater than 81bytes the return address will be overwritten.
Here are the contents of dxf file in hex format that one of the parameter names in the HEADER section is greater than 81bytes:
Explotation of this stack overflow is simple because we don’t have GS or DEP protection in Microsoft Visio 2002.
As we discussed we know how to take control of the program so it is just needed to transfer the control to our shellcode. Also we can put our shellcode in the beginning of the file in header section without corruption the file. If you look at the EBP register before overflow and execution of RET instruction, you will notice that this register point to some memory that is in our input data.
At address 0x61C92866, the following instructions are exists:
1 2 3 | 61C92866 C9 LEAVE 61C92867 61 POPAD 61C92868 C3 RETN |
By executing these instructions, value of esp and ebp are swapped and esp is incremented. In this situation esp points to our data. Now if we direct the RET instruction to some address containing JMP ESP instruction the execution flow will be transferred to our shellcode.
The important point is that our shellcode should be akphanumeric and does not contain bad characters (for example 5E). Check out the Microsoft Office Visio DXF File Stack based Overflow exploit.