OWC Remote Code Execution (Aug 27, 2009)

Microsoft Office Web Components (OWC) provide a mechanism for data analysis and visualization. OWC can be divided into two groups — visible components and data controls. The data controls provide methods for connecting to data sources and retrieving data. If the control is instantiated, it attempts to provide data binding to the server controls. If the binding fails, it may release the object.

A memory corruption vulnerability exists in Microsoft Office Web Components controls, specifically in the initialization and release of the control object. If loading and releasing the vulnerable control is repeated multiple times (through script code), the object attempts to read data from corrupted heap memory; as a result, the flow of code execution may be changed. Remote attackers could exploit this vulnerability by enticing a target user to visit a maliciously crafted web page. Successful exploitation would result in code execution with the privileges of the logged-in user. This vulnerability has been assigned CVE-2009-0562.

By default, the affected ActiveX controls are not installed on any Windows platform. However, they are often installed with the popular MS Office suite and some server applications, which makes for a very large base of affected users.

The ClassIDs of the affected controls are:

0002E543-0000-0000-C000-000000000046
0002E553-0000-0000-C000-000000000046
0002E55B-0000-0000-C000-000000000046

The affected controls can also be instantiated using ProgIDs:

OWC10.DataSourceControl
OWC11.DataSourceControl

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3144 – MS Office Web Components Remote Code Execution Attempt (MS09-043)
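
A coarse content check built on the ClassIDs and ProgIDs listed above, as an added example (it is not SonicWALL's signature and not code from the original post). It flags any saved page or captured response that references the affected controls, whether or not the reference is malicious; the function name and the sample page are constructed for illustration.

```python
import re

# ClassIDs and ProgIDs of the affected controls, as listed in the advisory above.
AFFECTED_CLSIDS = (
    "0002E543-0000-0000-C000-000000000046",
    "0002E553-0000-0000-C000-000000000046",
    "0002E55B-0000-0000-C000-000000000046",
)
AFFECTED_PROGIDS = ("OWC10.DataSourceControl", "OWC11.DataSourceControl")

# HTML attributes and COM ProgIDs are case-insensitive, so match that way.
_PATTERNS = {
    "clsid": re.compile("|".join(map(re.escape, AFFECTED_CLSIDS)), re.IGNORECASE),
    "progid": re.compile("|".join(map(re.escape, AFFECTED_PROGIDS)), re.IGNORECASE),
}
# Map any casing seen in content back to the spelling used in the advisory.
_CANONICAL = {v.lower(): v for v in AFFECTED_CLSIDS + AFFECTED_PROGIDS}


def find_owc_references(content):
    """Return (line_number, kind, canonical_value) for each reference found."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for kind, pattern in _PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, _CANONICAL[match.group(0).lower()]))
    return findings


# Constructed sample: one <object> tag by ClassID, one script instantiation
# by ProgID, and one unrelated ActiveX object that must not be flagged.
SAMPLE_PAGE = """<html><body>
<object id="a" classid="CLSID:0002e55b-0000-0000-c000-000000000046"></object>
<script>
var d = new ActiveXObject("owc10.datasourcecontrol");
var s = new ActiveXObject("Scripting.Dictionary");
</script>
</body></html>"""

if __name__ == "__main__":
    for lineno, kind, value in find_owc_references(SAMPLE_PAGE):
        print(f"line {lineno}: {kind} {value}")
```

Identifiers that a script assembles at run time (for example by string concatenation) will not match a literal search like this one, so treat a clean result as inconclusive.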