
Microsoft Word 2016 Memory Corruption Vulnerability Analysis (CVE-2016-3316)

Aug 19 2016

Microsoft Word is prone to a memory corruption vulnerability, CVE-2016-3316 (MS16-099). It affects Microsoft Word 2016 for Windows and Mac, Microsoft Word 2013 SP1 and Microsoft Word 2013 RT SP1. An attacker could exploit it remotely by delivering a specially crafted .doc file. A successful attack could lead to arbitrary code execution with the privileges of the current process.

The PoC of this vulnerability is already in the wild: https://www.exploit-db.com/exploits/40238/

This vulnerability is caused by the application’s inappropriate handling of the sprmSDyaTop property, which specifies the height of the top margin of a document. When the property is set to a value larger than the height of the page, the process reads memory outside the allocated buffer, causing memory corruption.

Details: The file section that triggers the vulnerability is a “Prl” structure, which defines a modification of a document property. The following figure describes the format of the Prl data structure.

Inside the exploit file, this section starts with 0x9023, followed by a 2-byte signed integer. If the value is larger than 0x3DE0 (the page height), the vulnerability is triggered. As shown in the following figure, the exploit file can be detected by searching for the Prl pattern and checking whether the sprmSDyaTop value is safe.

The vulnerability is a typical heap memory corruption that starts with an arbitrary address read.
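The detection approach described above (locate the sprmSDyaTop Prl and compare its operand against the page height) can be implemented as a small scanner. The following Python is an added example, not code from the original post or from Dell SonicWALL; it assumes the Prl layout stated on this page (sprm 0x9023 stored little-endian, followed by a 2-byte signed operand), uses 0x3DE0 as the threshold from the write-up, and runs on constructed byte strings rather than a real document.

```python
import struct

# sprmSDyaTop and the "safe" threshold, both as given in the write-up.
SPRM_SDYA_TOP = 0x9023
MAX_SAFE_DYA_TOP = 0x3DE0  # 15840 twips; larger values trigger the bug


def find_sprm_sdyatop(data: bytes):
    """Yield (offset, operand) for every sprmSDyaTop Prl found in data.

    A Prl is a 2-byte little-endian sprm followed by its operand; for
    sprmSDyaTop the operand is a 2-byte signed integer (assumption from
    the page's description). Truncated matches at the end of the buffer
    are skipped rather than reported.
    """
    needle = struct.pack("<H", SPRM_SDYA_TOP)
    pos = data.find(needle)
    while pos != -1:
        if pos + 4 <= len(data):
            (operand,) = struct.unpack_from("<h", data, pos + 2)
            yield pos, operand
        pos = data.find(needle, pos + 1)


def is_unsafe_dyatop(operand: int) -> bool:
    """True when the top-margin value exceeds the page height (0x3DE0)."""
    return operand > MAX_SAFE_DYA_TOP


def scan(data: bytes):
    """Return one record per sprmSDyaTop occurrence, flagging unsafe ones."""
    return [
        {"offset": off, "value": val, "unsafe": is_unsafe_dyatop(val)}
        for off, val in find_sprm_sdyatop(data)
    ]


def scan_file(path: str):
    """Convenience wrapper: scan a raw byte stream read from disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    # Constructed samples (not taken from any real document):
    benign = b"\x23\x90\x10\x05"          # operand 0x0510 = 1296 twips, safe
    hostile = b"\x00\x23\x90\xE1\x3D"     # operand 0x3DE1 = 15841, just over the limit
    for label, blob in (("benign", benign), ("hostile", hostile)):
        for hit in scan(blob):
            print(f"{label}: offset={hit['offset']} value=0x{hit['value']:04X} unsafe={hit['unsafe']}")
```

A raw byte search for 0x9023 is a heuristic: the same two bytes can occur in unrelated data, so a hit is only meaningful inside the property (grpprl) regions of the WordDocument stream, and a production check would parse the OLE container and walk the Prl list rather than grep the whole file. The comparison is signed, matching the page's description of the operand; the record keeps the offset so an analyst can confirm the context of each hit.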

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect their customers:

  • SPY:1083 “Malformed-file doc.MP.42”

Reference:

  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3316
  • https://technet.microsoft.com/library/security/MS16-099
  • https://www.exploit-db.com/exploits/40238/
  • https://msdn.microsoft.com/en-us/library/dd923541(v=office.12).aspx
  • https://msdn.microsoft.com/en-us/library/dd920359(v=office.12).aspx

Microsoft Security Bulletin Coverage (Aug 9, 2016)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories released on Aug 9, 2016. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS16-095 Cumulative Security Update for Internet Explorer

  • CVE-2016-3288 Internet Explorer Memory Corruption Vulnerability
    SPY:1082 “Malformed-File html.MP.62”
  • CVE-2016-3289 Microsoft Browser Memory Corruption Vulnerability
    IPS:11781 “Microsoft Browser Memory Corruption Vulnerability (MS16-095)”
  • CVE-2016-3290 Internet Explorer Memory Corruption Vulnerability
    IPS:11782 “Internet Explorer Memory Corruption Vulnerability (MS16-095)”
  • CVE-2016-3293 Microsoft Browser Memory Corruption Vulnerability
    IPS:11783 “Microsoft Browser Memory Corruption Vulnerability (MS16-095) 2”
  • CVE-2016-3321 Internet Explorer Information Disclosure Vulnerability
    IPS:11784 “Internet Explorer Information Disclosure Vulnerability (MS16-095) 2”
  • CVE-2016-3322 Internet Explorer Security Feature Bypass Vulnerability
    SPY:1076 “Malformed-File html.MP.60_3”
  • CVE-2016-3326 Microsoft Browser Information Disclosure Vulnerability
    IPS:11787 “Microsoft Browser Information Disclosure Vulnerability (MS16-096)”
  • CVE-2016-3327 Microsoft Browser Information Disclosure Vulnerability
    SPY:1087 “Malformed-File swf.MP.477”
  • CVE-2016-3329 Microsoft Browser Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-096 Cumulative Security Update for Microsoft Edge

  • CVE-2016-3289 Microsoft Browser Memory Corruption Vulnerability
    IPS:11781 “Microsoft Browser Memory Corruption Vulnerability (MS16-095)”
  • CVE-2016-3293 Microsoft Browser Memory Corruption Vulnerability
    IPS:11783 “Microsoft Browser Memory Corruption Vulnerability (MS16-095) 2”
  • CVE-2016-3296 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3319 Microsoft PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3322 Internet Explorer Security Feature Bypass Vulnerability
    SPY:1076 “Malformed-File html.MP.60_3”
  • CVE-2016-3326 Microsoft Browser Information Disclosure Vulnerability
    IPS:11787 “Microsoft Browser Information Disclosure Vulnerability (MS16-096)”
  • CVE-2016-3327 Microsoft Browser Information Disclosure Vulnerability
    SPY:1087 “Malformed-File swf.MP.477”
  • CVE-2016-3329 Microsoft Browser Information Disclosure Vulnerability
    There are no known exploits in the wild.

MS16-097 Security Update for Microsoft Graphics Component

  • CVE-2016-3301 Windows Graphics Component RCE Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3303 Windows Graphics Component RCE Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3304 Windows Graphics Component RCE Vulnerability
    There are no known exploits in the wild.

MS16-098 Security Update for Windows Kernel-Mode Drivers

  • CVE-2016-3308 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-3309 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-3310 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2016-3311 Win32k Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS16-099 Security Update for Microsoft Office

  • CVE-2016-3313 Microsoft Office Memory Corruption Vulnerability
    SPY:1079 “Malformed-file doc.MP.41”
  • CVE-2016-3315 Microsoft OneNote Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3316 Microsoft Office Memory Corruption Vulnerability
    SPY:1083 “Malformed-file doc.MP.42”
  • CVE-2016-3317 Microsoft Office Memory Corruption Vulnerability
    SPY:1084 “Malformed-File rtf.MP.14”
  • CVE-2016-3318 Graphics Component Memory Corruption Vulnerability
    SPY:1085 “Malformed-File rtf.MP.15”

MS16-100 Security Update for Secure Boot

  • CVE-2016-3320 Secure Boot Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

MS16-101 Security Update for Windows Authentication Methods

  • CVE-2016-3237 Kerberos Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2016-3300 NetLogon Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS16-102 Security Update for Microsoft Windows PDF Library

  • CVE-2016-3319 Microsoft PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS16-103 Security Update for ActiveSyncProvider

  • CVE-2016-3312 Universal Outlook Information Disclosure Vulnerability
    There are no known exploits in the wild.