CVE-2010-1681
Published: 2010-05-06
Priority: P2 · 60 · high
CVSS 2.0: 7.6, vector AV:N/AC:H/Au:N/C:C/I:C/A:C
Exploit: public (Exploit-DB and Metasploit entries indexed below)
EPSS: 67.31% (99.2th percentile)
Buffer overflow in VISIODWG.DLL before 10.0.6880.4 in Microsoft Office Visio allows user-assisted remote attackers to execute arbitrary code via a crafted DXF file, a different vulnerability than CVE-2010-0254 and CVE-2010-0256.
Affected (3 ranges; no version data indexed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | visio | — | — |
| microsoft | visio | — | — |
| microsoft | visio | — | — |
Detection & IOCs (extracted from sources)
- Return address: RET 0x6173345c (push esp / ret in VISIODWG.DLL), for Visio 2002 English on Windows XP SP3 Spanish
- Bytes: |0A 45 4E 44 53 45 43| (a newline followed by "ENDSEC")
- Snort rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3;)
- Bytes: \xeb\x20\x90\x90 (jmp short +0x20 followed by NOPs)
- Bytes: \x81\xc4\x48\xf4\xff\xff (add esp, 0xfffff448, i.e. esp -= 0xbb8, a stack adjustment)
- The overflow is triggered while parsing the HEADER section of a DXF file, around the $ACADMAINTVER field. Monitor for Visio opening DXF files via Insert -> CAD Drawing with oversized HEADER section content.
- Malicious DXF files place oversized data in the $ACADMAINTVER header field (offset 0x50 to EIP). Inspect DXF files for abnormally long $ACADMAINTVER values.
- The Snort/ET rule uses the flowbit DXF.Ext.Access to track DXF file downloads over HTTP; it then requires the ENDSEC byte sequence (0A 45 4E 44 53 45 43) not followed by a newline within the next two bytes, and a byte_test that the single byte two positions past the match is greater than 81 (written as a plain decimal in the rule).
- The payload encoder uses ECX as BufferRegister with an alphanumeric-only charset; look for alphanumeric shellcode blobs immediately after the $ACADMAINTVER overflow padding in DXF HEADER sections.
- Stack pivot sequence: push esp / pop ecx (0x54 0x59) followed by a sub instruction that adjusts ECX to point at the shellcode. This byte pattern can be matched in DXF file content.
- The exploit targets only Microsoft Office Visio 2002 (VISIO.EXE v10.0.525.4 / VISIODWG.DLL v10.0.525.4); versions patched by MS10-028 (VISIODWG.DLL >= 10.0.6880.4) are not vulnerable.
- Payload space is limited to 2000 bytes and must be alphanumeric-only (every other byte is a bad char), which constrains the shellcode that can be delivered.
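As an added worked example (editor's code, not from the page's sources or from either exploit it lists), the following Python inspector applies two of the indicators above to a DXF file: an abnormally long $ACADMAINTVER value in the HEADER section, and the payload byte logic of ET sid 2012153. The sample files are constructed for the example and contain no shellcode; the 0x50 threshold is taken from the IOC text, and reading the rule's byte_test value 81 as decimal is an assumption about how the rule is written.

```python
"""Added example (editor's code, not from the page's sources): inspect a DXF
file for two of the indicators listed on the page.

1. An abnormally long $ACADMAINTVER value in the HEADER section (the IOC text
   gives 0x50 bytes as the offset to EIP, so that length is the threshold).
2. The byte logic of ET sid 2012153: "\\nENDSEC" with no newline in the next
   two bytes, and the byte two positions past the match greater than 81
   (the rule's value is read as decimal here; that is an assumption).

Both sample files below are constructed for this example and hold no shellcode.
"""

ENDSEC_MARKER = b"\x0aENDSEC"      # content:"|0A 45 4E 44 53 45 43|"
EIP_OFFSET = 0x50                  # offset-to-EIP quoted in the IOC text
BYTE_TEST_VALUE = 81               # byte_test:1,>,81,2,relative


def parse_dxf_pairs(data):
    """Yield (group_code, raw_value) tuples.

    DXF is a sequence of line pairs: a numeric group code, then its value.
    Group codes that do not parse as integers are yielded as None so that a
    malformed file does not abort the inspection."""
    lines = [ln.rstrip(b"\r") for ln in data.split(b"\n")]
    for i in range(0, len(lines) - 1, 2):
        try:
            code = int(lines[i].strip())
        except ValueError:
            code = None
        yield code, lines[i + 1]


def header_variables(data):
    """Return {variable_name: [raw values]} for the HEADER section only.

    Variables are introduced by group code 9 ($NAME); every pair up to the
    next code 9 or ENDSEC is a value of that variable."""
    result = {}
    pending_section = False   # just saw "0/SECTION"; the next pair names it
    in_header = False
    current = None
    for code, value in parse_dxf_pairs(data):
        if code == 0:
            if value == b"SECTION":
                pending_section, in_header, current = True, False, None
            elif value == b"ENDSEC":
                in_header, current = False, None
            continue
        if pending_section:
            pending_section = False
            in_header = (code == 2 and value == b"HEADER")
            continue
        if in_header:
            if code == 9:
                current = value
                result.setdefault(current, [])
            elif current is not None:
                result[current].append(value)
    return result


def oversized_acadmaintver(data, limit=EIP_OFFSET):
    """True when any $ACADMAINTVER value is at least `limit` bytes long.
    A legitimate value is a small integer (group code 70), a few bytes long."""
    values = header_variables(data).get(b"$ACADMAINTVER", [])
    return max((len(v) for v in values), default=0) >= limit


def et_2012153_byte_logic(data):
    """Re-implementation of the rule's payload checks (flow/flowbits omitted).

    Every occurrence of the marker is tried, as a detection engine retries
    the later relative options on the next content match."""
    start = 0
    while True:
        idx = data.find(ENDSEC_MARKER, start)
        if idx < 0:
            return False
        cursor = idx + len(ENDSEC_MARKER)
        # content:!"|0a|"; within:2 -> no newline in the next two bytes
        no_newline = b"\x0a" not in data[cursor:cursor + 2]
        # byte_test:1,>,81,2,relative -> one unsigned byte at cursor + 2
        in_range = len(data) > cursor + 2
        if no_newline and in_range and data[cursor + 2] > BYTE_TEST_VALUE:
            return True
        start = idx + 1


def inspect_dxf(data):
    """Both verdicts as a dict, for simple triage output."""
    return {
        "oversized_acadmaintver": oversized_acadmaintver(data),
        "et_2012153_byte_logic": et_2012153_byte_logic(data),
    }


# Constructed samples (not real exploit files).
BENIGN_DXF = (
    b"  0\nSECTION\n  2\nHEADER\n"
    b"  9\n$ACADVER\n  1\nAC1015\n"
    b"  9\n$ACADMAINTVER\n 70\n     6\n"
    b"  0\nENDSEC\n  0\nEOF\n"
)

SUSPICIOUS_DXF = (
    b"  0\nSECTION\n  2\nHEADER\n"
    b"  9\n$ACADMAINTVER\n 70\n"
    + b"A" * EIP_OFFSET + b"XXXX" + b"P" * 32   # padding, placeholder return address, placeholder alnum blob
    + b"\n  0\nENDSEC" + b"ZZZZ"                # ENDSEC not followed by a newline
    + b"\n  0\nEOF\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_DXF), ("suspicious", SUSPICIOUS_DXF)):
        print(name, inspect_dxf(sample))
```

The rule's flow and flowbit conditions are deliberately left out: they scope the signature to HTTP downloads, while the byte logic is what you would reuse against files already on disk or pulled from a mail gateway.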
Suricata
ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution
suricata · 2011-01-06
Rule (metadata truncated on the page): alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution"; flow:established,to_client; flowbits:isset,DXF.Ext.Access; content:"|0A 45 4E 44 53 45 43|"; content:!"|0a|"; within:2; byte_test:1,>,81,2,relative; reference:url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow; reference:url,www.exploit-db.com/exploits/14944/; reference:cve,2010-1681; reference:url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx; reference:bid,39836; classtype:attempted-user; sid:2012153; rev:3; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2
Exploit-DB
Microsoft Visio - 'VISIODWG.dll .DXF' File Handling (MS10-028) (Metasploit)
exploitdb · 2011-06-26
---
##
# $Id: visio_dxf_bof.rb 13034 2011-06-26 16:09:53Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability',
      'Description' => %q{
          This module exploits a stack based overflow vulnerability in the handling
        of the DXF files by Microsoft Visio 2002. Revisions prior to the release of
        the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application
        is used to import a specially cra
# (excerpt truncated on the page; the class header above is restored from the
#  standard Metasploit module layout after extraction dropped the text between
#  "Metasploit3" and the 'Name' key)
Exploit-DB
Microsoft Visio 2002 - '.DXF' Local Stack Overflow
exploitdb · 2010-09-08 · CVSS 7.6 [HIGH]
---
'''
 __  __  ____          _    _ ____
|  \/  |/ __ \   /\   | |  | |  _ \
| \  / | |  | | /  \  | |  | | |_) |
(MOAUB banner truncated on the page)
'''
# Excerpt of the Python 2 generator (exploit-db 14944). The page loses the
# script's head, including the definitions of str1..str4, jmp, eip,
# shellcode and fdR, and the text between a '<' and the following '>' was
# stripped by extraction; the comparison operators and the padding loop
# below are restored from the surrounding lines (920 is the payload limit
# this script enforces).
        if len(shellcode) > 920:
            print "[*] Error : Shellcode is too long !"
            return
        if len(shellcode) < 920:
            dif = 920 - len(shellcode)
            while dif > 0:
                shellcode += '\x90'   # pad the payload to a fixed length with NOPs
                dif = dif - 1
        fdW = open('exploit.dxf', 'wb+')
        fdW.write(str1)
        fdW.write(shellcode)
        fdW.write(str2)
        fdW.write(jmp)
        fdW.write(str3)
        fdW.write(eip)
        fdW.write(str4)
        fdW.close()
        fdR.close()
        print '[-] DXF file generated'
    except IOError:
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)

if __name__ == '__main__':
    main()
Metasploit
Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
metasploit
This module exploits a stack based overflow vulnerability in the handling of the DXF files by Microsoft Visio 2002. Revisions prior to the release of the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application is used to import a specially crafted DXF file, while parsing the HEADER section of the DXF file. To trigger the vulnerability an attacker must convince someone to insert a specially crafted DXF file to a new document, go to 'Insert' -> 'CAD Drawing'
No writeups or analysis indexed.
References
- http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow
- http://www.exploit-db.com/exploits/14944
- http://www.securityfocus.com/archive/1/511121/100/0/threaded
- http://www.securityfocus.com/bid/39836
- http://www.securitytracker.com/id?1023938
Published: 2010-05-06