ID

VAR-200801-0206

CVE

CVE-2008-0228

TITLE

Linksys WRT54GL Wireless-G Broadband Router Vulnerable to cross-site request forgery

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators. WRT54GL is prone to a cross-site request forgery vulnerability. Linksys WRT54G is a wireless router of Cisco, which is a wireless routing device that combines the functions of wireless access point, switch and router. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Microsoft Word Malformed FIB Arbitrary Free Vulnerability 1. *Advisory Information* Title: Microsoft Word Malformed FIB Arbitrary Free Vulnerability Advisory ID: CORE-2008-0228 Advisory URL: http://www.coresecurity.com/content/word-arbitrary-free Date published: 2008-12-10 Date of last update: 2008-12-10 Vendors contacted: Microsoft Release mode: Coordinated release 2. *Vulnerability Information* Class: Arbitrary free Remotely Exploitable: Yes (client-side) Locally Exploitable: No Bugtraq ID: 29633 CVE Name: CVE-2008-4024 3. *Vulnerability Description* A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed record value. An attacker who successfully exploited this vulnerability could execute arbitrary code with the privileges of the user running the MS Word application. More specifically, a Word file with a specially crafted 'lcbPlcfBkfSdt' field value (offset '0x4f0') inside the File Information Block (FIB) can corrupt the heap structure on vulnerable Word versions and enable an arbitrary free with controlled values. 4. *Vulnerable packages* . Microsoft Word 2000 Service Pack 3 . Microsoft Word 2002 Service Pack 3 5. *Non-vulnerable packages* . Microsoft Word 2003 Service Pack 3 . Microsoft Word 2007 6. *Vendor Information, Solutions and Workarounds* Microsoft has released patches for this vulnerability. For more information refer to the Microsoft Security Bulletin MS08-072 released on December 9th, 2008, available at http://www.microsoft.com/technet/security/Bulletin/ms08-072.mspx Microsoft recommends that customers apply the update immediately. 7. *Credits* This vulnerability was discovered and researched by Ricardo Narvaja, from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies. 8. *Technical Description / Proof of Concept Code* A vulnerability has been found in the way that Microsoft Word handles specially crafted Word files. A Word file with a specially crafted 'lcbPlcfBkfSdt' field value (offset '0x4f0') inside the File Information Block (FIB) can corrupt the heap structure on vulnerable Word versions, and enable an arbitrary free with controlled values. If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on vulnerable systems with the privileges of the user running the MS Word application. To construct a PoC file that demonstrates this bug it is sufficient to use Microsoft Word 2007 to generate a Word 97-2003 compatible '.doc' file, and then change the byte at offset 0x4f0, this is the 'lcbPlcfBkfSdt' field value located inside the File Information Block (FIB). By simply changing this byte from 0 to 1, we obtain a file that will make vulnerable Word versions crash when closing the file. This can be improved to make Word crash when opening the file by changing some other values. This fact was detected using automated fuzzing. In location 0x2b80, there is an arbitrary pointer that can be controlled to choose the address that will be used as parameter of a call to the free function '__MsoPvFree'. If the 'lcbPlcfBkfSdt' value is 0, modifying this pointer has no effect. But if this value is 1, then modifying this arbitrary pointer will cause the free function to close the program. The execution of '__MsoPvFree' is reached with two controlled values, the pointer that was directly changed in the .doc file and the contents of the memory position that it points to. That is, both of them are controlled, one directly and the other in an indirect manner, we can thus fully control the effect of the free function. The exploitation of this bug depends on the construction of a file such that different arbitrary blocks are allocated when closing the file before 'free' is called. However this scenario is complex due to the limitations of the '__MsoPvFree' API, including checks that make the exploitation difficult. The vendor's analysis indicates that the root cause of this vulnerability is the processing of a 'PlfLfo' structure that is read in from the file. It contains an array of 'Lfo' objects. If any of those 'Lfo' objects has a 'clfolvl' value of 0 and a 'plfolvl' (the previous 4 bytes) value that is non-zero, Word will attempt to free memory at 'plfolvl'. This is because 'plfolvl' is supposed to be overwritten with a valid pointer to allocated memory, but if 'clfolvl' is 0 this initialization step is skipped. Later on cleanup code will check if 'plfolvl' has a non-zero value and if so, attempt to free the memory chunk it points to. A Proof of Concept '.doc' file which makes Word 2000 and Word 2002 crash ('WINWORD.EXE', main thread, module 'MS09') is available at [2]. An illustrated explanation can be downloaded from Core's website (see reference [3]). 9. *Report Timeline* . 2008-03-13: Core notifies the vendor of the vulnerability and sends the advisory draft. The advisory's publication is preliminary set to April 14th, 2008. 2008-03-13: Vendor acknowledges notification. 2008-03-31: Core requests information concerning Microsoft's plans to fix the vulnerability (no reply received). 2008-04-16: Core requests again information concerning Microsoft's schedule to produce a fix. The advisory publication is rescheduled for May 12th, 2008. 2008-04-25: Vendor informs that they are wrapping up the investigation and threat model analysis and that fixes will not be included in the Word Security Bulletin of May. Vendor estimates that it will take a few months to produce and test a fix for the vulnerability. Vendor promises an update on May 23th. 2008-04-25: Core sends additional information with low level details of the vulnerability. 2008-04-28: Core requests the vendor details about the schedule for the vulnerability fix in order to coordinate the publication of the advisory (no reply received). 2008-05-28: Core requests again details about the vulnerability fix schedule (no reply received). 2008-06-02: Core requests again details about the vulnerability fix schedule, root cause of the problem and confirmation of vulnerable versions. Core reschedules the publication of the advisory for June 11th, 2008 as "user release" (no reply received). 2008-06-13: In another attempt to coordinate the publication of the advisory with the release of a fixed version, Core reschedules publication for the second Wednesday of July, under "user release" mode. The latest advisory version is sent to the vendor. 2008-06-17: Vendor apologies for having mistakenly marked this issue as "no action until 6/23". Vendor informs that they are working on a fix plan and promises more information to be sent on Monday June 23rd. 2008-06-27: Core requests the vendor the expected details on the vulnerability fix schedule. 2008-07-03: Vendor thanks Core for holding on the publication of this vulnerability, and informs that the issue described in advisory CORE-2008-0228 is marked to be addressed in October 2008. It also informs that they don't have reports of the vulnerability being exploited in the wild. 2008-07-08: Vendor informs that they have binaries available to pre-test the potential fixes. 2008-07-08: Core asks for the patches to pre-test and informs the vendor that publication date of the advisory will be revisited. 2008-07-23: Core sends the vendor an updated version of the advisory and PoC files. 2008-08-26: Core requests the vendor a more precise date for the release of fixes in October. 2008-08-29: Vendor informs that they are tentatively targeting October 14th, and that patches will be sent to Core for inspection the following week. 2008-08-29: Core acknowledges reception of the previous mail. 2008-09-30: Vendor informs that the planned release of the fix for this vulnerability has slipped out to December 11th. Vendor supplies Core a draft of their own security bulletin and a copy of the Office 2000 update fixing the bug. 2008-10-01: Core confirms the vendor that after private discussions the advisory will be published in December 9th (second Tuesday of the month). 2008-10-01: Vendor confirms that the release date of fixes is December 9th and supplies Core with a copy of their own security bulletin and a copy of the Office XP update fixing the bug. 2008-10-20: Core confirms that it intends to publish the advisory CORE-2008-0228 on December 9th as previously established. 2008-11-11: Vendor confirms it is still on track to publish this fix for December 9th. 2008-11-11: Core informs the vendor that the patch was tested and works on Office XP (i.e. the crash avoided) and confirms that it intends to publish advisory CORE-2008-0228 on December 9th as previously established by both parties. 2008-12-04: Core sends the final draft of the advisory to the vendor. 2008-12-09: Microsoft Security Bulletin MS08-072 is released. 2008-12-10: Advisory CORE-2008-0228 is published. 10. *References* [1] Word 97-2007 Binary File Format (*.doc) Specification http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/Word97-2007BinaryFileFormat(doc)Specification.pdf [2] Microsoft Word Arbitrary Free Vulnerability PoC http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word-advisory-POC.doc [3] Microsoft Word Arbitrary Free Vulnerability Explained http://www.coresecurity.com/files/attachments/CORE-2008-0228-Word.pdf 11. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs. 12. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. 13. *Disclaimer* The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. 14. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkk/32wACgkQyNibggitWa1twACfR4nlubY9KyYIN7ubBUnXlnm6 QgEAnRl3fbRhADlci+pJwDQGjrtj2bxs =hR/7 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Linksys WRT54GL Cross-Site Request Forgery SECUNIA ADVISORY ID: SA28364 VERIFY ADVISORY: http://secunia.com/advisories/28364/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: Linksys WRT54GL 4.x http://secunia.com/product/17134/ DESCRIPTION: Tomaz Bratusa has reported a vulnerability in Linksys WRT54GL, which can be exploited by malicious people to conduct cross-site request forgery attacks. This can be exploited to e.g. disable the firewall by enticing a logged-in administrator to visit a malicious site. The vulnerability is reported in firmware version 4.30.9. Other versions may also be affected. SOLUTION: The vendor is currently working on a fix. Do not browse untrusted websites or follow untrusted links while logged on to the application. PROVIDED AND/OR DISCOVERED BY: Tomaz Bratusa, Team Intell ORIGINAL ADVISORY: TISA-2008-01 (via Bugtraq): http://archives.neohapsis.com/archives/bugtraq/2008-01/0063.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

cross-site request forgery

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Unknown

SOURCES

LAST UPDATE DATE

2025-04-10T23:22:25.226000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE