Monday, January 24, 2011

Jan 24 CVE-2010-3970 DOC 'Secretary-General Liao' from (Update - Analysis by the Sematic)

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3970  Stack-based buffer overflow in the CreateSizedDIBSECTION function in shimgvw.dll in the Microsoft Graphics Rendering Engine in Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted .MIC or unspecified Office document containing a thumbnail bitmap with a negative biClrUsed value, as reported by Moti and Xu Hao.
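As an added illustration (not part of the original post or of the analysis it cites), the heuristic below scans a byte blob for BITMAPINFOHEADER structures and flags the negative biClrUsed value the CVE entry describes. The bitmap headers it scans are constructed inline for the demonstration, not extracted from 44.doc.

```python
import struct
from typing import List, Tuple

# BITMAPINFOHEADER (40 bytes, little-endian): biSize, biWidth, biHeight,
# biPlanes, biBitCount, biCompression, biSizeImage, biXPelsPerMeter,
# biYPelsPerMeter, biClrUsed, biClrImportant. biClrUsed is decoded here as a
# signed 32-bit value ("i"), the interpretation under which it goes negative.
DIB_HEADER = struct.Struct("<IiiHHIIiiiI")
DIB_SIZE_MAGIC = struct.pack("<I", 40)          # biSize == 40 marks a candidate
VALID_BIT_COUNTS = {1, 4, 8, 16, 24, 32}


def dib_header_findings(blob: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, biClrUsed, verdict) for every plausible DIB header in blob."""
    findings = []
    pos = blob.find(DIB_SIZE_MAGIC)
    while pos != -1 and pos + DIB_HEADER.size <= len(blob):
        (_, width, height, planes, bitcount, compression,
         _, _, _, clr_used, _) = DIB_HEADER.unpack_from(blob, pos)
        # Plausibility filter: the 0x28 marker also occurs in ordinary data.
        if (planes == 1 and bitcount in VALID_BIT_COUNTS
                and compression <= 5 and width > 0 and height != 0):
            if clr_used < 0:
                verdict = "SUSPICIOUS: negative biClrUsed (CVE-2010-3970 pattern)"
            elif bitcount <= 8 and clr_used > (1 << bitcount):
                # General BMP sanity rule: a palette cannot exceed 2^biBitCount entries.
                verdict = "SUSPICIOUS: palette count exceeds 2^biBitCount"
            else:
                verdict = "ok"
            findings.append((pos, clr_used, verdict))
        pos = blob.find(DIB_SIZE_MAGIC, pos + 1)
    return findings


def is_suspicious(blob: bytes) -> bool:
    return any(verdict != "ok" for _, _, verdict in dib_header_findings(blob))


def make_dib_header(width: int, height: int, bitcount: int, clr_used: int) -> bytes:
    """Constructed test header (hypothetical values, not from the 44.doc sample)."""
    return DIB_HEADER.pack(40, width, height, 1, bitcount, 0, 0, 2835, 2835, clr_used, 0)


# Constructed blob: filler, a benign 8-bit thumbnail header, more filler, then a
# header whose biClrUsed is 0xFFFFFFFF (-1 when read as a signed value).
SAMPLE_BLOB = (b"A" * 64 + make_dib_header(96, 96, 8, 256)
               + b"\x00" * 32 + make_dib_header(96, 96, 8, -1) + b"B" * 16)

if __name__ == "__main__":
    for offset, clr_used, verdict in dib_header_findings(SAMPLE_BLOB):
        print(f"offset {offset}: biClrUsed={clr_used} -> {verdict}")
```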

General File Information

File: 44.doc (part of ATT63777.7z archive)
MD5: f51d3fb324d8f11b734ca63dbccbdc32
SHA1: b3c4c84c98c6befaf6a480ae145cdcebb5929a82
File size: 10240 bytes
Type: DOC
Distribution: Email attachment

Post Update - Vulnerability Analysis

On Feb 23 the Sematic blog posted an excellent analysis of the exploit.

Ultimately it plans to fetch and execute the file located at:
This file would be stored under %SYSTEM32% as 'a.exe'.


The malicious word document was sent inside a 7zip archive folder with 43 non-malicious image files.  Due to this, a recipient is likely to switch to the 'thumbnails' or filmstrip view, which triggers the exploit. It crashed explorer.exe but nothing else during all the tests.

This vulnerability was disclosed by Moti and Xu Hao during POC 2010 - international security & hacking conference in Korea, which took place on December 14-15, 2010. You can view their slides here 

Metasploit added this exploit (by jduck) on January 4, 2011.

This particular file appears to be Metasploit generated (thanks to Steven Adair for checking this) but it does not work. I am posting it anyway because it is a very notable attempt to use a new unpatched (except for the manual Fix-it) vulnerability in a targeted attack.

This vulnerability affects Windows 2000, XP, and Server 2003. It was tested on XP SP2 and XP SP3 without any patches, with DEP on and DEP off, without any success. If you make it work, let me know.

The message was sent in Chinese, from a Korean hosting company IP address, using a Yahoo Taiwan webmail address.

Original Message

From: 空白空白 []
Sent: Monday, January 24, 2011 9:58 PM
Subject: 百變廖了以——廖了以從政圖集


Machine translation:
Variety Liao taking - taking political atlas Liao

KMT Secretary-General Liao a new political atlas ...

about the general: 

Message Headers

Received: (qmail 19994 invoked from network); 25 Jan 2011 02:58:34 -0000
Received: from (HELO (
  by XXXXXXXXXXXXXXXX with SMTP; 25 Jan 2011 02:58:34 -0000
Received: (qmail 89001 invoked by uid 1000); 25 Jan 2011 02:57:45 -0000
Received: (qmail 51287 invoked by uid 60001); 25 Jan 2011 02:57:44 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s1024; t=1295924263; bh=Z0LAcyDUZ2z7IpHzTTg3KMfi8jZPRcfmWkcH4Qb+a5s=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=p44FQx52jjZ1acEA3Blwqf42wkC6tdcpnct4q0uIT6mr01sDUstZnHQUMTlrxV6UAKdi3KQ2s8NAF1t/JXFYqSp5J8vNDvMtH/TyMnsapel70Y4JSYg2IR6KkA6lJFDdF+WOCTfNL2yqHVW8Woice1mofVlW89pbxbZxDQ8XxQw=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
Message-ID: <>
X-YMail-OSG: dL9.0vwVM1lBL6b9cdApJJGfAs7gOVzx._rBgfQPeeX9Ufb
Received: from [] by via HTTP; Tue, 25 Jan 2011 10:57:43 CST
X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/
Date: Tue, 25 Jan 2011 10:57:43 +0800
From: =?big5?B?qsWl1arFpdU=?=
Subject: =?big5?B?psrF3Ln5pEalSKFYoVi5+aRGpUixcaxGuc+2sA==?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-28100207-1295924263=:46984"

Organization: LG DACOM KIDC
Country: Korea
This is a hosting company.

Automated Scans

Submission date: 2011-02-05 03:13:51 (UTC)
Result: 11/43 (25.6%)

Antivirus            Version           Last update   Result
AntiVir                                2011.02.04    EXP/CVE-2010-3970
Avast                4.8.1351.0        2011.02.04    DIB:CVE_2010_3970
Avast5               5.0.677.0         2011.02.04    DIB:CVE_2010_3970
Commtouch                              2011.02.05    CVE-2010-3970!Camelot
GData                21                2011.02.05    DIB:CVE_2010_3970
Kaspersky                              2011.02.05    Exploit.Win32.CVE-2010-3970.a
McAfee               5.400.0.1158      2011.02.05    Exploit-CVE2010-3970
McAfee-GW-Edition    2010.1C           2011.02.05    Exploit-CVE2010-3970
NOD32                5847              2011.02.04    a variant of Win32/Exploit.CVE-2010-3970.A
PCTools                                2011.02.04    Trojan.Generic
Symantec             20101.3.0.103     2011.02.05    Trojan Horse

MD5: f51d3fb324d8f11b734ca63dbccbdc32

Detail view

Thumbnail view - seconds before explorer crash.
