MS10-031: VBE6 Single-Byte Stack Overwrite

Today we released bulletin MS10-031 addressing vulnerability CVE-2010-0815 in the VBE6.DLL library. VBE6.DLL is part of the Visual Basic Environment and is used by many Microsoft products, including Microsoft Office. We wanted to share a little more detail about this vulnerability to help you make a risk decision regarding its exploitability.

The vulnerability is a one-byte stack overwrite caused by a defect in text parsing code, with three additional conditions that limit the attacker's control:

  • The byte being overwritten must be equal to 0x2e (46 decimal, the ASCII character '.')

  • The value written is always zero (0x00)

  • No zero byte may be present between the parsing buffer and the 0x2e byte being overwritten (a zero byte in between prevents the overwrite)

In theory there are a few ways this vulnerability could be used in a successful exploit, but all of them require very specific properties of the target program. For example, a return address would have to contain a 0x2e byte, not start with 0x00 (and, per the third condition, have no zero byte anywhere between the parsing buffer and that 0x2e), and still point to code useful to the exploit after the 0x2e is turned into 0x00. Such properties, while possible, are unlikely to be found in practice.
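To make the three conditions and the return-address reasoning above concrete, here is a small simulation added for this post. It is not code from VBE6.DLL or from the bulletin: the real parsing routine is not shown, so the scan below is a hypothetical stand-in chosen only because it reproduces the stated constraints (only a 0x2e byte is touched, 0x00 is what gets written, the first 0x00 stops the scan). The stack frame, buffer size, saved EBP and return address values are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

/* Hypothetical model of the MS10-031 defect. The real VBE6.DLL parsing code is not
 * shown in the bulletin; this stand-in reproduces the three stated constraints:
 * only a 0x2e byte ('.') is overwritten, the value written is always 0x00, and the
 * first 0x00 encountered stops the scan before anything is overwritten. */

#define DOT       0x2e
#define BUF_LEN   8                     /* parsing buffer on the simulated stack */
#define FRAME_LEN (BUF_LEN + 4 + 4)     /* buffer, saved EBP, return address */

struct scan_result {
    long     offset;     /* frame offset of the byte turned into 0x00, or -1 */
    uint32_t ebp_after;  /* saved EBP as read back from the frame afterwards */
    uint32_t ret_after;  /* return address as read back afterwards */
};

static uint32_t read_le32(const uint8_t *p)
{
    return ((uint32_t)p[0]) | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walk forward from `start` looking for '.', stopping at the first 0x00. If a '.'
 * is reached first, replace it with 0x00 (the single-byte overwrite) and return its
 * offset. `limit` is where the walk must stop: in the defective version it is the
 * end of the whole frame (the scan is not tied to the buffer length), in the fixed
 * version it is the end of the buffer. */
static long scan_for_dot(uint8_t *mem, size_t start, size_t limit)
{
    for (size_t i = start; i < limit; i++) {
        if (mem[i] == 0x00)
            return -1;              /* NUL reached: nothing is overwritten */
        if (mem[i] == DOT) {
            mem[i] = 0x00;
            return (long)i;
        }
    }
    return -1;
}

/* Build a constructed 32-bit little-endian frame and run the scan over it.
 * `input` is copied into the buffer: a short input is NUL-padded like a normal
 * string, an input of BUF_LEN bytes or more fills the buffer with no terminator.
 * `bounded` selects the fixed scan (limit = buffer end) or the defective one
 * (limit = frame end). Saved EBP and return address values are made up. */
struct scan_result run_scan(const char *input, uint32_t saved_ebp, uint32_t ret, int bounded)
{
    uint8_t frame[FRAME_LEN];
    size_t n = strlen(input);
    if (n > BUF_LEN) n = BUF_LEN;
    memset(frame, 0x00, BUF_LEN);
    memcpy(frame, input, n);
    write_le32(frame + BUF_LEN, saved_ebp);
    write_le32(frame + BUF_LEN + 4, ret);

    struct scan_result r;
    r.offset    = scan_for_dot(frame, 0, bounded ? BUF_LEN : FRAME_LEN);
    r.ebp_after = read_le32(frame + BUF_LEN);
    r.ret_after = read_le32(frame + BUF_LEN + 4);
    return r;
}

int main(void)
{
    /* Eight non-dot bytes with no terminator: the scan leaves the buffer. A saved
     * EBP such as 0x0012FF80 (a typical 32-bit user-mode stack address) contains a
     * 0x00 byte, so the walk stops there and the return address survives. */
    struct scan_result a = run_scan("AAAAAAAA", 0x0012FF80, 0x7C2E1234, 0);
    printf("EBP with zero byte: offset=%ld ret=0x%08" PRIX32 "\n", a.offset, a.ret_after);

    /* Same input, but a saved EBP with no zero or dot byte: the walk reaches the
     * return address 0x7C2E1234 (bytes 34 12 2E 7C in memory), turns its 0x2E into
     * 0x00 and leaves 0x7C001234, which is where execution would return to. */
    struct scan_result b = run_scan("AAAAAAAA", 0x11223344, 0x7C2E1234, 0);
    printf("EBP without zero:   offset=%ld ret=0x%08" PRIX32 "\n", b.offset, b.ret_after);

    /* Fixed scan: bounded to the buffer, it never reaches the rest of the frame. */
    struct scan_result c = run_scan("AAAAAAAA", 0x11223344, 0x7C2E1234, 1);
    printf("Bounded scan:       offset=%ld ret=0x%08" PRIX32 "\n", c.offset, c.ret_after);
    return 0;
}
```

The second case is the one the paragraph above describes: the only thing the attacker gets is the 0x2e in the third byte of 0x7C2E1234 becoming 0x00, so the exploit lives or dies on whether 0x7C001234 happens to hold useful code. The first case shows why the third condition matters in practice, since any zero byte in the saved frame pointer (or anything else sitting between the buffer and the return address) ends the walk before it gets there.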

In our analysis, we feel that consistent exploit code resulting in arbitrary code execution is not likely to be released within the next 30 days. However, following our general guidelines, we have classified this vulnerability as exploitable, with the possibility of code execution.

– Greg Wroblewski, MSRC Engineering

*Posting is provided “AS IS” with no warranties, and confers no rights.*