Monday, July 10, 2006

Microsoft Word 2000/2003 Unchecked Boundary Condition Vulnerability

/*------------------------------------------------------------
* Microsoft Word unchecked boundary condition vulnerability.
* ---------------------------------------------------------
* One of the functions in mso.dll (older versions mso9.dll)
* cannot properly handle the specially crafted files causing
* invalid memory acess and in some cases arbitrary overwrites.
* The exported function LsCreateLine (entry : mso_203) contains a boundary
* error while parsing certain specially crafted .DOC files,resulting in
* an invalid memory access.
*
* Following proof of concept code generates a .doc file , opening
* the file will cause an access violation, in mso.dll.
* Code execution is possible if 4-bytes of arbitrary memory
* is overwritten. Apparently this is not specific to MS Word
* only but other Office products are also vulnerable which use these
* functions. No other user interaction required in order to
trigger the vulnerability.
*
* Affected Products: Microsoft Office
* Tested against : Microsoft Word 2003,2002,2000
*
* // naveed afzal
*------------------------------------------------------------*/

A proof of concept code is available here
http://www.bsdpakistan.org/downloads/wordPOC.c

PoC is also listed at Milw0rm.

Microsoft states on the MSRC blog that they were able to determine that the claim is not accurate: while the Word application will exit unexpectedly, this is not a remotely exploitable vulnerability in Microsoft Word.

No comments:

Post a Comment