MS Word Unchecked Boundary Condition Vulnerability

From: naveed (naveedafzalgmail.com)
Date: Mon Jul 10 2006 - 10:47:21 CDT


/*------------------------------------------------------------
 * Microsoft Word unchecked boundary condition vulnerability.
 * ---------------------------------------------------------
 * One of the functions in mso.dll (older versions mso9.dll)
 * cannot properly handle specially crafted files, causing
 * invalid memory access and in some cases arbitrary overwrites.
 * The exported function LsCreateLine (entry : mso_203) contains a boundary
 * error while parsing certain specially crafted .DOC files, resulting in
 * an invalid memory access.
 *
 * The following proof of concept code generates a .doc file; opening
 * the file will cause an access violation in mso.dll.
 * Code execution is possible if 4 bytes of arbitrary memory
 * are overwritten. Apparently this is not specific to MS Word
 * only; other Office products that use these functions are also
 * vulnerable. No other user interaction is required in order to
 * trigger the vulnerability.
 *
 * Affected Products: Microsoft Office
 * Tested against : Microsoft Word 2003, 2002, 2000
 *
 * // naveed afzal
 *------------------------------------------------------------*/

Proof of concept code is available here:

http://www.bsdpakistan.org/downloads/wordPOC.c