<<< Date Index >>>     <<< Thread Index >>>

Microsoft WordPerfect 5.x Converter Heap Overflow



NGSSoftware Insight Security Research Advisory

Name: Microsoft WordPerfect 5.x Converter Heap Overflow
Systems Affected: Microsoft Office, Microsoft FrontPage, Microsoft
                  Publisher and Microsoft Works Suite
Severity: Medium Risk
Vendor URL: http://www.microsoft.com/
Author: Peter Winter-Smith [ peter@xxxxxxxxxxxxxxx ]
Date Vendor Notified: 13th January 2004
Date of Public Advisory: 14th September 2004
Advisory number: #NISR14092004
Advisory URL: http://www.ngssoftware.com/advisories/wordperconv.txt


Description
***********

It has been discovered that the Microsoft WordPerfect 5.x document
converter is vulnerable to a heap based buffer overflow which could allow
a remote attacker to execute arbitrary code on a vulnerable system.

This would require at least a default install of the affected products and
a certain amount of user interaction, such a visiting a malicious website
or opening a malicious document. The risk may change as a result of
individual user settings.


Details
*******

A WordPerfect 5 document can be manipulated in such a way as to cause a
heap based buffer overflow within the Microsoft WordPerfect 5.x Converter.

If the heap management structures have been overwritten, when the process
attempts to modify the structure of the heap, values which have been
overwritten are used for potentially dangerous operations which can be
made to overwrite execution-critical information and potentially cause the
application to execute arbitrary attacker supplied code.


Fix Information
***************

Microsoft have provided a fix for this issue which can be downloaded from
the Microsoft Security website at:

http://www.microsoft.com/technet/security/bulletin/MS04-027.mspx


About NGSSoftware
*****************

NGSSoftware design, research and develop intelligent, advanced application
security assessment scanners. Based in the United Kingdom, NGSSoftware
have offices in the South of London and the East Coast of Scotland.
NGSSoftware's sister company NGSConsulting, offers best of breed security
consulting services, specialising in application, host and network
security assessments.

http://www.ngssoftware.com/

Telephone +44 208 401 0070
Fax +44 208 401 0076

enquiries@xxxxxxxxxxxxxxx