Shared section vulnerability when opening microsoft office document resulting in DoS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Shared section vulnerability when opening microsoft office document resulting in DoS
From: sylvain.roger@xxxxxxxxxx
Date: 27 Jul 2005 07:36:46 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

There is a shared section vulnerability in office products when trying to open
an office document with firefox. For example try to open a word document
attached in a webmail. firefox.exe process will create a son winword.exe
process (it only appears when the process is created with firefox not 
svchosts). When creating this process a shared section is created called
\BaseNameObjects\Mso97SharedDgXXXXXXXX (the number may change I am not sure at
the present time). The rights on this shared section are put on "everyone" for
delete/synchronise/query/modify. this allows to write arbitrary data and to
perform a Dos against ALL Office open applications.

I do not manage to know if it is a firefox or Microsoft office vulnerability

Prev by Date: Re: Peter Gutmann data deletion theaory?
Next by Date: [SECURITY] [DSA 768-1] New phpbb2 packages fix cross-site scripting
Previous by thread: Re: Re : [Firefox Bug 302187] New: Shared section vulnerability when opening microsoft office document resulting in DoS
Next by thread: [SECURITY] [DSA 768-1] New phpbb2 packages fix cross-site scripting
Index(es):
- Date
- Thread