MS Word Unchecked Boundary Condition Vulnerability
/*------------------------------------------------------------
* Microsoft Word unchecked boundary condition vulnerability.
* ---------------------------------------------------------
* One of the functions in mso.dll (older versions mso9.dll)
* cannot properly handle the specially crafted files causing
* invalid memory acess and in some cases arbitrary overwrites.
* The exported function LsCreateLine (entry : mso_203) contains a boundary
* error while parsing certain specially crafted .DOC files,resulting in
* an invalid memory access.
*
* Following proof of concept code generates a .doc file , opening
* the file will cause an access violation, in mso.dll.
* Code execution is possible if 4-bytes of arbitrary memory
* is overwritten. Apparently this is not specific to MS Word
* only but other Office products are also vulnerable which use these
* functions. No other user interaction required in order to
trigger the vulnerability.
*
* Affected Products: Microsoft Office
* Tested against : Microsoft Word 2003,2002,2000
*
* // naveed afzal
*------------------------------------------------------------*/
A proof of concept code is available here
http://www.bsdpakistan.org/downloads/wordPOC.c