MS Word Unchecked Boundary Condition Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MS Word Unchecked Boundary Condition Vulnerability
From: naveed <naveedafzal@xxxxxxxxx>
Date: Mon, 10 Jul 2006 20:47:21 +0500
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=ldLh8nq5e9svpUtexrloNaYWEkI2wieUDqCLFv/zuSprlh+cf4doiULlPCHWeJb8PNi/TK6NBsQ/CRDWCpi/42NmCyDa8lfZEn+XILOsr9wt5oBAiWJ3PesDZukXkJFJ8xnplChpKn59PTSAwOYMBIjDtWXvqTbwWyxG3yyVILY=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

/*------------------------------------------------------------
*    Microsoft Word unchecked boundary condition vulnerability.
*  ---------------------------------------------------------
*    One of the functions in mso.dll (older versions mso9.dll)
*    cannot properly handle the specially crafted files causing
*    invalid memory acess and in some cases arbitrary overwrites.
*    The exported function LsCreateLine (entry : mso_203) contains a boundary
*    error while parsing certain specially crafted .DOC files,resulting in
*    an invalid memory access.
*
*    Following proof of concept code generates a .doc file , opening
*    the file will cause an access violation, in mso.dll.
*    Code execution is possible if 4-bytes of arbitrary memory
*    is overwritten. Apparently this is not specific to MS Word
*    only but other Office products are also vulnerable which use these
*    functions. No other user interaction required in order to
trigger the vulnerability.
*
*    Affected Products: Microsoft Office
*    Tested against : Microsoft Word 2003,2002,2000
*
*    // naveed afzal
*------------------------------------------------------------*/

A proof of concept code is available here

http://www.bsdpakistan.org/downloads/wordPOC.c

Prev by Date: Re: PHP security (or the lack thereof)
Next by Date: Re: Mico crashes when contected with wrong IOR / DoS
Previous by thread: Re: Digital Armaments Security Advisory 10.07.2006: Flexwath Authorization Bypassing and XSS Vulnerability
Next by thread: Old vulnerable sotwares collection
Index(es):
- Date
- Thread