Microsoft Word Macro Buffer Overflow

Source: securityvulns, SECURITYVULNS:DOC:5243 (via vulners.com)
Date: Oct 15, 2003

Topic: Buffer overflow on Macro structure processing
Vulnerable: Microsoft Office 97, Microsoft Office 2000 (any service pack)
Not Vulnerable: Microsoft Office XP

Description:

While processing a document with embedded macros, Microsoft Office
family products are vulnerable to a buffer overflow.

Details:

Macro information is stored in an internal structure. This structure
contains the internal and external macro names in Unicode and the length of
each name (number of Unicode characters). During processing, the specified
number of Unicode characters is copied into an internal buffer of fixed
length (256 Unicode characters), but the length of the macro name is never
checked. The fragment of code from winword.exe below illustrates the problem:

esi contains the number of characters in the string

3019460B lea eax, [esi+esi]

now eax holds the number of bytes (esi*2)

3019460E add [ebp+var_4], eax
30194611 mov ecx, [ebp+var_4]
30194614 cmp ecx, [ebp+var_14]

now we check that we do not run past the end of the input data stream (?)

30194617 jg loc_30194B2B
3019461D push 0
3019461F push eax

eax contains the number of bytes to copy

30194620 lea eax, [ebp+var_44A]

now eax contains a pointer to the buffer

30194626 jmp short loc_30194640

30194628 loc_30194628:
30194628 add [ebp+var_4], esi
3019462B mov eax, [ebp+var_4]
3019462E cmp eax, [ebp+var_14]
30194631 jg loc_30194B2B
30194637 push 0
30194639 push esi
3019463A lea eax, [ebp+var_133]

30194640 loc_30194640:
30194640 push eax
30194641 push [ebp+arg_24]
30194644 push [ebp+arg_0]
30194647 call sub_30193323
^^^^^^^^^^^^

This function is used very often :) In this case it copies the full name of
the macro from the stream into the buffer. The copy is not a simple
rep movsd but a more complicated process defined by the document
structure.

To test it in practice we have to create a document. Record a macro, making
sure the macro is stored in the current document, not in the normal.dot
template. Save the document and open it in a hex editor (I use BIEW, written
by Nick Kurshev, a perfect free editor). Try to locate this:

000013C8: 10 FF FF 01 00 02 00 00 03 50 00 72 00 6F 00 6A ЪЪ  P r o j
000013D8: 00 65 00 63 00 74 00 2E 00 4E 00 65 00 77 00 4D e c t . N e w M
000013E8: 00 61 00 63 00 72 00 6F 00 73 00 2E 00 73 00 70 a c r o s . s p
000013F8: 00 61 00 6D 00 63 00 6F 00 64 00 65 00 72 00 01 a m c o d e r 
00001408: 00 11 01 00 0A 00 1B 00 50 00 52 00 4F 00 4A 00   P R O J
00001418: 45 00 43 00 54 00 2E 00 4E 00 45 00 57 00 4D 00 E C T . N E W M
00001428: 41 00 43 00 52 00 4F 00 53 00 2E 00 53 00 50 00 A C R O S . S P
00001438: 41 00 4D 00 43 00 4F 00 44 00 45 00 52 00 00 00 A M C O D E R
00001448: 40 00 80 01 00 06 00 00 00 06 00 00 00 8C 24 AD @ Ђ   Њ$­

Take a look at the first line:

10 FF FF 01 00 02 00 25 02 50 00 72 00 6F 00 6A
^^ ^^

2502 (0225h, 549 decimal) is the number of characters in the Unicode string.
In your case it will be smaller; try changing it to a larger value. Because
the stack frame size is 1100, at least 549 characters are required to
overflow the buffer. I was not able to exploit this problem; maybe you can.

As mentioned above, the function in question is called in several
places, so there may be other overflows.