The following security advisory is sent to the securiteam mailing list, and can be found at
the SecuriTeam web site: http://www.securiteam.com
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
SUMMARY
The WordPerfect document converter shipped with Microsoft Word contains a
buffer overflow. If the converter is installed (it is by default in Office
2000) and a malicious .doc file is opened, an attacker can execute
arbitrary code.
The overflow can also be triggered through Internet Explorer, because
Microsoft Word is launched automatically as a helper application when a
.doc file is received.
The overflow overwrites the return address saved on the stack. We confirmed
that arbitrary code can be executed through this bug.
DETAILS
Systems Affected:
While parsing a WordPerfect file, the converter copies data stored in the
.doc file into a local buffer. By modifying a few bytes of the file, an
attacker controls both the offset and the size of that data. The converter
does not check the size against the buffer, and copies all of the data
from the file into a fixed-size buffer allocated on the stack. The result
is a classic stack-based buffer overflow in which the attacker can set EIP
to any value.
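The copy pattern described above, as an added illustration that is not the converter's code and not part of the original advisory: a hypothetical, simplified record layout (the magic bytes FF 57 50 43 seen in the dump below, followed by a little-endian offset field and size field) is parsed once the way the advisory describes, trusting the size taken from the file, and once with the checks that prevent the overflow. The record layout, the 64-byte buffer, the 32-bit field widths and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout, invented for this example only (it is not the
 * WordPerfect file format and not the converter's code):
 *   bytes 0..3   magic FF 57 50 43 ("\xFFWPC", as in the advisory's dump)
 *   bytes 4..7   data offset, little-endian, from the start of the file
 *   bytes 8..11  data size, little-endian
 *   bytes 12..   file body; the record data is file[offset .. offset+size) */
#define HDR_LEN  12
#define BUF_SIZE 64                 /* fixed stack buffer the converter fills */
static const uint8_t MAGIC[4] = { 0xFF, 'W', 'P', 'C' };

enum conv_result {
    CONV_OK = 0,
    CONV_BAD_HEADER,    /* file too short or wrong magic */
    CONV_SIZE_TOO_BIG,  /* size field larger than the destination buffer */
    CONV_RANGE_OOB      /* offset/size run past the end of the file */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The vulnerable pattern: offset and size come from the file and go straight
 * into a memcpy onto a stack buffer. A size above BUF_SIZE writes past 'local'
 * and over the saved return address. Kept for contrast; nothing here calls it
 * with a hostile file. */
int convert_vulnerable(const uint8_t *file, size_t file_len)
{
    uint8_t local[BUF_SIZE] = { 0 };
    if (file_len < HDR_LEN || memcmp(file, MAGIC, 4) != 0)
        return -1;
    uint32_t off = rd32le(file + 4);
    uint32_t len = rd32le(file + 8);
    memcpy(local, file + off, len);       /* neither off nor len is checked */
    return local[0];
}

/* Hardened version: both fields are validated against the destination buffer
 * and the file length before any copy happens. */
enum conv_result convert_checked(const uint8_t *file, size_t file_len,
                                 uint8_t *out, size_t out_len, size_t *copied)
{
    *copied = 0;
    if (file_len < HDR_LEN || memcmp(file, MAGIC, 4) != 0)
        return CONV_BAD_HEADER;
    uint32_t off = rd32le(file + 4);
    uint32_t len = rd32le(file + 8);
    if (len > out_len)
        return CONV_SIZE_TOO_BIG;
    /* compare against (file_len - off), not (off + len), which can wrap */
    if (off > file_len || len > file_len - off)
        return CONV_RANGE_OOB;
    memcpy(out, file + off, len);
    *copied = len;
    return CONV_OK;
}

/* Constructed sample file: header fields as given, body of body_len 'A's. */
static size_t build_sample(uint8_t *dst, size_t cap, uint32_t off,
                           uint32_t len, size_t body_len)
{
    if (cap < HDR_LEN + body_len)
        return 0;
    memcpy(dst, MAGIC, 4);
    for (int i = 0; i < 4; i++) {
        dst[4 + i] = (uint8_t)(off >> (8 * i));
        dst[8 + i] = (uint8_t)(len >> (8 * i));
    }
    memset(dst + HDR_LEN, 'A', body_len);
    return HDR_LEN + body_len;
}

/* Run the checked converter on a sample with the given header fields. */
enum conv_result demo_case(uint32_t off, uint32_t len, size_t body_len,
                           size_t *copied)
{
    uint8_t file[256], out[BUF_SIZE];
    size_t n = build_sample(file, sizeof file, off, len, body_len);
    return convert_checked(file, n, out, sizeof out, copied);
}

/* The vulnerable converter on a benign sample (32 bytes at offset 12). */
int demo_vulnerable_benign(void)
{
    uint8_t file[256];
    size_t n = build_sample(file, sizeof file, HDR_LEN, 32, 100);
    return convert_vulnerable(file, n);   /* first copied byte: 'A' == 0x41 */
}

int main(void)
{
    struct { uint32_t off, len; const char *what; } cases[] = {
        { HDR_LEN,     32,   "well-formed" },
        { HDR_LEN,     1000, "size > stack buffer (the advisory's overflow)" },
        { 200,         16,   "offset past end of file" },
        { 0xFFFFFFF0u, 32,   "offset chosen so off+len wraps in 32-bit math" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t copied;
        enum conv_result r = demo_case(cases[i].off, cases[i].len, 100, &copied);
        printf("%-48s -> result %d, copied %zu\n", cases[i].what, (int)r, copied);
    }
    return 0;
}
```

The fourth case is the one that a naive `off + len > file_len` check misses: with 32-bit fields the addition wraps to a small number, so the check is written as a subtraction from the known-good file length instead. The size check runs before the range check because it depends only on the destination buffer, not on the file.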
The .doc file used to confirm this buffer overflow is built as follows
(the hex dump below is abbreviated; the technical data may wrap in e-mail,
so see http://www.eeye.com/html/Research/Advisories/AD20030903-1.html for
the original):
00000000 FF 57 50 43 6D 02 00 00 01 0A 00 00 00 00 00 00 .WPCm...........
...
00000130 00 00 00 00 CD 01 00 00 08 00 02 00 00 00 CD 01 ................
...
000001C0 61 75 74 68 6F 72 00 65 45 79 65 00 00 00 00 FB author.eEye.....
000001D0 FF 05 00 32 00 00 00 00 00 01 01 6C 00 00 00 01 ...2.......l....
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Vendor Status:
Microsoft was notified on May 6, 2003, and has released a patch for this
vulnerability (bulletin MS03-036). The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS03-036.asp
(SecuriTeam copy: http://www.securiteam.com/windowsntfocus/5MP0415B5S.html)
ADDITIONAL INFORMATION
The information has been provided by Marc Maiffret of eEye.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
[email protected]
In order to subscribe to the mailing list, simply forward this email to:
[email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages.