Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13806
HistoryAug 09, 2006 - 12:00 a.m.

[Full-disclosure] Microsoft PowerPoint Malformed Record Memory Corruption

2006-08-0900:00:00
vulners.com
11
JSON

Microsoft PowerPoint Malformed Record Memory Corruption Vulnerability

By Sowhat of Nevis Labs
2006.08.08

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060808.txt

Vendor
Microsoft Inc.

Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Office PowerPoint 2003
PowerPoint 2004 for Mac
PowerPoint 2004 v. X for Mac

Remote: YES
Exploitable: maybe ;)

CVE: CVE-2006-3449

Overview:

This vulnerability allows remote attackers to execute arbitrary code in
the context of the logged in user. An array boundary condition may be
violated by a malicious .PPT file in order to redirect execution into
attacker-supplied data. Exploitation requires that the attacker coerce or
persuade the victim to open a malicious .PPT file.

Details:

The specific flaw exists within the parsing of the BIFF(?) file format used
by Microsoft PowerPoint.

There will be a memory corruption during the analysis of a malformed PPT Record.

The disassembly code:

3009a818 3945fc cmp [ebp-0x4],eax
3009a81b 7703 ja POWERPNT+0x9a820 (3009a820)
3009a81d 8b45fc mov eax,[ebp-0x4]
3009a820 8b7308 mov esi,[ebx+0x8]
3009a823 8b7d08 mov edi,[ebp+0x8]
3009a826 2945fc sub [ebp-0x4],eax
3009a829 014508 add [ebp+0x8],eax
3009a82c 8bc8 mov ecx,eax
3009a82e 8bd1 mov edx,ecx
3009a830 c1e902 shr ecx,0x2
3009a833 f3a5 rep movsd ----> Access violation here. :)
3009a835 8bca mov ecx,edx
3009a837 83e103 and ecx,0x3
3009a83a f3a4 rep movsb
3009a83c 014308 add [ebx+0x8],eax
3009a83f 014318 add [ebx+0x18],eax
3009a842 837dfc00 cmp dword ptr [ebp-0x4],0x0
3009a846 75b7 jnz POWERPNT+0x9a7ff (3009a7ff)
3009a848 8b450c mov eax,[ebp+0xc]
3009a84b 5f pop edi
3009a84c 5e pop esi
3009a84d 5b pop ebx
3009a84e c9 leave
3009a84f c20800 ret 0x8

Code execution may possible.

POC:

No POC will be supplied

Fix:

Microsoft has released an update for Microsoft Office which is
set to address this issue. This can be downloaded from:

http://www.microsoft.com/technet/security/bulletin/MS06-048.mspx

Vendor Response:

2006.07.14 Vendor notified via [email protected]
2006.07.15 Vendor responded
2006.08.08 Vendor released MS06-048 patch
2006.08.08 Advisory released

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

    CVE-2006-3449

Greetings to Becky PhD. ;)

Reference:

  1. http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
  2. http://secway.org/vuln.htm


Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Related

cert 1
nessus 1
cve 1
securityvulns 1
cert
cert
Microsoft PowerPoint fails to properly handle malformed records
2006-08-08 00:00:00
nessus
nessus
MS06-048: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
2006-08-08 00:00:00
cve
cve
CVE-2006-3449
2006-08-09 00:04:00
securityvulns
securityvulns
Microsoft Security Bulletin MS06-048 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
2006-08-08 00:00:00
JSON
Related for SECURITYVULNS:DOC:13806
cert1nessus1cve1securityvulns1