CVE-2010-3200 : Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability Sep 14 2010 02:39AM
Aditya K Sood (adi_ks secniche org)

Advisory
Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability

CVE: 2010-3200

Version
Word 2003 (SP3) 11.8326.11.8324 tested on windows XP SP2/SP3

Details :

A null pointer dereference vulnerability has been noticed in MS Word.The
exception results in the MSO.dll library which fails to handle the
special crafted buffer in a file.The issue can be potentially triggered
by openinga malicious word file which resulted in a null pointer
exception due to invalid memory read.

Note: It has intermediate impact because if system is running (n) number
of instance of MS Word , opening of this malicious doc file results in
crash of all the instances thereby completely subverting the
functionality of word.

The following state of registers and frames were noticed

eax=00000000 ebx=00000000 ecx=02711d68 edx=00000000 esi=00000000
edi=008c1b1c
eip=30f91fd7 esp=0013cca0 ebp=0013ccb4 iopl=0 nv up ei ng nz na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00210282
mso!Ordinal1033+0x3f4:
30f91fd7 8b481c mov ecx,dword ptr [eax+1Ch]
ds:0023:0000001c=????????

0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be
wrong.
0013ccb4 30f16d61 mso!Ordinal1033+0x3f4
0013ccdc 30ef266f mso!Ordinal2272+0xad
0013cdc8 30f16951 mso!Ordinal233+0x596
00000000 00000000 mso!Ordinal1307+0xc0e

0:000> u
mso!Ordinal1033+0x3f4:
30f91fd7 8b481c mov ecx,dword ptr [eax+1Ch]
30f91fda f6c101 test cl,1
30f91fdd 0f85f3b20900 jne mso!Ordinal2868+0x2eb87 (3102d2d6)
30f91fe3 8b701c mov esi,dword ptr [eax+1Ch]
30f91fe6 83e601 and esi,1
30f91fe9 753a jne mso!Ordinal1033+0x442 (30f92025)
30f91feb 8b4848 mov ecx,dword ptr [eax+48h]
30f91fee 2bd1 sub edx,ecx

Basic Block:
30f91fd7 mov ecx,dword ptr [eax+1ch]
Tainted Input Operands: eax
30f91fda test cl,1
Tainted Input Operands: cl
30f91fdd jne mso!ordinal2868+0x2eb87 (3102d2d6)
Tainted Input Operands: ZeroFlag

Proof of Concept
The required proof of concept is available on below mentioned link
http://www.secniche.org/word_crash_11.8326.8324_poc.zip

Vendor Response:
The vulnerability was reported to Microsoft. Due to the nature of
inherent crash no separate bulletin will be released. In the next
release of development this issue will be patched or corrected.

Regards
Aditya K Sood

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus