MS Word Unchecked Boundary Condition Vulnerability Jul 10 2006 03:47PM
naveed (naveedafzal gmail com)
* Microsoft Word unchecked boundary condition vulnerability.
* ---------------------------------------------------------
* One of the functions in mso.dll (older versions mso9.dll)
* cannot properly handle the specially crafted files causing
* invalid memory acess and in some cases arbitrary overwrites.
* The exported function LsCreateLine (entry : mso_203) contains a boundary
* error while parsing certain specially crafted .DOC files,resulting in
* an invalid memory access.
* Following proof of concept code generates a .doc file , opening
* the file will cause an access violation, in mso.dll.
* Code execution is possible if 4-bytes of arbitrary memory
* is overwritten. Apparently this is not specific to MS Word
* only but other Office products are also vulnerable which use these
* functions. No other user interaction required in order to
trigger the vulnerability.
* Affected Products: Microsoft Office
* Tested against : Microsoft Word 2003,2002,2000
* // naveed afzal

A proof of concept code is available here


[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus