Microsoft PowerPoint Malformed Record Memory Corruption Aug 08 2006 08:16PM
Sowhat (smaillist gmail com)
Microsoft PowerPoint Malformed Record Memory Corruption Vulnerability

By Sowhat of Nevis Labs


Microsoft Inc.

Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Office PowerPoint 2003
PowerPoint 2004 for Mac
PowerPoint 2004 v. X for Mac

Remote: YES
Exploitable: maybe ;)

CVE: CVE-2006-3449


This vulnerability allows remote attackers to execute arbitrary code in
the context of the logged in user. An array boundary condition may be
violated by a malicious .PPT file in order to redirect execution into
attacker-supplied data. Exploitation requires that the attacker coerce or
persuade the victim to open a malicious .PPT file.


The specific flaw exists within the parsing of the BIFF(?) file format used
by Microsoft PowerPoint.

Memory corruption occurs while parsing a malformed PPT record.

The disassembly code:

3009a818 3945fc      cmp     [ebp-0x4],eax
3009a81b 7703        ja      POWERPNT+0x9a820 (3009a820)
3009a81d 8b45fc      mov     eax,[ebp-0x4]
3009a820 8b7308      mov     esi,[ebx+0x8]
3009a823 8b7d08      mov     edi,[ebp+0x8]
3009a826 2945fc      sub     [ebp-0x4],eax
3009a829 014508      add     [ebp+0x8],eax
3009a82c 8bc8        mov     ecx,eax
3009a82e 8bd1        mov     edx,ecx
3009a830 c1e902      shr     ecx,0x2
3009a833 f3a5        rep     movsd            ----> Access violation here. :)
3009a835 8bca        mov     ecx,edx
3009a837 83e103      and     ecx,0x3
3009a83a f3a4        rep     movsb
3009a83c 014308      add     [ebx+0x8],eax
3009a83f 014318      add     [ebx+0x18],eax
3009a842 837dfc00    cmp     dword ptr [ebp-0x4],0x0
3009a846 75b7        jnz     POWERPNT+0x9a7ff (3009a7ff)
3009a848 8b450c      mov     eax,[ebp+0xc]
3009a84b 5f          pop     edi
3009a84c 5e          pop     esi
3009a84d 5b          pop     ebx
3009a84e c9          leave
3009a84f c20800      ret     0x8

Code execution may be possible.
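
A defensive counterpart to the copy in the listing above, as an added example (not code from this advisory or from Microsoft): a record reader that checks the declared length against both the remaining input and the destination before any byte is copied. The 8-byte little-endian header layout, the function names and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 8u /* assumed header: ver/instance(2) type(2) length(4), little-endian */

/* Constructed samples, not taken from any real file. */
static const uint8_t GOOD_REC[] = { 0x00,0x00, 0xE8,0x03, 0x04,0x00,0x00,0x00, 'A','B','C','D' };
static const uint8_t BAD_REC[]  = { 0x00,0x00, 0xE8,0x03, 0xF0,0xFF,0xFF,0xFF, 'A','B','C','D' };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Copy one record body from buf into out.
 * Returns the body length, or -1 if the declared length cannot be honoured.
 * The count that reaches the copy (the role eax plays in the listing) is
 * validated against source and destination first; nothing is copied on failure. */
long copy_record_body(const uint8_t *buf, size_t buf_len,
                      uint8_t *out, size_t out_cap, uint16_t *type)
{
    if (buf == NULL || out == NULL || buf_len < HDR_LEN)
        return -1;                        /* truncated header */
    uint32_t rec_len = le32(buf + 4);     /* untrusted: comes from the file */
    size_t src_left = buf_len - HDR_LEN;  /* cannot underflow: checked above */
    if (rec_len > src_left)
        return -1;                        /* record claims more than the file holds */
    if (rec_len > out_cap)
        return -1;                        /* record would overrun the destination */
    if (type != NULL)
        *type = (uint16_t)(buf[2] | buf[3] << 8);
    memcpy(out, buf + HDR_LEN, rec_len);
    return (long)rec_len;
}

/* Hypothetical demo wrapper: parse a sample into a destination of at most 16 bytes. */
long demo(const uint8_t *rec, size_t len, size_t cap)
{
    uint8_t out[16];
    uint16_t type = 0;
    return copy_record_body(rec, len, out, cap > sizeof out ? sizeof out : cap, &type);
}

int main(void)
{
    return (demo(GOOD_REC, sizeof GOOD_REC, 16) == 4 &&
            demo(BAD_REC, sizeof BAD_REC, 16) == -1) ? 0 : 1;
}
```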


No POC will be supplied


Microsoft has released an update for Microsoft Office which is
set to address this issue. This can be downloaded from:


Vendor Response:

2006.07.14 Vendor notified via secure (at) microsoft (dot) com
2006.07.15 Vendor responded
2006.08.08 Vendor released MS06-048 patch
2006.08.08 Advisory released

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


Greetings to Becky PhD. ;)


1. http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
2. http://secway.org/vuln.htm

"Life is like a bug, Do you know how to exploit it ?"
