[NT] Buffer Overrun in WordPerfect Converter Could Allow Code Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 09/04/03

    To: list@securiteam.com
    Date: 4 Sep 2003 10:13:51 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Buffer Overrun in WordPerfect Converter Could Allow Code Execution
    ------------------------------------------------------------------------

    SUMMARY

    Microsoft Office provides a number of converters that allow users to
    import and edit files that use formats that are not native to Office.
    These converters are available as part of the default installation of
    Office and are available separately in the Microsoft Office Converter
    Pack. These converters can be useful to organizations that use Office in a
    mixed environment with earlier versions of Office and other applications,
    including Office for the Macintosh and third party productivity
    applications.

    There is a flaw in the way that the Microsoft WordPerfect converter
    handles Corel® WordPerfect documents. A security vulnerability results
    because the converter does not correctly validate certain parameters when
    it opens a WordPerfect document, which results in an unchecked buffer. As
    a result, an attacker could construct a malicious WordPerfect document
    that could allow code of their choice to be executed if an application
    that used the WordPerfect converter opened the document. Microsoft Word
    and Microsoft PowerPoint (which are part of the Office suite), FrontPage
    (which is available as part of the Office suite or separately), Publisher,
    and Microsoft Works Suite can all use the Microsoft Office WordPerfect
    converter.

    The vulnerability could only be exploited by an attacker who persuaded a
    user to open a malicious WordPerfect document - there is no way for an
    attacker to force a malicious document to be opened or to trigger an
    attack automatically by sending an e-mail message.

    DETAILS

    Affected Software:
     * Microsoft Office 97
     * Microsoft Office 2000
     * Microsoft Office XP
     * Microsoft Word 98 (J)
     * Microsoft FrontPage 2000
     * Microsoft FrontPage 2002
     * Microsoft Publisher 2000
     * Microsoft Publisher 2002
     * Microsoft Works Suite 2001
     * Microsoft Works Suite 2002
     * Microsoft Works Suite 2003

    Mitigating factors:
     * The user must open the malicious document for an attacker to be
    successful. An attacker cannot force the document to be opened
    automatically.

     * The vulnerability cannot be exploited automatically through e-mail. A
    user must open an attachment that is sent in an e-mail message for an
    e-mail-borne attack to be successful.

    Patch availability:
    Download locations for this patch
    Office XP, FrontPage 2002, Publisher 2002, Works 2002, and Works 2003:
     
    http://microsoft.com/downloads/details.aspx?FamilyId=EC563DEE-6BFB-431D-B39E-2D672C0C223F&displaylang=en

    Office 2000, FrontPage 2000, Publisher 2000, and Works 2001:
     
    http://microsoft.com/downloads/details.aspx?FamilyId=D3ED4189-315A-411A-A739-F7181310FBA7&displaylang=en

    Office 97 and Word 98(J): For information about how to receive support for
    Word 97 and for Word 98(J) see the following Microsoft Knowledge Base
    article:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;827656

    Microsoft recommends users visit Office Update at
    http://www.office.microsoft.com/ProductUpdates/default.aspx to detect and
    install this security patch and all other public updates to Office family
    products (note: Office Update does not support Office 97 or Visio 2000).

    What's the scope of the vulnerability?
    This is a buffer-overrun vulnerability. An attacker who successfully
    exploited this vulnerability could run the code of their choice on a
    user's system in the same security context as the user. An attacker's code
    could take any action that the system's owner could take, such as adding,
    changing, or deleting any data or configuration information. For example,
    the code could lower the security settings in the browser or write a file
    to the hard disk. Because the code would run as the user and not as the
    operating system, any security limitations on the user's account would
    also apply to any code that the attacker could run by successfully
    exploiting this vulnerability. In environments where user accounts are
    restricted, such as in enterprise environments, the actions that an
    attacker's code could take would be limited by these restrictions.

    What is the Microsoft Office WordPerfect converter?
    The Microsoft Office WordPerfect converter helps users convert documents
    from Corel WordPerfect file formats to Microsoft Word file formats. The
    WordPerfect converter is included in all versions of Office and is also
    available separately in the Microsoft Office Converter Pack.

    What is the Microsoft Office Converter Pack?
    The Microsoft Office Converter Pack combines file converters and filters
    that were not included in earlier versions of Office. The converters and
    filters allow Office to work with additional document formats that are not
    natively supported. The Converter Pack is available as a Web download.

    What causes the vulnerability?
    The vulnerability results because the Microsoft Office WordPerfect
    converter does not correctly validate parameters that are passed to it
    when a WordPerfect document is opened, which results in an unchecked
    buffer.

    What could this vulnerability enable an attacker to do?
    This vulnerability could enable an attacker to run code of their choice on
    a user's system. This could allow an attacker to take any action on a
    user's system that the user had permissions to carry out.

    How could an attacker exploit this vulnerability?
    An attacker could seek to exploit this vulnerability by sending a
    malicious file to the user and by persuading the user to open the file. If
    the user opened the file, the application that used the WordPerfect
    converter could fail and could allow the attacker to execute code of their
    choice in the security context of the user.

    Can the vulnerability be exploited automatically through an e-mail
    message?
    No - a user must open a malicious document that an attacker sent to them
    for the vulnerability to be exploited. Simply viewing an e-mail message
    - even if Microsoft Word has been selected as the default e-mail editor
    for Microsoft Outlook - would not expose the vulnerability.

    Is the Microsoft Office WordPerfect converter installed by default in all
    the products that are listed in the "Affected Software" section of this
    bulletin?
    Yes - by default, the WordPerfect converter is installed in all supported
    versions of the products that are listed in the "Affected Software"
    section of this bulletin. However, the user can choose not to install the
    converter during the setup process.

    What does the patch do?
    The patch corrects the vulnerability by making sure that the WordPerfect
    converter correctly validates parameters when it opens a document.
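
    The kind of parameter validation described under "What causes the
    vulnerability?" and "What does the patch do?", as an added example that is
    not Microsoft's code and not part of the original advisory. The record
    layout, FIELD_MAX and parse_field are hypothetical and do not describe the
    WordPerfect file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, NOT the WordPerfect format:
 *   [2-byte little-endian length][length bytes of text]
 * It models a size parameter that is read from an untrusted document. */
#define FIELD_MAX 32 /* capacity of the fixed destination buffer */

typedef enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 } parse_status;

/* The unchecked pattern copies however many bytes the file claims:
 *     memcpy(out, rec + 2, declared);
 * The function below performs both checks before copying. */
parse_status parse_field(const uint8_t *rec, size_t rec_len,
                         char out[FIELD_MAX + 1], size_t *consumed)
{
    if (rec == NULL || out == NULL || rec_len < 2)
        return PARSE_TRUNCATED;               /* no room for the length prefix */

    size_t declared = (size_t)rec[0] | ((size_t)rec[1] << 8);

    if (declared > FIELD_MAX)
        return PARSE_TOO_LONG;                /* would overrun the destination */
    if (declared > rec_len - 2)
        return PARSE_TRUNCATED;               /* would read past the input */

    memcpy(out, rec + 2, declared);
    out[declared] = '\0';
    if (consumed != NULL)
        *consumed = 2 + declared;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample records. */
    const uint8_t good[]      = { 3, 0, 'a', 'b', 'c' };
    const uint8_t oversized[] = { 0xFF, 0xFF, 'x' };   /* claims 65535 bytes */
    const uint8_t truncated[] = { 10, 0, 'a' };        /* claims 10, has 1 */
    char out[FIELD_MAX + 1];
    size_t used = 0;

    printf("good: %d\n", parse_field(good, sizeof good, out, &used));
    printf("oversized: %d\n", parse_field(oversized, sizeof oversized, out, &used));
    printf("truncated: %d\n", parse_field(truncated, sizeof truncated, out, &used));
    return 0;
}
```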

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Product Security.
