Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Microsoft Word 6.0/95 Document Converter Buffer Overflow (MS04-041)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Microsoft Word 6.0/95 Document Converter Buffer Overflow (MS04-041)
Date: 15 Dec 2004 19:26:31 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft Word 6.0/95 Document Converter Buffer Overflow (MS04-041)
------------------------------------------------------------------------


SUMMARY

WordPad is "a word processing application that uses the MFC rich edit 
control classes. It is installed by default on most Windows platforms, and 
contains filters for converting from other filetypes into RTF (Rich Text 
Format)".

Remote exploitation of a buffer overflow vulnerability in Microsoft 
Corp.'s Word 6.0/95 Document Converter could allow attackers to exploit 
arbitrary code under the privileges of the target user.

DETAILS

The Microsoft Word 6.0/95 Document Converter (MSWRD632.WPC) is a module 
that is utilized by WordPad and potentially other applications to convert 
Microsoft Word format files into the Rich Text Format natively handled by 
WordPad. The module is installed by default in:

C:\Program Files\Common Files\Microsoft Shared\TextConv

The problem specifically exists when a specially crafted file is opened by 
WordPad or another application that utilizes the vulnerable library and 
results in a buffer overflow. The overflow is caused by copying a length 
tagged segment of a file into a fixed length stack buffer of smaller size. 
The following instruction sequence is found within ConvertForeignToRtf():

0150eba6   8bd1      mov edx, ecx
0150eba8   83e203    and edx, 0x3
0150ebab   c1e902    shr ecx, 0x2
0150ebae   f3a5      rep movsd edi, esi

This instruction sequence will copy bytes from the memory region pointed 
to by ESI into the memory region pointed to by EDI. Due to a lack of 
bounds checking, an overflow occurs directly overwriting the stored return 
address and frame pointer on the stack and allowing for the eventual 
execution of arbitrary code.

Analysis:
Successful exploitation allows remote attackers to execute arbitrary code 
under the privileges of the target user that opened the malicious 
document. WordPad, a vulnerable application, is installed by default and 
will open WRI and large TXT files. If Microsoft Word is not installed, 
WordPad will also be the default application for opening DOC and RTF 
files.

In order for this vulnerability to be exploited, a user would need to open 
an attacker-supplied file with a vulnerable application.

Detection:
The following operating systems appear to be impacted by this 
vulnerability in their default configuration:

  Windows XP
  Windows 2000
  Windows 2003
  Windows NT 4.0
  Windows ME
  Windows 98

iDEFENSE Labs has confirmed that MSWRD632.WPC, file version 1999.8.7.0 is 
vulnerable. Any application that utilizes this module to convert Word 
documents may be considered vulnerable. This includes wordpad.exe, which 
is the default application for opening files with the .wri extension, and 
doc and .rtf files if Microsoft Word is not installed.

It does not seem to be possible to exploit Microsoft Word itself with this 
vulnerability, as it does not appear to use this library.

As this module comes with Windows by default, even if you have Word 
installed, WordPad is still vulnerable to exploitation from files with the 
 .wri extension, or by opening an affected file from within WordPad.

Workaround:
User awareness is the best defense against this class of attack. Users 
should be aware of the existence of such attacks and proceed with caution 
when following links or opening attachments from suspicious and/or 
unsolicited e-mail.

Alternatively, concerned users can remove the affected converter module, 
MSWRD632.WPC. This will prevent the user from opening Word for Windows 
files, but will still allow other supported file types to be opened such 
as .txt or .rtf. However, the error will be handled gracefully and the 
described vulnerability will no longer be exploitable.

Vendor Response:
This vulnerability is addressed in Microsoft Security Bulletin MS04-041 
available at: 
http://www.microsoft.com/technet/security/Bulletin/MS04-041.mspx

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0901> 
CAN-2004-0901

Disclosure Timeline:
09/22/2004 - Initial vendor notification
09/23/2004 - Initial vendor response
12/14/2004 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@idefense.com> iDEFENSE.
The original article can be found at:  
<http://www.idefense.com/application/poi/display?id=162&type=vulnerabilities> 
http://www.idefense.com/application/poi/display?id=162&type=vulnerabilities



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Microsoft Word 6.0/95 Document Converter Buffer Overflow (MS04-041), SecuriTeam <=
Previous by Date:  [UNIX] Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability, SecuriTeam
Next by Date:  [NT] Buffer Overflow in HyperTerminal's .ht Files (MS04-043), SecuriTeam
Previous by Thread:  [UNIX] Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability, SecuriTeam
Next by Thread:  [NT] Buffer Overflow in HyperTerminal's .ht Files (MS04-043), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]