Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Microsoft Office Buffer Overflow in Routing Slip Metadata (MS06-012

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Microsoft Office Buffer Overflow in Routing Slip Metadata (MS06-012)
Date: 23 Mar 2006 14:28:21 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft Office Buffer Overflow in Routing Slip Metadata (MS06-012)
------------------------------------------------------------------------


SUMMARY

There exists a buffer overflow in Microsoft Word, Excel, PowerPoint, and 
Outlook in the parsing of the routing slip metadata.

The result is that when a user closes a malicious document, arbitrary code 
can be executed on the host in question.

DETAILS

Microsoft Office supports the concept of routing slips. These can be 
embedded within documents to ease the process of collaborative working. It 
was discovered that within the metadata of Microsoft's document format 
that there is both a length value and a null terminated string for the 
different sections of a routing slip. Upon further investigation it was 
discovered that the affected applications allocate memory based on the 
size contained within the length field, but then proceeds to copy the 
entire string up until the null termination.

The result in the case of Microsoft Word 2002 SP3 (fully patched), is that 
we overwrite the saved return address on the stack with a Unicode value. 
This can be used to obtain control of the execution within the program.

Microsoft Word, Excel, PowerPoint and Outlook all behave slightly 
differently and in the case of Office 2003, it appears that the values 
move from the stack to the heap which makes exploitation more complicated, 
yet not impossible.

Vendor Response:
The above vulnerability was addressed by  
<http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx> 
Microsoft Security Bulletin MS06-012.

Fix:
Apply the patch supplied by Microsoft.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0009> 
CVE-2006-0009


ADDITIONAL INFORMATION

The information has been provided by Symantec Security Advisory.
The original article can be found at:
 <http://www.securityfocus.com/bid/17000> 
http://www.securityfocus.com/bid/17000

References:
 <http://www.securiteam.com/windowsntfocus/5TP0B1FI0C.html> 
http://www.securiteam.com/windowsntfocus/5TP0B1FI0C.html
 <http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx> 
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Microsoft Office Buffer Overflow in Routing Slip Metadata (MS06-012), SecuriTeam <=
Previous by Date:  [NT] Microsoft Internet Explorer DoS, SecuriTeam
Next by Date:  [UNIX] cURL Buffer Overflow (tftp URL), SecuriTeam
Previous by Thread:  [NT] Microsoft Internet Explorer DoS, SecuriTeam
Next by Thread:  [UNIX] cURL Buffer Overflow (tftp URL), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]