Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: MS Word Unchecked Boundary Condition Vulnerability



> -----Original Message-----
> From: naveed [mailto:naveedafzal@xxxxxxxxx] 
> Sent: Monday, July 10, 2006 7:47 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: MS Word Unchecked Boundary Condition Vulnerability
> 
> /*------------------------------------------------------------
>  *    Microsoft Word unchecked boundary condition vulnerability.
>  *  ---------------------------------------------------------
>  *    One of the functions in mso.dll (older versions mso9.dll)
>  *    cannot properly handle the specially crafted files causing
>  *    invalid memory access and in some cases arbitrary overwrites.
>  *    The exported function LsCreateLine (entry : mso_203) contains a boundary
>  *    error while parsing certain specially crafted .DOC files, resulting in
>  *    an invalid memory access.
>  *
>  *    Following proof of concept code generates a .doc file, opening
>  *    the file will cause an access violation, in mso.dll.
>  *    Code execution is possible if 4-bytes of arbitrary memory
>  *    is overwritten. Apparently this is not specific to MS Word
>  *    only but other Office products are also vulnerable which use these
>  *    functions. No other user interaction required in order to
>  *    trigger the vulnerability.
>  *
>  *    Affected Products: Microsoft Office
>  *    Tested against : Microsoft Word 2003,2002,2000
>  *
>  *    // naveed afzal
>  *------------------------------------------------------------*/
> 
> A proof of concept code is available here
> 
> http://www.bsdpakistan.org/downloads/wordPOC.c
> 




 



