TUCoPS :: Windows Apps :: b06-4112.htm

Microsoft PowerPoint Malformed Record Memory Corruption
Microsoft PowerPoint Malformed Record Memory Corruption
Microsoft PowerPoint Malformed Record Memory Corruption


Microsoft PowerPoint Malformed Record Memory Corruption Vulnerability


By Sowhat of Nevis Labs
2006.08.08

http://www.nevisnetworks.com 
http://secway.org/advisory/AD20060808.txt 



Vendor
Microsoft Inc.

Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Office PowerPoint 2003
PowerPoint 2004 for Mac
PowerPoint 2004 v. X for Mac


Remote: YES
Exploitable: maybe ;)

CVE: CVE-2006-3449



Overview:

This vulnerability allows remote attackers to execute arbitrary code in
the context of the logged in user. An array boundary condition may be
violated by a malicious .PPT file in order to redirect execution into
attacker-supplied data. Exploitation requires that the attacker coerce or
persuade the victim to open a malicious .PPT file.


Details:

The specific flaw exists within the parsing of the BIFF(?) file format used
by Microsoft PowerPoint.


There will be a memory corruption during the analysis of a malformed PPT Record.


The disassembly code:


3009a818 3945fc           cmp     [ebp-0x4],eax
3009a81b 7703             ja      POWERPNT+0x9a820 (3009a820)
3009a81d 8b45fc           mov     eax,[ebp-0x4]
3009a820 8b7308           mov     esi,[ebx+0x8]
3009a823 8b7d08           mov     edi,[ebp+0x8]
3009a826 2945fc           sub     [ebp-0x4],eax
3009a829 014508           add     [ebp+0x8],eax
3009a82c 8bc8             mov     ecx,eax
3009a82e 8bd1             mov     edx,ecx
3009a830 c1e902           shr     ecx,0x2
3009a833 f3a5             rep     movsd						----> Access violation here. :)
3009a835 8bca             mov     ecx,edx
3009a837 83e103           and     ecx,0x3
3009a83a f3a4             rep     movsb
3009a83c 014308           add     [ebx+0x8],eax
3009a83f 014318           add     [ebx+0x18],eax
3009a842 837dfc00         cmp     dword ptr [ebp-0x4],0x0
3009a846 75b7             jnz     POWERPNT+0x9a7ff (3009a7ff)
3009a848 8b450c           mov     eax,[ebp+0xc]
3009a84b 5f               pop     edi
3009a84c 5e               pop     esi
3009a84d 5b               pop     ebx
3009a84e c9               leave
3009a84f c20800           ret     0x8


Code execution may possible.


POC:

No POC will be supplied


Fix:

Microsoft has released an update for Microsoft Office which is
set to address this issue. This can be downloaded from:

http://www.microsoft.com/technet/security/bulletin/MS06-048.mspx 


Vendor Response:

2006.07.14 Vendor notified via secure@microsoft.com 
2006.07.15 Vendor responded
2006.08.08 Vendor released MS06-048 patch
2006.08.08 Advisory released


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.


        CVE-2006-3449




Greetings to Becky PhD. ;)


Reference:

1. http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx 
2. http://secway.org/vuln.htm 



-- 
Sowhat
http://secway.org 
"Life is like a bug, Do you know how to exploit it ?"

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH