TUCoPS :: Windows Apps :: hack8022.htm

Microsoft Office XP Remote Buffer Overflow vuln
Finjan Security Advisory: Microsoft Office XP Remote Buffer Overflow Vulnerability

Finjan Security Advisory
Microsoft Office XP Remote Buffer Overflow Vulnerability


Introduction

Finjan has discovered a new vulnerability in Microsoft Word
XP that would allow a hacker to launch a buffer overflow attack.
This attack could occur when a user opened a Word document using
Internet Explorer.


Technical Description

When a ".doc" file is opened inside Internet Explorer, Microsoft
Word XP "takes over" and opens that doc file. The problem appears
when sending a doc file request that contains a null byte (parser)
at the end of the doc filename (the rtf extension is also vulnerable).

For example:
http://www.myhost.com/myfile.doc is a valid request. 

However This:
http://www.myhost.com/myfile.doc%00aaaaaaaaaaaaaaaaaaaaaaa... aa.doc
is an invalid request. Such a request will be sent to the server
hosting the doc file.

Most servers like IIS and Apache will truncate the characters before
the %00 while sending the filename to Internet Explorer. 
At this stage, Internet Explorer will hand over the string to Microsoft
Word XP, which will now receive a long string. This string causes an
exploitable buffer overflow, allowing remote code execution.


The Code (Proof of Concept)




Vulnerability Status

Microsoft was notified on July 13, 2004.
The bug is now fixed. For further details please refer to Microsoft
security bulletin MS05-004.


Credit 

Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd.


-----------------------------------------------
This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH