Thread-topic: MS Word Unchecked Boundary Condition Vulnerability
> -----Original Message-----
> From: naveed [mailto:naveedafzal@xxxxxxxxx]
> Sent: Monday, July 10, 2006 7:47 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: MS Word Unchecked Boundary Condition Vulnerability
>
> /*------------------------------------------------------------
> * Microsoft Word unchecked boundary condition vulnerability.
> * ---------------------------------------------------------
> * One of the functions in mso.dll (older versions mso9.dll)
> * cannot properly handle the specially crafted files causing
> * invalid memory access and in some cases arbitrary overwrites.
> * The exported function LsCreateLine (entry : mso_203) contains a boundary
> * error while parsing certain specially crafted .DOC files, resulting in
> * an invalid memory access.
> *
> * Following proof of concept code generates a .doc file, opening
> * the file will cause an access violation, in mso.dll.
> * Code execution is possible if 4-bytes of arbitrary memory
> * is overwritten. Apparently this is not specific to MS Word
> * only but other Office products are also vulnerable which use these
> * functions. No other user interaction required in order to
> * trigger the vulnerability.
> *
> * Affected Products: Microsoft Office
> * Tested against : Microsoft Word 2003, 2002, 2000
> *
> * // naveed afzal
> *------------------------------------------------------------*/
>
> A proof of concept code is available here
>
> http://www.bsdpakistan.org/downloads/wordPOC.c
>