[VulnWatch] Finjan Security Advisory: Microsoft Office XP Remote Buffer Overflow Vulnerability

From: Rafel Ivgi (rivgi@private)
Date: Tue Feb 08 2005 - 16:18:45 PST

Finjan Security Advisory
Microsoft Office XP Remote Buffer Overflow Vulnerability


Finjan has discovered a new vulnerability in Microsoft Word
XP that would allow a hacker to launch a buffer overflow attack.
This attack could occur when a user opened a Word document using
Internet Explorer.

Technical Description

When a ".doc" file is opened inside Internet Explorer, Microsoft
Word XP "takes over" and opens that doc file. The problem appears
when sending a doc file request that contains a null byte (parser)
at the end of the doc filename (the rtf extension is also vulnerable).

For example:
http://www.myhost.com/myfile.doc is a valid request.

However This:
is an invalid request. Such a request will be sent to the server
hosting the doc file.

Most servers like IIS and Apache will truncate the characters before
the %00 while sending the filename to Internet Explorer. 
At this stage, Internet Explorer will hand over the string to Microsoft
Word XP, which will now receive a long string. This string causes an
exploitable buffer overflow, allowing remote code execution.

The Code (Proof of Concept)

var mylongstring,myjunk;
mylongstring ="";
  mylongstring = mylongstring + myjunk;

Vulnerability Status

Microsoft was notified on July 13, 2004.
The bug is now fixed. For further details please refer to Microsoft
security bulletin MS05-004.


Rafel Ivgi, Malicious Code Research Center (MCRC), Finjan Software Ltd.

This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)

This archive was generated by hypermail 2.1.3 : Tue Feb 08 2005 - 17:56:57 PST