From customerservice@idefense.com Tue Dec 14 18:18:57 2004
From: customer service mailbox
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Tue, 14 Dec 2004 14:10:37 -0500
Subject: iDEFENSE Security Advisory 12.14.04 - Microsoft Word 6.0/95 Document Converter Buffer Overflow Vulnerability

Microsoft Word 6.0/95 Document Converter Buffer Overflow Vulnerability

iDEFENSE Security Advisory 12.14.04
www.idefense.com/application/poi/display?id=162&type=vulnerabilities
December 14, 2004

I. BACKGROUND

WordPad is a word processing application that uses the MFC rich edit
control classes. It is installed by default on most Windows platforms,
and contains filters for converting from other file types into RTF
(Rich Text Format).

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Microsoft
Corp.'s Word 6.0/95 Document Converter could allow attackers to execute
arbitrary code under the privileges of the target user.

The Microsoft Word 6.0/95 Document Converter (MSWRD632.WPC) is a module
that is utilized by WordPad and potentially other applications to
convert Microsoft Word format files into the Rich Text Format natively
handled by WordPad. The module is installed by default in:

    C:\Program Files\Common Files\Microsoft Shared\TextConv

The problem specifically exists when a specially crafted file is opened
by WordPad or another application that utilizes the vulnerable library,
which results in a buffer overflow. The overflow is caused by copying a
length-tagged segment of a file into a fixed-length stack buffer of
smaller size. The following instruction sequence is found within
ConvertForeignToRtf():

    0150eba6 8bd1    mov edx, ecx
    0150eba8 83e203  and edx, 0x3
    0150ebab c1e902  shr ecx, 0x2
    0150ebae f3a5    rep movsd edi, esi

This instruction sequence will copy bytes from the memory region pointed
to by ESI into the memory region pointed to by EDI. Due to a lack of
bounds checking, an overflow occurs, directly overwriting the stored
return address and frame pointer on the stack and allowing for the
eventual execution of arbitrary code.

III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary
code under the privileges of the target user that opened the malicious
document. WordPad, a vulnerable application, is installed by default and
will open WRI and large TXT files. If Microsoft Word is not installed,
WordPad will also be the default application for opening DOC and RTF
files. In order for this vulnerability to be exploited, a user would
need to open an attacker-supplied file with a vulnerable application.

IV. DETECTION

The following operating systems appear to be impacted by this
vulnerability in their default configuration:

    Windows XP
    Windows 2000
    Windows 2003
    Windows NT 4.0
    Windows ME
    Windows 98

iDEFENSE Labs has confirmed that MSWRD632.WPC, file version 1999.8.7.0,
is vulnerable. Any application that utilizes this module to convert Word
documents may be considered vulnerable. This includes wordpad.exe, which
is the default application for opening files with the .wri extension,
and .doc and .rtf files if Microsoft Word is not installed.

It does not seem to be possible to exploit Microsoft Word itself with
this vulnerability, as it does not appear to use this library. As this
module comes with Windows by default, even if you have Word installed,
WordPad is still vulnerable to exploitation from files with the .wri
extension, or by opening an affected file from within WordPad.

V. WORKAROUND

User awareness is the best defense against this class of attack. Users
should be aware of the existence of such attacks and proceed with
caution when following links or opening attachments from suspicious
and/or unsolicited e-mail.

Alternatively, concerned users can remove the affected converter module,
MSWRD632.WPC. This will prevent the user from opening Word for Windows
files, but will still allow other supported file types, such as .txt or
.rtf, to be opened. However, the error will be handled gracefully and
the described vulnerability will no longer be exploitable.

VI. VENDOR RESPONSE

This vulnerability is addressed in Microsoft Security Bulletin MS04-041,
available at:

    http://www.microsoft.com/technet/security/Bulletin/MS04-041.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0901 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/22/2004   Initial vendor notification
09/23/2004   Initial vendor response
12/14/2004   Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Lord Yup.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
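
Added example, not part of the iDEFENSE advisory and not the converter's code: a C model of the copy described in section II, showing the unchecked shape beside a bounds-checked one. The 2-byte little-endian length tag, the 64-byte buffer, the function names and the trailing byte copy after rep movsd are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_BUF 64 /* assumed size of the fixed-length stack buffer */
/* Constructed samples: assumed 2-byte little-endian length tag, then data. */
const uint8_t SAMPLE_OK[2 + 10] = {10, 0, 'w','o','r','d','p','a','d','d','o','c'};
const uint8_t SAMPLE_BAD[2 + 200] = {200, 0};   /* tag larger than SEG_BUF */
uint8_t OUT[SEG_BUF];

/* The listed idiom: ECX is a byte count; "shr ecx, 2" yields the dword count
 * for "rep movsd" and "and edx, 3" keeps the 0-3 leftover bytes (assumed to
 * be moved by a trailing "rep movsb"). No destination size is consulted. */
size_t movs_copy(uint8_t *edi, const uint8_t *esi, uint32_t ecx)
{
    size_t total = ecx;
    uint32_t edx = ecx & 0x3;               /* and edx, 0x3 */
    ecx >>= 2;                              /* shr ecx, 0x2 */
    for (; ecx; ecx--, edi += 4, esi += 4)  /* rep movsd */
        memcpy(edi, esi, 4);
    for (; edx; edx--)                      /* assumed rep movsb */
        *edi++ = *esi++;
    return total;
}

/* Unchecked shape: the length tag read from the file alone drives the copy. */
size_t convert_unchecked(const uint8_t *seg, uint8_t *out)
{
    uint32_t tag = seg[0] | ((uint32_t)seg[1] << 8);
    return movs_copy(out, seg + 2, tag);
}

/* Checked shape: the tag must fit the bytes present in the file and the
 * destination capacity. Returns bytes copied, or -1 when rejected. */
long convert_checked(const uint8_t *seg, size_t seg_len, uint8_t *out, size_t cap)
{
    if (seg_len < 2) return -1;
    uint32_t tag = seg[0] | ((uint32_t)seg[1] << 8);
    if (tag > seg_len - 2 || tag > cap) return -1;
    return (long)movs_copy(out, seg + 2, tag);
}

int main(void)
{
    printf("benign, unchecked: %zu\n", convert_unchecked(SAMPLE_OK, OUT));
    printf("benign, checked: %ld\n", convert_checked(SAMPLE_OK, sizeof SAMPLE_OK, OUT, SEG_BUF));
    printf("oversized, checked: %ld\n", convert_checked(SAMPLE_BAD, sizeof SAMPLE_BAD, OUT, SEG_BUF));
    return 0;
}
```

The checked variant rejects a tag that exceeds either the data actually present or the destination, which is the bounds check the advisory reports as missing.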