Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability

2010.09.22
Risk: Low
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Advisory: Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability

CVE: 2010-3200

Version: Word 2003 (SP3) 11.8326.11.8324, tested on Windows XP SP2/SP3

Details:

A null pointer dereference vulnerability has been noticed in MS Word. The exception occurs in the MSO.dll library, which fails to handle a specially crafted buffer in a file. The issue can potentially be triggered by opening a malicious Word file, which results in a null pointer exception due to an invalid memory read.

Note: It has intermediate impact because if the system is running (n) instances of MS Word, opening this malicious doc file crashes all of the instances, thereby completely subverting the functionality of Word.

The following state of registers and frames was noticed:

eax=00000000 ebx=00000000 ecx=02711d68 edx=00000000 esi=00000000 edi=008c1b1c
eip=30f91fd7 esp=0013cca0 ebp=0013ccb4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210282
mso!Ordinal1033+0x3f4:
30f91fd7 8b481c mov ecx,dword ptr [eax+1Ch] ds:0023:0000001c=????????

0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0013ccb4 30f16d61 mso!Ordinal1033+0x3f4
0013ccdc 30ef266f mso!Ordinal2272+0xad
0013cdc8 30f16951 mso!Ordinal233+0x596
00000000 00000000 mso!Ordinal1307+0xc0e

0:000> u
mso!Ordinal1033+0x3f4:
30f91fd7 8b481c mov ecx,dword ptr [eax+1Ch]
30f91fda f6c101 test cl,1
30f91fdd 0f85f3b20900 jne mso!Ordinal2868+0x2eb87 (3102d2d6)
30f91fe3 8b701c mov esi,dword ptr [eax+1Ch]
30f91fe6 83e601 and esi,1
30f91fe9 753a jne mso!Ordinal1033+0x442 (30f92025)
30f91feb 8b4848 mov ecx,dword ptr [eax+48h]
30f91fee 2bd1 sub edx,ecx

Basic Block:
30f91fd7 mov ecx,dword ptr [eax+1ch]
Tainted Input Operands: eax
30f91fda test cl,1
Tainted Input Operands: cl
30f91fdd jne mso!ordinal2868+0x2eb87 (3102d2d6)
Tainted Input Operands: ZeroFlag

Proof of Concept:

The required proof of concept is available at the link below:
http://www.secniche.org/word_crash_11.8326.8324_poc.zip

Vendor Response:

The vulnerability was reported to Microsoft. Due to the nature of the inherent crash, no separate bulletin will be released. The issue will be patched or corrected in the next development release.

Regards
Aditya K Sood
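A crash-triage sketch for the register state above, added here as an example and not part of the original advisory: it recomputes the effective address of the faulting instruction from the register dump and checks it against WinDbg's own annotation. The function name `triage`, the result keys and the 64 KB null-region threshold are assumptions made for this example.

```python
import re

# Crash state copied from the advisory's WinDbg output.
CRASH = """\
eax=00000000 ebx=00000000 ecx=02711d68 edx=00000000 esi=00000000 edi=008c1b1c
eip=30f91fd7 esp=0013cca0 ebp=0013ccb4 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210282
mso!Ordinal1033+0x3f4:
30f91fd7 8b481c mov ecx,dword ptr [eax+1Ch] ds:0023:0000001c=????????
"""

NULL_REGION = 0x10000  # assumed triage threshold: addresses below 64 KB

REG_RE = re.compile(r"\b(e(?:ax|bx|cx|dx|si|di|ip|sp|bp))=([0-9a-f]{8})\b")
# address, opcode bytes, mnemonic, operands, optional "seg:sel:addr=value" note
INSN_RE = re.compile(
    r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.*?)"
    r"(?:\s+\w\w:[0-9a-f]{4}:([0-9a-f]{8})=(\S+))?$", re.M)
MEM_RE = re.compile(r"\[(e[a-z]{2})(?:([+-])([0-9a-fA-F]+)h)?\]")


def triage(dump):
    """Classify the faulting memory access in a 32-bit WinDbg crash dump."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    insn = INSN_RE.search(dump)
    if insn is None or int(insn[1], 16) != regs.get("eip"):
        raise ValueError("no faulting instruction found at eip")
    operands = insn[3]
    mem = MEM_RE.search(operands)
    if mem is None:
        raise ValueError("faulting instruction has no [base+disp] operand")
    base, sign, disp = mem[1], mem[2], int(mem[3] or "0", 16)
    ea = (regs[base] + (-disp if sign == "-" else disp)) & 0xFFFFFFFF
    # Heuristic for two-operand instructions in Intel syntax: the destination
    # comes first, so a memory operand after the comma is being read.
    access = "read" if operands.find(",") < mem.start() else "write"
    return {
        "eip": regs["eip"], "base": base, "effective_address": ea,
        "access": access,
        "null_deref": regs[base] == 0 and ea < NULL_REGION,
        # Cross-check against WinDbg's own annotation, when present.
        "matches_debugger": insn[4] is not None and int(insn[4], 16) == ea,
        "unreadable": insn[5] is not None and set(insn[5]) == {"?"},
    }


if __name__ == "__main__":
    print(triage(CRASH))
```

For this dump the result is a read from address 0x1c through a zero eax, which matches the advisory's description of an invalid memory read.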

References:

http://www.securityfocus.com/archive/1/archive/1/513679/100/0/threaded

