Credit:
The information has been provided by Jun Mao and Sean Larsson.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=783
Vulnerable Systems:
* Microsoft Wordpad on Windows 2000 SP4
Immune Systems:
* Windows XP SP3
* Windows Vista
* Windows Server 2008
The vulnerability occurs when parsing the content of a Word97 format file. When reading in the data, the code uses a 32-bit integer from the file to check a buffer length while using the lower 16-bit value to do the actual copy. This results in a stack buffer overflow. This stack buffer is overwritten with data from the file.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user opening the file. To exploit this vulnerability, an attacker needs to convince a user to open a malicious file. Usually, WordPad is associated with the .DOC file extension unless Microsoft Word is installed. However, by renaming the .doc file to a .wri extension, it is possible to make WordPad open the file simply by double clicking it regardless of Microsoft Word being installed or not.
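The width mismatch described above (a 32-bit length validated, but only its lower 16 bits used for the copy) is illustrated by the following added C example. It is not code from the advisory, from iDefense, or from WordPad: the buffer size, the signed form of the 32-bit comparison and the sample lengths are all assumptions chosen to show how a check on one integer width can pass while the narrowed value still exceeds the buffer. The vulnerable path is modelled as a decision function that reports what the copy would do rather than performing an unsafe write; the hardened form narrows the value first, bounds-checks the same variable it copies with, and rejects anything that does not fit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed stack buffer size; the advisory does not state WordPad's. */
#define DOC_BUF_SIZE 512u

/* Vulnerable decision, modelled without performing the unsafe copy.
 * The 32-bit value is checked (a signed compare is ASSUMED here; the
 * advisory does not give the exact comparison), but the copy length is
 * taken from the lower 16 bits.  Returns the number of bytes the copy
 * would write, or 0 if the check rejects the length. */
uint32_t vulnerable_copy_length(uint32_t len_from_file, size_t buf_size) {
    if ((int32_t)len_from_file > (int32_t)buf_size)   /* 32-bit check on the raw value */
        return 0;                                      /* rejected */
    uint16_t copy_len = (uint16_t)len_from_file;       /* lower 16 bits drive the copy */
    return copy_len;
}

/* Would the vulnerable path write past the end of the buffer? */
int vulnerable_would_overflow(uint32_t len_from_file, size_t buf_size) {
    return vulnerable_copy_length(len_from_file, buf_size) > buf_size;
}

/* Hardened form: narrow once, check the narrowed value with an unsigned
 * compare against both the destination and the available source bytes,
 * and copy using that same variable.  Returns bytes copied or -1. */
int hardened_copy(uint8_t *dst, size_t dst_size,
                  const uint8_t *src, size_t src_size, uint32_t len_from_file) {
    if (len_from_file > 0xFFFFu)      /* does not fit the 16-bit width the copy uses */
        return -1;
    uint16_t copy_len = (uint16_t)len_from_file;
    if (copy_len > dst_size || copy_len > src_size)   /* check the value actually used */
        return -1;
    memcpy(dst, src, copy_len);
    return (int)copy_len;
}

/* Convenience wrapper with its own (constructed) buffers so the hardened
 * path can be exercised with just a length value. */
int hardened_copy_sample(uint32_t len_from_file) {
    uint8_t dst[DOC_BUF_SIZE];
    static uint8_t src[8192];          /* constructed stand-in for file bytes */
    return hardened_copy(dst, sizeof dst, src, sizeof src, len_from_file);
}

int main(void) {
    /* Constructed sample lengths: in range, too large, and a value whose
     * upper bits change the 32-bit check while its lower 16 bits exceed the buffer. */
    uint32_t samples[] = { 256u, 0x1000u, 0xFFFF1000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("len=0x%08x vulnerable: copies %u bytes, overflow=%d; hardened: %d\n",
               (unsigned)samples[i],
               (unsigned)vulnerable_copy_length(samples[i], DOC_BUF_SIZE),
               vulnerable_would_overflow(samples[i], DOC_BUF_SIZE),
               hardened_copy_sample(samples[i]));
    }
    return 0;
}
```

The rule the hardened version follows is the general one for this bug class: validate exactly the variable, at exactly the width, that the copy consumes. A check on a wider or differently signed value than the one passed to memcpy proves nothing about the copy.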
Patch Availability:
Microsoft has released a patch which addresses this issue. This patch removes the vulnerability by changing the way that the WordPad Text Converters handle opening specially crafted Word 97 files. For more information, consult their advisory at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx
Workaround:
It is possible to disable access to the converter by changing the ACLs on the converter files. This can be accomplished with the following commands; which ones apply depends on the version of Windows being used:
echo y| cacls "%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd832.cnv" /E /P everyone:N
echo y| cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd832.cnv" /E /P everyone:N
echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd8.wpc" /E /P everyone:N
echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd864.wpc" /E /P everyone:N
echo y| cacls "%ProgramFiles(x86)%\Windows NT\Accessories\mswrd8.wpc" /E /P everyone:N
CVE Information:
CVE-2009-0235
Disclosure Timeline:
12/19/2008 - Initial Contact
12/31/2008 - PoC Request
01/06/2009 - PoC Sent
01/07/2009 - PoC Rcpt. ACK
02/19/2009 - Vendor Status Update
03/31/2009 - CVE Assigned
04/14/2009 - Coordinated Public Disclosure