Microsoft PowerPoint Viewer 2003 Cstring Integer Overflow Vulnerability (MS08-051)
13 Aug. 2008
Summary:
Microsoft Corp.'s PowerPoint Viewer is "a viewer for full-featured presentations created in PowerPoint 97 and later versions". Remote exploitation of an integer overflow vulnerability in Microsoft Corp.'s PowerPoint Viewer 2003 could allow an attacker to execute arbitrary code in the context of the user running the application.
Vulnerable Systems:
* pptview.exe file version 11.0.5703.0 (as included in Microsoft Office 2003 SP2)
* pptview.exe file version 11.0.6566.0 (as included in Microsoft Office 2003 SP2)
Immune Systems:
* pptview.exe file version 11.0.8164.0 (as included in Microsoft Office 2003 SP3)
This vulnerability exists specifically in the handling of CString objects embedded in a PowerPoint presentation file. A defect in the processing of this object causes a very small buffer to be allocated while a very large amount of data is copied into it. This leads to an exploitable heap-based buffer overflow.
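The defect class described above, as an added illustration that is not the advisory's or Microsoft's code: a hypothetical length-prefixed string record whose byte size is computed from a 32-bit count. naive_alloc_size shows how the size wraps to a tiny value for a large count, and checked_alloc_size and read_cstring_safe show the validation that rejects such a record before any allocation or copy. The record layout, function names and the little-endian encoding are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout used for this illustration (not the real PowerPoint format):
 *   uint32_t count   - number of 16-bit code units (little-endian)
 *   uint16_t text[]  - the code units
 * The advisory describes the same defect class: a size derived from a file-controlled
 * count wraps, a tiny buffer is allocated, and the unwrapped count drives the copy. */

/* Naive size calculation: (count + 1) * 2 in 32-bit arithmetic wraps for large counts,
 * e.g. count = 0xFFFFFFFF yields 0 and count = 0x7FFFFFFF yields 0. */
uint32_t naive_alloc_size(uint32_t count) {
    return (count + 1u) * 2u;
}

/* Hardened: validate the count against what the arithmetic and the record can hold.
 * Returns 1 and writes the byte size on success, 0 if the record must be rejected. */
int checked_alloc_size(uint32_t count, size_t avail, size_t *out) {
    if (count > UINT32_MAX / 2 - 1) return 0;   /* (count + 1) * 2 would not fit in 32 bits */
    if ((size_t)count * 2 > avail) return 0;     /* header claims more data than is present */
    *out = ((size_t)count + 1) * 2;              /* room for the code units plus a terminator */
    return 1;
}

/* Safe reader: returns a NUL-terminated heap copy of the code units, or NULL if the
 * record is truncated or its count fails validation. Caller frees the result. */
uint16_t *read_cstring_safe(const uint8_t *rec, size_t rec_len, uint32_t *count_out) {
    if (rec_len < 4) return NULL;
    uint32_t count = (uint32_t)rec[0] | ((uint32_t)rec[1] << 8) |
                     ((uint32_t)rec[2] << 16) | ((uint32_t)rec[3] << 24);
    size_t bytes;
    if (!checked_alloc_size(count, rec_len - 4, &bytes)) return NULL;
    uint16_t *s = malloc(bytes);
    if (!s) return NULL;
    memcpy(s, rec + 4, (size_t)count * 2);       /* copy length is bounded by the check above */
    s[count] = 0;
    if (count_out) *count_out = count;
    return s;
}
```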
Analysis:
Exploitation allows an attacker to execute arbitrary code in the context of a user opening a malicious presentation using Microsoft PowerPoint Viewer 2003. In order to exploit this vulnerability, an attacker must persuade, or otherwise force, a targeted user to open such a document. This could be accomplished using a direct URL, an e-mail, an instant message, or even by hijacking a trusted site.