iDefense Security Advisory 04.14.09: Microsoft Word 2000 WordPerfect 6.x Converter Stack Corruption Vulnerability

2009-04-1400:00:00

vulners.com

JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 04.14.09
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 14, 2009

I. BACKGROUND

Word 2000 is a word processing application included with the Microsoft
Office 2000 software. The WordPerfect Converter is a tool used by Word
2000 to import documents from WordPerfect files and convert them for
editing in Word 2000 format.

II. DESCRIPTION

Exploitation of a stack corruption vulnerability in Microsoft Corp.'s
Word 2000 WordPerfect 6.x Converter could allow an attacker to execute
code in the context of the current user.

Microsoft Word is able to open documents created in other applications
by transparently applying a filter module which converts them to a
format Word can use. The WordPerfect 6.x converter from Office 2000
fails to perform sufficient sanity checking on input files. A
maliciously constructed WordPerfect document can cause potentially
exploitable stack corruption.

III. ANALYSIS

Successful remote exploitation of this vulnerability would allow an
attacker to execute arbitrary code in the context of the currently
logged in user. One possible attack vector is to put a maliciously
constructed document on a website and attempt to convince a user to
download it. By default, Word 2000 will open Word Documents in the
browser without prompting.

The vulnerability is triggered by conversion code not properly
validating a counter against the allocated length of a structure before
processing it. Depending on the contents of the data file, control
structures on the stack may be modified as a result, potentially
allowing the execution of arbitrary code.

One mitigating factor in the severity of this vulnerability is that, by
default, the converter is not installed until the first time you go to
use it. Often though, a complete install is done or the converter is
explicitly requested in a custom install.

WordPerfect 6.x documents will be opened using the affected WordPerfect
6.x Converter if they have an extension which is handled by Word. For
example, if a WordPerfect document is renamed from EVIL.WPD to
EVIL.DOC, it may not be obvious that the file is a WordPerfect
document.

IV. DETECTION

iDefense Labs have confirmed that the WordPerfect 6.x converter
(WPFT632.CNV, with file version 1998.1.27.0) in Microsoft Word 2000
Service Pack 3 is vulnerable. However, the version of this converter
installed with Word 2003 is not affected by this vulnerability.

V. WORKAROUND

The following workaround mitigates exposure to the vulnerability:

? Uninstall the WordPerfect 6.x Converter. &#40;Doing this will cause an
inability to open WordPerfect 6.x documents within the affected
Microsoft applications&#41;

VI. VENDOR RESPONSE

Microsoft has released a patch which addresses this issue. For more
information, consult their advisory at the following URL:

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-0088 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/28/2006 - Initial Contact
06/29/2006 - PoC Requested
06/29/2006 - PoC Sent
10/05/2006 - Vendor Status Update
01/24/2007 - Vendor Status Update
02/12/2008 - Vendor Status Update
03/31/2009 - CVE Assigned
04/14/2009 - Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [email protected] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ5N0Sbjs6HoxIfBkRAup3AJ0aD7NnDw6DZ59Fyrxbf6M4xBF3rgCfbmXk
eO3eL8c14xVdNKB8mPp0uug=
=WeP5
-----END PGP SIGNATURE-----