Bugtraq mailing list archives

MS Word Unchecked Boundary Condition Vulnerability


From: naveed <naveedafzal () gmail com>
Date: Mon, 10 Jul 2006 20:47:21 +0500

/*------------------------------------------------------------
*    Microsoft Word unchecked boundary condition vulnerability.
*  ---------------------------------------------------------
*    One of the functions in mso.dll (older versions mso9.dll)
*    cannot properly handle the specially crafted files causing
*    invalid memory access and in some cases arbitrary overwrites.
*    The exported function LsCreateLine (entry: mso_203) contains a boundary
*    error while parsing certain specially crafted .DOC files, resulting in
*    an invalid memory access.
*
*    The following proof of concept code generates a .doc file; opening
*    the file will cause an access violation in mso.dll.
*    Code execution is possible if 4 bytes of arbitrary memory
*    are overwritten. Apparently this is not specific to MS Word
*    only, but other Office products which use these functions
*    are also vulnerable. No other user interaction is required in order to
*    trigger the vulnerability.
*
*    Affected Products: Microsoft Office
*    Tested against: Microsoft Word 2003, 2002, 2000
*
*    // naveed afzal
*------------------------------------------------------------*/

Proof of concept code is available here:

http://www.bsdpakistan.org/downloads/wordPOC.c

