/*------------------------------------------------------------
 * Microsoft Word unchecked boundary condition vulnerability.
 * ---------------------------------------------------------
 * One of the functions in mso.dll (mso9.dll in older versions)
 * cannot properly handle specially crafted files, causing
 * invalid memory access and, in some cases, arbitrary overwrites.
 * The exported function LsCreateLine (entry: mso_203) contains a boundary
 * error while parsing certain specially crafted .DOC files, resulting in
 * an invalid memory access.
 *
 * The following proof-of-concept code generates a .doc file; opening
 * the file causes an access violation in mso.dll.
 * Code execution is possible if 4 bytes of arbitrary memory
 * are overwritten. Apparently this is not specific to MS Word:
 * other Office products that use these functions are also
 * vulnerable. No other user interaction is required to trigger
 * the vulnerability.
 *
 * Affected Products: Microsoft Office
 * Tested against   : Microsoft Word 2003, 2002, 2000
 *
 * // naveed afzal
 *------------------------------------------------------------*/

Proof-of-concept code is available here: http://www.bsdpakistan.org/downloads/wordPOC.c