[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2010-3200 : Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability

Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability

CVE: 2010-3200

Word 2003 (SP3) 11.8326.11.8324 tested on windows XP SP2/SP3

Details :

A null pointer dereference vulnerability has been noticed in MS Word.The
exception results in the MSO.dll library which fails to handle the
special crafted buffer in a file.The issue can be potentially triggered
by openinga malicious word file which resulted in a null pointer
exception due to invalid memory read.

Note: It has intermediate impact because if system is running (n) number
of instance of MS Word , opening of this malicious doc file results in
crash of all the instances thereby completely subverting the
functionality of word.

The following state of registers and frames were noticed

eax=00000000 ebx=00000000 ecx=02711d68 edx=00000000 esi=00000000
eip=30f91fd7 esp=0013cca0 ebp=0013ccb4 iopl=0         nv up ei ng nz na
po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
30f91fd7 8b481c          mov     ecx,dword ptr [eax+1Ch]

0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be
0013ccb4 30f16d61 mso!Ordinal1033+0x3f4
0013ccdc 30ef266f mso!Ordinal2272+0xad
0013cdc8 30f16951 mso!Ordinal233+0x596
00000000 00000000 mso!Ordinal1307+0xc0e

0:000> u
30f91fd7 8b481c          mov     ecx,dword ptr [eax+1Ch]
30f91fda f6c101          test    cl,1
30f91fdd 0f85f3b20900    jne     mso!Ordinal2868+0x2eb87 (3102d2d6)
30f91fe3 8b701c          mov     esi,dword ptr [eax+1Ch]
30f91fe6 83e601          and     esi,1
30f91fe9 753a            jne     mso!Ordinal1033+0x442 (30f92025)
30f91feb 8b4848          mov     ecx,dword ptr [eax+48h]
30f91fee 2bd1            sub     edx,ecx

Basic Block:
    30f91fd7 mov ecx,dword ptr [eax+1ch]
       Tainted Input Operands: eax
    30f91fda test cl,1
       Tainted Input Operands: cl
    30f91fdd jne mso!ordinal2868+0x2eb87 (3102d2d6)
       Tainted Input Operands: ZeroFlag

Proof of Concept
The required proof of concept is available on below mentioned link

Vendor Response:
The vulnerability was reported to Microsoft. Due to the nature of
inherent crash no separate bulletin will be released. In the next
release of development this issue will be patched or corrected.

Aditya K Sood