CVE-2006-3449
CVSS 7.5
Published: 2006-08-08 20:04:00
Last revised: 2008-09-05 17:07:10
NMCOPS    

[Original] Unspecified vulnerability in Microsoft PowerPoint 2000 through 2003, possibly a buffer overflow, allows user-assisted remote attackers to execute arbitrary commands via a malformed record in the BIFF file format used in a PPT file, a different issue than CVE-2006-1540, aka "Microsoft PowerPoint Malformed Record Vulnerability."


[CNNVD] Microsoft PowerPoint Malformed Record Handling Code Execution Vulnerability (MS06-048) (CNNVD-200608-116)

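        Microsoft PowerPoint is a very popular presentation tool published by Microsoft.
        Microsoft PowerPoint has a memory corruption vulnerability when parsing malformed PPT records; a remote attacker may exploit it to execute arbitrary instructions on the user's machine.
        The disassembly is as follows: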
        3009a818 3945fc cmp [ebp-0x4],eax
        3009a81b 7703 ja POWERPNT+0x9a820 (3009a820)
        3009a81d 8b45fc mov eax,[ebp-0x4]
        3009a820 8b7308 mov esi,[ebx+0x8]
        3009a823 8b7d08 mov edi,[ebp+0x8]
        3009a826 2945fc sub [ebp-0x4],eax
        3009a829 014508 add [ebp+0x8],eax
        3009a82c 8bc8 mov ecx,eax
        3009a82e 8bd1 mov edx,ecx
        3009a830 c1e902 shr ecx,0x2
        3009a833 f3a5 rep movsd ---> Access violation here. :)
        3009a835 8bca mov ecx,edx
        3009a837 83e103 and ecx,0x3
        3009a83a f3a4 rep movsb
        3009a83c 014308 add [ebx+0x8],eax
        3009a83f 014318 add [ebx+0x18],eax
        3009a842 837dfc00 cmp dword ptr [ebp-0x4],0x0
        3009a846 75b7 jnz POWERPNT+0x9a7ff (3009a7ff)
        3009a848 8b450c mov eax,[ebp+0xc]
        3009a84b 5f pop edi
        3009a84c 5e pop esi
        3009a84d 5b pop ebx
        3009a84e c9 leave
        3009a84f c20800 ret 0x8
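        The vulnerability is triggered when a user is tricked into opening a PPT file containing a malformed record, leading to arbitrary code execution.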
        
        

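- CVSS (Base Score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]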

- CPE (Affected Platforms and Products)

cpe:/a:microsoft:powerpoint:2000:::chinese
cpe:/a:microsoft:powerpoint:2002:sp1  Microsoft PowerPoint 2002 sp1
cpe:/a:microsoft:powerpoint:2000:sp2  Microsoft PowerPoint 2000 sp2
cpe:/a:microsoft:powerpoint:2001::macos
cpe:/a:microsoft:powerpoint:2000:sr1  Microsoft PowerPoint 2000 sr1
cpe:/a:microsoft:powerpoint:2003  Microsoft PowerPoint 2003
cpe:/a:microsoft:powerpoint:2000  Microsoft PowerPoint 2000
cpe:/a:microsoft:powerpoint:2000:::korean
cpe:/a:microsoft:powerpoint:2002  Microsoft PowerPoint 2002
cpe:/a:microsoft:powerpoint:2002:sp3  Microsoft PowerPoint 2002 Service Pack 3
cpe:/a:microsoft:powerpoint:2000:sp3  Microsoft PowerPoint 2000 sp3
cpe:/a:microsoft:powerpoint:2002:sp2  Microsoft PowerPoint 2002 sp2
cpe:/a:microsoft:powerpoint:2000:::japanese

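- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:348  Microsoft PowerPoint Malformed Records Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical detail on detection can be found in the related OVAL definition.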

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3449
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3449
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200608-116
(Official data source) CNNVD

- Other Links and Resources

http://www.us-cert.gov/cas/techalerts/TA06-220A.html
(PATCH)  CERT  TA06-220A
http://www.kb.cert.org/vuls/id/884252
(PATCH)  CERT-VN  VU#884252
http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
(PATCH)  MS  MS06-048
http://www.securityfocus.com/archive/1/archive/1/442592/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060808 Microsoft PowerPoint Malformed Record Memory Corruption
http://secway.org/advisory/AD20060808.txt
(UNKNOWN)  MISC  http://secway.org/advisory/AD20060808.txt
http://www.securityfocus.com/bid/19341
(UNKNOWN)  BID  19341
http://securitytracker.com/id?1016657
(UNKNOWN)  SECTRACK  1016657
http://securityreason.com/securityalert/1342
(UNKNOWN)  SREASON  1342

- Vulnerability Information

Microsoft PowerPoint Malformed Record Handling Code Execution Vulnerability (MS06-048)
High risk  Buffer overflow
2006-08-08 00:00:00 2006-08-10 00:00:00
Remote

- Advisories and Patches

        The vendor has released an update that fixes this security issue. Patch download link:
        http://www.microsoft.com/technet/security/bulletin/ms06-048.mspx

- Vulnerability Information (F49124)

AD20060808.txt (PacketStormID:F49124)
2006-08-18 00:00:00
Sowhat  nevisnetworks.com
advisory,remote,arbitrary
CVE-2006-3449

A vulnerability in Microsoft PowerPoint allows remote attackers to execute arbitrary code in the context of the logged in user. An array boundary condition may be violated by a malicious .PPT file in order to redirect execution into attacker-supplied data. Exploitation requires that the attacker coerce or persuade the victim to open a malicious .PPT file.

Microsoft PowerPoint Malformed Record Memory Corruption Vulnerability


By Sowhat of Nevis Labs
2006.08.08

http://www.nevisnetworks.com
http://secway.org/advisory/AD20060808.txt



Vendor
Microsoft Inc.

Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Office PowerPoint 2003
PowerPoint 2004 for Mac
PowerPoint 2004 v. X for Mac


Remote: YES
Exploitable: maybe ;)

CVE: CVE-2006-3449



Overview:

This vulnerability allows remote attackers to execute arbitrary code in
the context of the logged in user. An array boundary condition may be
violated by a malicious .PPT file in order to redirect execution into
attacker-supplied data. Exploitation requires that the attacker coerce or
persuade the victim to open a malicious .PPT file.


Details:

The specific flaw exists within the parsing of the BIFF(?) file format used
by Microsoft PowerPoint.


There will be a memory corruption during the analysis of a malformed PPT Record.


The disassembly code:


3009a818 3945fc           cmp     [ebp-0x4],eax
3009a81b 7703             ja      POWERPNT+0x9a820 (3009a820)
3009a81d 8b45fc           mov     eax,[ebp-0x4]
3009a820 8b7308           mov     esi,[ebx+0x8]
3009a823 8b7d08           mov     edi,[ebp+0x8]
3009a826 2945fc           sub     [ebp-0x4],eax
3009a829 014508           add     [ebp+0x8],eax
3009a82c 8bc8             mov     ecx,eax
3009a82e 8bd1             mov     edx,ecx
3009a830 c1e902           shr     ecx,0x2
3009a833 f3a5             rep     movsd						----> Access violation here. :)
3009a835 8bca             mov     ecx,edx
3009a837 83e103           and     ecx,0x3
3009a83a f3a4             rep     movsb
3009a83c 014308           add     [ebx+0x8],eax
3009a83f 014318           add     [ebx+0x18],eax
3009a842 837dfc00         cmp     dword ptr [ebp-0x4],0x0
3009a846 75b7             jnz     POWERPNT+0x9a7ff (3009a7ff)
3009a848 8b450c           mov     eax,[ebp+0xc]
3009a84b 5f               pop     edi
3009a84c 5e               pop     esi
3009a84d 5b               pop     ebx
3009a84e c9               leave
3009a84f c20800           ret     0x8


Code execution may be possible.


POC:

No POC will be supplied


Fix:

Microsoft has released an update for Microsoft Office which is
set to address this issue. This can be downloaded from:

http://www.microsoft.com/technet/security/bulletin/MS06-048.mspx


Vendor Response:

2006.07.14 Vendor notified via secure@microsoft.com
2006.07.15 Vendor responded
2006.08.08 Vendor released MS06-048 patch
2006.08.08 Advisory released


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


        CVE-2006-3449




Greetings to Becky PhD. ;)


Reference:

1. http://www.microsoft.com/technet/security/Bulletin/MS06-048.mspx
2. http://secway.org/vuln.htm



-- 
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
    

- Vulnerability Information

29143
Microsoft PowerPoint PPT Malformed BIFF File Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity, Loss of Availability Workaround, Patch / RCS
Exploit Unknown Vendor Verified

- Vulnerability Description

A local overflow exists in Microsoft PowerPoint. PowerPoint fails to parse a crafted PowerPoint file, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary commands via a malformed record in the BIFF file format used in a PPT file, resulting in a loss of confidentiality, integrity, and availability.

- Timeline

2006-08-09 2006-08-09
Unknown 2006-08-08

- Solution

Microsoft has released a patch to address this issue. Additionally, it is possible to correct the flaw by implementing the following workaround(s): Do not open or save Microsoft Office files that you receive from un-trusted sources or that you received unexpectedly from trusted sources.

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Microsoft Powerpoint Remote Code Execution Vulnerability
Boundary Condition Error 19341
Yes No
2006-08-08 12:00:00 2006-08-24 08:49:00
Shih-hao Weng of Information & Communication Security Technology Center has been credited with the discovery of this vulnerability.

- Affected Software Versions

Microsoft PowerPoint 2004 for Mac 0
Microsoft PowerPoint 2003 SP2
+ Microsoft Office 2003 SP2
Microsoft PowerPoint 2003 SP1
+ Microsoft Office 2003 SP1
Microsoft PowerPoint 2002 SP3
Microsoft PowerPoint 2000 SP3
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional

- Discussion

Microsoft PowerPoint is prone to a remote code-execution vulnerability.

This issue occurs when the application handles malformed record data within a presentation file.

A successful exploit of this issue will let attackers execute arbitrary code in the context of the targeted user.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Microsoft has released a security bulletin to address this issue. Please see the attached security bulletin for details on obtaining fixes.


Microsoft PowerPoint 2004 for Mac 0
