Microsoft Office Word sprmCMajority Record Parsing Remote Code Execution Vulnerability

ID ZDI-10-150
Type zdi
Reporter L.W.Z of team509
Modified 2010-11-09T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Word. User interaction is required to exploit this vulnerability in that the target must open a malicious document.

The specific flaw exists in the parsing of sprmCMajority records in a Word document. Due to the lack of parameter checking when processing sprmCMajority sprm groups it is possible to arbitrarily control the amount of data being written to a stack based buffer resulting in a stack overflow vulnerability which can overwrite critical exception structures. Successful exploitation can lead to remote code execution under the credentials of the currently logged in user.