Public Vulnerability Reports

Microsoft Word 2000 WordPerfect 6.x Converter Stack Corruption Vulnerability

14.04.09

BACKGROUND

Word 2000 is a word processing application included with the Microsoft Office 2000 software. The WordPerfect Converter is a tool used by Word 2000 to import documents from WordPerfect files and convert them for editing in Word 2000 format.

DESCRIPTION

Exploitation of a stack corruption vulnerability in Microsoft Corp.'s Word 2000 WordPerfect 6.x Converter could allow an attacker to execute code in the context of the current user.

Microsoft Word is able to open documents created in other applications by transparently applying a filter module which converts them to a format Word can use. The WordPerfect 6.x converter from Office 2000 fails to perform sufficient sanity checking on input files. A maliciously constructed WordPerfect document can cause potentially exploitable stack corruption.

ANALYSIS

Successful remote exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the currently logged in user. One possible attack vector is to put a maliciously constructed document on a website and attempt to convince a user to download it. By default, Word 2000 will open Word Documents in the browser without prompting.

The vulnerability is triggered by conversion code not properly validating a counter against the allocated length of a structure before processing it. Depending on the contents of the data file, control structures on the stack may be modified as a result, potentially allowing the execution of arbitrary code.

One mitigating factor in the severity of this vulnerability is that, by default, the converter is not installed until the first time you go to use it. Often though, a complete install is done or the converter is explicitly requested in a custom install.

WordPerfect 6.x documents will be opened using the affected WordPerfect 6.x Converter if they have an extension which is handled by Word. For example, if a WordPerfect document is renamed from EVIL.WPD to EVIL.DOC, it may not be obvious that the file is a WordPerfect document.

DETECTION

iDefense Labs have confirmed that the WordPerfect 6.x converter (WPFT632.CNV, with file version 1998.1.27.0) in Microsoft Word 2000 Service Pack 3 is vulnerable. However, the version of this converter installed with Word 2003 is not affected by this vulnerability.

WORKAROUND

The following workaround mitigates exposure to the vulnerability:

 � Uninstall the WordPerfect 6.x Converter. (Doing this will cause an inability to open WordPerfect 6.x documents within the affected Microsoft applications) 

VENDOR RESPONSE

Microsoft has released a patch which addresses this issue. For more information, consult their advisory at the following URL:

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-0088 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

DISCLOSURE TIMELINE

06/28/2006 - Initial Contact
06/29/2006 - PoC Requested
06/29/2006 - PoC Sent
10/05/2006 - Vendor Status Update
01/24/2007 - Vendor Status Update
02/12/2008 - Vendor Status Update
03/31/2009 - CVE Assigned
04/14/2009 - Coordinated Public Disclosure

CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

LEGAL NOTICES

Copyright © 2009 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.