Vulnerabilities > CVE-2002-1056 - Unspecified vulnerability in Microsoft Outlook and Word

047910
CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
low complexity
microsoft
nessus

Summary

Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.

Vulnerable Configurations

Part | Description | Count
Application | Microsoft | 6

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS02-021.NASL
description: Outlook 2000 and 2002 provide the option to use Microsoft Word as the email editor when creating and editing email in RTF or HTML. There is a flaw in some versions of Word that could allow an attacker to execute arbitrary code when the user replies to a specially formed message using Word. An attacker could use this flaw to execute arbitrary code on this host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11325
published: 2003-03-06
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11325
title: MS02-021: Word Mail Reply Arbitrary Script Execution (321804)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Metadata section: when `description` is true the script only declares its
# identifiers, texts, scoring and prerequisites, then leaves through the
# exit(0) at the end of this block, so none of the checks below run.
if (description)
{
 script_id(11325);
 script_version("1.47");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 # Cross-references: CVE, Bugtraq ID, Microsoft bulletin and KB article.
 script_cve_id("CVE-2002-1056");
 script_bugtraq_id(4397);
 script_xref(name:"MSFT", value:"MS02-021");
 script_xref(name:"MSKB", value:"321804");

 script_name(english:"MS02-021: Word Mail Reply Arbitrary Script Execution (321804)");
 script_summary(english:"Determines the version of WinWord.exe");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Word.");
 script_set_attribute(attribute:"description", value:
"Outlook 2000 and 2002 provide the option to use Microsoft Word as the
email editor when creating and editing email in RTF or HTML.

There is a flaw in some versions of Word that could allow an attacker to
execute arbitrary code when the user replies to a specially formed
message using Word.

An attacker could use this flaw to execute arbitrary code on this host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-021");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Office 2000 and 2002.");
 # NOTE(review): both base vectors rate attack complexity as high (AC:H), and
 # the CVSS3 vector sets UI:N although the description above says the flaw
 # triggers when the user replies to a message - confirm the scoring is
 # intended before using it for prioritisation.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/03/31");
 script_set_attribute(attribute:"patch_publication_date", value:"2002/04/25");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/06");

 # Declared as a local check; the test further down works from KB entries
 # (SMB/Office/Word/*/ProductPath) that hold the installed Word version.
 script_set_attribute(attribute:"plugin_type", value:"local");
 # NOTE(review): the CPE names Outlook, while the summary and the version test
 # are about WinWord.exe builds - asset matching on CPE may miss Word.
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:outlook");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # NOTE(review): the first dependency carries a different bulletin number
 # (MS02-031); presumably it populates the SMB/Office/Word KB entries used
 # below - verify against that plugin.
 script_dependencies("smb_nt_ms02-031.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 # KB key names, not port numbers, are passed here; presumably the plugin is
 # scheduled when either key is present - confirm.
 script_require_ports("SMB/Office/Word/Version", "Host/patch_management_checks");

 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("misc_func.inc");

# Prerequisite gate: presumably exits (per the helper's name) when the
# bulletin-check key is missing from the KB.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# Bulletin and KB article reported for every finding below.
bulletin = 'MS02-021';
kb       = '321804';

kbs = make_list(kb);
# When patch-management checks are enabled, pass the bulletin and KB list to
# the third-party patch check.
# NOTE(review): whether hotfix_check_3rd_party() returns or exits is defined
# in an include that is not shown here.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# Recorded Word installs; the version is embedded in each key name. Presumably
# exits when no such key exists, so hosts without Word are never evaluated.
list = get_kb_list_or_exit("SMB/Office/Word/*/ProductPath");

# NOTE(review): `port` is not referenced again in this listing; it may be read
# by the included hotfix helpers - confirm before treating it as dead code.
port = kb_smb_transport();


# Walk every recorded Word install, count those whose build is below the fixed
# build for its release line (9.x = Word 2000, 10.x = Word 2002), then report.
# Versions that start with neither "9." nor "10." are never flagged.
vuln = 0;
foreach item (keys(list))
{
  # Strip the fixed prefix and suffix from the KB key, leaving the version.
  v = item - 'SMB/Office/Word/' - '/ProductPath';
  if(strlen(v))
  {
    if(ereg(pattern:"^9\..*", string:v))
    {
      # Word 2000 - patched in WinWord 9.0.6328
      # The patterns expect a three-part 9.<middle>.<minor> version.
      # NOTE(review): ereg_replace presumably returns its input unchanged when
      # the pattern does not match (e.g. a four-part version), in which case
      # the comparisons below run on the whole version string - verify.
      middle =  ereg_replace(pattern:"^9\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
      minor =   ereg_replace(pattern:"^9\.[0-9]*\.([0-9]*)$", string:v, replace:"\1");
      # NOTE(review): middle and minor are regex captures, i.e. strings. The
      # `<` test is only a correct build comparison if the interpreter compares
      # them numerically; a lexical compare misorders builds with a different
      # digit count and could hide or invent a finding - confirm, or convert
      # with int() first.
      if(middle == 0 && minor < 6328) {
        vuln++;
        hotfix_add_report(bulletin:bulletin, kb:kb);
      }
    }
    else if(ereg(pattern:"^10\..*", string:v))
    {
      # Word 2002 - updated in 10.0.4009.3501
      # The patterns expect 10.0.<middle>.<minor>; the same string-versus-number
      # caveat applies to the comparisons below (TODO confirm).

      middle =  ereg_replace(pattern:"^10\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
      minor  =  ereg_replace(pattern:"^10\.0\.[0-9]*\.([0-9]*)$", string:v, replace:"\1");
      # Flag anything below 4009, or 4009 with a last component below 3501.
      if(middle < 4009) {
        vuln++;
        hotfix_add_report(bulletin:bulletin, kb:kb);
      }
      else if(middle == 4009 && minor < 3501) {
        vuln++;
        hotfix_add_report(bulletin:bulletin, kb:kb);
      }
    }
  }
}
# At least one outdated install: record the missing bulletin in the KB and
# raise the finding. Otherwise audit the host as not affected.
if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');


Oval

  • accepted: 2012-05-28T04:01:27.874-04:00
    class: vulnerability
    contributors:
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.
    family: windows
    id: oval:org.mitre.oval:def:205
    status: accepted
    submitted: 2004-09-06T12:00:00.000-04:00
    title: MS Outlook (Word 2000) RTF/HTML Script Execution Vulnerability
    version: 6
  • accepted: 2012-05-28T04:01:43.568-04:00
    class: vulnerability
    contributors:
    • name: Ingrid Skoog
      organization: The MITRE Corporation
    • name: Jonathan Baker
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Matthew Wojcik
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.
    family: windows
    id: oval:org.mitre.oval:def:429
    status: accepted
    submitted: 2004-08-24T12:00:00.000-04:00
    title: MS Outlook (Word 2002) RTF/HTML Script Execution Vulnerability
    version: 8