Vulnerabilities > CVE-2004-0901 - Unspecified vulnerability in Microsoft products

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microsoft
critical
nessus

Summary

Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS04-041.NASL
descriptionThe remote host contains a version of Microsoft WordPad that is vulnerable to two security flaws. To exploit these flaws an attacker would need to send a malformed Word file to a victim on the remote host and wait for him to open the file using WordPad. Opening the file with WordPad will trigger a buffer overflow that could allow an attacker to execute arbitrary code on the remote host with the privileges of the user.
last seen2020-06-01
modified2020-06-02
plugin id15966
published2004-12-14
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/15966
titleMS04-041: Vulnerabilities in WordPad (885836)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(15966);
 script_version("1.31");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2004-0571", "CVE-2004-0901");
 script_bugtraq_id(11927, 11929);
 script_xref(name:"MSFT", value:"MS04-041");
 script_xref(name:"MSKB", value:"885836");

 script_name(english:"MS04-041: Vulnerabilities in WordPad (885836)");
 script_summary(english:"Checks the remote registry for MS04-041");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host through WordPad.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of Microsoft WordPad that is
vulnerable to two security flaws.

To exploit these flaws an attacker would need to send a malformed Word
file to a victim on the remote host and wait for him to open the file
using WordPad.

Opening the file with WordPad will trigger a buffer overflow that could
allow an attacker to execute arbitrary code on the remote host with the
privileges of the user.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-041");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows NT, 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2004/12/14");
 script_set_attribute(attribute:"patch_publication_date", value:"2004/12/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2004/12/14");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS04-041';
kb = '885836';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(nt:'6', win2k:'3,4', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

path = hotfix_get_programfilesdir();
if (!path) exit(1, "Failed to get the Program Files directory.");

share = hotfix_path2share(path:path);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

path += "\Windows NT\Accessories";

if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Wordpad.exe", version:"5.2.3790.224", path:path, bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Wordpad.exe", version:"5.1.2600.1606", path:path, bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Mswrd6.wpc", version:"10.0.803.2", path:path, bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Wordpad.exe", version:"5.0.2195.6991", path:path, bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Wordpad.exe", version:"4.0.1381.7312", path:path, bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2014-06-30T04:00:23.792-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameAndrew Buttner
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJosh Turpin
      organizationSymantec Corporation
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
    familywindows
    idoval:org.mitre.oval:def:1241
    statusaccepted
    submitted2005-01-05T12:00:00.000-04:00
    titleMS Word 6.0 Font Conversion Vulnerability (Windows 2000)
    version13
  • accepted2014-06-30T04:05:59.997-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJosh Turpin
      organizationSymantec Corporation
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
    familywindows
    idoval:org.mitre.oval:def:1655
    statusaccepted
    submitted2005-01-05T12:00:00.000-04:00
    titleMS Word 6.0 Font Conversion Vulnerability (Server 2003)
    version12
  • accepted2014-06-30T04:10:59.986-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJohn Hoyland
      organizationCentennial Software
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameJosh Turpin
      organizationSymantec Corporation
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    commentMicrosoft Windows NT is installed
    ovaloval:org.mitre.oval:def:36
    descriptionMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
    familywindows
    idoval:org.mitre.oval:def:3310
    statusaccepted
    submitted2005-01-05T12:00:00.000-04:00
    titleMS Word 6.0 Font Conversion Vulnerability (NT 4.0)
    version30
  • accepted2014-06-30T04:11:00.334-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJosh Turpin
      organizationSymantec Corporation
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
    familywindows
    idoval:org.mitre.oval:def:3882
    statusaccepted
    submitted2005-01-05T12:00:00.000-04:00
    titleMS Word 6.0 Font Conversion Vulnerability (32-bit XP)
    version17
  • accepted2005-04-27T12:07:00.000-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameIngrid Skoog
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameClifford Farrugia
      organizationGFI Software
    descriptionMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
    familywindows
    idoval:org.mitre.oval:def:4076
    statusdeprecated
    submitted2005-01-05T12:00:00.000-04:00
    titleSuppressed: Duplicate of OVAL1655
    version7
  • accepted2014-06-30T04:11:00.652-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameJosh Turpin
      organizationSymantec Corporation
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    commentMicrosoft Windows NT is installed
    ovaloval:org.mitre.oval:def:36
    descriptionMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
    familywindows
    idoval:org.mitre.oval:def:4576
    statusaccepted
    submitted2005-01-05T12:00:00.000-04:00
    titleMS Word 6.0 Font Conversion Vulnerability (NT Terminal Server)
    version29
  • accepted2005-02-23T09:25:00.000-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameClifford Farrugia
      organizationGFI Software
    • nameDragos Prisaca
      organizationGideon Technologies, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
    familywindows
    idoval:org.mitre.oval:def:4749
    statusdeprecated
    submitted2005-01-05T12:00:00.000-04:00
    titleSuppressed: Duplicate of OVAL3882
    version13
  • accepted2014-06-30T04:11:01.564-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameRobert L. Hollis
      organizationThreatGuard, Inc.
    • nameJosh Turpin
      organizationSymantec Corporation
    • nameMaria Mikhno
      organizationALTX-SOFT
    descriptionMicrosoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.
    familywindows
    idoval:org.mitre.oval:def:539
    statusaccepted
    submitted2005-01-05T12:00:00.000-04:00
    titleMS Word 6.0 Font Conversion Vulnerability (64-bit XP)
    version18