CVE-2004-0963 - Buffer overflow in Microsoft Word 2002 via crafted .doc files (fixed by MS05-023)

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values. The attack is entirely file-based: the victim has to open the crafted document, but no macros and no prior privileges on the host are needed. The vendor fix is Microsoft bulletin MS05-023 (referenced by the Nessus plugin below), which shipped patches for Word 2000, 2002 and 2003; the OVAL definitions below additionally cover the Word 2003 viewer (wordview).

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS05-023.NASL
description: The remote host is running a version of Microsoft Word that could allow arbitrary code to be run. To succeed, the attacker would have to send a rogue Word file to a user of the remote computer and have it open it. Then the macros contained in the Word file would bypass the security model of Word, and would be executed. (Reviewer's note: the reference to macros does not match the vulnerability described in the summary above. CVE-2004-0963 is a memory-corruption bug triggered while winword.exe parses unexpected values in the .doc file itself; macro security settings offer no protection, and a successful exploit runs attacker-supplied code inside the user's Word process or crashes it.)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 18026
published: 2005-04-12
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/18026
title: MS05-023: Vulnerability in Word May Lead to Code Execution (890169)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(18026);
  script_version("1.38");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  # MS05-023 fixed two Word issues; this single plugin reports both.
  script_cve_id("CVE-2004-0963", "CVE-2005-0558");
  script_bugtraq_id(13122, 13119);
  script_xref(name:"MSFT", value:"MS05-023");
  script_xref(name:"MSKB", value:"887978");
  script_xref(name:"MSKB", value:"891067");

  script_name(english:"MS05-023: Vulnerability in Word May Lead to Code Execution (890169)");
  script_summary(english:"Determines the version of WinWord.exe");

  script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through Word.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Microsoft Word that could allow
arbitrary code to be run.

To succeed, the attacker would have to send a rogue Word file to a user
of the remote computer and have it open it.  Then the macros contained
in the Word file would bypass the security model of Word, and would be
executed.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-023");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Word 2000, 2002 and
2003.");
  # AC:M because the victim has to open the malicious document.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/10/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/04/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/04/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  # smb_nt_ms02-031.nasl populates the SMB/Office/Word/*/ProductPath keys read
  # below; smb_nt_ms05-035.nasl runs first so the superseding update is known.
  script_dependencies("smb_nt_ms02-031.nasl", "smb_nt_ms05-035.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}

include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("misc_func.inc");
include("audit.inc");

# Bail out unless an earlier plugin established that bulletin checks can run.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-023';
kbs = make_list("887978", "891067");

# Prefer the answer of a patch-management integration when one is available.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# NOTE(review): read but never used by the checks below; kept for parity.
port = get_kb_item("SMB/transport");

# KB903672 (presumably the later MS05-035 Word update this plugin depends on)
# supersedes this fix, so its presence means there is nothing to report.
if (get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/Updates/KB903672")) exit(0);

missing = 0;
paths = get_kb_list_or_exit("SMB/Office/Word/*/ProductPath");
foreach key (keys(paths))
{
  # The KB key is SMB/Office/Word/<WinWord.exe version>/ProductPath; keep the version only.
  version = key - 'SMB/Office/Word/' - '/ProductPath';
  kb = NULL;

  if (ereg(pattern:"^11\..*", string:version))
  {
    # Word 2003: fixed in 11.0.6425.0, compare the third (build) field.
    build = ereg_replace(pattern:"^11\.0\.([0-9]*)\.[0-9]*$", string:version, replace:"\1");
    if (build != version && int(build) < 6425) kb = '891067';
  }
  else if (ereg(pattern:"^10\..*", string:version))
  {
    # Word 2002: fixed in 10.0.6754.0.
    build = ereg_replace(pattern:"^10\.0\.([0-9]*)\.[0-9]*$", string:version, replace:"\1");
    if (build != version && int(build) < 6754) kb = '887978';
  }
  else if (ereg(pattern:"^9\..*", string:version))
  {
    # Word 2000: version looks like 9.0[0].0[0].<build>; fixed in 9.00.00.8929.
    build = ereg_replace(pattern:"^9\.00?\.00?\.([0-9]*)$", string:version, replace:"\1");
    if (build != version && int(build) < 8929) kb = '887978';
  }

  # ereg_replace returns the input unchanged when the pattern does not match,
  # which is why each branch also requires build != version before comparing.
  if (!isnull(kb))
  {
    missing++;
    hotfix_add_report(bulletin:bulletin, kb:kb);
  }
}

if (missing == 0) audit(AUDIT_HOST_NOT, 'affected');

set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
exit(0);

Oval

  • accepted: 2012-05-28T04:01:23.493-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.
    family: windows
    id: oval:org.mitre.oval:def:1795
    status: accepted
    submitted: 2005-09-15T04:00:00.000-04:00
    title: Word 2003 Malicious .doc Buffer Overflow
    version: 5
  • accepted: 2012-05-28T04:01:29.768-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.
    family: windows
    id: oval:org.mitre.oval:def:2105
    status: accepted
    submitted: 2005-09-15T04:00:00.000-04:00
    title: Word 2002 Malicious .doc Buffer Overflow
    version: 5
  • accepted: 2012-05-28T04:01:32.140-04:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Shane Shaffer
      organization: G2, Inc.
    description: Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.
    family: windows
    id: oval:org.mitre.oval:def:2216
    status: accepted
    submitted: 2005-09-15T04:00:00.000-04:00
    title: Word 2000 Malicious .doc Buffer Overflow
    version: 5
  • accepted: 2013-02-18T04:00:19.351-05:00
    class: vulnerability
    contributors:
    • name: Matthew Burton
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Chris Wood
      organization: Assuria Ltd.
    • name: Sharath S
      organization: SecPod Technologies
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Sergey Artykhov
      organization: ALTX-SOFT
    description: Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.
    family: windows
    id: oval:org.mitre.oval:def:420
    status: accepted
    submitted: 2005-09-15T04:00:00.000-04:00
    title: Word 2003 (wordview) Malicious .doc Buffer Overflow
    version: 11