Vulnerabilities > CVE-2008-1455 - Resource Management Errors vulnerability in Microsoft products

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
microsoft
CWE-399
nessus

Summary

A "memory calculation error" in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP2, and 2007 through SP1; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 through SP1; and Office 2004 for Mac allows remote attackers to execute arbitrary code via a PowerPoint file with crafted list values that trigger memory corruption, aka "Parsing Overflow Vulnerability."

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS08-051.NASL
    descriptionThe remote host is running a version of Microsoft PowerPoint which is subject to a flaw that could allow arbitrary code to be run. An attacker may use this to execute arbitrary code on this host. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it open it. Then a bug in the font parsing handler would result in code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id33880
    published2008-08-13
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/33880
    titleMS08-051: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(33880);
     script_version("1.30");
     script_cvs_date("Date: 2018/11/15 20:50:30");
    
     script_cve_id("CVE-2008-0120", "CVE-2008-0121", "CVE-2008-1455");
     script_bugtraq_id(30552, 30554, 30579);
    
     script_xref(name:"MSFT", value:"MS08-051");
     script_xref(name:"MSKB", value:"948988");
     script_xref(name:"MSKB", value:"948995");
     script_xref(name:"MSKB", value:"949007");
     script_xref(name:"MSKB", value:"949041");
     script_xref(name:"MSKB", value:"951338");
    
     script_name(english:"MS08-051: Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785)");
     script_summary(english:"Determines the version of PowerPoint.exe");
    
     script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host through Microsoft
    PowerPoint.");
     script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Microsoft PowerPoint which is
    subject to a flaw that could allow arbitrary code to be run.
    
    An attacker may use this to execute arbitrary code on this host.
    
    To succeed, the attacker would have to send a rogue file to a user of
    the remote computer and have it open it.  Then a bug in the font parsing
    handler would result in code execution.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-051");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for PowerPoint 2000, XP and
    2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_cwe_id(399);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/12");
     script_set_attribute(attribute:"patch_publication_date", value:"2008/08/12");
     script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/13");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:powerpoint_viewer");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_compatibility_pack");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
    
     exit(0);
    }
    
    include("smb_func.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("misc_func.inc");
    include("audit.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS08-051';
    kbs = make_list("948988", "948995", "949007", "949041", "951338");
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    port = get_kb_item("SMB/transport");
    
    #
    # PowerPoint
    #
    list = get_kb_list("SMB/Office/PowerPoint/*/ProductPath");
    if (!isnull(list))
    {
      foreach item (keys(list))
      {
        v = item - 'SMB/Office/PowerPoint/' - '/ProductPath';
        if(ereg(pattern:"^9\..*", string:v))
        {
          # PowerPoint 2000 - fixed in 9.0.0.8969
          office_sp = get_kb_item("SMB/Office/2000/SP");
          if (!isnull(office_sp) && office_sp == 3)
          {
            sub =  ereg_replace(pattern:"^9\.00?\.00?\.([0-9]*)$", string:v, replace:"\1");
            if(sub != v && int(sub) < 8969 ) {
              vuln++;
              kb = '949007';
              hotfix_add_report(bulletin:bulletin, kb:kb);
            }
          }
        }
        else if(ereg(pattern:"^10\..*", string:v))
        {
          # PowerPoint XP - fixed in 10.0.6842.0
          office_sp = get_kb_item("SMB/Office/XP/SP");
          if (!isnull(office_sp) && office_sp == 3)
          {
            middle =  ereg_replace(pattern:"^10\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
            if(middle != v && int(middle) < 6842) {
              vuln++;
              kb = '948995';
              hotfix_add_report(bulletin:bulletin, kb:kb);
            }
          }
        }
        else if(ereg(pattern:"^11\..*", string:v))
        {
          # PowerPoint 2003 - fixed in 11.0.8227.0
          office_sp = get_kb_item("SMB/Office/2003/SP");
          if (!isnull(office_sp) && (office_sp == 2 || office_sp == 3))
          {
            middle =  ereg_replace(pattern:"^11\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
            if(middle != v && int(middle) < 8227 ) {
              vuln++;
              kb = '948988';
              hotfix_add_report(bulletin:bulletin, kb:kb);
            }
          }
        }
        else if(ereg(pattern:"^12\..*", string:v))
        {
          # PowerPoint 2007 - fixed in 12.0.6300.5000
          office_sp = get_kb_item("SMB/Office/2007/SP");
          if (!isnull(office_sp) && (office_sp == 0 || office_sp == 1))
          {
            middle =  ereg_replace(pattern:"^12\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
            if(middle != v && int(middle) < 6300 ) {
              vuln++;
              kb = '951338';
              hotfix_add_report(bulletin:bulletin, kb:kb);
            }
          }
        }
      }
    }
    
    list = get_kb_list("SMB/Office/PowerPointViewer/*/ProductPath");
    if (!isnull(list))
    {
      foreach item (keys(list))
      {
        v = item - 'SMB/Office/PowerPointViewer/' - '/ProductPath';
        if(ereg(pattern:"^11\..*", string:v))
        {
          # PowerPointViewer 2003 - fixed in 11.0.8164.0
          middle =  ereg_replace(pattern:"^11\.0\.([0-9]*)\.[0-9]*$", string:v, replace:"\1");
          if(middle != v && int(middle) < 8164 ) {
            kb = '949041';
            hotfix_add_report(bulletin:bulletin, kb:kb);
          }
        }
      }
    }
    if (vuln)
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, 'affected');
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_MS_OFFICE_AUG2008.NASL
    descriptionThe remote Mac OS X host is running a version of Microsoft Office that is affected by several vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted Excel or PowerPoint file, these issues could be leveraged to execute arbitrary code subject to the user
    last seen2020-03-18
    modified2010-10-20
    plugin id50058
    published2010-10-20
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/50058
    titleMS08-043 / MS08-051: Vulnerabilities in Microsoft Could Allow Remote Code Execution (954066 / 949785) (Mac OS X)
    code
    #TRUSTED 4e2b48695f9a51bbff8dc924e9535b83695f9c951de474ffbeb0e78a50a6c4866b5acf9cf387235efd19b20682505033bf860c2bc24e0c94c7fef763135c8f2d72852f8925faf33add695049d4119def762ea1c27dda67964f546ff3499a4c5fc5569a91c7dec6ffbc77ebbc14bcb02130f0172d96773458fed56027770a87cfd8b5c8f2bb4ac6d654c90c24fdf6997fa026aeab72c3abd561c1bdce3a69ef141bc91874730aadac15babd1aca6e6da4e38ce6487b1452f1a4f9f5749fe3e845a8ae0257a7493acc90be9dcc41948e29b54fd809c6f7da6e820f52760402d3c533ab3824ba9c8641b1aed0962fa60e2e90ac68ad0165ed57b9218c4d2f9a3660d7ab2feaad182d596fe3f25729ee4d360b9c33d9c4c77e572520c8f3995337ea87ae868b1e1d32e9944872071998e76c0f92e52dbaa4744eff0058a61eb7a61e2f56afd90e502ae233ac61543b2fc10597a15f6310be8b73e4aebf7cb48b8375c56d52c664c254abaaac4b755ecfa836fe7772a48113b8701d68f84d4f514ec2db03bf2481390e5fbfbd06aa54b80853fd76b123cd843d40bb695abdbbc80419b09289003db8e951dee7b65f45151fed516cf208017147dc1f01cf0d85d7bb81de8b45f16881513e2eebec466a4429b0bb1d342abc09279a5b226a27c08b904eef7e7458cb47bbabf59a373a56b34d72bfe62fdf9df1228243215f20fdfcb458
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(50058);
      script_version("1.18");
      script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");
    
      script_cve_id(
        "CVE-2008-1455",
        "CVE-2008-3003",
        "CVE-2008-3004",
        "CVE-2008-3005",
        "CVE-2008-3006"
      );
      script_bugtraq_id(30579, 30638, 30639, 30640, 30641);
      script_xref(name:"MSFT", value:"MS08-043");
      script_xref(name:"MSFT", value:"MS08-051");
      script_xref(name:"MSKB", value:"949785");
      script_xref(name:"MSKB", value:"954066");
      script_xref(name:"MSKB", value:"956343");
      script_xref(name:"MSKB", value:"956344");
    
      script_name(english:"MS08-043 / MS08-051: Vulnerabilities in Microsoft Could Allow Remote Code Execution (954066 / 949785) (Mac OS X)");
      script_summary(english:"Check version of Microsoft Office");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application installed on the remote Mac OS X host is affected by
    multiple remote code execution vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Mac OS X host is running a version of Microsoft Office that
    is affected by several vulnerabilities.
    
    If an attacker can trick a user on the affected host into opening a
    specially crafted Excel or PowerPoint file, these issues could be
    leveraged to execute arbitrary code subject to the user's privileges.");
      script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms08-043");
      script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/security/bulletin/ms08-051");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Office 2004 for Mac and
    Office 2008 for Mac.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/08/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/08/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2004::mac");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office:2008::mac");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages", "Host/uname");
    
      exit(0);
    }
    
    
    include("misc_func.inc");
    include("ssh_func.inc");
    include("macosx_func.inc");
    
    
    
    if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
      enable_ssh_wrappers();
    else disable_ssh_wrappers();
    
    function exec(cmd)
    {
      local_var buf, ret;
    
      if (islocalhost())
        buf = pread(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));
      else
      {
        ret = ssh_open_connection();
        if (!ret) exit(1, "ssh_open_connection() failed.");
        buf = ssh_cmd(cmd:cmd);
        ssh_close_connection();
      }
      return buf;
    }
    
    
    packages = get_kb_item("Host/MacOSX/packages");
    if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");
    
    uname = get_kb_item("Host/uname");
    if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
    if (!egrep(pattern:"Darwin.*", string:uname)) exit(1, "The host does not appear to be using the Darwin sub-system.");
    
    
    # Gather version info.
    info = '';
    installs = make_array();
    
    prod = 'Office 2008 for Mac';
    plist = "/Applications/Microsoft Office 2008/Office/MicrosoftComponentPlugin.framework/Versions/12/Resources/Info.plist";
    cmd =  'cat \'' + plist + '\' | ' +
      'grep -A 1 CFBundleShortVersionString | ' +
      'tail -n 1 | ' +
      'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\'';
    version = exec(cmd:cmd);
    if (version && version =~ "^[0-9]+\.")
    {
      version = chomp(version);
      if (version !~ "^12\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
    
      installs[prod] = version;
    
      ver = split(version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(ver); i++)
        ver[i] = int(ver[i]);
    
      fixed_version = '12.1.2';
      fix = split(fixed_version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(fix); i++)
        fix[i] = int(fix[i]);
    
      for (i=0; i<max_index(fix); i++)
        if ((ver[i] < fix[i]))
        {
          info +=
            '\n  Product           : ' + prod +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed_version + '\n';
          break;
        }
        else if (ver[i] > fix[i])
          break;
    }
    
    prod = 'Office 2004 for Mac';
    cmd = GetCarbonVersionCmd(file:"Microsoft Component Plugin", path:"/Applications/Microsoft Office 2004/Office");
    version = exec(cmd:cmd);
    if (version && version =~ "^[0-9]+\.")
    {
      version = chomp(version);
      if (version !~ "^11\.") exit(1, "Failed to get the version for "+prod+" - '"+version+"'.");
    
      installs[prod] = version;
    
      ver = split(version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(ver); i++)
        ver[i] = int(ver[i]);
    
      fixed_version = '11.5.1';
      fix = split(fixed_version, sep:'.', keep:FALSE);
      for (i=0; i<max_index(fix); i++)
        fix[i] = int(fix[i]);
    
      for (i=0; i<max_index(fix); i++)
        if ((ver[i] < fix[i]))
        {
          info +=
            '\n  Product           : ' + prod +
            '\n  Installed version : ' + version +
            '\n  Fixed version     : ' + fixed_version + '\n';
          break;
        }
        else if (ver[i] > fix[i])
          break;
    }
    
    
    # Report findings.
    if (info)
    {
      gs_opt = get_kb_item("global_settings/report_verbosity");
      if (gs_opt && gs_opt != 'Quiet') security_hole(port:0, extra:info);
      else security_hole(0);
    
      exit(0);
    }
    else
    {
      if (max_index(keys(installs)) == 0) exit(0, "Office for Mac is not installed.");
      else
      {
        msg = 'The host has ';
        foreach prod (sort(keys(installs)))
          msg += prod + ' ' + installs[prod] + ' and ';
        msg = substr(msg, 0, strlen(msg)-1-strlen(' and '));
    
        msg += ' installed and thus is not affected.';
    
        exit(0, msg);
      }
    }
    

Oval

accepted2014-06-30T04:11:02.469-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationSecure Elements, Inc.
  • nameDragos Prisaca
    organizationSecure Elements, Inc.
  • namePradeep R B
    organizationSecPod Technologies
  • nameShane Shaffer
    organizationG2, Inc.
  • nameJosh Turpin
    organizationSymantec Corporation
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft PowerPoint 2000 is installed
    ovaloval:org.mitre.oval:def:696
  • commentMicrosoft PowerPoint 2002 is installed
    ovaloval:org.mitre.oval:def:305
  • commentMicrosoft PowerPoint 2003 is installed
    ovaloval:org.mitre.oval:def:666
  • commentMicrosoft PowerPoint 2007 is installed
    ovaloval:org.mitre.oval:def:5937
  • commentMicrosoft Office Compatibility Pack is installed
    ovaloval:org.mitre.oval:def:1853
descriptionA "memory calculation error" in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP2, and 2007 through SP1; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 through SP1; and Office 2004 for Mac allows remote attackers to execute arbitrary code via a PowerPoint file with crafted list values that trigger memory corruption, aka "Parsing Overflow Vulnerability."
familywindows
idoval:org.mitre.oval:def:5555
statusaccepted
submitted2008-08-13T09:28:00
titleParsing Overflow Vulnerability
version25