CVE-2008-3018 - Code Injection vulnerability in Microsoft Office, Office Converter Pack and Works

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, microsoft, CWE-94, critical, nessus

Summary

Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack; and Works 8 do not properly parse the length of a PICT file, which allows remote attackers to execute arbitrary code via a crafted PICT file, aka the "Malformed PICT Filter Vulnerability," a different vulnerability than CVE-2008-3021.

Vulnerable Configurations

Part         Description   Count
OS           Microsoft     1
Application  Microsoft     3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files: when the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. an application server) into executing based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high.
    The attack can be directed at a client system, for example by causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process.
    The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS08-044.NASL
description: The remote host is running a version of some Microsoft Office filters that are subject to various flaws that could allow arbitrary code to be run. An attacker may use these to execute arbitrary code on this host. To succeed, the attacker would have to send a rogue file to a user of the remote computer and have it import it with Microsoft Office.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 33873
published: 2008-08-13
reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/33873
title: MS08-044: Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090)

Oval

accepted: 2015-08-10T04:01:00.118-04:00
class: vulnerability
contributors:
  • name: Sudhir Gandhe
    organization: Secure Elements, Inc.
  • name: Akihito Nakamura
    organization: AIST
  • name: Dragos Prisaca
    organization: G2, Inc.
  • name: Maria Mikhno
    organization: ALTX-SOFT
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions:
  • comment: Microsoft Office 2000 is installed
    oval: oval:org.mitre.oval:def:93
  • comment: Microsoft Office XP is installed
    oval: oval:org.mitre.oval:def:663
  • comment: Microsoft Office 2003 is installed
    oval: oval:org.mitre.oval:def:233
  • comment: Microsoft Project 2002 SP1 is installed
    oval: oval:org.mitre.oval:def:707
  • comment: Microsoft Office Converter Pack is installed
    oval: oval:org.mitre.oval:def:28520
description: Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack; and Works 8 do not properly parse the length of a PICT file, which allows remote attackers to execute arbitrary code via a crafted PICT file, aka the "Malformed PICT Filter Vulnerability," a different vulnerability than CVE-2008-3021.
family: windows
id: oval:org.mitre.oval:def:5879
status: accepted
submitted: 2008-08-13T09:28:00
title: Microsoft Malformed PICT Filter Vulnerability
version: 15

Seebug

bulletinFamily: exploit
description:
BUGTRAQ ID: 30595, 30597
CVE(CAN) ID: CVE-2008-3019, CVE-2008-3018

Microsoft Office is a very popular office software suite.

A remote code execution vulnerability exists in the way the Microsoft Office filters handle malformed images. An attacker can exploit this vulnerability by constructing a specially crafted Encapsulated PostScript (EPS) or PICT file. If a user opens the file with an Office application, it may allow remote code execution. Such a crafted file could be included as an e-mail attachment or hosted on a malicious or compromised website. An attacker who successfully exploited this vulnerability could take complete control of the affected system. However, exploiting this vulnerability requires significant user interaction.

Affected:
Microsoft Office XP SP3
Microsoft Office 2003 Service Pack 2
Microsoft Office 2000 SP3
Microsoft Works 8.0

Temporary workarounds:

* Modify the access control list to deny all users access to EPSIMP32.FLT

Registry method
1. Click Start, click Run, type regedit.exe, and then click OK.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Import\EPS
3. Note the value of Path. In Explorer, navigate to the EPSIMP32.FLT file listed as the Path value.
4. Right-click the EPSIMP32.FLT file and select Properties.
5. On the Security tab, click Advanced.
6. Clear "Allow inheritable permissions from the parent to propagate to this object..." and click Remove.
7. Click OK, Yes, and OK.

Script method
For all supported 32-bit versions of Windows XP, run the following command from a command prompt:
cacls "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT" /E /P everyone:N
For all supported x64-based versions of Windows XP, run the following command from a command prompt:
cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT" /E /P everyone:N
For all supported 32-bit versions of Windows Vista and Windows Server 2008, run the following commands from a command prompt as an administrator:
takeown /f "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT"
icacls "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT" /save %TEMP%\EPSIMP32_ACL.TXT
icacls "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT" /deny everyone:(F)
For all supported x64-based versions of Windows Vista and Windows Server 2008, run the following commands from a command prompt as an administrator:
takeown /f "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT"
icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT" /save %TEMP%\EPSIMP32_ACL.TXT
icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT" /deny everyone:(F)

* Modify the access control list to deny all users access to PICTIM32.FLT

Registry method
1. Click Start, click Run, type regedit.exe, and then click OK.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Import\PICT
3. Note the value of Path. In Explorer, navigate to the PICTIM32.FLT file listed as the Path value.
4. Right-click the PICTIM32.FLT file and select Properties.
5. On the Security tab, click Advanced.
6. Clear "Allow inheritable permissions from the parent to propagate to this object..." and click Remove.
7. Click OK, Yes, and OK.

Script method
For all supported 32-bit versions of Windows XP, run the following command from a command prompt:
cacls "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT" /E /P everyone:N
For all supported x64-based versions of Windows XP, run the following command from a command prompt:
cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT" /E /P everyone:N
For all supported 32-bit versions of Windows Vista and Windows Server 2008, run the following commands from a command prompt as an administrator:
takeown /f "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT"
icacls "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT" /save %TEMP%\PICTIM32_ACL.TXT
icacls "%ProgramFiles%\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT" /deny everyone:(F)
For all supported x64-based versions of Windows Vista and Windows Server 2008, run the following commands from a command prompt as an administrator:
takeown /f "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT"
icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT" /save %TEMP%\PICTIM32_ACL.TXT
icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\GRPHFLT\PICTIM32.FLT" /deny everyone:(F)

* Do not open or save Microsoft Office files received from untrusted sources, or received unexpectedly from trusted sources.

Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS08-044) and the corresponding patch for this issue:
MS08-044: Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090)
Link: http://www.microsoft.com/technet/security/bulletin/MS08-044.mspx?pf=true
id: SSV:3867
last seen: 2017-11-19
modified: 2008-08-19
published: 2008-08-19
reporter: Root
title: Microsoft Office Malformed EPS/PICT Filter Remote Code Execution Vulnerability (MS08-044)