Vulnerabilities > CVE-2008-4841 - Unspecified vulnerability in Microsoft Wordpad Unknown

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

microsoft

nessus

exploit available

NVD

Published: 2008-12-10

Updated: 2024-11-21

Summary

The WordPad Text Converter for Word 97 files in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008. NOTE: As of 20081210, it is unclear whether this vulnerability is related to a WordPad issue disclosed on 20080925 with a 2008-crash.doc.rar example, but there are insufficient details to be sure.

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Wordpad * Microsoft Wordpad Unknown	2
OS	Microsoft Microsoft Windows 2000 * Microsoft Windows Server 2003 * Microsoft Windows XP *	4

Exploit-Db

description	MS Windows Wordpad .doc File Local Denial of Service PoC. CVE-2008-4841,CVE-2009-0259. Dos exploit for windows platform
file	exploits/windows/dos/6560.txt
id	EDB-ID:6560
last seen	2016-02-01
modified	2008-09-25
platform	windows
port
published	2008-09-25
reporter	securfrog
source	https://www.exploit-db.com/download/6560/
title	Microsoft Windows Wordpad - .doc File Local Denial of Service PoC
type	dos

Msbulletin

bulletin_id	MS09-010
bulletin_url
date	2009-04-14T00:00:00
impact	Remote Code Execution
knowledgebase_id	960477
knowledgebase_url
severity	Critical
title	Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS09-010.NASL
description	The remote host contains a version of the Microsoft WordPad and/or Microsoft Office text converters that could allow remote code execution if a specially crafted file is opened.
last seen	2020-06-01
modified	2020-06-02
plugin id	36148
published	2009-04-15
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/36148
title	MS09-010: Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(36148); script_version("1.32"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id( "CVE-2008-4841", "CVE-2009-0087", "CVE-2009-0088", "CVE-2009-0235" ); script_bugtraq_id(29769, 32718, 34469, 34470); script_xref(name:"IAVA", value:"2009-A-0032"); script_xref(name:"MSFT", value:"MS09-010"); script_xref(name:"MSKB", value:"921606"); script_xref(name:"MSKB", value:"923561"); script_xref(name:"MSKB", value:"933399"); script_xref(name:"MSKB", value:"960476"); script_xref(name:"EDB-ID", value:"6560"); script_name(english:"MS09-010: Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)"); script_summary(english:"Checks for the presence of update 960477"); script_set_attribute(attribute:"synopsis", value: "It is possible to execute arbitrary code on the remote Windows host using a text converter."); script_set_attribute(attribute:"description", value: "The remote host contains a version of the Microsoft WordPad and/or Microsoft Office text converters that could allow remote code execution if a specially crafted file is opened."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-010"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Office 2000 and XP as well as the Office 2003 File Converter Pack."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(20, 119, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2008/12/09"); script_set_attribute(attribute:"patch_publication_date", value:"2009/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_converter_pack"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-010'; kbs = make_list("921606", "923561", "933399", "960476"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); path = hotfix_get_programfilesdir() + "\Windows NT\Accessories"; share = hotfix_path2share(path:path); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); vuln = 0; if ( # Windows 2003 hotfix_is_vulnerable(os:"5.2", file:"Mswrd8.wpc", version:"10.0.803.10", path:path, bulletin:bulletin, kb:"923561") \|\| # Windows XP hotfix_is_vulnerable(os:"5.1", file:"Mswrd8.wpc", version:"10.0.803.10", path:path, bulletin:bulletin, kb:"923561") \|\| # Windows 2000 hotfix_is_vulnerable(os:"5.0", file:"Mswrd8.wpc", version:"10.0.803.10", path:path, bulletin:bulletin, kb:"923561") ) vuln++; office_versions = hotfix_check_office_version(); if ( office_versions["10.0"] \|\| office_versions["9.0"] ) { path = hotfix_get_commonfilesdir() + "\Microsoft Shared\TextConv"; share = hotfix_path2share(path:path); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"5.2", file:"Msconv97.dll", version:"2003.1100.8202.0", path:path, bulletin:bulletin, kb:"960476") \|\| hotfix_is_vulnerable(os:"5.1", file:"Msconv97.dll", version:"2003.1100.8202.0", path:path, bulletin:bulletin, kb:"933399") \|\| hotfix_is_vulnerable(os:"5.0", file:"Msconv97.dll", version:"2003.1100.8202.0", path:path, bulletin:bulletin, kb:"921606") ) vuln++; } if (vuln) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2014-06-30T04:11:13.782-04:00

class

vulnerability

contributors

name Dragos Prisaca
organization Gideon Technologies, Inc.
name Brendan Miles
organization The MITRE Corporation
name Josh Turpin
organization Symantec Corporation
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows XP (x86) SP2 is installed
oval oval:org.mitre.oval:def:754
comment Microsoft Windows XP (x86) SP3 is installed
oval oval:org.mitre.oval:def:5631
comment Microsoft Windows XP Professional x64 Edition SP1 is installed
oval oval:org.mitre.oval:def:720
comment Microsoft Windows Server 2003 SP1 (x64) is installed
oval oval:org.mitre.oval:def:4386
comment Microsoft Windows Server 2003 SP1 (x86) is installed
oval oval:org.mitre.oval:def:565
comment Microsoft Windows Server 2003 SP1 for Itanium is installed
oval oval:org.mitre.oval:def:1205
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442

description

family

windows

oval:org.mitre.oval:def:6050

status

accepted

submitted

2009-04-14T16:00:00

title

WordPad Word 97 Text Converter Stack Overflow Vulnerability

version

Saint

bid	32718
description	Microsoft WordPad Word 97 text converter XST buffer overflow
id	win_patch_word97
osvdb	50567
title	ms_wordpad_word97_conv_xst
type	client

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 32718 CVE(CAN) ID: CVE-2008-4841 写字板是Windows操作系统中附件所提供的简单文本编辑工具。对于没有安装Word的用户，可以使用写字板的文本转换器来打开.doc格式文档。如果用户使用转换器打开了特制的.doc、.wri或.rtf格式文档的话，就可能触发内存破坏，导致执行任意代码。目前这个漏洞正在被积极的利用。 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows 2000SP4 Microsoft --------- 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本： <a href=http://www.microsoft.com/technet/security/ target=_blank>http://www.microsoft.com/technet/security/</a>
id	SSV:4559
last seen	2017-11-19
modified	2008-12-11
published	2008-12-11
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-4559
title	Microsoft写字板文件转换器远程代码执行漏洞

Summary

Vulnerable Configurations

Exploit-Db

Msbulletin

Nessus

Oval

Saint

Seebug

References