Vulnerabilities > CVE-2009-0087 - Unspecified vulnerability in Microsoft products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
critical
nessus
NVD
Published: 2009-04-15
Updated: 2018-10-30

Summary

Unspecified vulnerability in the Word 6 text converter in WordPad in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and the Word 6 text converter in Microsoft Office Word 2000 SP3 and 2002 SP3; allows remote attackers to execute arbitrary code via a crafted Word 6 file that contains malformed data, aka "WordPad and Office Text Converter Memory Corruption Vulnerability."

Vulnerable Configurations

Part Description Count
Application
Microsoft
2
OS
Microsoft
11

Msbulletin

bulletin_idMS09-010
bulletin_url
date2009-04-14T00:00:00
impactRemote Code Execution
knowledgebase_id960477
knowledgebase_url
severityCritical
titleVulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS09-010.NASL
descriptionThe remote host contains a version of the Microsoft WordPad and/or Microsoft Office text converters that could allow remote code execution if a specially crafted file is opened.
last seen2020-06-01
modified2020-06-02
plugin id36148
published2009-04-15
reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/36148
titleMS09-010: Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(36148);
  script_version("1.32");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id(
    "CVE-2008-4841",
    "CVE-2009-0087",
    "CVE-2009-0088",
    "CVE-2009-0235"
  );
  script_bugtraq_id(29769, 32718, 34469, 34470);
  script_xref(name:"IAVA", value:"2009-A-0032");
  script_xref(name:"MSFT", value:"MS09-010");
  script_xref(name:"MSKB", value:"921606");
  script_xref(name:"MSKB", value:"923561");
  script_xref(name:"MSKB", value:"933399");
  script_xref(name:"MSKB", value:"960476");
  script_xref(name:"EDB-ID", value:"6560");

  script_name(english:"MS09-010: Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)");
  script_summary(english:"Checks for the presence of update 960477");

  script_set_attribute(attribute:"synopsis", value:
"It is possible to execute arbitrary code on the remote Windows host
using a text converter.");
  script_set_attribute(attribute:"description", value:
"The remote host contains a version of the Microsoft WordPad and/or
Microsoft Office text converters that could allow remote code execution
if a specially crafted file is opened.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-010");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Office 2000 and XP as well
as the Office 2003 File Converter Pack.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(20, 119, 399);

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/12/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_converter_pack");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-010';

kbs = make_list("921606", "923561", "933399", "960476");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'1,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

path = hotfix_get_programfilesdir() + "\Windows NT\Accessories";

share = hotfix_path2share(path:path);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

vuln = 0;

if (
  # Windows 2003
  hotfix_is_vulnerable(os:"5.2", file:"Mswrd8.wpc", version:"10.0.803.10", path:path, bulletin:bulletin, kb:"923561") ||

  # Windows XP
  hotfix_is_vulnerable(os:"5.1", file:"Mswrd8.wpc", version:"10.0.803.10", path:path, bulletin:bulletin, kb:"923561") ||

  # Windows 2000
  hotfix_is_vulnerable(os:"5.0", file:"Mswrd8.wpc", version:"10.0.803.10", path:path, bulletin:bulletin, kb:"923561")
) vuln++;


office_versions = hotfix_check_office_version();
if ( office_versions["10.0"] || office_versions["9.0"] )
{
  path = hotfix_get_commonfilesdir() + "\Microsoft Shared\TextConv";
  share = hotfix_path2share(path:path);
  if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

  if (
     hotfix_is_vulnerable(os:"5.2", file:"Msconv97.dll", version:"2003.1100.8202.0", path:path, bulletin:bulletin, kb:"960476") ||
     hotfix_is_vulnerable(os:"5.1", file:"Msconv97.dll", version:"2003.1100.8202.0", path:path, bulletin:bulletin, kb:"933399") ||
     hotfix_is_vulnerable(os:"5.0", file:"Msconv97.dll", version:"2003.1100.8202.0", path:path, bulletin:bulletin, kb:"921606")
  ) vuln++;
}

if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2014-06-30T04:11:06.178-04:00
classvulnerability
contributors
  • nameDragos Prisaca
    organizationGideon Technologies, Inc.
  • nameBrendan Miles
    organizationThe MITRE Corporation
  • nameJ. Daniel Brown
    organizationDTCC
  • nameJosh Turpin
    organizationSymantec Corporation
  • nameDragos Prisaca
    organizationG2, Inc.
  • nameMaria Mikhno
    organizationALTX-SOFT
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP (x86) SP2 is installed
    ovaloval:org.mitre.oval:def:754
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows XP Professional x64 Edition SP1 is installed
    ovaloval:org.mitre.oval:def:720
  • commentMicrosoft Windows Server 2003 SP1 (x64) is installed
    ovaloval:org.mitre.oval:def:4386
  • commentMicrosoft Windows Server 2003 SP1 (x86) is installed
    ovaloval:org.mitre.oval:def:565
  • commentMicrosoft Windows Server 2003 SP1 for Itanium is installed
    ovaloval:org.mitre.oval:def:1205
  • commentMicrosoft Windows XP x64 Edition SP2 is installed
    ovaloval:org.mitre.oval:def:4193
  • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
    ovaloval:org.mitre.oval:def:2161
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
    ovaloval:org.mitre.oval:def:1442
  • commentMicrosoft Word 2000 is installed
    ovaloval:org.mitre.oval:def:455
  • commentMicrosoft Word 2002 is installed
    ovaloval:org.mitre.oval:def:973
descriptionUnspecified vulnerability in the Word 6 text converter in WordPad in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and the Word 6 text converter in Microsoft Office Word 2000 SP3 and 2002 SP3; allows remote attackers to execute arbitrary code via a crafted Word 6 file that contains malformed data, aka "WordPad and Office Text Converter Memory Corruption Vulnerability."
familywindows
idoval:org.mitre.oval:def:5799
statusaccepted
submitted2009-04-14T16:00:00
titleWordPad and Office Text Converter Memory Corruption Vulnerability
version31

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 29769 CVE(CAN) ID: CVE-2009-0087 写字板是Windows操作系统中附件所提供的简单文本编辑工具。 如果用户打开了包含有畸形数据的特制Word 6文件的话,写字板和Microsoft Office中的内存破坏漏洞可能导致执行任意代码。 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows 2000SP4 Microsoft Word 2002 SP3 Microsoft Word 2000 SP3 临时解决方法: * 不要使用受影响版本的写字板或Microsoft Office打开或保持从不可信任来源接收到的或从可信任来源意外接收到的Microsoft Office文件。 * 通过限制访问禁用Word 6转换器: echo y| cacls &quot;%ProgramFiles%\Windows NT\Accessories\mswrd6.wpc&quot; /E /P everyone:N echo y| cacls &quot;%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd632.wpc&quot; /E /P everyone:N echo y| cacls &quot;%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd632.cnv&quot; /E /P everyone:N echo y| cacls &quot;%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd632.wpc&quot; /E /P everyone:N echo y| cacls &quot;%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd632.cnv&quot; /E /P everyone:N echo y| cacls &quot;%ProgramFiles%\Windows NT\Accessories\mswrd664.wpc&quot; /E /P everyone:N echo y| cacls &quot;%ProgramFiles(x86)%\Windows NT\Accessories\mswrd6.wpc&quot; /E /P everyone:N 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-010)以及相应补丁: MS09-010:Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477) 链接:<a href=http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx?pf=true target=_blank rel=external nofollow>http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx?pf=true</a>
idSSV:5103
last seen2017-11-19
modified2009-04-25
published2009-04-25
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-5103
titleMicrosoft写字板和Office文本转换器内存破坏漏洞(MS09-010)

References