2003

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-119

critical

nessus

NVD

Published: 2009-05-12

Updated: 2018-10-12

Summary

Multiple stack-based buffer overflows in the PowerPoint 4.0 importer (PP4X32.DLL) in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allow remote attackers to execute arbitrary code via crafted formatting data for paragraphs in a file that uses a PowerPoint 4.0 native file format, related to (1) an incorrect calculation from a record header, or (2) an interget that is used to specify the number of bytes to copy, aka "Legacy File Format Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Office Powerpoint 2000 Microsoft Office Powerpoint 2002 Microsoft Office Powerpoint 2003	3

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Msbulletin

bulletin_id	MS09-017
bulletin_url
date	2009-05-12T00:00:00
impact	Remote Code Execution
knowledgebase_id	967340
knowledgebase_url
severity	Critical
title	Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS09-017.NASL
description	The remote Windows host is running a version of Microsoft PowerPoint, PowerPoint Viewer, or PowerPoint Converter that is affected by multiple vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted PowerPoint file, he could leverage these issues to execute arbitrary code subject to the user
last seen	2020-06-01
modified	2020-06-02
plugin id	38742
published	2009-05-13
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/38742
title	MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(38742); script_version("1.40"); script_cvs_date("Date: 2019/12/13"); script_cve_id( "CVE-2009-0220", "CVE-2009-0221", "CVE-2009-0222", "CVE-2009-0223", "CVE-2009-0224", "CVE-2009-0225", "CVE-2009-0226", "CVE-2009-0227", "CVE-2009-0556", "CVE-2009-1128", "CVE-2009-1129", "CVE-2009-1130", "CVE-2009-1131", "CVE-2009-1137" ); script_bugtraq_id( 34351, 34831, 34833, 34834, 34835, 34837, 34839, 34840, 34841, 34876, 34879, 34880, 34881, 34882 ); script_xref(name:"CERT", value:"627331"); script_xref(name:"MSFT", value:"MS09-017"); script_xref(name:"MSKB", value:"957781"); script_xref(name:"MSKB", value:"957784"); script_xref(name:"MSKB", value:"957789"); script_xref(name:"MSKB", value:"957790"); script_xref(name:"MSKB", value:"969615"); script_xref(name:"MSKB", value:"969618"); script_xref(name:"MSKB", value:"970059"); script_name(english:"MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)"); script_summary(english:"Checks version of PowerPoint"); script_set_attribute( attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through Microsoft PowerPoint." ); script_set_attribute( attribute:"description", value: "The remote Windows host is running a version of Microsoft PowerPoint, PowerPoint Viewer, or PowerPoint Converter that is affected by multiple vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted PowerPoint file, he could leverage these issues to execute arbitrary code subject to the user's privileges." ); # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-017 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?514f3bd5"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-019/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-020/"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for PowerPoint 2000, 2002, 2003, and 2007, PowerPoint Viewer 2003 and 2007, as well as the Microsoft Office Compatibility Pack." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(94, 119, 189); script_set_attribute(attribute:"vuln_publication_date", value:"2009/04/02"); script_set_attribute(attribute:"patch_publication_date", value:"2009/05/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("misc_func.inc"); include("audit.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-017'; kbs = make_list("957781", "957784", "957789", "957790", "969615", "969618", "970059"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); # PowerPoint. info = ""; pp_patched = FALSE; vuln = 0; kb = ""; installs = get_kb_list("SMB/Office/PowerPoint//ProductPath"); if (!isnull(installs)) { foreach install (keys(installs)) { version = install - 'SMB/Office/PowerPoint/' - '/ProductPath'; path = installs[install]; if (isnull(path)) path = "n/a"; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # PowerPoint 2007. if ( ver[0] == 12 && ver[1] == 0 && ( ver[2] < 6500 \|\| (ver[2] == 6500 && ver[3] < 5000) ) ) { office_sp = get_kb_item("SMB/Office/2007/SP"); if (!isnull(office_sp) && (office_sp == 1 \|\| office_sp == 2)) { vuln++; kb = "957789"; info = '\n Product : PowerPoint 2007' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 12.0.6500.5000\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } # PowerPoint 2003. else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8307) { office_sp = get_kb_item("SMB/Office/2003/SP"); if (!isnull(office_sp) && office_sp == 3) { vuln++; kb = "957784"; info = '\n Product : PowerPoint 2003' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 11.0.8307.0\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } # PowerPoint 2002. else if (ver[0] == 10 && ver[1] == 0 && ver[2] < 6853) { office_sp = get_kb_item("SMB/Office/XP/SP"); if (!isnull(office_sp) && office_sp == 3) { vuln++; kb = "957781"; info = '\n Product : PowerPoint 2002' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 10.0.6853.0\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } # PowerPoint 2000 - fixed in 9.0.0.8978 else if (ver[0] == 9 && ver[1] == 0 && ver[2] == 0 && ver[3] < 8978) { office_sp = get_kb_item("SMB/Office/2000/SP"); if (!isnull(office_sp) && office_sp == 3) { vuln++; kb = "957790"; info = '\n Product : PowerPoint 2000' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 9.0.0.8978\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } } } if (!vuln) pp_patched = TRUE; # PowerPoint Viewer. installs = get_kb_list("SMB/Office/PowerPointViewer//ProductPath"); if (!isnull(installs) && !pp_patched) { version = install - 'SMB/Office/PowerPointViewer/' - '/ProductPath'; path = installs[install]; if (isnull(path)) path = 'n/a'; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # PowerPoint Viewer 2007. if ( ver[0] == 12 && ver[1] == 0 && ( ver[2] < 6502 \|\| (ver[2] == 6502 && ver[3] < 5000) ) ) { vuln++; kb = "970059"; info = '\n Product : PowerPoint Viewer 2007' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 12.0.6502.5000\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } # Office PowerPoint Viewer 2003. else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8305) { kb = "969615"; info = '\n Product : Office PowerPoint Viewer 2003' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 11.0.8305.0\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } # PowerPoint Converter. installs = get_kb_list("SMB/Office/PowerPointCnv/*/ProductPath"); if (!isnull(installs)) { foreach install (keys(installs)) { version = install - 'SMB/Office/PowerPointCnv/' - '/ProductPath'; path = installs[install]; if (isnull(path)) path = 'n/a'; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # PowerPoint 2007 converter. if ( ver[0] == 12 && ver[1] == 0 && ( ver[2] < 6500 \|\| (ver[2] == 6500 && ver[3] < 5000) ) ) { vuln++; kb = "969618"; info = '\n Product : PowerPoint 2007 Converter' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 12.0.6500.5000\n'; hotfix_add_report(info, kb:kb, bulletin:bulletin); } } } if (vuln) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); exit(0); } else audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted

2012-05-28T04:01:56.462-04:00

class

vulnerability

contributors

name Kyle Key
organization Gideon Technologies, Inc.
name Brendan Miles
organization The MITRE Corporation
name Shane Shaffer
organization G2, Inc.

definition_extensions

comment Microsoft PowerPoint 2000 is installed
oval oval:org.mitre.oval:def:696
comment Microsoft PowerPoint 2002 is installed
oval oval:org.mitre.oval:def:305
comment Microsoft PowerPoint 2003 is installed
oval oval:org.mitre.oval:def:666

description

family

windows

oval:org.mitre.oval:def:5610

status

accepted

submitted

2009-05-12T09:28:00

title

Legacy File Format Vulnerability

version

Seebug

bulletinFamily	exploit
description	CVE-2009-0220 CVE-2009-0221 CVE-2009-0222 CVE-2009-0223 CVE-2009-0224 CVE-2009-0225 CVE-2009-0226 CVE-2009-0227 CVE-2009-1128 CVE-2009-1129 CVE-2009-1130 CVE-2009-1131 CVE-2009-1137 Microsoft PowerPoint存在多个安全漏洞，它可以被恶意利用。 1 ）两个边界错误处理某些原子可以被利用来造成基于堆栈的缓冲区溢出通过一个特制的PowerPoint文件。 2 ）时出现错误剖析段落格式的数据可以被用来腐败内存通过特制的PowerPoint 4.0文件。 3 ）一个整数溢出错误解析无效记录类型可以利用腐败的记忆通过特制的PowerPoint文件。 4 ）时发生错误解析名单记录可以被用来腐败内存通过特制的PowerPoint文件。 5 ）时发生错误解析某些畸形结构价值观可以利用腐败的记忆通过特制的PowerPoint文件。 6 ）多错误剖析声音数据时，可以利用腐败的记忆通过特制的PowerPoint 4.0和95个文件。成功利用这些漏洞允许执行任意代码。 Microsoft Office 2000 Microsoft Office 2003 Professional Edition Microsoft Office 2003 Small Business Edition Microsoft Office 2003 Standard Edition Microsoft Office 2003 Student and Teacher Edition Microsoft Office 2004 for Mac Microsoft Office 2007 Microsoft Office 2008 for Mac Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Microsoft Office PowerPoint 2007 Microsoft Office PowerPoint Viewer 2003 Microsoft Office PowerPoint Viewer 2007 Microsoft Office XP Microsoft Open XML File Format Converter for Mac Microsoft PowerPoint 2000 Microsoft PowerPoint 2002 Microsoft Powerpoint 2003 Microsoft Works 8.x Microsoft Works 9.x Microsoft Office PowerPoint 2000 SP3: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=f443312a-ac74-4ebc-a4ac-7a756aa67894" target="_blank">http://www.microsoft.com/downloads/de...=f443312a-ac74-4ebc-a4ac-7a756aa67894</a> Microsoft Office PowerPoint 2002 SP3: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=a24ec7ab-c1c7-4ddb-8b6e-107f1af67f49" target="_blank">http://www.microsoft.com/downloads/de...=a24ec7ab-c1c7-4ddb-8b6e-107f1af67f49</a> Microsoft Office PowerPoint 2003 SP3: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=ccfa978b-3340-40db-a45d-c880ba36b106" target="_blank">http://www.microsoft.com/downloads/de...=ccfa978b-3340-40db-a45d-c880ba36b106</a> Microsoft Office PowerPoint 2007 SP1: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=11f8380f-ffb6-4c22-a89c-3dc55d0f9834" target="_blank">http://www.microsoft.com/downloads/de...=11f8380f-ffb6-4c22-a89c-3dc55d0f9834</a> Microsoft Office PowerPoint 2007 SP2: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=11f8380f-ffb6-4c22-a89c-3dc55d0f9834" target="_blank">http://www.microsoft.com/downloads/de...=11f8380f-ffb6-4c22-a89c-3dc55d0f9834</a> Microsoft Office 2004 for Mac: According to the vendor, patches are still in development and will be released at a later stage. Microsoft Office 2008 for Mac: According to the vendor, patches are still in development and will be released at a later stage. Open XML File Format Converter for Mac: According to the vendor, patches are still in development and will be released at a later stage. PowerPoint Viewer 2003: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=6a57e6ed-bd24-406f-87bb-117391e083e0" target="_blank">http://www.microsoft.com/downloads/de...=6a57e6ed-bd24-406f-87bb-117391e083e0</a> PowerPoint Viewer 2007 SP1/SP2: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=141b8338-5c52-4326-a9e4-d2f2d8940d9c" target="_blank">http://www.microsoft.com/downloads/de...=141b8338-5c52-4326-a9e4-d2f2d8940d9c</a> Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=e1d3a4c3-538a-4f98-8d60-250803a80e2a" target="_blank">http://www.microsoft.com/downloads/de...=e1d3a4c3-538a-4f98-8d60-250803a80e2a</a> Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=e1d3a4c3-538a-4f98-8d60-250803a80e2a" target="_blank">http://www.microsoft.com/downloads/de...=e1d3a4c3-538a-4f98-8d60-250803a80e2a</a> Microsoft Works 8.5: According to the vendor, patches are still in development and will be released at a later stage. Microsoft Works 9.0: According to the vendor, patches are still in development and will be released at a later stage.<br><b>Provided and/or discovered by</b>:<br>1) Carsten Eiram, Secunia Research. 2) The vendor credits an anonymous person via VeriSign iDefense Labs. 3) The vendor credits Sean Larsson, VeriSign iDefense Labs. 4) The vendor credits Sean Larsson, VeriSign iDefense Labs. 5) The vendor credits Ling and Wushi, team509 via ZDI and Sean Larsson, VeriSign iDefense Labs. 6) The vendor credits: * Marsu Pilami, VeriSign iDefense Labs. * Nicolas Joly, Vupen. * An anonymous person via VeriSign iDefense Labs.<br><b>Original Advisory</b>:<br>MS09-017 (KB957781, KB957784, KB957789, KB957790, KB967340, KB969615, KB969618, KB970059): <a href="http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx" target="_blank">http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx</a>
id	SSV:11282
last seen	2017-11-19
modified	2009-05-13
published	2009-05-13
reporter	Root
title	Microsoft PowerPoint多个安全漏洞

bulletinFamily	exploit
description	BUGTRAQ ID: 34833 CVE(CAN) ID: CVE-2009-0220 Microsoft PowerPoint是微软Office套件中的文档演示工具。 PowerPoint的PP4X32.DLL库所提供的PowerPoint 4.0格式文件导入器中存在多个栈溢出漏洞。第一个溢出出现在从文件读取记录头的过程中：由于错误的计算了缓冲区大小，可能会导致溢出；第二个溢出出现在从文件读取记录数据的过程中：从文件读取的整数被用于控制拷贝到固定大小栈缓冲区的字节数，这也可能会导致溢出。 Microsoft PowerPoint 2003 SP3 Microsoft PowerPoint 2002 SP3 Microsoft PowerPoint 2000 SP3 临时解决方法： * 在PowerPoint 2000或2002中限制对pp4x322.dll的访问。在32位版本的Windows 2000、Windows XP和Windows Server 2003上，从命令提示符运行以下命令： for /F "tokens=" %G IN ('dir /b /s ^"%programfiles%\Microsoft Office\pp4x322.dll^"') DO cacls "%G" /E /P everyone:N 在64位版本的Windows XP和Windows Server 2003上，从命令提示符运行以下命令： for /F "tokens=" %G IN ('dir /b /s ^"%programfiles(x86)%\Microsoft Office\pp4x322.dll^"') DO cacls "%G" /E /P everyone:N 在32位版本的Windows Vista和Windows Server 2008上，从命令提示符运行以下命令： for /F "tokens=" %G IN ('dir /b /s ^"%programfiles%\Microsoft Office\pp4x322.dll^"') DO cacls "%G" /E /P everyone:N 在64位版本的Windows Vista和Windows Server 2008上，从命令提示符运行以下命令： for /F "tokens=" %G IN ('dir /b /s ^"%programfiles(x86)%\Microsoft Office\pp4x322.dll^"') DO cacls "%G" /E /P everyone:N 厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS09-017）以及相应补丁: MS09-017：Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340) 链接：<a href="http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx?pf=true" target="_blank" rel=external nofollow>http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx?pf=true</a>
id	SSV:11301
last seen	2017-11-19
modified	2009-05-15
published	2009-05-15
reporter	Root
title	Microsoft PowerPoint PP4X32.DLL库多个栈溢出漏洞（MS09-017）

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Msbulletin

Nessus

Oval

Seebug

References