Vulnerabilities > CVE-2009-1130 - Buffer Errors vulnerability in Microsoft Office and Office Powerpoint

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
microsoft
CWE-119
critical
nessus

Summary

Heap-based buffer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a crafted structure in a Notes container in a PowerPoint file that causes PowerPoint to read more data than was allocated when creating a C++ object, leading to an overwrite of a function pointer, aka "Heap Corruption Vulnerability."

Vulnerable Configurations

Part Description Count
Application
Microsoft
3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Msbulletin

bulletin_idMS09-017
bulletin_url
date2009-05-12T00:00:00
impactRemote Code Execution
knowledgebase_id967340
knowledgebase_url
severityCritical
titleVulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS09-017.NASL
descriptionThe remote Windows host is running a version of Microsoft PowerPoint, PowerPoint Viewer, or PowerPoint Converter that is affected by multiple vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted PowerPoint file, he could leverage these issues to execute arbitrary code subject to the user
last seen2020-06-01
modified2020-06-02
plugin id38742
published2009-05-13
reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/38742
titleMS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(38742);
  script_version("1.40");
  script_cvs_date("Date: 2019/12/13");

  script_cve_id(
    "CVE-2009-0220",
    "CVE-2009-0221",
    "CVE-2009-0222",
    "CVE-2009-0223",
    "CVE-2009-0224",
    "CVE-2009-0225",
    "CVE-2009-0226",
    "CVE-2009-0227",
    "CVE-2009-0556",
    "CVE-2009-1128",
    "CVE-2009-1129",
    "CVE-2009-1130",
    "CVE-2009-1131",
    "CVE-2009-1137"
  );
  script_bugtraq_id(
    34351,
    34831,
    34833,
    34834,
    34835,
    34837,
    34839,
    34840,
    34841,
    34876,
    34879,
    34880,
    34881,
    34882
  );
  script_xref(name:"CERT", value:"627331");
  script_xref(name:"MSFT", value:"MS09-017");
  script_xref(name:"MSKB", value:"957781");
  script_xref(name:"MSKB", value:"957784");
  script_xref(name:"MSKB", value:"957789");
  script_xref(name:"MSKB", value:"957790");
  script_xref(name:"MSKB", value:"969615");
  script_xref(name:"MSKB", value:"969618");
  script_xref(name:"MSKB", value:"970059");

  script_name(english:"MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)");
  script_summary(english:"Checks version of PowerPoint");

  script_set_attribute(
    attribute:"synopsis",
    value:
"Arbitrary code can be executed on the remote host through Microsoft
PowerPoint."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Windows host is running a version of Microsoft PowerPoint,
PowerPoint Viewer, or PowerPoint Converter that is affected by
multiple vulnerabilities.  If an attacker can trick a user on the
affected host into opening a specially crafted PowerPoint file, he
could leverage these issues to execute arbitrary code subject to the
user's privileges."
  );
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-017
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?514f3bd5");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-019/");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-020/");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for PowerPoint 2000, 2002,
2003, and 2007, PowerPoint Viewer 2003 and 2007, as well as the
Microsoft Office Compatibility Pack."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_cwe_id(94, 119, 189);

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/04/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/05/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("misc_func.inc");
include("audit.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-017';
kbs = make_list("957781", "957784", "957789", "957790", "969615", "969618", "970059");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


# PowerPoint.
info = "";
pp_patched = FALSE;
vuln = 0;
kb = "";
installs = get_kb_list("SMB/Office/PowerPoint/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/PowerPoint/' - '/ProductPath';
    path = installs[install];
    if (isnull(path)) path = "n/a";

    ver = split(version, sep:'.', keep:FALSE);
    for (i=0; i<max_index(ver); i++)
      ver[i] = int(ver[i]);

    # PowerPoint 2007.
    if (
      ver[0] == 12 && ver[1] == 0 &&
      (
        ver[2] < 6500 ||
        (ver[2] == 6500 && ver[3] < 5000)
      )
    )
    {
      office_sp = get_kb_item("SMB/Office/2007/SP");
      if (!isnull(office_sp) && (office_sp == 1 || office_sp == 2))
      {
        vuln++;
        kb = "957789";
        info =
          '\n  Product           : PowerPoint 2007' +
          '\n  File              : ' + path +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 12.0.6500.5000\n';
        hotfix_add_report(info, bulletin:bulletin, kb:kb);
      }
    }
    # PowerPoint 2003.
    else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8307)
    {
      office_sp = get_kb_item("SMB/Office/2003/SP");
      if (!isnull(office_sp) && office_sp == 3)
      {
        vuln++;
        kb = "957784";
        info =
          '\n  Product           : PowerPoint 2003' +
          '\n  File              : ' + path +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 11.0.8307.0\n';
        hotfix_add_report(info, bulletin:bulletin, kb:kb);
      }
    }
    # PowerPoint 2002.
    else if (ver[0] == 10 && ver[1] == 0 && ver[2] < 6853)
    {
      office_sp = get_kb_item("SMB/Office/XP/SP");
      if (!isnull(office_sp) && office_sp == 3)
      {
        vuln++;
        kb = "957781";
        info =
          '\n  Product           : PowerPoint 2002' +
          '\n  File              : ' + path +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 10.0.6853.0\n';
        hotfix_add_report(info, bulletin:bulletin, kb:kb);
      }
    }
    # PowerPoint 2000 - fixed in 9.0.0.8978
    else if (ver[0] == 9 && ver[1] == 0 && ver[2] == 0 && ver[3] < 8978)
    {
      office_sp = get_kb_item("SMB/Office/2000/SP");
      if (!isnull(office_sp) && office_sp == 3)
      {
        vuln++;
        kb = "957790";
        info =
          '\n  Product           : PowerPoint 2000' +
          '\n  File              : ' + path +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : 9.0.0.8978\n';
        hotfix_add_report(info, bulletin:bulletin, kb:kb);
      }
    }
  }
}
if (!vuln) pp_patched = TRUE;

# PowerPoint Viewer.
installs = get_kb_list("SMB/Office/PowerPointViewer/*/ProductPath");
if (!isnull(installs) && !pp_patched)
{
  version = install - 'SMB/Office/PowerPointViewer/' - '/ProductPath';
  path = installs[install];
  if (isnull(path)) path = 'n/a';

  ver = split(version, sep:'.', keep:FALSE);
  for (i=0; i<max_index(ver); i++)
    ver[i] = int(ver[i]);

  # PowerPoint Viewer 2007.
  if (
    ver[0] == 12 && ver[1] == 0 &&
    (
      ver[2] < 6502 ||
      (ver[2] == 6502 && ver[3] < 5000)
    )
  )
  {
    vuln++;
    kb = "970059";
    info =
      '\n  Product           : PowerPoint Viewer 2007' +
      '\n  File              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 12.0.6502.5000\n';
    hotfix_add_report(info, bulletin:bulletin, kb:kb);
  }
  # Office PowerPoint Viewer 2003.
  else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8305)
  {
    kb = "969615";
    info =
      '\n  Product           : Office PowerPoint Viewer 2003' +
      '\n  File              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 11.0.8305.0\n';
    hotfix_add_report(info, bulletin:bulletin, kb:kb);
  }
}

# PowerPoint Converter.
installs = get_kb_list("SMB/Office/PowerPointCnv/*/ProductPath");
if (!isnull(installs))
{
  foreach install (keys(installs))
  {
    version = install - 'SMB/Office/PowerPointCnv/' - '/ProductPath';
    path = installs[install];
    if (isnull(path)) path = 'n/a';

    ver = split(version, sep:'.', keep:FALSE);
    for (i=0; i<max_index(ver); i++)
      ver[i] = int(ver[i]);

    #  PowerPoint 2007 converter.
    if (
      ver[0] == 12 && ver[1] == 0 &&
      (
        ver[2] < 6500 ||
        (ver[2] == 6500 && ver[3] < 5000)
      )
    )
    {
      vuln++;
      kb = "969618";
      info =
        '\n  Product           : PowerPoint 2007 Converter' +
        '\n  File              : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : 12.0.6500.5000\n';
      hotfix_add_report(info, kb:kb, bulletin:bulletin);
    }
  }
}
if (vuln)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  exit(0);
}
else audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted2012-05-28T04:02:00.939-04:00
classvulnerability
contributors
  • nameT.J. Butler
    organizationGideon Technologies, Inc.
  • nameBrendan Miles
    organizationThe MITRE Corporation
  • nameShane Shaffer
    organizationG2, Inc.
definition_extensions
  • commentMicrosoft PowerPoint 2002 is installed
    ovaloval:org.mitre.oval:def:305
  • commentMicrosoft PowerPoint 2003 is installed
    ovaloval:org.mitre.oval:def:666
descriptionHeap-based buffer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a crafted structure in a Notes container in a PowerPoint file that causes PowerPoint to read more data than was allocated when creating a C++ object, leading to an overwrite of a function pointer, aka "Heap Corruption Vulnerability."
familywindows
idoval:org.mitre.oval:def:5961
statusaccepted
submitted2009-05-12T09:28:00
titleHeap Corruption Vulnerability
version4

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 34840 CVE(CAN) ID: CVE-2009-1130 Microsoft PowerPoint是微软Office套件中的文档演示工具。 PowerPoint在解析Notes容器中某些结构时存在堆溢出漏洞。在读取Notes容器传播C++对象过程中,Powerpoint对为覆盖对象函数指针所分配内存错误的读取了过多的数据,之后在mso.dll的调用中使用。通过向容器中注入超长值,就可以触发堆溢出。 Microsoft Office 2004 for Mac Microsoft PowerPoint 2003 SP3 Microsoft PowerPoint 2002 SP3 临时解决方法: * 在打开未知或不可信任来源的文件时,使用Microsoft Office隔离转换环境(MOICE)。 * 使用Microsoft Office文件阻断策略以防止打开未知或不可信任来源的Office2003及更早版本的文档。可使用以下注册表脚本为Office 2003设置文件阻断策略: Office 2003 Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock] &quot;BinaryFiles&quot;=dword:00000001 * 不要打开或保存从不受信任来源或从受信任来源意外收到的Microsoft Office文件。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-017)以及相应补丁: MS09-017:Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340) 链接:<a href="http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx?pf=true" target="_blank" rel=external nofollow>http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx?pf=true</a>
    idSSV:11306
    last seen2017-11-19
    modified2009-05-15
    published2009-05-15
    reporterRoot
    titleMicrosoft PowerPoint Notes容器堆溢出漏洞(MS09-017)
  • bulletinFamilyexploit
    descriptionCVE-2009-0220 CVE-2009-0221 CVE-2009-0222 CVE-2009-0223 CVE-2009-0224 CVE-2009-0225 CVE-2009-0226 CVE-2009-0227 CVE-2009-1128 CVE-2009-1129 CVE-2009-1130 CVE-2009-1131 CVE-2009-1137 Microsoft PowerPoint存在多个安全漏洞,它可以被恶意利用。 1 )两个边界错误处理某些原子可以被利用来造成基于堆栈的缓冲区溢出通过一个特制的PowerPoint文件。 2 )时出现错误剖析段落格式的数据可以被用来腐败内存通过特制的PowerPoint 4.0文件。 3 )一个整数溢出错误解析无效记录类型可以利用腐败的记忆通过特制的PowerPoint文件。 4 )时发生错误解析名单记录可以被用来腐败内存通过特制的PowerPoint文件。 5 )时发生错误解析某些畸形结构价值观可以利用腐败的记忆通过特制的PowerPoint文件。 6 )多错误剖析声音数据时,可以利用腐败的记忆通过特制的PowerPoint 4.0和95个文件。 成功利用这些漏洞允许执行任意代码。 Microsoft Office 2000 Microsoft Office 2003 Professional Edition Microsoft Office 2003 Small Business Edition Microsoft Office 2003 Standard Edition Microsoft Office 2003 Student and Teacher Edition Microsoft Office 2004 for Mac Microsoft Office 2007 Microsoft Office 2008 for Mac Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Microsoft Office PowerPoint 2007 Microsoft Office PowerPoint Viewer 2003 Microsoft Office PowerPoint Viewer 2007 Microsoft Office XP Microsoft Open XML File Format Converter for Mac Microsoft PowerPoint 2000 Microsoft PowerPoint 2002 Microsoft Powerpoint 2003 Microsoft Works 8.x Microsoft Works 9.x Microsoft Office PowerPoint 2000 SP3: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=f443312a-ac74-4ebc-a4ac-7a756aa67894" target="_blank">http://www.microsoft.com/downloads/de...=f443312a-ac74-4ebc-a4ac-7a756aa67894</a> Microsoft Office PowerPoint 2002 SP3: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=a24ec7ab-c1c7-4ddb-8b6e-107f1af67f49" target="_blank">http://www.microsoft.com/downloads/de...=a24ec7ab-c1c7-4ddb-8b6e-107f1af67f49</a> Microsoft Office PowerPoint 2003 SP3: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=ccfa978b-3340-40db-a45d-c880ba36b106" target="_blank">http://www.microsoft.com/downloads/de...=ccfa978b-3340-40db-a45d-c880ba36b106</a> Microsoft Office PowerPoint 2007 SP1: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=11f8380f-ffb6-4c22-a89c-3dc55d0f9834" target="_blank">http://www.microsoft.com/downloads/de...=11f8380f-ffb6-4c22-a89c-3dc55d0f9834</a> Microsoft Office PowerPoint 2007 SP2: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=11f8380f-ffb6-4c22-a89c-3dc55d0f9834" target="_blank">http://www.microsoft.com/downloads/de...=11f8380f-ffb6-4c22-a89c-3dc55d0f9834</a> Microsoft Office 2004 for Mac: According to the vendor, patches are still in development and will be released at a later stage. Microsoft Office 2008 for Mac: According to the vendor, patches are still in development and will be released at a later stage. Open XML File Format Converter for Mac: According to the vendor, patches are still in development and will be released at a later stage. PowerPoint Viewer 2003: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=6a57e6ed-bd24-406f-87bb-117391e083e0" target="_blank">http://www.microsoft.com/downloads/de...=6a57e6ed-bd24-406f-87bb-117391e083e0</a> PowerPoint Viewer 2007 SP1/SP2: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=141b8338-5c52-4326-a9e4-d2f2d8940d9c" target="_blank">http://www.microsoft.com/downloads/de...=141b8338-5c52-4326-a9e4-d2f2d8940d9c</a> Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=e1d3a4c3-538a-4f98-8d60-250803a80e2a" target="_blank">http://www.microsoft.com/downloads/de...=e1d3a4c3-538a-4f98-8d60-250803a80e2a</a> Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=e1d3a4c3-538a-4f98-8d60-250803a80e2a" target="_blank">http://www.microsoft.com/downloads/de...=e1d3a4c3-538a-4f98-8d60-250803a80e2a</a> Microsoft Works 8.5: According to the vendor, patches are still in development and will be released at a later stage. Microsoft Works 9.0: According to the vendor, patches are still in development and will be released at a later stage.<br><b>Provided and/or discovered by</b>:<br>1) Carsten Eiram, Secunia Research. 2) The vendor credits an anonymous person via VeriSign iDefense Labs. 3) The vendor credits Sean Larsson, VeriSign iDefense Labs. 4) The vendor credits Sean Larsson, VeriSign iDefense Labs. 5) The vendor credits Ling and Wushi, team509 via ZDI and Sean Larsson, VeriSign iDefense Labs. 6) The vendor credits: * Marsu Pilami, VeriSign iDefense Labs. * Nicolas Joly, Vupen. * An anonymous person via VeriSign iDefense Labs.<br><b>Original Advisory</b>:<br>MS09-017 (KB957781, KB957784, KB957789, KB957790, KB967340, KB969615, KB969618, KB970059): <a href="http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx" target="_blank">http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx</a>
    idSSV:11282
    last seen2017-11-19
    modified2009-05-13
    published2009-05-13
    reporterRoot
    titleMicrosoft PowerPoint多个安全漏洞