Vulnerabilities > CVE-2009-1130 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Office and Office Powerpoint

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

microsoft

CWE-119

nessus

NVD

Published: 2009-05-12

Updated: 2024-11-21

Summary

Heap-based buffer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a crafted structure in a Notes container in a PowerPoint file that causes PowerPoint to read more data than was allocated when creating a C++ object, leading to an overwrite of a function pointer, aka "Heap Corruption Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Office Powerpoint 2003 Microsoft Office Powerpoint 2002 Microsoft Office 2004	3

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Msbulletin

bulletin_id	MS09-017
bulletin_url
date	2009-05-12T00:00:00
impact	Remote Code Execution
knowledgebase_id	967340
knowledgebase_url
severity	Critical
title	Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS09-017.NASL
description	The remote Windows host is running a version of Microsoft PowerPoint, PowerPoint Viewer, or PowerPoint Converter that is affected by multiple vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted PowerPoint file, he could leverage these issues to execute arbitrary code subject to the user
last seen	2020-06-01
modified	2020-06-02
plugin id	38742
published	2009-05-13
reporter	This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/38742
title	MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(38742); script_version("1.40"); script_cvs_date("Date: 2019/12/13"); script_cve_id( "CVE-2009-0220", "CVE-2009-0221", "CVE-2009-0222", "CVE-2009-0223", "CVE-2009-0224", "CVE-2009-0225", "CVE-2009-0226", "CVE-2009-0227", "CVE-2009-0556", "CVE-2009-1128", "CVE-2009-1129", "CVE-2009-1130", "CVE-2009-1131", "CVE-2009-1137" ); script_bugtraq_id( 34351, 34831, 34833, 34834, 34835, 34837, 34839, 34840, 34841, 34876, 34879, 34880, 34881, 34882 ); script_xref(name:"CERT", value:"627331"); script_xref(name:"MSFT", value:"MS09-017"); script_xref(name:"MSKB", value:"957781"); script_xref(name:"MSKB", value:"957784"); script_xref(name:"MSKB", value:"957789"); script_xref(name:"MSKB", value:"957790"); script_xref(name:"MSKB", value:"969615"); script_xref(name:"MSKB", value:"969618"); script_xref(name:"MSKB", value:"970059"); script_name(english:"MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340)"); script_summary(english:"Checks version of PowerPoint"); script_set_attribute( attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through Microsoft PowerPoint." ); script_set_attribute( attribute:"description", value: "The remote Windows host is running a version of Microsoft PowerPoint, PowerPoint Viewer, or PowerPoint Converter that is affected by multiple vulnerabilities. If an attacker can trick a user on the affected host into opening a specially crafted PowerPoint file, he could leverage these issues to execute arbitrary code subject to the user's privileges." ); # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-017 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?514f3bd5"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-019/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-09-020/"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for PowerPoint 2000, 2002, 2003, and 2007, PowerPoint Viewer 2003 and 2007, as well as the Microsoft Office Compatibility Pack." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(94, 119, 189); script_set_attribute(attribute:"vuln_publication_date", value:"2009/04/02"); script_set_attribute(attribute:"patch_publication_date", value:"2009/05/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("misc_func.inc"); include("audit.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-017'; kbs = make_list("957781", "957784", "957789", "957790", "969615", "969618", "970059"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); # PowerPoint. info = ""; pp_patched = FALSE; vuln = 0; kb = ""; installs = get_kb_list("SMB/Office/PowerPoint//ProductPath"); if (!isnull(installs)) { foreach install (keys(installs)) { version = install - 'SMB/Office/PowerPoint/' - '/ProductPath'; path = installs[install]; if (isnull(path)) path = "n/a"; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # PowerPoint 2007. if ( ver[0] == 12 && ver[1] == 0 && ( ver[2] < 6500 \|\| (ver[2] == 6500 && ver[3] < 5000) ) ) { office_sp = get_kb_item("SMB/Office/2007/SP"); if (!isnull(office_sp) && (office_sp == 1 \|\| office_sp == 2)) { vuln++; kb = "957789"; info = '\n Product : PowerPoint 2007' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 12.0.6500.5000\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } # PowerPoint 2003. else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8307) { office_sp = get_kb_item("SMB/Office/2003/SP"); if (!isnull(office_sp) && office_sp == 3) { vuln++; kb = "957784"; info = '\n Product : PowerPoint 2003' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 11.0.8307.0\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } # PowerPoint 2002. else if (ver[0] == 10 && ver[1] == 0 && ver[2] < 6853) { office_sp = get_kb_item("SMB/Office/XP/SP"); if (!isnull(office_sp) && office_sp == 3) { vuln++; kb = "957781"; info = '\n Product : PowerPoint 2002' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 10.0.6853.0\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } # PowerPoint 2000 - fixed in 9.0.0.8978 else if (ver[0] == 9 && ver[1] == 0 && ver[2] == 0 && ver[3] < 8978) { office_sp = get_kb_item("SMB/Office/2000/SP"); if (!isnull(office_sp) && office_sp == 3) { vuln++; kb = "957790"; info = '\n Product : PowerPoint 2000' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 9.0.0.8978\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } } } if (!vuln) pp_patched = TRUE; # PowerPoint Viewer. installs = get_kb_list("SMB/Office/PowerPointViewer//ProductPath"); if (!isnull(installs) && !pp_patched) { version = install - 'SMB/Office/PowerPointViewer/' - '/ProductPath'; path = installs[install]; if (isnull(path)) path = 'n/a'; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # PowerPoint Viewer 2007. if ( ver[0] == 12 && ver[1] == 0 && ( ver[2] < 6502 \|\| (ver[2] == 6502 && ver[3] < 5000) ) ) { vuln++; kb = "970059"; info = '\n Product : PowerPoint Viewer 2007' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 12.0.6502.5000\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } # Office PowerPoint Viewer 2003. else if (ver[0] == 11 && ver[1] == 0 && ver[2] < 8305) { kb = "969615"; info = '\n Product : Office PowerPoint Viewer 2003' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 11.0.8305.0\n'; hotfix_add_report(info, bulletin:bulletin, kb:kb); } } # PowerPoint Converter. installs = get_kb_list("SMB/Office/PowerPointCnv/*/ProductPath"); if (!isnull(installs)) { foreach install (keys(installs)) { version = install - 'SMB/Office/PowerPointCnv/' - '/ProductPath'; path = installs[install]; if (isnull(path)) path = 'n/a'; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # PowerPoint 2007 converter. if ( ver[0] == 12 && ver[1] == 0 && ( ver[2] < 6500 \|\| (ver[2] == 6500 && ver[3] < 5000) ) ) { vuln++; kb = "969618"; info = '\n Product : PowerPoint 2007 Converter' + '\n File : ' + path + '\n Installed version : ' + version + '\n Fixed version : 12.0.6500.5000\n'; hotfix_add_report(info, kb:kb, bulletin:bulletin); } } } if (vuln) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); exit(0); } else audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted

2012-05-28T04:02:00.939-04:00

class

vulnerability

contributors

name T.J. Butler
organization Gideon Technologies, Inc.
name Brendan Miles
organization The MITRE Corporation
name Shane Shaffer
organization G2, Inc.

definition_extensions

comment Microsoft PowerPoint 2002 is installed
oval oval:org.mitre.oval:def:305
comment Microsoft PowerPoint 2003 is installed
oval oval:org.mitre.oval:def:666

description

family

windows

oval:org.mitre.oval:def:5961

status

accepted

submitted

2009-05-12T09:28:00

title

Heap Corruption Vulnerability

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 34840 CVE(CAN) ID: CVE-2009-1130 Microsoft PowerPoint是微软Office套件中的文档演示工具。 PowerPoint在解析Notes容器中某些结构时存在堆溢出漏洞。在读取Notes容器传播C++对象过程中，Powerpoint对为覆盖对象函数指针所分配内存错误的读取了过多的数据，之后在mso.dll的调用中使用。通过向容器中注入超长值，就可以触发堆溢出。 Microsoft Office 2004 for Mac Microsoft PowerPoint 2003 SP3 Microsoft PowerPoint 2002 SP3 临时解决方法： * 在打开未知或不可信任来源的文件时，使用Microsoft Office隔离转换环境（MOICE）。 * 使用Microsoft Office文件阻断策略以防止打开未知或不可信任来源的Office2003及更早版本的文档。可使用以下注册表脚本为Office 2003设置文件阻断策略： Office 2003 Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock] "BinaryFiles"=dword:00000001 * 不要打开或保存从不受信任来源或从受信任来源意外收到的Microsoft Office文件。厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS09-017）以及相应补丁: MS09-017：Vulnerabilities in Microsoft Office PowerPoint Could Allow Remote Code Execution (967340) 链接：<a href="http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx?pf=true" target="_blank" rel=external nofollow>http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx?pf=true</a>
id	SSV:11306
last seen	2017-11-19
modified	2009-05-15
published	2009-05-15
reporter	Root
title	Microsoft PowerPoint Notes容器堆溢出漏洞（MS09-017）

bulletinFamily	exploit
description	CVE-2009-0220 CVE-2009-0221 CVE-2009-0222 CVE-2009-0223 CVE-2009-0224 CVE-2009-0225 CVE-2009-0226 CVE-2009-0227 CVE-2009-1128 CVE-2009-1129 CVE-2009-1130 CVE-2009-1131 CVE-2009-1137 Microsoft PowerPoint存在多个安全漏洞，它可以被恶意利用。 1 ）两个边界错误处理某些原子可以被利用来造成基于堆栈的缓冲区溢出通过一个特制的PowerPoint文件。 2 ）时出现错误剖析段落格式的数据可以被用来腐败内存通过特制的PowerPoint 4.0文件。 3 ）一个整数溢出错误解析无效记录类型可以利用腐败的记忆通过特制的PowerPoint文件。 4 ）时发生错误解析名单记录可以被用来腐败内存通过特制的PowerPoint文件。 5 ）时发生错误解析某些畸形结构价值观可以利用腐败的记忆通过特制的PowerPoint文件。 6 ）多错误剖析声音数据时，可以利用腐败的记忆通过特制的PowerPoint 4.0和95个文件。成功利用这些漏洞允许执行任意代码。 Microsoft Office 2000 Microsoft Office 2003 Professional Edition Microsoft Office 2003 Small Business Edition Microsoft Office 2003 Standard Edition Microsoft Office 2003 Student and Teacher Edition Microsoft Office 2004 for Mac Microsoft Office 2007 Microsoft Office 2008 for Mac Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Microsoft Office PowerPoint 2007 Microsoft Office PowerPoint Viewer 2003 Microsoft Office PowerPoint Viewer 2007 Microsoft Office XP Microsoft Open XML File Format Converter for Mac Microsoft PowerPoint 2000 Microsoft PowerPoint 2002 Microsoft Powerpoint 2003 Microsoft Works 8.x Microsoft Works 9.x Microsoft Office PowerPoint 2000 SP3: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=f443312a-ac74-4ebc-a4ac-7a756aa67894" target="_blank">http://www.microsoft.com/downloads/de...=f443312a-ac74-4ebc-a4ac-7a756aa67894</a> Microsoft Office PowerPoint 2002 SP3: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=a24ec7ab-c1c7-4ddb-8b6e-107f1af67f49" target="_blank">http://www.microsoft.com/downloads/de...=a24ec7ab-c1c7-4ddb-8b6e-107f1af67f49</a> Microsoft Office PowerPoint 2003 SP3: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=ccfa978b-3340-40db-a45d-c880ba36b106" target="_blank">http://www.microsoft.com/downloads/de...=ccfa978b-3340-40db-a45d-c880ba36b106</a> Microsoft Office PowerPoint 2007 SP1: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=11f8380f-ffb6-4c22-a89c-3dc55d0f9834" target="_blank">http://www.microsoft.com/downloads/de...=11f8380f-ffb6-4c22-a89c-3dc55d0f9834</a> Microsoft Office PowerPoint 2007 SP2: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=11f8380f-ffb6-4c22-a89c-3dc55d0f9834" target="_blank">http://www.microsoft.com/downloads/de...=11f8380f-ffb6-4c22-a89c-3dc55d0f9834</a> Microsoft Office 2004 for Mac: According to the vendor, patches are still in development and will be released at a later stage. Microsoft Office 2008 for Mac: According to the vendor, patches are still in development and will be released at a later stage. Open XML File Format Converter for Mac: According to the vendor, patches are still in development and will be released at a later stage. PowerPoint Viewer 2003: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=6a57e6ed-bd24-406f-87bb-117391e083e0" target="_blank">http://www.microsoft.com/downloads/de...=6a57e6ed-bd24-406f-87bb-117391e083e0</a> PowerPoint Viewer 2007 SP1/SP2: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=141b8338-5c52-4326-a9e4-d2f2d8940d9c" target="_blank">http://www.microsoft.com/downloads/de...=141b8338-5c52-4326-a9e4-d2f2d8940d9c</a> Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=e1d3a4c3-538a-4f98-8d60-250803a80e2a" target="_blank">http://www.microsoft.com/downloads/de...=e1d3a4c3-538a-4f98-8d60-250803a80e2a</a> Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2: <a href="http://www.microsoft.com/downloads/details.aspx?familyid=e1d3a4c3-538a-4f98-8d60-250803a80e2a" target="_blank">http://www.microsoft.com/downloads/de...=e1d3a4c3-538a-4f98-8d60-250803a80e2a</a> Microsoft Works 8.5: According to the vendor, patches are still in development and will be released at a later stage. Microsoft Works 9.0: According to the vendor, patches are still in development and will be released at a later stage.<br><b>Provided and/or discovered by</b>:<br>1) Carsten Eiram, Secunia Research. 2) The vendor credits an anonymous person via VeriSign iDefense Labs. 3) The vendor credits Sean Larsson, VeriSign iDefense Labs. 4) The vendor credits Sean Larsson, VeriSign iDefense Labs. 5) The vendor credits Ling and Wushi, team509 via ZDI and Sean Larsson, VeriSign iDefense Labs. 6) The vendor credits: * Marsu Pilami, VeriSign iDefense Labs. * Nicolas Joly, Vupen. * An anonymous person via VeriSign iDefense Labs.<br><b>Original Advisory</b>:<br>MS09-017 (KB957781, KB957784, KB957789, KB957790, KB967340, KB969615, KB969618, KB970059): <a href="http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx" target="_blank">http://www.microsoft.com/technet/security/Bulletin/MS09-017.mspx</a>
id	SSV:11282
last seen	2017-11-19
modified	2009-05-13
published	2009-05-13
reporter	Root
title	Microsoft PowerPoint多个安全漏洞

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Msbulletin

Nessus

Oval

Seebug

References