Vulnerabilities > CVE-2009-1533 - Buffer Errors vulnerability in Microsoft Office, Office XP and Works

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-119

critical

nessus

NVD

Published: 2009-06-10

Updated: 2018-10-12

Summary

Buffer overflow in the Works for Windows document converters in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP3, Office 2007 SP1, and Works 8.5 and 9 allows remote attackers to execute arbitrary code via a crafted Works .wps file that triggers memory corruption, aka "File Converter Buffer Overflow Vulnerability."

Vulnerable Configurations

Part	Description	Count
Application	Microsoft Microsoft Office 2000 Microsoft Office 2003 Microsoft Office XP Sp3 Microsoft Works 8.5 Microsoft Works 9.0	5

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Msbulletin

bulletin_id	MS09-024
bulletin_url
date	2009-06-09T00:00:00
impact	Remote Code Execution
knowledgebase_id	957632
knowledgebase_url
severity	Critical
title	Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS09-024.NASL
description	The remote host is running a version of Microsoft Works for Windows document converters that is affected by a buffer overflow vulnerability. If an attacker can trick a user on the affected host into opening a specially crafted Works file, this issue could be leveraged to run arbitrary code on the host subject to the user
last seen	2020-06-01
modified	2020-06-02
plugin id	39346
published	2009-06-10
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/39346
title	MS09-024: Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(39346); script_version("1.26"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2009-1533"); script_bugtraq_id(35184); script_xref(name:"IAVB", value:"2009-B-0025"); script_xref(name:"MSFT", value:"MS09-024"); script_xref(name:"MSKB", value:"967044"); script_xref(name:"MSKB", value:"969559"); script_name(english:"MS09-024: Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)"); script_summary(english:"Checks file version of the converters"); script_set_attribute( attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through Microsoft Office."); script_set_attribute( attribute:"description", value: "The remote host is running a version of Microsoft Works for Windows document converters that is affected by a buffer overflow vulnerability. If an attacker can trick a user on the affected host into opening a specially crafted Works file, this issue could be leveraged to run arbitrary code on the host subject to the user's privileges."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-024"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for Office 2000, 2003 and XP as well as 2007 Microsoft Office System, Works 8.5 and Works 9."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"vuln_publication_date", value:"2009/06/09"); script_set_attribute(attribute:"patch_publication_date", value:"2009/06/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/06/10"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:works"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("audit.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-024'; kbs = make_list("967044", "969559"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); if (!is_accessible_share()) exit(1, "is_accessible_share() failed."); commonfiles = hotfix_get_officecommonfilesdir(); if (!commonfiles) exit(1, "Error getting Office Common Files directory."); office_versions = hotfix_check_office_version(); vuln = FALSE; checkedfiles = make_array(); foreach ver (keys(office_versions)) { if (ver == '9.0' \|\| ver == '10.0' \|\| ver == '11.0' \|\| ver == '12.0') { if (typeof(commonfiles) == 'array') path = commonfiles[ver] + "\Microsoft Shared\TextConv"; else path = commonfiles + "\Microsoft Shared\TextConv"; share = hotfix_path2share(path:path); # Office 2007 if (ver == "12.0") { file = path + "\Works623.cnv"; if (!checkedfiles[file]) { if (hotfix_check_fversion(file:"Works632.cnv", version:"9.07.0613.0", path:path, bulletin:bulletin, kb:"969559") == HCF_OLDER) vuln = TRUE; checkedfiles[file] = 1; } } # Office 2003 else if (ver == "11.0") { file1 = path + "\Wkcvqd01.dll"; file2 = path + "\Wkcvqr01.dll"; if (!checkedfiles[file1] && !checkedfiles[file2]) { # Office 2003 is only vulnerable if Works 6-9 converter is installed # (vanilla install = version 9.7.621.0) if ( hotfix_check_fversion(file:"Wkcvqd01.dll", version:"9.8.1117.0", min_version:"9.7.621.0", path:path, bulletin:bulletin, kb:"968326") == HCF_OLDER \|\| hotfix_check_fversion(file:"Wkcvqr01.dll", version:"9.8.1117.0", min_version:"9.7.621.0", path:path, bulletin:bulletin, kb:"968326") == HCF_OLDER ) vuln = TRUE; checkedfiles[file1] = 1; checkedfiles[file2] = 1; } } # Office XP. else if (ver == "10.0") { file = path + "\Works432.cnv"; if (!checkedfiles[file]) { if (hotfix_check_fversion(file:"Works432.cnv", version:"2008.9.808.0", path:path, bulletin:bulletin, kb:"957646") == HCF_OLDER) vuln = TRUE; checkedfiles[file] = 1; } } # Office 2000. else if (ver == "9.0") { file = path + "\Works432.cnv"; if (!checkedfiles[file]) { if (hotfix_check_fversion(file:"Works432.cnv", version:"2008.9.808.0", path:path, bulletin:bulletin, kb:"957646") == HCF_OLDER) vuln = TRUE; checkedfiles[file] = 1; } } } } if (hotfix_check_works_installed()) { if ( # Works 9. hotfix_check_fversion(file:"Wkcvqd01.dll", version:"9.8.1117.0", min_version:"9.0.0.0", path:path, bulletin:bulletin, kb:"967044") == HCF_OLDER \|\| hotfix_check_fversion(file:"Wkcvqr01.dll", version:"9.8.1117.0", min_version:"9.0.0.0", path:path, bulletin:bulletin, kb:"967044") == HCF_OLDER \|\| # Works 8. hotfix_check_fversion(file:"Wkcvqd01.dll", version:"8.7.216.0", min_version:"8.0.0.0", path:path, bulletin:bulletin, kb:"967043") == HCF_OLDER \|\| hotfix_check_fversion(file:"Wkcvqr01.dll", version:"8.7.216.0", min_version:"8.0.0.0", path:path, bulletin:bulletin, kb:"967043") == HCF_OLDER ) { vuln = TRUE; } } if (vuln) { set_kb_item(name:"SMB/Missing/MS09-024", value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2009-07-21T07:46:07.774-04:00

class

vulnerability

contributors

name	Dragos Prisaca
organization	Gideon Technologies, Inc.

definition_extensions

comment Microsoft Word 2000 is installed
oval oval:org.mitre.oval:def:455
comment Microsoft Word 2002 is installed
oval oval:org.mitre.oval:def:973
comment Microsoft Word 2003 is installed
oval oval:org.mitre.oval:def:475
comment Microsoft Word 2007 is installed
oval oval:org.mitre.oval:def:2074

description

family

windows

oval:org.mitre.oval:def:6292

status

accepted

submitted

2009-06-09T14:00:00

title

File Converter Buffer Overflow Vulnerability

version

Saint

bid	35184
description	Microsoft Works File Converter FontName buffer overflow
id	win_patch_msworkscnv
osvdb	54939
title	microsoft_works_file_conv_fontname
type	client

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 35184 CVE(CAN) ID: CVE-2009-1533 Works是微软的家用综合软件，提供基本的能提高生活效率的工具，如简单的文档处理、数据库、电子表格的入门级办公包功能。 Windows文件转换器的Works处理特制Works文件的方式中存在栈溢出漏洞。如果用户打开了包含有超长字体名的特制.wps文件，就可以触发这个溢出，导致执行任意代码。 Microsoft Office XP SP3 Microsoft Office 2007 SP1 Microsoft Office 2003 Service Pack 3 Microsoft Office 2000 SP3 Microsoft Works 9.0 Microsoft Works 8.5 临时解决方法： * 对于Word 2000和Word 2002，通过限制访问来禁用Works 4.x转换器。对于Microsoft Windows 2000、Windows XP和Windows Server 2003，通过命令提示符运行以下命令： cacls "%CommonProgramFiles%\Microsoft Shared\TextConv\works432.cnv" /E /P everyone:N cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\works432.cnv" /E /P everyone:N 对于Vista/Server 2008，从提升的命令提示符处运行下列命令： takeown /f "%CommonProgramFiles%\Microsoft Shared\TextConv\works432.cnv" icacls "%CommonProgramFiles%\Microsoft Shared\TextConv\works432.cnv" /save works432_ACL.TXT icacls "%CommonProgramFiles%\Microsoft Shared\TextConv\works432.cnv" /deny everyone:(F) takeown /f "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\works432.cnv" icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\works432.cnv" /save works432_ACL.TXT icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\works432.cnv" /deny everyone:(F) * 对于安装了Microsoft Works 6–9文件转换器的Word 2003和Word 2007，通过限制访问来禁用Works 6-9转换器。对于Microsoft Windows 2000、Windows XP和Windows Server 2003，通过命令提示符运行以下命令： cacls "%CommonProgramFiles%\Microsoft Shared\TextConv\works632.cnv" /E /P everyone:N cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\works632.cnv" /E /P everyone:N 对于Windows Vista和Windows Server 2008，从提升的命令提示符处运行下列命令： takeown /f "%CommonProgramFiles%\Microsoft Shared\TextConv\works632.cnv" icacls "%CommonProgramFiles%\Microsoft Shared\TextConv\works632.cnv" /save works632_ACL.TXT icacls "%CommonProgramFiles%\Microsoft Shared\TextConv\works632.cnv" /deny everyone:(F) takeown /f "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\works632.cnv" icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\works632.cnv" /save works632_ACL.TXT icacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\works632.cnv" /deny everyone:(F) 厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS09-024）以及相应补丁: MS09-024：Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632) 链接：<a href="http://www.microsoft.com/technet/security/Bulletin/MS09-024.mspx?pf=true" target="_blank" rel=external nofollow>http://www.microsoft.com/technet/security/Bulletin/MS09-024.mspx?pf=true</a>
id	SSV:11604
last seen	2017-11-19
modified	2009-06-13
published	2009-06-13
reporter	Root
title	Microsoft Office Works文件转换器栈溢出漏洞(MS09-024)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Msbulletin

Nessus

Oval

Saint

Seebug

References