Vulnerabilities > CVE-2009-2506 - Numeric Errors vulnerability in Microsoft products

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

microsoft

CWE-189

critical

nessus

NVD

Published: 2009-12-09

Updated: 2019-02-26

Summary

Integer overflow in the text converters in Microsoft Office Word 2002 SP3 and 2003 SP3; Works 8.5; Office Converter Pack; and WordPad in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 allows remote attackers to execute arbitrary code via a DOC file with an invalid number of property names in the DocumentSummaryInformation stream, which triggers a heap-based buffer overflow.

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 2000 * Microsoft Windows Server 2003 * Microsoft Windows XP *	5
Application	Microsoft Microsoft Office Converter Pack * Microsoft Office Word 2002 Microsoft Office Word 2003 Microsoft Wordpad * Microsoft Works 8.5	5

Common Weakness Enumeration (CWE)

CWE-189 - Numeric Errors

Msbulletin

bulletin_id	MS09-073
bulletin_url
date	2009-12-08T00:00:00
impact	Remote Code Execution
knowledgebase_id	975539
knowledgebase_url
severity	Important
title	Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS09-073.NASL
description	The remote host contains a vulnerable version of Microsoft WordPad, Office, or Office Converter Pack. Opening a specially crafted Word 97 file can result in the execution of arbitrary code. A remote attacker could exploit this by tricking a user into opening a malicious Word file.
last seen	2020-06-01
modified	2020-06-02
plugin id	43065
published	2009-12-08
reporter	This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/43065
title	MS09-073: Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(43065); script_version("1.25"); script_cvs_date("Date: 2018/11/15 20:50:30"); script_cve_id("CVE-2009-2506"); script_bugtraq_id(37216); script_xref(name:"IAVA", value:"2009-A-0128"); script_xref(name:"MSFT", value:"MS09-073"); script_xref(name:"MSKB", value:"973904"); script_name(english:"MS09-073: Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)"); script_summary(english:"Checks version of Mswrd832.cnv / Mswrd632.wpc"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host through opening a Microsoft Word file."); script_set_attribute(attribute:"description", value: "The remote host contains a vulnerable version of Microsoft WordPad, Office, or Office Converter Pack. Opening a specially crafted Word 97 file can result in the execution of arbitrary code. A remote attacker could exploit this by tricking a user into opening a malicious Word file."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-073"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows 2000, XP, 2003, Microsoft Office XP, 2003, and Office Converter Pack."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(94); script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/08"); script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:works"); script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office_converter_pack"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("smb_nt_ms02-031.nasl", "office_installed.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("audit.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS09-073'; kbs = make_list("973904"); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); arch = get_kb_item_or_exit("SMB/ARCH"); if (!get_kb_item("SMB/WindowsVersion")) exit(1, "The 'SMB/WindowsVersion' KB item is missing."); if (!is_accessible_share()) exit(1, "is_accessible_share() failed."); office_versions = hotfix_check_office_version(); x86_path = hotfix_get_commonfilesdir(); if (!x86_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Common Files'); x86_path += "\Microsoft Shared\TextConv"; x64_path = hotfix_get_programfilesdirx86(); if (arch == 'x64' && !x64_path) audit(AUDIT_PATH_NOT_DETERMINED, 'Program Files (x86)'); if (x64_path) x64_path += "\Common Files\Microsoft Shared\TextConv"; officexp_sp = get_kb_item("SMB/Office/XP/SP"); office2k3_sp = get_kb_item("SMB/Office/2003/SP"); if ( # Windows 2003 / XP SP2 x64 hotfix_is_vulnerable(os:"5.2", sp:2, arch:"x64", file:"Mswrd632.wpc", path:x64_path, version:"2009.10.31.10", bulletin:bulletin, kb:'973904') \|\| # Windows 2003 x86 hotfix_is_vulnerable(os:"5.2", sp:2, arch:"x86", file:"Mswrd632.wpc", path:x86_path, version:"2009.10.31.10", bulletin:bulletin, kb:'973904') \|\| # Windows XP x86 hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86", file:"Mswrd632.wpc", path:x86_path, version:"2009.10.31.10", bulletin:bulletin, kb:'973904') \|\| hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Mswrd632.wpc", path:x86_path, version:"2009.10.31.10", bulletin:bulletin, kb:'973904') \|\| # Windows 2000 hotfix_is_vulnerable(os:"5.0", file:"Mswrd632.wpc", path:x86_path, version:"2009.10.31.10", bulletin:bulletin, kb:'973904') \|\| # Office XP SP3 ( (office_versions["10.0"] && (!isnull(officexp_sp) && officexp_sp == 3)) && ( hotfix_is_vulnerable(file:"Mswrd832.cnv", version:"2003.1100.8313.0", path:x86_path, bulletin:bulletin, kb:'975008') \|\| hotfix_is_vulnerable(file:"Mswrd832.cnv", arch:"x64", version:"2003.1100.8313.0", path:x64_path, bulletin:bulletin, kb:'975008') ) ) \|\| # Office 2003 SP3 ( (office_versions["11.0"] && (!isnull(office2k3_sp) && office2k3_sp == 3)) && ( hotfix_is_vulnerable(file:"Mswrd832.cnv", version:"2003.1100.8313.0", path:x86_path, bulletin:bulletin, kb:'975051') \|\| hotfix_is_vulnerable(file:"Mswrd832.cnv", arch:"x64", version:"2003.1100.8313.0", path:x64_path, bulletin:bulletin, kb:'975051') ) ) ) { set_kb_item(name:"SMB/Missing/MS09-073", value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2015-08-10T04:00:59.443-04:00

class

vulnerability

contributors

name Dragos Prisaca
organization Gideon Technologies, Inc.
name Dragos Prisaca
organization Gideon Technologies, Inc.
name Dragos Prisaca
organization Gideon Technologies, Inc.
name Rachana Shetty
organization SecPod Technologies
name Maria Kedovskaya
organization ALTX-SOFT
name Dragos Prisaca
organization G2, Inc.
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Microsoft Windows 2000 SP4 or later is installed
oval oval:org.mitre.oval:def:229
comment Microsoft Windows XP (x86) SP3 is installed
oval oval:org.mitre.oval:def:5631
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Office Converter Pack is installed
oval oval:org.mitre.oval:def:28520
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442
comment Microsoft Office Converter Pack is installed
oval oval:org.mitre.oval:def:28520
comment Microsoft Word 2002 is installed
oval oval:org.mitre.oval:def:973
comment Microsoft Word 2003 is installed
oval oval:org.mitre.oval:def:475
comment Microsoft Works 8.5 is installed
oval oval:org.mitre.oval:def:6721
comment Microsoft Office Converter Pack is installed
oval oval:org.mitre.oval:def:28520
comment Microsoft Office 2003 is installed
oval oval:org.mitre.oval:def:233

description

family

windows

oval:org.mitre.oval:def:5846

status

accepted

submitted

2009-12-08T13:00:00

title

WordPad and Office Text converter Memory Corruption Vulnerability

version

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 37216 CVE ID: CVE-2009-2506 写字板是Windows操作系统中附件所提供的简单文本编辑工具。当用户打开特制的Word 97文件时，Microsoft写字板和Word文本转换器中的内存破坏漏洞可能导致执行任意代码。在解析DOC文件中的 DocumentSummaryInformation流时会触发这个漏洞。这个流用于提供有关文档作者、创建日期等信息，其中的部分数据是属性名称和数值对序列。在读取这些属性的名称时，代码使用代表名称数目的文件中的32位整数执行了计算。由于没有对所使用的值执行边界检查，这可能触发整数溢出，导致对存储属性数据分配了不充分的堆缓冲区。 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Server 2003 SP2 Microsoft Windows 2000SP4 Microsoft Word 2003 SP3 Microsoft Word 2002 SP3 Microsoft Works 8.5 临时解决方法： * 通过限制对转换器文件的访问禁用Word 97的写字板文本转换器，从管理员命令提示符运行以下命令： echo y\| cacls "%ProgramFiles%\Common Files\Microsoft Shared\TextConv\mswrd832.cnv" /E /P everyone:N echo y\| cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\TextConv\mswrd832.cnv" /E /P everyone:N echo y\| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd8.wpc" /E /P everyone:N echo y\| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd864.wpc" /E /P everyone:N echo y\| cacls "%ProgramFiles(x86)%\Windows NT\Accessories\mswrd8.wpc" /E /P everyone:N 厂商补丁： Microsoft --------- Microsoft已经为此发布了一个安全公告（MS09-073）以及相应补丁: MS09-073：Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539) 链接：http://www.microsoft.com/technet/security/bulletin/MS09-073.mspx?pf=true
id	SSV:15051
last seen	2017-11-19
modified	2009-12-12
published	2009-12-12
reporter	Root
title	Microsoft写字板和Office文本转换器Word 97文件解析远程代码执行漏洞（MS09-073）

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Msbulletin

Nessus

Oval

Seebug

References