‘Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability’


A null pointer dereference vulnerability has been noticed in Microsoft Word 2003.’


‘The original article can be found at: http://seclists.org/bugtraq/2010/Sep/100


Vulnerable Systems:
 * Microsoft Word 2003 (SP3) 11.8326.11.8324 on Windows XP SP2
 * Microsoft Word 2003 (SP3) 11.8326.11.8324 on Windows XP SP3

The exception results in the MSO.dll library which fails to handle the special crafted buffer in a file.The issue can be potentially triggered by openinga malicious word file which resulted in a null pointer exception due to invalid memory read. Note: It has intermediate impact because if system is running (n) number of instance of MS Word , opening of this malicious doc file results in crash of all the instances thereby completely subverting the functionality of word.

The following state of registers and frames were noticed:

eax=00000000 ebx=00000000 ecx=02711d68 edx=00000000 esi=00000000
eip=30f91fd7 esp=0013cca0 ebp=0013ccb4 iopl=0 nv up ei ng nz na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
30f91fd7 8b481c mov ecx,dword ptr [eax+1Ch]

0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be
0013ccb4 30f16d61 mso!Ordinal1033+0x3f4
0013ccdc 30ef266f mso!Ordinal2272+0xad
0013cdc8 30f16951 mso!Ordinal233+0x596
00000000 00000000 mso!Ordinal1307+0xc0e

0:000> u
30f91fd7 8b481c mov ecx,dword ptr [eax+1Ch]
30f91fda f6c101 test cl,1
30f91fdd 0f85f3b20900 jne mso!Ordinal2868+0x2eb87 (3102d2d6)
30f91fe3 8b701c mov esi,dword ptr [eax+1Ch]
30f91fe6 83e601 and esi,1
30f91fe9 753a jne mso!Ordinal1033+0x442 (30f92025)
30f91feb 8b4848 mov ecx,dword ptr [eax+48h]
30f91fee 2bd1 sub edx,ecx

Patch Availability:
The vulnerability was reported to Microsoft. Due to the nature of inherent crash no separate bulletin will be released. In the next release of development this issue will be patched or corrected.

CVE Information:

Disclosure Timeline:

Categories: Windows