http://labs.idefense.com/intelligence/vulnerabilities/
Dec 08, 2009
I. BACKGROUND
WordPad is the default text editing application included with nearly all
Windows versions since Windows 95. The Word97 converter is used to
convert Word documents into the format used by WordPad, and is present
in all current versions of WordPad except Vista and Server 2008.
II. DESCRIPTION
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 14, 2009
I. BACKGROUND
WordPad is a word processing application included with Microsoft
Windows. The Word97 converter is used to convert Word97 format
documents into RTF format used by WordPad, and is present in all
current versions of WordPad except Vista and Server 2008.
II. DESCRIPTION
Affected Software:
Microsoft WordPad on Windows XP SP3
Description of Vulnerability:
Microsoft WordPad (on Windows XP SP3) contains a vulnerability that can allow an attacker to cause a denial of service.
The vulnerability is due to a memory exhaustion error when a user tries to view a malicious .RTF file.
An attacker can exploit the vulnerability by creating a malicious RTF file that will allocate large amounts of
memory and cause a denial of service condition.
Vulnerable version:
appliance—for greater flexibility and lower costs.
File Types Supported
* Recognizes and processes 300+ file types
* Microsoft Office files including Office 2007: Microsoft Word, Excel,
PowerPoint, Outlook email; Lotus 1-2-3, OpenOffice, RTF, WordPad, Text, etc.
* Graphics files: Visio, Postscript, PDF, TIFF, etc.
* Software/engineering files: C/C++, JAVA, Verilog, AutoCAD, etc.
* Archived/compressed files: Win ZIP, RAR, TAR, JAR, ARJ, 7Z, RPM, CPIO,
GZIP, BZIP2, Unix/Linux ZIP, LZH, etc.
existing HTTP request, both the URL and the downloaded file use a
trusted domain.
Some variants of the attack are surprisingly simple:
http://yourcompany.com/download?fn=attack.bat%0d%0a%0d%0awordpad
When the response for this attack arrives at the victim's browser, the
malicious file is named "attack.bat" and contains the command "wordpad"
inside. The injected file is opened as if it was a legitimate download
from the trusted domain. The attacker can inject any filename (.exe,
able to specify an address to call.
III. ANALYSIS
Exploitation of this vulnerability will result in the execution of
arbitrary code. Attack vectors include Internet Explorer, WordPad,
Microsoft Office, and any other program that loads arbitrary
persistence data.
IV. DETECTION
III. ANALYSIS
Exploitation of the above vulnerabilities will result in the disclosure
of memory contents, potentially including sensitive information. The
attack vectors include Internet Explorer, WordPad, Microsoft Office,
and any other program that loads arbitrary persistence data and gives
the attacker an opportunity to read back the data.
IV. DETECTION
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of various Microsoft products including Word,
Outlook and WordPad. User interaction is required to exploit this
vulnerability in that the target must visit a malicious page, open a
malicious e-mail, or open a malicious file.
The specific flaw exists within the parsing of RTF documents containing
multiple drawing object tags. First, code within wwlib.dll allocates a