Microsoft PowerPoint Freelance布局解析堆溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1182581 漏洞类型 代码注入
发布时间 2009-06-10 更新时间 2009-06-10
CVE编号 CVE-2009-0202 CNNVD-ID CNNVD-200906-205
漏洞平台 N/A CVSS评分 9.3
|漏洞来源
https://www.securityfocus.com/bid/35275
https://cxsecurity.com/issue/WLB-2009060027
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200906-205
|漏洞详情
MicrosoftPowerPoint是微软Office套件中的文档演示工具。PowerPoint的FreelanceWindows2.1Translator(FL21WIN.DLL)在解析布局信息时存在数组索引错误,如果用户受骗打开了恶意的PPT文件就可能触发堆溢出,导致执行任意指令。安装了MS09-017更新的系统默认下会禁用对Freelance文件的支持,但可在注册表中手动重新启用。
|漏洞EXP
====================================================================== 

                     Secunia Research 10/06/2009

    - Microsoft PowerPoint Freelance Layout Parsing Vulnerability -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

* Microsoft Office PowerPoint 2000
* Microsoft Office PowerPoint 2002

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Moderately critical
Impact: System compromise
Where:  Remote

====================================================================== 
3) Vendor's Description of Software 

"Microsoft Office PowerPoint 2007 enables users to quickly create
high-impact, dynamic presentations, while integrating workflow and 
ways to easily share information. From the Microsoft Office Fluent 
user interface to the new graphics and formatting capabilities, Office
PowerPoint 2007 puts the control in your hands to create great-looking
presentations.".

Product Link:
http://office.microsoft.com/powerpoint

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft 
PowerPoint, which can be exploited by malicious people to compromise 
a user's system.

The vulnerability is caused by an array-indexing error in the 
Microsoft PowerPoint Freelance Windows 2.1 Translator (FL21WIN.DLL) 
when parsing layout information and can be exploited to cause a 
heap-based buffer overflow.

Successful exploitation allows execution of arbitrary code.

NOTE: On systems with MS09-017 applied, support for Freelance files 
is disabled by default, but can be re-enabled via a key in the
registry.

====================================================================== 
5) Solution 

Microsoft states that no fix will be issued. However, installations 
with MS09-017 applied block opening of Freelance files by default.

Users having enabled Freelance file support should not open Freelance
files from untrusted sources.

====================================================================== 
6) Time Table 

22/05/2009 - Vendor notified.
23/05/2009 - Vendor response.
03/06/2009 - Vendor informs that no security bulletin will be issued
             as Freelance files are blocked by default after applying
             MS09-017.
04/06/2009 - Vendor informed that Secunia agrees that a new security
             bulletin is not required. It is, however, recommended to
             update MS09-017 to inform users that Freelance support 
             has been disabled by default and should not be re-enabled
             as the translator is affected by a critical 
             vulnerability.
10/06/2009 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by Carsten Eiram, Secunia Research.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2009-0202 for the vulnerability.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-29/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

|受影响的产品
Microsoft PowerPoint 2002 + Microsoft Office XP - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 20
|参考资料

来源:XF
名称:ms-powerpoint-freelance-bo(51034)
链接:http://xforce.iss.net/xforce/xfdb/51034
来源:BID
名称:35275
链接:http://www.securityfocus.com/bid/35275
来源:BUGTRAQ
名称:20090610SecuniaResearch:MicrosoftPowerPointFreelanceLayoutParsingVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/504215/100/0/threaded
来源:OSVDB
名称:54961
链接:http://www.osvdb.org/54961
来源:SECTRACK
名称:1022369
链接:http://securitytracker.com/id?1022369
来源:MISC
链接:http://secunia.com/secunia_research/2009-29/
来源:SECUNIA
名称:35184
链接:http://secunia.com/advisories/35184