lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <F808E76B-F707-4595-99D3-E7F802709BFF@tippingpoint.com>
Date: Tue, 13 May 2008 13:48:36 -0500
From: DVLabs <dvlabs@...pingpoint.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Cc: dvlabs@...pingpoint.com, zdi-disclosures@...pingpoint.com
Subject: TPTI-08-04: Microsoft Office Jet Database Engine Column Parsing Stack Overflow Vulnerability

TPTI-08-04: Microsoft Office Jet Database Engine Column Parsing Stack  
Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-08-04
May 13, 2008

-- CVE ID:
CVE-2007-6026

-- Affected Vendors:
Microsoft

-- Affected Products:
Microsoft Office Word
Microsoft Office Access

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6040, 6041.
For further product information on the TippingPoint IPS, visit:

     http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Microsoft Office. Exploitation requires that
the target opens an Office file that contains malicious Jet DB Engine
objects.

The specific flaw exists within the parsing of a column structure. The
DWORD value from the structure that specifies the column count is
trusted. If this value is changed, an inline memcpy to the stack can
overflow while reading a column name. Typically Jet DB structures are
used within MDB files which are considered unsafe. However, it is
possible to embed such files within a trusted format, such as an Office
Document (.doc). This issue allows for remote code execution under the
context of the currently logged in user.

-- Vendor Response:
Microsoft has issued an update to correct this vulnerability. More
details can be found at:

http://www.microsoft.com/technet/security/Bulletin/ms08-028.mspx

-- Disclosure Timeline:
2008-04-19 - Vulnerability reported to vendor
2008-05-13 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
     * Aaron Portnoy, TippingPoint DVLabs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ