Vulnerabilities Of Non Executable File Formats In The Wild
Several vulnerabilities in non-executable file formats have been used in the wild recently. A proof of concept for a new bug affecting Windows Explorer has been published on the milw0rm Web site. The bug is in the code that parses Word documents to extract and display summary information (document type, author, title, and so on). A malformed property record in the “DocumentSummaryInformation” stream of a Word document causes Explorer to dereference an invalid pointer while parsing the file, and the process crashes with a memory access violation. Microsoft Word XP, fully updated with SP3 and the latest patches, also appears to be vulnerable: the same file makes Word crash with a “divide by zero” exception. Other versions of Word do not appear to be affected.
So far the bug appears to cause only a denial of service (DoS), triggered when the corrupted document is opened in Word or merely browsed from Windows Explorer. At this stage it seems very unlikely that the bug can be used to run malicious code; it simply crashes the application.
The proof-of-concept .doc posted on milw0rm shows that the problem lies in the DocumentSummaryInformation stream of the Word document. This property set holds information about the document, such as the title and the author, and Windows Explorer displays it when needed: when a document is selected in Explorer with the status bar visible, the information appears on the status bar. To do that, Explorer parses the document, reads the DocumentSummaryInformation stream, and parses the property records stored inside it. Unfortunately, the function in OLE32.DLL responsible for this does not correctly validate the size of a property. The unchecked size is added to a pointer, and the result points into an invalid memory area, which is then accessed.
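To make the missing check concrete, here is a small bounds-checked reader for an OLE property set stream such as DocumentSummaryInformation, laid out per Microsoft's MS-OLEPS specification. This is an added example, not the OLE32.DLL code the post discusses and not the milw0rm proof of concept; the sample stream is constructed by hand, and the malformed variant only oversizes the VT_LPSTR Size field, which is the shape of corruption described above (the real PoC's bytes are not reproduced here). The function names (`oleps_parse`, `build_sample`) and the status codes are assumptions of this example.

```c
/* Minimal bounds-checked reader for an OLE property set stream such as
 * "\005DocumentSummaryInformation" (layout per MS-OLEPS). Added example,
 * not Microsoft's OLE32 code; the sample stream below is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VT_I4    0x0003
#define VT_LPSTR 0x001E

typedef enum { OLEPS_OK, OLEPS_TRUNCATED, OLEPS_BAD_MAGIC, OLEPS_BAD_OFFSET,
               OLEPS_BAD_SIZE, OLEPS_UNSUPPORTED_TYPE } oleps_status;

typedef struct { uint32_t pid; uint16_t type; uint32_t value_len; const uint8_t *value; } oleps_prop;

static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Walks the first PropertySet and fills `out`. Every check is done on
 * lengths, never by adding an attacker-controlled size to a pointer and
 * comparing afterwards (that is the pattern the post describes, and the
 * sum can wrap or simply land outside the mapped buffer). */
oleps_status oleps_parse(const uint8_t *buf, size_t len, oleps_prop *out, size_t max_out, size_t *nout)
{
    *nout = 0;
    if (len < 28) return OLEPS_TRUNCATED;
    if (rd16(buf) != 0xFFFE) return OLEPS_BAD_MAGIC;             /* ByteOrder marker */
    uint32_t nsets = rd32(buf + 24);
    if (nsets < 1 || nsets > 2) return OLEPS_BAD_SIZE;
    if (len < 28 + 20 * nsets) return OLEPS_TRUNCATED;            /* FMTID + Offset per set */

    uint32_t off = rd32(buf + 44);                                /* Offset of first PropertySet */
    if (off > len || len - off < 8) return OLEPS_BAD_OFFSET;
    const uint8_t *set = buf + off;
    uint32_t set_len = rd32(set);                                 /* PropertySet.Size */
    if (set_len < 8 || set_len > len - off) return OLEPS_BAD_SIZE;
    uint32_t nprops = rd32(set + 4);                              /* PropertySet.NumProperties */
    if (nprops > (set_len - 8) / 8) return OLEPS_BAD_SIZE;        /* PID/Offset pairs must fit */

    for (uint32_t i = 0; i < nprops && *nout < max_out; i++) {
        uint32_t pid  = rd32(set + 8 + 8 * i);
        uint32_t poff = rd32(set + 12 + 8 * i);                   /* relative to PropertySet start */
        if (poff > set_len || set_len - poff < 4) return OLEPS_BAD_OFFSET; /* Type + Padding */
        uint16_t type = rd16(set + poff);
        uint32_t rem  = set_len - poff - 4;                       /* bytes left for the value */
        oleps_prop *p = &out[*nout];
        p->pid = pid; p->type = type;
        switch (type) {
        case VT_I4:
            if (rem < 4) return OLEPS_TRUNCATED;
            p->value = set + poff + 4; p->value_len = 4;
            break;
        case VT_LPSTR: {
            if (rem < 4) return OLEPS_TRUNCATED;
            uint32_t sz = rd32(set + poff + 4);                   /* the size field a PoC corrupts */
            if (sz > rem - 4) return OLEPS_BAD_SIZE;              /* string must lie inside the set */
            p->value = set + poff + 8; p->value_len = sz;
            break;
        }
        default:
            return OLEPS_UNSUPPORTED_TYPE;
        }
        (*nout)++;
    }
    return OLEPS_OK;
}

/* Constructed DocumentSummaryInformation stream: one property set holding
 * PID 0x0F (Company, VT_LPSTR "Acme Co") and PID 0x05 (Lines, VT_I4 42). */
static const uint8_t SAMPLE[96] = {
    0xFE,0xFF, 0x00,0x00, 0x00,0x00,0x00,0x00,             /* ByteOrder, Version, SystemIdentifier */
    0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,                    /* CLSID (null) */
    0x01,0x00,0x00,0x00,                                   /* NumPropertySets = 1 */
    0x02,0xD5,0xCD,0xD5,0x9C,0x2E,0x1B,0x10,0x93,0x97,0x08,0x00,0x2B,0x2C,0xF9,0xAE, /* FMTID of DocumentSummaryInformation */
    0x30,0x00,0x00,0x00,                                   /* Offset0 = 48 */
    0x30,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,              /* PropertySet: Size = 48, NumProperties = 2 */
    0x0F,0x00,0x00,0x00, 0x18,0x00,0x00,0x00,              /* PID 0x0F at set offset 24 */
    0x05,0x00,0x00,0x00, 0x28,0x00,0x00,0x00,              /* PID 0x05 at set offset 40 */
    0x1E,0x00, 0x00,0x00, 0x08,0x00,0x00,0x00,             /* VT_LPSTR, padding, Size = 8 */
    'A','c','m','e',' ','C','o',0x00,                      /* "Acme Co\0" */
    0x03,0x00, 0x00,0x00, 0x2A,0x00,0x00,0x00              /* VT_I4, padding, 42 */
};

/* Copies the sample and, if `malformed`, overwrites the VT_LPSTR Size field
 * (stream offset 76) with 0x7FFFFFF0 so the string "extends" far past the buffer. */
size_t build_sample(uint8_t *out, int malformed)
{
    memcpy(out, SAMPLE, sizeof SAMPLE);
    if (malformed) { out[76] = 0xF0; out[77] = 0xFF; out[78] = 0xFF; out[79] = 0x7F; }
    return sizeof SAMPLE;
}

int main(void)
{
    uint8_t buf[sizeof SAMPLE]; oleps_prop props[4]; size_t n;
    for (int bad = 0; bad < 2; bad++) {
        size_t len = build_sample(buf, bad);
        oleps_status st = oleps_parse(buf, len, props, 4, &n);
        printf("%s stream: status %d, %zu properties parsed\n", bad ? "malformed" : "well-formed", (int)st, n);
        for (size_t i = 0; i < n; i++)
            printf("  PID 0x%02X type 0x%02X len %u\n", (unsigned)props[i].pid, (unsigned)props[i].type, (unsigned)props[i].value_len);
    }
    return 0;
}
```

The parser rejects the malformed stream with OLEPS_BAD_SIZE before touching a single byte of the claimed string; a parser that instead advanced a pointer by the Size field and only then compared it against the end of the buffer would already have computed an address outside the mapping, which is the kind of access violation the post reports.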
There were a number of malicious Trojans exploiting file-format vulnerabilities over the last year. Word (.doc) still seems to be the preferred attack vector, but other vectors have recently been seen as well, such as .xls, .pdf, and Ichitaro documents (.jtd), which are popular in Japan.
Once again, be extremely careful when opening any type of email attachment, even one in a file format considered “safe” and non-executable. The exploits targeting a Microsoft Excel file-format vulnerability and the MSJET vulnerability (currently unpatched) that affects MS Access files are detected as the Trojan.Mdropper.AA family.