Microsoft Works Converter section length header code execution (CompoundFile_Works_Converter_Overflow)

About this signature or vulnerability

IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, RealSecure Server Sensor, RealSecure Network, BlackICE Server Protection, BlackICE PC Protection, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects a specially crafted Works file that can result in the execution of arbitrary code when processed by the Microsoft Works 6 File Converter.


Default risk level

High risk vulnerability  High

Sensors that have this signature

IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2160, IBM Security Server Protection for Windows: 2.0.252.2160, Proventia Network IDS: XPU 28.020, Proventia-G 1.1 and earlier: XPU 28.020, Proventia Network MFS: XPU 28.020, RealSecure Server Sensor: XPU 28.020, RealSecure Network: XPU 28.020, BlackICE Server Protection: 3.6.cqv, BlackICE PC Protection: 3.6cqv, Proventia Desktop: 2160, Proventia Network IPS: XPU 28.020, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.020

Systems affected

Microsoft Office: 2003 SP2, Microsoft Works: 2005, Microsoft Works: 8.0, Microsoft Works 6 File Converter, Microsoft Office: 2003 SP3

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Works Converter could allow a remote attacker to execute arbitrary code on the system, caused by improper validation of section length headers when converting Works (.wps) documents to Rich Text Format (.rtf). By persuading a victim to open a specially-crafted .wps file using an affected version of Microsoft Office or Microsoft Works, a remote attacker could execute arbitrary code on the system.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-011. See References.

References

Microsoft Security Bulletin MS08-011
Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution (947081)
http://www.microsoft.com/technet/security/bulletin/ms08-011.mspx

iDefense Labs PUBLIC ADVISORY: 02.12.08
Microsoft Office Works Converter Heap Overflow Vulnerability
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=659

ISS X-Force
Microsoft Works Converter section length header code execution
http://www.iss.net/security_center/static/40095.php

CVE
CVE-2007-0216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0216