Proventia Server IPS for Microsoft Windows technology, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection:
This signature detects a specially crafted Works file that can result in the execution of arbitrary code when processed by the Microsoft Works 6 File Converter.
High
Proventia Server IPS for Microsoft Windows technology: 1.0.914.2160, Proventia Server IPS for Microsoft Windows technology: 2.0.252.2160, Proventia Network MFS: XPU 28.020, Proventia-G 1.1 and earlier: XPU 28.020, Proventia Desktop: 2160, Proventia Network IPS: XPU 28.020, Proventia Server IPS for Linux technology: 28.020, RealSecure Network: XPU 28.020, RealSecure Server Sensor: XPU 28.020, BlackICE PC Protection: 3.6cqv, BlackICE Server Protection: 3.6.cqv
Microsoft Works 6: File Converter, Microsoft Office: 2003 SP3, Microsoft Works: 8.0, Microsoft Works: 2005, Microsoft Office: 2003 SP2
Unauthorized Access Attempt
Microsoft Works Converter could allow a remote attacker to execute arbitrary code on the system because it improperly validates section length headers when converting Works (.wps) documents to Rich Text Format (.rtf). By persuading a victim to open a specially crafted .wps file using an affected version of Microsoft Office or Microsoft Works, a remote attacker could execute arbitrary code on the system.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-011. See References.
Microsoft Security Bulletin MS08-011
Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution (947081)
http://www.microsoft.com/technet/security/bulletin/ms08-011.mspx
iDefense Labs PUBLIC ADVISORY: 02.12.08
Microsoft Office Works Converter Heap Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=659
ISS X-Force
Microsoft Works Converter section length header code execution
http://www.iss.net/security_center/static/40095.php
CVE
CVE-2007-0216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0216