Microsoft Works Converter section length header code execution (CompoundFile_Works_Converter_Overflow)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, RealSecure Server Sensor, RealSecure Network, BlackICE PC Protection, BlackICE Server Protection, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects a specially crafted Works file that can result in the execution of arbitrary code when processed by the Microsoft Works 6 File Converter.


Default risk level

High risk vulnerability  High

Sensors that have this signature

Proventia Network IPS: XPU 28.020, Proventia Desktop: 2160, RealSecure Server Sensor: XPU 28.020, RealSecure Network: XPU 28.020, BlackICE PC Protection: 3.6cqv, BlackICE Server Protection: 3.6.cqv, Proventia-G 1.1 and earlier: XPU 28.020, Proventia Network IDS: XPU 28.020, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 2.0.252.2160, IBM Security Server Protection for Windows: 1.0.914.2160, Proventia Network MFS: XPU 28.020, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.020

Systems affected

Microsoft Office: 2003 SP2, Microsoft Works: 2005, Microsoft Works: 8.0, Microsoft Works 6 File Converter, Microsoft Office: 2003 SP3

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Works Converter could allow a remote attacker to execute arbitrary code on the system, caused by improper validation of section length headers when converting Works (.wps) documents to Rich Text Format (.rtf). By persuading a victim to open a specially-crafted .wps file using an affected version of Microsoft Office or Microsoft Works, a remote attacker could execute arbitrary code on the system.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS08-011. See References.

References

Microsoft Security Bulletin MS08-011
Vulnerabilities in Microsoft Works File Converter Could Allow Remote Code Execution (947081)
http://www.microsoft.com/technet/security/bulletin/ms08-011.mspx

iDefense Labs PUBLIC ADVISORY: 02.12.08
Microsoft Office Works Converter Heap Overflow Vulnerability
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=659

ISS X-Force
Microsoft Works Converter section length header code execution
http://www.iss.net/security_center/static/40095.php

CVE
CVE-2007-0216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0216