Microsoft Word Macro名处理缓冲区溢出漏洞

发布时间：2003-10-15
更新时间：2003-10-15
严重程度：中
威胁程度：权限提升
错误类型：边界检查错误
利用方式：客户机模式

BUGTRAQ ID：8835

受影响系统

Microsoft Word 2000 SR1a
   + Microsoft Office 2000
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows 2000 Workstation SP1
   - Microsoft Windows 2000 Workstation SP2
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0 SP1
   - Microsoft Windows NT 4.0 SP2
   - Microsoft Windows NT 4.0 SP3
   - Microsoft Windows NT 4.0 SP4
   - Microsoft Windows NT 4.0 SP5
   - Microsoft Windows NT 4.0 SP6
   - Microsoft Windows NT 4.0 SP6a
Microsoft Word 2000 SR1
   + Microsoft Office 2000
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows 2000 Workstation SP1
   - Microsoft Windows 2000 Workstation SP2
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0 SP1
   - Microsoft Windows NT 4.0 SP2
   - Microsoft Windows NT 4.0 SP3
   - Microsoft Windows NT 4.0 SP4
   - Microsoft Windows NT 4.0 SP5
   - Microsoft Windows NT 4.0 SP6
   - Microsoft Windows NT 4.0 SP6a
Microsoft Word 2000 SP3
   + Microsoft Office 2000 SP3
   - Microsoft Windows 2000 Professional
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Professional SP2
   - Microsoft Windows 2000 Professional SP3
   - Microsoft Windows 98
   - Microsoft Windows 98SE
   - Microsoft Windows ME
   - Microsoft Windows NT Workstation 4.0
   - Microsoft Windows NT Workstation 4.0 SP1
   - Microsoft Windows NT Workstation 4.0 SP2
   - Microsoft Windows NT Workstation 4.0 SP3
   - Microsoft Windows NT Workstation 4.0 SP4
   - Microsoft Windows NT Workstation 4.0 SP5
   - Microsoft Windows NT Workstation 4.0 SP6
   - Microsoft Windows NT Workstation 4.0 SP6a
   - Microsoft Windows XP Home
   - Microsoft Windows XP Home SP1
   - Microsoft Windows XP Professional
   - Microsoft Windows XP Professional SP1
Microsoft Word 2000 SP2
   + Microsoft Office 2000
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows 2000 Workstation SP1
   - Microsoft Windows 2000 Workstation SP2
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0 SP1
   - Microsoft Windows NT 4.0 SP2
   - Microsoft Windows NT 4.0 SP3
   - Microsoft Windows NT 4.0 SP4
   - Microsoft Windows NT 4.0 SP5
   - Microsoft Windows NT 4.0 SP6
   - Microsoft Windows NT 4.0 SP6a
Microsoft Word 2000
   + Microsoft Office 2000
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows 2000 Workstation SP1
   - Microsoft Windows 2000 Workstation SP2
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0 SP1
   - Microsoft Windows NT 4.0 SP2
   - Microsoft Windows NT 4.0 SP3
   - Microsoft Windows NT 4.0 SP4
   - Microsoft Windows NT 4.0 SP5
   - Microsoft Windows NT 4.0 SP6
   - Microsoft Windows NT 4.0 SP6a
Microsoft Word 2000 Chinese Version
Microsoft Word 2000 Japanese Version
Microsoft Word 2000 Korean Version
Microsoft Word 97 SR2
Microsoft Word 97 SR1
Microsoft Word 97
   + Microsoft Office 97
Microsoft Word 97 Chinese Version
Microsoft Word 97 Japanese Version
Microsoft Word 97 Korean Version
Microsoft Word 98
Microsoft Word 98 Chinese Version
Microsoft Word 98 Japanese Version
Microsoft Word 98 Korean Version

未影响系统

Microsoft Office XP SP2
   - Microsoft Windows 2000 Professional
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Professional SP2
   - Microsoft Windows 2000 Professional SP3
   - Microsoft Windows 98
   - Microsoft Windows 98SE
   - Microsoft Windows ME
   - Microsoft Windows NT Workstation 4.0
   - Microsoft Windows NT Workstation 4.0 SP1
   - Microsoft Windows NT Workstation 4.0 SP2
   - Microsoft Windows NT Workstation 4.0 SP3
   - Microsoft Windows NT Workstation 4.0 SP4
   - Microsoft Windows NT Workstation 4.0 SP5
   - Microsoft Windows NT Workstation 4.0 SP6
   - Microsoft Windows NT Workstation 4.0 SP6a
   - Microsoft Windows XP Home
   - Microsoft Windows XP Home SP1
   - Microsoft Windows XP Professional
   - Microsoft Windows XP Professional SP1
Microsoft Office XP SP1
   - Microsoft Windows 2000 Professional
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Professional SP2
   - Microsoft Windows 98
   - Microsoft Windows ME
   - Microsoft Windows NT Workstation 4.0
   - Microsoft Windows NT Workstation 4.0 SP1
   - Microsoft Windows NT Workstation 4.0 SP2
   - Microsoft Windows NT Workstation 4.0 SP3
   - Microsoft Windows NT Workstation 4.0 SP4
   - Microsoft Windows NT Workstation 4.0 SP5
   - Microsoft Windows NT Workstation 4.0 SP6
   - Microsoft Windows NT Workstation 4.0 SP6a
   - Microsoft Windows XP Home
   - Microsoft Windows XP Professional
Microsoft Office XP
   - Microsoft Windows 2000 Professional
   - Microsoft Windows 2000 Professional SP1
   - Microsoft Windows 2000 Professional SP2
   - Microsoft Windows 98
   - Microsoft Windows ME
   - Microsoft Windows NT Workstation 4.0
   - Microsoft Windows NT Workstation 4.0 SP1
   - Microsoft Windows NT Workstation 4.0 SP2
   - Microsoft Windows NT Workstation 4.0 SP3
   - Microsoft Windows NT Workstation 4.0 SP4
   - Microsoft Windows NT Workstation 4.0 SP5
   - Microsoft Windows NT Workstation 4.0 SP6
   - Microsoft Windows NT Workstation 4.0 SP6a
   - Microsoft Windows XP Home
   - Microsoft Windows XP Professional

详细描述
Microsoft Word存在缓冲区溢出问题。

问题是由于对宏名的处理函数对名称缺少充分的边界缓冲区检查，当把宏名拷贝到缓冲区时，可出发缓冲区溢出。宏结构包含内部和外部宏名称，在处理Unicode字符拷贝到固定缓冲区(256字符)时存在问题。

攻击者可以构造恶意WORD文件，诱骗用户打开而已触发漏洞。

解决方案
尚无

相关信息
SpAmC0der <roman2_@_inbox.ru>.
参考：http://www.security.nnov.ru/search/document.asp?docid=5243

最近严重漏洞

Microsoft Word Macro名处理缓冲区溢出漏洞