[39932] in bugtraq
Shared section vulnerability when opening microsoft office
daemon@ATHENA.MIT.EDU (sylvain.roger@solucom.fr)
Wed Jul 27 12:39:42 2005
Date: 27 Jul 2005 07:36:46 -0000
Message-ID: <20050727073646.21882.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: sylvain.roger@solucom.fr
To: bugtraq@securityfocus.com
There is a shared section vulnerability in office products when trying to open
an office document with firefox. For example try to open a word document
attached in a webmail. firefox.exe process will create a son winword.exe
process (it only appears when the process is created with firefox not svchosts). When creating this process a shared section is created called
\BaseNameObjects\Mso97SharedDgXXXXXXXX (the number may change I am not sure at
the present time). The rights on this shared section are put on "everyone" for
delete/synchronise/query/modify. this allows to write arbitrary data and to
perform a Dos against ALL Office open applications.
I do not manage to know if it is a firefox or Microsoft office vulnerability
