CVE-2006-1540
published 2006-03-30


Priority: P2 · 67
Severity: critical, CVSS 2.0 base score 9.3 (AV:N / AC:M / Au:N / C:C / I:C / A:C)
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 43.66% (98.6th percentile)
MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain "01 00 00 00" byte sequence with an "FF FF FF FF" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.txt. NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode "Sheet Name" string.

Affected (9 ranges)

Vendor    | Product    | Version range | Fixed in
microsoft | office     |               |
microsoft | office     |               |
microsoft | office     |               |
microsoft | office     |               |
microsoft | office     |               |
microsoft | powerpoint |               |
microsoft | powerpoint |               |
microsoft | powerpoint |               |
microsoft | powerpoint |               |

Detection & IOCs (extracted from sources)

process: winword.exe
process: powerpnt.exe
bytes: FF FF FF FF at offset 0x0000120C in OLE2 stream (replacing 01 00 00 00) to trigger Access Violation in OLE32.DLL via XLS
bytes: FF FF FF 00 at offsets 0x0000013D-0x00000140 in XLW SELECTION record to trigger Access Violation in excel.exe
bytes: SELECTION record payload 03 00 00 00 00 00 00 FF FF FF FF FF FF 00 00 triggering mso.dll write at DS:[EAX+EBP-2]
  • Monitor for Office processes (excel.exe, winword.exe, powerpnt.exe) crashing or faulting inside mso.dll or ole32.dll when opening XLS/XLW/DOC/PPT files — indicative of malformed OLE2 stream with FF FF FF FF substituted for a valid count/index field.
  • Detect XLS/XLW files containing FF FF FF FF at the OLE2 stream offset where a valid entry-count DWORD is expected (offset +0x0C in the affected OLE2 block starting with FE FF 00 00 05 01 02 00).
  • Detect XLW files with a SELECTION record (record ID 0x001D) whose cell-range address list contains oversized/sentinel values such as FF FF FF FF, which causes an out-of-bounds array index in excel.exe.
  • Inspect PPT files for the OLE2 compound-document header block (FE FF 00 00 05 01 02 00 …) where bytes at relative offset +0x10 are FF FF FF FF instead of a valid CLSID prefix — this triggers the mso.dll fault at offset 0x0011300d.
  • Alert on mso.dll fault offset 0x0001b411 in winword.exe crash reports, and offset 0x0011300d in powerpnt.exe crash reports, as these correspond to the known vulnerable code paths for this CVE.
  • The PoC covers Microsoft Office versions 10.0.2614.0 through 11.0.5612.0 (Office XP / Office 2003); the NVD entry for the related CVE-2006-3590 references PowerPoint 2000 through 2003, so detection rules should be scoped to those version ranges.
  • The NVD source document describes CVE-2006-3590 (mso.dll / PPT shape container corruption / Trojan.PPDropper.B), which is explicitly noted as a DIFFERENT issue from CVE-2006-1540; IOCs from that source should not be conflated with CVE-2006-1540 indicators.
  • The exploit-db PoC is a proof-of-concept crash trigger (Access Violation), not a weaponised exploit; the byte-signature patterns indicate the trigger condition but may require additional shellcode/heap-spray stages in a real attack.

CVSS provenance

nvd: CVSS v2.0 9.3 CRITICAL, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck: 9.3 CRITICAL