CVE-2006-1540
Published 2006-03-30
Priority P2 · 67 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 43.66% (98.6th percentile)
MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain "01 00 00 00" byte sequence with an "FF FF FF FF" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.exe (the NVD text reads "powerpnt.txt", a typo for the PowerPoint binary). NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode "Sheet Name" string.
Affected
9 ranges (version bounds and fix versions are not populated in the source; the description names Office 2000, Office XP (2002) and Office 2003, and the Microsoft bulletin linked in the references is MS06-038)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | powerpoint | — | — |
| microsoft | powerpoint | — | — |
| microsoft | powerpoint | — | — |
| microsoft | powerpoint | — | — |
Detection & IOCs (extracted from sources)
bytes: FF FF FF FF at offset 0x0000120C in the OLE2 stream (replacing 01 00 00 00) to trigger an access violation in OLE32.DLL via XLS
bytes: FF FF FF 00 at offsets 0x0000013D-0x00000140 in the XLW SELECTION record to trigger an access violation in excel.exe
bytes: SELECTION record payload 03 00 00 00 00 00 00 FF FF FF FF FF FF 00 00, triggering an mso.dll write at DS:[EAX+EBP-2]
- Monitor for Office processes (excel.exe, winword.exe, powerpnt.exe) crashing or faulting inside mso.dll or ole32.dll when opening XLS/XLW/DOC/PPT files; this is the symptom of a malformed stream in which a valid count/index DWORD has been replaced with FF FF FF FF.
- Detect XLS/XLW files containing FF FF FF FF at the stream offset where a valid count DWORD is expected (offset +0x0C in the affected block, which starts with FE FF 00 00 05 01 02 00: that is the header of an OLE property-set stream such as \x05SummaryInformation or \x05DocumentSummaryInformation, not the D0 CF 11 E0 compound-file header).
- Detect XLW files with a SELECTION record (BIFF record ID 0x001D) whose cell-range list carries an oversized count or sentinel values such as FF FF FF FF, which produces an out-of-bounds array index in excel.exe.
- Inspect PPT files for the property-set stream header block (FE FF 00 00 05 01 02 00 …) where the bytes at relative offset +0x10 are FF FF FF FF instead of the expected CLSID bytes; this triggers the mso.dll fault at offset 0x0011300d.
- Alert on mso.dll fault offset 0x0001b411 in winword.exe crash reports and 0x0011300d in powerpnt.exe crash reports; these correspond to the code paths hit by the public PoC for this CVE. Module fault offsets are build-specific, so treat them as confirmation for the PoC-tested builds rather than as a general signature.
- The exploit-db PoC was tested against Office builds 10.0.2614.0 through 11.0.5612.0 (Office XP / Office 2003); the CVE description also names Office 2000, so scope detection rules to Office 2000, XP (2002) and 2003. The "PowerPoint 2000 through 2003" range in NVD belongs to the related but separate CVE-2006-3590 and should not be used to scope this CVE.
- The NVD source document for CVE-2006-3590 (mso.dll / PPT shape container corruption / Trojan.PPDropper.B) explicitly describes a different issue from CVE-2006-1540; IOCs from that source must not be conflated with CVE-2006-1540 indicators.
- The exploit-db PoC is a crash trigger (access violation), not a weaponised exploit; the byte patterns above identify the trigger condition, and a real attack would need additional stages (shellcode, heap grooming) that these signatures do not cover.
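The file-level checks in the list above (a sentinel DWORD in the property-set stream header, and SELECTION records whose declared range count does not fit the record) can be implemented as a small scanner. The following is an added example written for this page; it is not the exploit-db PoC and not vendor tooling. Record layouts follow the public [MS-XLS] and [MS-OLEPS] specifications; the +0x0C and +0x10 offsets are the ones quoted above, and +0x18 (NumPropertySets) is the specification's count field. All sample streams are constructed inline, with the malformed SELECTION payload taken from the IOC list. It goes slightly beyond the page by also checking the BOUNDSHEET "Sheet Name" length field that the NVD note refers to.

```python
# Added example (not the exploit-db PoC or any vendor tool): heuristic checks for
# the CVE-2006-1540 trigger patterns. Layouts follow [MS-XLS] and [MS-OLEPS];
# +0x0C/+0x10 are the IOC offsets quoted on the page, +0x18 is NumPropertySets.
import struct
from typing import Dict, List, Optional, Tuple

PROPSET_MAGIC = b"\xfe\xff\x00\x00"   # ByteOrder 0xFFFE + Version 0x0000
SENTINEL = b"\xff\xff\xff\xff"        # the "01 00 00 00" -> "FF FF FF FF" swap
REC_SELECTION, REC_BOUNDSHEET, REC_EOF, REC_BOF = 0x001D, 0x0085, 0x000A, 0x0809

PROPSET_FIELDS: Dict[int, str] = {
    0x0C: "CLSID bytes 4-7 (IOC offset +0x0C)",
    0x10: "CLSID bytes 8-11 (IOC offset +0x10)",
    0x18: "NumPropertySets",
}


def scan_propset_headers(buf: bytes) -> List[Tuple[int, str]]:
    """Locate property-set stream headers and flag sentinel or oversized counts.
    Works on a raw file: stream headers start sector-aligned and the 28-byte
    header never straddles a sector or mini-sector boundary."""
    hits = []
    pos = buf.find(PROPSET_MAGIC)
    while pos != -1:
        hdr = buf[pos:pos + 0x1C]
        if len(hdr) == 0x1C:
            for off, name in PROPSET_FIELDS.items():
                if hdr[off:off + 4] == SENTINEL:
                    hits.append((pos + off, f"FF FF FF FF in {name}"))
            nsets = struct.unpack_from("<I", hdr, 0x18)[0]
            if nsets not in (1, 2) and nsets != 0xFFFFFFFF:  # [MS-OLEPS]: 1 or 2
                hits.append((pos + 0x18, f"NumPropertySets={nsets} out of range"))
        pos = buf.find(PROPSET_MAGIC, pos + 1)
    return hits


def iter_biff_records(stream: bytes):
    """Yield (offset, id, payload) per BIFF record; stop at EOF or truncation."""
    pos = 0
    while pos + 4 <= len(stream):
        rid, length = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + length]
        yield pos, rid, payload
        if rid == REC_EOF or len(payload) < length:
            break
        pos += 4 + length


def check_selection(payload: bytes) -> Optional[str]:
    """SELECTION: pnn(1) rwAct(2) colAct(2) irefAct(2) cref(2), then cref x Ref8U(6)."""
    if len(payload) < 9:
        return "truncated SELECTION header"
    cref = struct.unpack_from("<H", payload, 7)[0]
    avail = len(payload) - 9
    if cref * 6 > avail:
        return f"SELECTION cref={cref} needs {cref * 6} bytes, record has {avail}"
    return None


def check_boundsheet(payload: bytes) -> Optional[str]:
    """BOUNDSHEET: lbPlyPos(4) hsState(1) dt(1) cch(1) fHighByte(1), then name."""
    if len(payload) < 8:
        return "truncated BOUNDSHEET header"
    cch, flags = payload[6], payload[7]
    width = 2 if flags & 0x01 else 1        # fHighByte set -> UTF-16LE sheet name
    need, avail = cch * width, len(payload) - 8
    if need > avail:
        return f"BOUNDSHEET cch={cch} x{width} needs {need} bytes, record has {avail}"
    return None


CHECKS = {REC_SELECTION: check_selection, REC_BOUNDSHEET: check_boundsheet}


def scan_biff_stream(stream: bytes) -> List[Tuple[int, int, str]]:
    """Run the per-record consistency checks over a Workbook/Book stream."""
    findings = []
    for off, rid, payload in iter_biff_records(stream):
        check = CHECKS.get(rid)
        msg = check(payload) if check else None
        if msg:
            findings.append((off, rid, msg))
    return findings


# ---- constructed sample data (not real documents) ----------------------------
def rec(rid: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rid, len(payload)) + payload


def propset_header(clsid: bytes, nsets: int) -> bytes:
    return PROPSET_MAGIC + b"\x05\x01\x02\x00" + clsid + struct.pack("<I", nsets)


GOOD_PROPSET = propset_header(b"\x00" * 16, 1) + b"\x00" * 20
BAD_PROPSET_CLSID = propset_header(b"\x00" * 4 + SENTINEL + b"\x00" * 8, 1) + b"\x00" * 20
BAD_PROPSET_COUNT = propset_header(b"\x00" * 16, 0xFFFFFFFF) + b"\x00" * 20

GOOD_SELECTION = bytes([3, 0, 0, 0, 0, 0, 0, 1, 0]) + bytes(6)   # cref=1, one Ref8U
BAD_SELECTION = bytes.fromhex("03 00 00 00 00 00 00 FF FF FF FF FF FF 00 00")  # IOC payload
GOOD_BOUNDSHEET = struct.pack("<IBBBB", 0x200, 0, 0, 6, 1) + "Sheet1".encode("utf-16-le")
BAD_BOUNDSHEET = struct.pack("<IBBBB", 0x200, 0, 0, 0xFF, 1) + "Sheet1".encode("utf-16-le")

SAMPLE_WORKBOOK = (rec(REC_BOF, bytes(16)) + rec(REC_BOUNDSHEET, GOOD_BOUNDSHEET)
                   + rec(REC_BOUNDSHEET, BAD_BOUNDSHEET) + rec(REC_SELECTION, GOOD_SELECTION)
                   + rec(REC_SELECTION, BAD_SELECTION) + rec(REC_EOF, b""))

if __name__ == "__main__":
    for label, blob in [("good", GOOD_PROPSET), ("clsid", BAD_PROPSET_CLSID), ("count", BAD_PROPSET_COUNT)]:
        print(label, scan_propset_headers(blob))
    for off, rid, msg in scan_biff_stream(SAMPLE_WORKBOOK):
        print(f"record 0x{rid:04X} at +0x{off:X}: {msg}")
```

scan_biff_stream expects the Workbook (BIFF8) or Book (BIFF5) stream itself, for example obtained with olefile as OleFileIO(path).openstream("Workbook").read(); scan_propset_headers can be run over the raw file. Both are heuristics: a hit means the declared count cannot be satisfied by the bytes present, which is the inconsistency the CVE text describes, not proof that the file exploits it.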
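For the crash-report items above (an Office process faulting in mso.dll or ole32.dll, and the two specific mso.dll fault offsets), the following is an added example matcher for Windows Application Error events; it is not a published detection rule. It assumes the Event ID 1000 message text of the Windows XP / Server 2003 era ("Faulting application ..., version ..., faulting module ..., version ..., fault address 0x...."), which is what the affected Office releases logged; the log lines and version numbers are constructed for the example.

```python
# Added example (not a published rule): classify Windows Application Error
# (Event ID 1000) messages against the Office crash signatures from the IOC list.
import re
from typing import List, Optional, Tuple

# (process, faulting module, fault offset) triples quoted in the IOC list
KNOWN_FAULTS = {
    ("winword.exe", "mso.dll", 0x0001B411),
    ("powerpnt.exe", "mso.dll", 0x0011300D),
}
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
SUSPECT_MODULES = {"mso.dll", "ole32.dll", "excel.exe"}

# Windows XP / Server 2003 Event 1000 message layout (assumed format)
EVENT_1000 = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<appver>[\d.]+), "
    r"faulting module (?P<mod>\S+), version (?P<modver>[\d.]+), "
    r"fault address 0x(?P<addr>[0-9A-Fa-f]{1,8})\.",
    re.IGNORECASE,
)


def classify(message: str) -> Optional[str]:
    """'exact-match', 'office-crash', 'other', or None if not an Event 1000 message."""
    m = EVENT_1000.search(message)
    if not m:
        return None
    app, mod, addr = m["app"].lower(), m["mod"].lower(), int(m["addr"], 16)
    if (app, mod, addr) in KNOWN_FAULTS:
        return "exact-match"          # fault offset from the IOC list
    if app in OFFICE_PROCESSES and mod in SUSPECT_MODULES:
        return "office-crash"         # Office faulting in a module named by the CVE
    return "other"


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, verdict) for every line that deserves triage."""
    out = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict in ("exact-match", "office-crash"):
            out.append((n, verdict))
    return out


# constructed sample log lines (not real telemetry)
SAMPLE_LOG = [
    "Faulting application winword.exe, version 11.0.5604.0, faulting module mso.dll, "
    "version 11.0.5606.0, fault address 0x0001b411.",
    "Faulting application excel.exe, version 10.0.2614.0, faulting module ole32.dll, "
    "version 5.1.2600.2726, fault address 0x0003a2f1.",
    "Faulting application notepad.exe, version 5.1.2600.0, faulting module ntdll.dll, "
    "version 5.1.2600.2180, fault address 0x00010a5b.",
    "The Windows Installer service entered the running state.",
    "Faulting application powerpnt.exe, version 11.0.5529.0, faulting module mso.dll, "
    "version 11.0.5606.0, fault address 0x0011300d.",
]

if __name__ == "__main__":
    for n, verdict in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

An "exact-match" verdict only means the fault offset equals the one the PoC produced on the builds it was tested against; an "office-crash" verdict is the broader, noisier signal and needs the offending document pulled for the file-level checks.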
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 CRITICAL
GHSA
GHSA-94cj-9f3f-7q8j: MSO (ghsa_unreviewed · 2022-05-01)
CVE-2006-1540 [HIGH] CWE-94
GHSA
GHSA-46j2-ph3p-g234 (ghsa_unreviewed · 2022-05-01 · CVSS 9.3)
CVE-2006-3449 [CRITICAL]
Unspecified vulnerability in Microsoft PowerPoint 2000 through 2003, possibly a buffer overflow, allows user-assisted remote attackers to execute arbitrary commands via a malformed record in the BIFF file format used in a PPT file, a different issue than CVE-2006-1540, aka "Microsoft PowerPoint Malformed Record Vulnerability."
GHSA
GHSA-rh8h-gpvg-vg6q: mso (ghsa_unreviewed · 2022-05-01 · CVSS 9.3)
CVE-2006-3590 [CRITICAL]
mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows user-assisted attackers to execute arbitrary commands via a malformed shape container in a PPT file that leads to memory corruption, as exploited by Trojan.PPDropper.B, a different issue than CVE-2006-1540 and CVE-2006-3493.
VulnCheck
Microsoft PowerPoint Mso.dll Vulnerability (vulncheck · 2006 · CVSS 9.3)
CVE-2006-3590 [CRITICAL]
mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows user-assisted attackers to execute arbitrary commands via a malformed shape container in a PPT file that leads to memory corruption, as exploited by Trojan.PPDropper.B, a different issue than CVE-2006-1540 and CVE-2006-3493.
Affected: Microsoft PowerPoint
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-048
VulnCheck
Microsoft Office Improper Control of Generation of Code ('Code Injection') (vulncheck · 2006 · CVSS 9.3)
CVE-2006-1540 [CRITICAL]
No detection rules found.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/21012
- http://securitytracker.com/id?1015855
- http://www.kb.cert.org/vuls/id/609868
- http://www.osvdb.org/27150
- http://www.securityfocus.com/archive/1/439697/100/0/threaded
- http://www.securityfocus.com/bid/17252
- http://www.securityfocus.com/bid/18889
- http://www.us-cert.gov/cas/techalerts/TA06-192A.html
- http://www.vupen.com/english/advisories/2006/2756
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-038
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27607
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27609
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A639
- https://www.exploit-db.com/exploits/1615