CVE-2006-3493
Published 2006-07-10
Priority: P4 · 31 · medium · 5.1 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 40.41% (98.5th percentile)
Buffer overflow in LsCreateLine function (mso_203) in mso.dll and mso9.dll, as used by Microsoft Word and possibly other products in Microsoft Office 2003, 2002, and 2000, allows remote user-assisted attackers to cause a denial of service (crash) via a crafted Word DOC or other Office file type. NOTE: this issue was originally reported to allow code execution, but on 20060710 Microsoft stated that code execution is not possible, and the original researcher agrees.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | office | — | — |
| microsoft | powerpoint | — | — |
| microsoft | powerpoint | — | — |
| microsoft | powerpoint | — | — |
Detection & IOCs
bytes: D0 CF 11 E0 A1 B1 1A E1
- CVE-2006-3590 (related issue) was exploited in the wild by Trojan.PPDropper.B via a malformed shape container in a PPT file leading to memory corruption in mso.dll; hunt for PPT files with anomalous shape container structures.
- The proof-of-concept .DOC file uses the Compound Document (OLE2) header magic bytes D0 CF 11 E0 A1 B1 1A E1 with embedded EMBED Equation.3 objects; detect .DOC files containing multiple 'EMBED Equation.3' field instructions as a suspicious indicator.
- No user interaction beyond opening the file is required to trigger the vulnerability; alert on access violations in mso.dll raised within the winword.exe or powerpnt.exe process context.
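The .DOC indicator above can be checked with a raw byte scan. The following is an added example, not code from this page or its sources; the function names, the threshold of two occurrences, and the sample buffers are assumptions made for illustration.

```python
"""Triage heuristic for the .DOC indicator above (added example; names are hypothetical)."""

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound Document header from the page
FIELD = "EMBED Equation.3"                       # field instruction named on the page
THRESHOLD = 2  # assumption: "multiple" is read as two or more occurrences


def count_equation_fields(data: bytes) -> int:
    """Count the field instruction in both encodings Word uses for document text.

    Binary .doc text is stored either as 8-bit characters or as UTF-16LE, so
    both byte patterns are searched. The two patterns cannot match the same
    bytes, so occurrences are never counted twice.
    """
    return data.count(FIELD.encode("ascii")) + data.count(FIELD.encode("utf-16-le"))


def triage(data: bytes) -> dict:
    """Return the indicator state for one file's raw bytes."""
    is_ole2 = data[:8] == OLE2_MAGIC
    hits = count_equation_fields(data) if is_ole2 else 0
    return {"ole2": is_ole2, "equation_fields": hits,
            "suspicious": is_ole2 and hits >= THRESHOLD}


def _sample(prefix: bytes, *fields: bytes) -> bytes:
    """Build a constructed test buffer: header, padding, then field strings."""
    return prefix + b"\x00" * 504 + b"\x13 ".join(fields) + b"\x15"


# Constructed samples (not real documents): only the bytes the heuristic reads.
ASCII_FIELD = FIELD.encode("ascii")
WIDE_FIELD = FIELD.encode("utf-16-le")
SAMPLES = {
    "one_equation.doc": _sample(OLE2_MAGIC, ASCII_FIELD),
    "many_equations.doc": _sample(OLE2_MAGIC, ASCII_FIELD, WIDE_FIELD, ASCII_FIELD),
    "notes.txt": _sample(b"plain te", ASCII_FIELD, ASCII_FIELD),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(blob))
```

A raw scan can miss a field string that straddles non-contiguous OLE2 sectors, and legitimate documents with several equations will also match, so a hit is a reason to inspect the file further rather than a verdict.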
CVSS provenance
nvd · v2.0 · 5.1 MEDIUM · AV:N/AC:H/Au:N/C:P/I:P/A:P
vulncheck · 9.3 CRITICAL
GHSA
GHSA-rh8h-gpvg-vg6q: mso
ghsa_unreviewed·2022-05-01·CVSS 9.3
CVE-2006-3590 [CRITICAL] GHSA-rh8h-gpvg-vg6q: mso
mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows user-assisted attackers to execute arbitrary commands via a malformed shape container in a PPT file that leads to memory corruption, as exploited by Trojan.PPDropper.B, a different issue than CVE-2006-1540 and CVE-2006-3493.
GHSA
GHSA-f8c7-wfvw-q6v3: Buffer overflow in LsCreateLine function (mso_203) in mso
ghsa_unreviewed·2022-05-01
CVE-2006-3493 [MEDIUM] GHSA-f8c7-wfvw-q6v3: Buffer overflow in LsCreateLine function (mso_203) in mso
Buffer overflow in LsCreateLine function (mso_203) in mso.dll and mso9.dll, as used by Microsoft Word and possibly other products in Microsoft Office 2003, 2002, and 2000, allows remote user-assisted attackers to cause a denial of service (crash) via a crafted Word DOC or other Office file type. NOTE: this issue was originally reported to allow code execution, but on 20060710 Microsoft stated that code execution is not possible, and the original researcher agrees.
VulnCheck
Microsoft PowerPoint Mso.dll Vulnerability
vulncheck·2006·CVSS 9.3
CVE-2006-3590 [CRITICAL] Microsoft PowerPoint Mso.dll Vulnerability
mso.dll, as used by Microsoft PowerPoint 2000 through 2003, allows user-assisted attackers to execute arbitrary commands via a malformed shape container in a PPT file that leads to memory corruption, as exploited by Trojan.PPDropper.B, a different issue than CVE-2006-1540 and CVE-2006-3493.
Affected: Microsoft PowerPoint
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-048
No detection rules found.
No writeups or analysis indexed.
- http://blogs.technet.com/msrc/archive/2006/07/10/441006.aspx
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047732.html
- http://marc.info/?l=full-disclosure&m=115231380526820&w=2
- http://marc.info/?l=full-disclosure&m=115261598510657&w=2
- http://securitytracker.com/id?1016453
- http://www.securityfocus.com/archive/1/439649/100/0/threaded
- http://www.securityfocus.com/archive/1/439878/100/0/threaded
- http://www.securityfocus.com/bid/18905
- http://www.vupen.com/english/advisories/2006/2720
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27617