CVE-2008-4841
Published 2008-12-10
CVE-2008-4841: The WordPad Text Converter for Word 97 files in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary…
Priority: P276 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 43.03% (98.6th percentile)
The WordPad Text Converter for Word 97 files in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008. NOTE: As of 20081210, it is unclear whether this vulnerability is related to a WordPad issue disclosed on 20080925 with a 2008-crash.doc.rar example, but there are insufficient details to be sure.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | wordpad | — | — |
| openoffice | openoffice.org | — | — |
| openoffice | openoffice.org | — | — |
| openoffice | openoffice.org | — | — |
| openoffice | openoffice.org | — | — |
Detection & IOCs (extracted from sources)
- Malicious files targeting CVE-2008-4841 use crafted Word 97 format files with extensions .doc, .wri, or .rtf that trigger memory corruption in the WordPad Text Converter on Windows 2000 SP4, XP SP2, and Server 2003 SP1/SP2.
- The vulnerability was exploited in the wild in December 2008; hunt for suspicious .doc, .wri, or .rtf files delivered during that period or referencing the known PoC filename 2008-crash.doc.rar.
- A similar memory corruption issue (CVE-2009-0259) also affects OpenOffice.org 1.1.2 through 1.1.5 with the same file types; the same malicious documents may trigger both vulnerabilities.
- Affected Windows platforms are specifically Windows 2000 SP4, XP SP2, and Server 2003 SP1/SP2 via the WordPad Text Converter. Newer or fully patched systems are not listed as affected.
- Red Hat assessed the related OpenOffice.org issue (CVE-2009-0259) as only causing a crash (DoS), not arbitrary code execution, and did not treat it as a security vulnerability.
- The relationship between the original WordPad PoC (2008-crash.doc.rar, disclosed 2008-09-25) and the December 2008 in-the-wild exploitation of CVE-2008-4841 was noted as unclear at the time of disclosure.
CVSS provenance
nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 9.3 · CRITICAL
vendor_redhat · 9.3 · CRITICAL
GHSA
GHSA-8xq3-88jm-ph6c: The WordPad Text Converter for Word 97 files in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to execute arb
ghsa_unreviewed·2022-05-14
CVE-2008-4841 [HIGH] GHSA-8xq3-88jm-ph6c: The WordPad Text Converter for Word 97 files in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to execute arb
GHSA
GHSA-x8fv-7pqq-qwxw: The Word processor in OpenOffice
ghsa_unreviewed·2022-05-02·CVSS 9.3
CVE-2009-0259 [CRITICAL] GHSA-x8fv-7pqq-qwxw: The Word processor in OpenOffice
The Word processor in OpenOffice.org 1.1.2 through 1.1.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008, as demonstrated by 2008-crash.doc.rar, and a similar issue to CVE-2008-4841.
VulnCheck
OpenOffice.org 1.1.2 through 1.1.5 Memory Corruption
vulncheck·2009·CVSS 9.3
CVE-2009-0259 [CRITICAL] OpenOffice.org 1.1.2 through 1.1.5 Memory Corruption
Affected: openoffice openoffice.org
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.openwall.com/lists/oss-security/2009/01/21/9; https://www.cve.org/CVERecord?id=CVE-2009-0259
VulnCheck
WordPad Word 97 Text Converter Stack Overflow Vulnerability
vulncheck·2008·CVSS 9.3
CVE-2008-4841 [CRITICAL] WordPad Word 97 Text Converter Stack Overflow Vulnerability
Affected: Microsoft WordPad
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/
Red Hat
openoffice.org: text converter memory corruption via a crafted (1) .doc, (2) .wri, or (3) .rtf Word97 file
vendor_redhat·2008-12-09·CVSS 9.3
CVE-2009-0259 [CRITICAL] openoffice.org: text converter memory corruption via a crafted (1) .doc, (2) .wri, or (3) .rtf Word97 file
Statement: This issue can only result in an OpenOffice.org crash, not allowing arbitrary code execution. Red Hat does not consider a crash of a client application such as OpenOffice.org to be a security issue.
No detection rules found.
References
- http://milw0rm.com/sploits/2008-crash.doc.rar
- http://secunia.com/advisories/32997
- http://securityreason.com/securityalert/4711
- http://securitytracker.com/id?1021376
- http://www.microsoft.com/technet/security/advisory/960906.mspx
- http://www.securityfocus.com/bid/31399
- http://www.securityfocus.com/bid/32718
- http://www.us-cert.gov/cas/techalerts/TA09-104A.html
- http://www.vupen.com/english/advisories/2008/3390
- http://www.vupen.com/english/advisories/2009/1024
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-010
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6050
- https://www.exploit-db.com/exploits/6560