cbcvebase.
CVE-2008-4841
published 2008-12-10

Priority: P276 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 43.03% (98.6th percentile)

The WordPad Text Converter for Word 97 files in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008. NOTE: As of 20081210, it is unclear whether this vulnerability is related to a WordPad issue disclosed on 20080925 with a 2008-crash.doc.rar example, but there are insufficient details to be sure.

Affected

5 ranges
Vendor      Product         Version range   Fixed in
microsoft   wordpad
openoffice  openoffice.org
openoffice  openoffice.org
openoffice  openoffice.org
openoffice  openoffice.org

Detection & IOCs (extracted from sources)

filename: 2008-crash.doc.rar
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6560.rar
url: http://milw0rm.com/sploits/2008-crash.doc.rar
url: http://www.milw0rm.com/exploits/6560
  • Malicious files targeting CVE-2008-4841 use crafted Word 97 format files with extensions .doc, .wri, or .rtf that trigger memory corruption in the WordPad Text Converter on Windows 2000 SP4, XP SP2, and Server 2003 SP1/SP2.
  • The vulnerability was exploited in the wild in December 2008; hunt for suspicious .doc, .wri, or .rtf files delivered during that period or referencing the known PoC filename 2008-crash.doc.rar.
  • A similar memory corruption issue (CVE-2009-0259) also affects OpenOffice.org 1.1.2 through 1.1.5 with the same file types; the same malicious documents may trigger both vulnerabilities.
  • Affected Windows platforms are specifically Windows 2000 SP4, XP SP2, and Server 2003 SP1/SP2 via the WordPad Text Converter. Newer or fully patched systems are not listed as affected.
  • Red Hat assessed the related OpenOffice.org issue (CVE-2009-0259) as only causing a crash (DoS), not arbitrary code execution, and did not treat it as a security vulnerability.
  • The relationship between the original WordPad PoC (2008-crash.doc.rar, disclosed 2008-09-25) and the December 2008 in-the-wild exploitation of CVE-2008-4841 was noted as unclear at the time of disclosure.

CVSS provenance

nvd            v2.0  9.3  CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck            9.3  CRITICAL
vendor_redhat        9.3  CRITICAL