Vulnerability Details : CVE-2006-1540
MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain "01 00 00 00" byte sequence with an "FF FF FF FF" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.txt. NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode "Sheet Name" string.
Vulnerability category: OverflowExecute codeDenial of service
Exploit prediction scoring system (EPSS) score for CVE-2006-1540
Probability of exploitation activity in the next 30 days: 45.52%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 97 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2006-1540
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST |
CWE ids for CVE-2006-1540
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by: nvd@nist.gov (Primary)
References for CVE-2006-1540
-
http://www.securityfocus.com/archive/1/439697/100/0/threaded
-
https://www.exploit-db.com/exploits/1615
Third Party Advisory;VDB Entry
-
http://securitytracker.com/id?1015855
Exploit;Third Party Advisory;VDB Entry
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-038
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A639
Third Party Advisory
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/27607
Third Party Advisory;VDB Entry
-
http://www.vupen.com/english/advisories/2006/2756
Vendor Advisory
-
http://www.us-cert.gov/cas/techalerts/TA06-192A.html
Third Party Advisory;US Government Resource
-
http://www.kb.cert.org/vuls/id/609868
Third Party Advisory;US Government Resource
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/27609
Third Party Advisory;VDB Entry
-
http://www.securityfocus.com/bid/17252
Exploit;Third Party Advisory;VDB Entry
-
http://www.securityfocus.com/bid/18889
Third Party Advisory;VDB Entry
Products affected by CVE-2006-1540
- cpe:2.3:a:microsoft:office:*:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2000:*:*:zh:*:*:*:*
- cpe:2.3:a:microsoft:office:2000:*:*:ja:*:*:*:*
- cpe:2.3:a:microsoft:office:2000:*:*:ko:*:*:*:*
- cpe:2.3:a:microsoft:office:2000:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2000:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:xp:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:xp:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:xp:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2000:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2003:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2003:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office:2003:*:*:*:student_teacher:*:*:*
- cpe:2.3:a:microsoft:office:2004:*:*:*:*:mac_os_x:*:*
- cpe:2.3:a:microsoft:office:v.x:*:*:*:*:mac_os_x:*:*