# Title: MSOffice stack-based overflow crash on crafted EPS files
# Discovery date: 2 Jan 2012
# Author: Andrei Costin (andrei@andreicostin.com)
# CVE: Not available yet
# Other SecAdv number: ACSA-2012-05, MS 12305cw
# Related CVE: CVE-2010-1628

##### Affected module #####
MSOffice graphic filter
C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT

##### Affected versions #####
Latest patch levels of MSOffice 2010/2007/2003 applications:
Excel
Word
Outlook
Powerpoint

##### Reprod. #####
100% .dmp crashdump generation

##### Details #####
For a specially crafted EPS file, inserting it as a picture in one of the mentioned applications will result in a stack-based overflow in EPSIMP32.FLT.
EPSIMP32.FLT is a graphics filter used to process certain file types embedded in MSOffice documents.
Specifically, EPSIMP32.FLT processes EPS (Encapsulated PostScript) files.

MS confirmed the crash, but marked it as NOT exploitable.

##### Attack vectors/scenarios #####
1) Potential code execution in the context of the MSOffice user who opens a specially crafted document that re-renders/re-interprets the embedded file.
2) Potential code execution for users receiving emails in Outlook with a specially crafted .eps file embedded in the message, triggering the vulnerability on preview.
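Both scenarios above hand an embedded EPS to EPSIMP32.FLT when the document is rendered, so a practical defensive check is to inventory which Office files carry EPS media at all, by content rather than by file extension. The script below is an added example and is not part of the advisory or the author's work; the function names (`is_eps`, `find_embedded_eps`, `build_sample_docx`) and the sample document are constructed for illustration. It recognises the two real EPS signatures (the `%!PS` comment header and the DOS EPS binary header `C5 D0 D3 C6`) inside OOXML containers (.docx/.xlsx/.pptx are ZIP archives). It does not and cannot detect the crafted condition itself, since the advisory gives no details of the trigger; it only finds media that the affected filter would parse.

```python
"""Inventory EPS payloads embedded in OOXML (.docx/.xlsx/.pptx) containers.
Added example, not code from the advisory. Names and sample data are constructed."""
import io
import zipfile
from typing import List

# Real EPS signatures: DOS EPS binary header, or the PostScript comment header.
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"
PS_MAGIC = b"%!PS"


def is_eps(data: bytes) -> bool:
    """True if the bytes begin with a known EPS/PostScript signature."""
    head = data[:16]
    return head.startswith(DOS_EPS_MAGIC) or head.startswith(PS_MAGIC)


def find_embedded_eps(doc_bytes: bytes) -> List[str]:
    """Return the ZIP member names whose content looks like EPS.

    The check is by magic bytes, not by extension: an EPS renamed to .jpg is
    still handed to the EPS filter once the document is rendered.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # only the signature is needed
            if is_eps(head):
                hits.append(info.filename)
    return hits


def build_sample_docx(media: dict) -> bytes:
    """Build a minimal, constructed OOXML-style ZIP (not a real Word file)
    carrying the given media members, so the scanner can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        for name, data in media.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample payloads (benign headers only, no crafted content).
CONSTRUCTED_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"
CONSTRUCTED_DOS_EPS = DOS_EPS_MAGIC + b"\x00" * 26  # 30-byte DOS EPS header, zeroed
CONSTRUCTED_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

SAMPLE_DOCX = build_sample_docx({
    "word/media/image1.eps": CONSTRUCTED_EPS,
    "word/media/image2.jpg": CONSTRUCTED_DOS_EPS,  # EPS hidden behind a .jpg name
    "word/media/image3.png": CONSTRUCTED_PNG,
})

if __name__ == "__main__":
    for name in find_embedded_eps(SAMPLE_DOCX):
        print("embedded EPS:", name)
```

Run it against real documents by reading the file bytes and passing them to `find_embedded_eps`. Two caveats: the legacy binary formats also listed as affected (.doc/.xls/.ppt from Office 2003) are OLE2 compound files, not ZIPs, and need a separate container parser; and an EPS attached to an Outlook message rather than embedded in a document would have to be pulled from the mail store before being checked with `is_eps`.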
