Vulnerability Development mailing list archives
Re: Bug in Microsoft Word
From: Bahaa Naamneh <b_naamneh () hotmail com>
Date: 8 Oct 2003 17:58:09 -0000
In-Reply-To: <oprwngn1zgab5ge7 () smtp2 adsl ya com>

This pattern

00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01
00 00 00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c
01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00

can be found, I think, in most of the Office 2002 versions. I have found this pattern in two versions: 2002 (10.2627.3311) and 2002 (10.5522.4219) SP-2.

In some versions, like version 2002 (10.2627.2625), this pattern exists:

00 00 00 00 00 00 97 02 00 00 34 00 00 00 69 02 00 00 00 00 00 00 69

or

00 00 00 00 00 00 97 02 00 00 38 00 00 00 69 02 00 00 00 00 00 00 69

If you replace it with:

62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62

it will crash because of divide by zero. But if you change it to

00 00 00 00 00 00 97 02 00 00 34 00 00 00 69 02 00 00 00 00 00 62 69

you'll be able to see an access violation such as:

301D33D7 mov ecx,dword ptr [eax]

EAX = 00200072 EBX = 00000002 ECX = 009E366C EDX = 00000000
ESI = 009D0288 EDI = 00000000 EIP = 301D33D7 ESP = 00126364
EBP = 00000000 EFL = 00000206

------------------------
Bahaa Naamneh
http://www.bsecurity.tk
Date: Tue, 07 Oct 2003 03:49:03 +0200
To: "vuln-dev () securityfocus com" <vuln-dev () securityfocus com>
Subject: Re: Bug in Microsoft Word
From: Pedro Jota Calvorota <calvorota () ya com>
Organization: Calvos Unidos
Message-ID: <oprwngn1zgab5ge7 () smtp2 adsl ya com>
I would like to make you notice two things:
- I downloaded the doc file from
http://www12.brinkster.com/bsecurity/Doc1.doc and checked it with MS
Office XP version and it crashes. Oddly, if I do it with Word 97, it
doesn't crash but shows the cursor at the end of the first line :|
- I just can't find the pattern
00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01
00 00 00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c
01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00
in any doc I create, Word 97 or XP... is it the same in any version? I
don't even find the "b4 01" pattern to be able to modify the EAX register.
Can you explain it a little deeper?
Thanks a lot.
--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/