Full Disclosure mailing list archives
Re: Fuzzing Microsoft Office
From: "Disco Jonny" <discojonny () gmail com>
Date: Tue, 11 Jul 2006 13:52:49 +0100
Hi, I'm not too sure of the point of your post, but there you go.

> One can easily identify some new problems while experimenting with this stuff.

Mate, if you care, or give a shit: I have over 300 *different* crashes in Word (total over 5k files that crash Word), from using two basic templates and then fuzzing them (I hate to think what's gonna happen when I move off paragraphs and bullet points/numbered lists). So more to the point: if an application the size of Office has not been properly tested from the very start, then you are now fucked, you cannot get that ground back, which is why we are seeing a high number of bugs.

I am getting on average 10 - 15 new independent bugs a day. I don't have time to see which are exploitable and which aren't, so I am automating a lot of this process at the moment too. Word docs seem to have a high number of integer reliance from the file format - these are the main issues I am finding, although signedness comes next. I find very few heuristic style bugs - the click-this-link exploit in Excel would be a good example of a heuristic style bug. I wonder if, when I start to use more in-depth functions, I will see more of the lower hanging fruit.

I am not working at full pelt yet, but I am testing approx 120,000 files a day. I am increasing the processing power I am giving to the classification of these bugs. (With 2 P4, 1 gig RAM, 80 GB HDD machines I can at best do 2,000,000 Word files per day, and hopefully more when I rewrite the Perl in C.) [Just for the record, I am not trying to find exploits in Word itself per se, but I am testing my test harness.]

> The problem of generating the specially crafted files is not a big issue; it was assumed that one should know the binary file format in order to generate some "valid document" (one which is parsable by the applications),

You can use input testing to work this stuff out; like, I have quite a bit of the Word file headers mapped, and the half-arsed filesystem that Office uses. You can map dependent functions and vulnerable functions, all by just tossing random data at it and then seeing the results, although I have yet to compare my 'results' to my mate's, who has reversed the DLL :) - I wonder how it will stack up.

I'm not too sure why I sent this mail, heh, bring on the flames.

cheers,
dj.

On 11/07/06, naveed <naveedafzal () gmail com> wrote:
> Last Friday I posted a POC regarding the Microsoft Office mso.dll
> <snip>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
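As an added illustration (not code from the thread or from either poster), here is a Python sketch of the two pieces of harness DJ describes: integer-boundary and random byte mutations of a seed template, and bucketing crashes by their top stack frames so that thousands of crashing files collapse into a much smaller set of distinct bugs. The seed bytes, field offset and frame names are constructed placeholders; a real harness would take them from minimal template files and a debugger's crash report.

```python
import hashlib
import random
import struct

# Constructed seed standing in for one of the two templates; a real seed
# would be a minimal .doc saved from the application (this is not one).
SEED = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(range(40))

# Boundary values that shake out length/count fields and signed/unsigned
# confusion: zero, all-ones (-1 if read as signed), and the sign-bit edges.
BOUNDARIES = {
    2: [0x0000, 0xFFFF, 0x7FFF, 0x8000],
    4: [0x00000000, 0xFFFFFFFF, 0x7FFFFFFF, 0x80000000],
}

def integer_mutations(seed: bytes, offset: int):
    """Yield one variant per boundary value, written little-endian over the
    2- or 4-byte field at `offset` (Office binary formats are little-endian)."""
    for width, values in BOUNDARIES.items():
        if offset + width > len(seed):
            continue
        fmt = "<H" if width == 2 else "<I"
        for v in values:
            yield seed[:offset] + struct.pack(fmt, v) + seed[offset + width:]

def random_mutation(seed: bytes, rng: random.Random, nbytes: int = 4) -> bytes:
    """Dumb mutation: overwrite a few random positions with random bytes."""
    buf = bytearray(seed)
    for _ in range(nbytes):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def crash_bucket(frames, depth: int = 3) -> str:
    """Bucket a crash by its top `depth` symbolic frames; crashes that share
    a bucket are treated as the same underlying bug during triage."""
    key = "|".join(frames[:depth])
    return hashlib.sha1(key.encode()).hexdigest()[:12]

def count_unique(crash_reports) -> int:
    """crash_reports: iterable of (filename, frames). Returns distinct buckets."""
    return len({crash_bucket(frames) for _, frames in crash_reports})

if __name__ == "__main__":
    # Constructed crash reports with hypothetical frame names.
    reports = [
        ("a.doc", ["parse_fib", "read_table", "memcpy"]),
        ("b.doc", ["parse_fib", "read_table", "memcpy", "main"]),
        ("c.doc", ["parse_piece_table", "grow_buf", "memcpy"]),
    ]
    print(len(list(integer_mutations(SEED, 8))), "variants;",
          count_unique(reports), "distinct crashes from", len(reports), "files")
```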