Re: Bug in Microsoft Word

[Bahaa Naamneh <b_naamneh () hotmail com>]

In-Reply-To: <oprwngn1zgab5ge7 () smtp2 adsl ya com>

This pattern

00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01
00 00 00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c
01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00

can be found, I think ,in most of the office 2002 versions. I have found this pattern in two versions 
2002(10.2627.3311) and 2002(10.5522.4219)SP-2


in some versions like version[2002 (10.2627.2625)] this pattern exist:

00 00 00 00 00 00 97 02 00 00 34 00 00 00 69 02 00 00 00 00 00 00 69
or
00 00 00 00 00 00 97 02 00 00 38 00 00 00 69 02 00 00 00 00 00 00 69

if you replace it with:

62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62

it will crash because of divide by zero.

but if you change it to 

00 00 00 00 00 00 97 02 00 00 34 00 00 00 69 02 00 00 00 00 00 62 69

You'll be able to see an access violation such as:

301D33D7   mov  ecx,dword ptr [eax]


 EAX = 00200072 EBX = 00000002
 ECX = 009E366C EDX = 00000000
 ESI = 009D0288 EDI = 00000000
 EIP = 301D33D7 ESP = 00126364
 EBP = 00000000 EFL = 00000206


------------------------
Bahaa Naamneh
http://www.bsecurity.tk


> Received: (qmail 18777 invoked from network); 8 Oct 2003 13:41:44 -0000
> Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 8 Oct 2003 13:41:44 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id ED648A3281; Wed,  8 Oct 2003 07:48:43 -0600 (MDT)
> Mailing-List: contact vuln-dev-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <vuln-dev.list-id.securityfocus.com>
> List-Post: <mailto:vuln-dev () securityfocus com>
> List-Help: <mailto:vuln-dev-help () securityfocus com>
> List-Unsubscribe: <mailto:vuln-dev-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:vuln-dev-subscribe () securityfocus com>
> Delivered-To: mailing list vuln-dev () securityfocus com
> Delivered-To: moderator for vuln-dev () securityfocus com
> Received: (qmail 28158 invoked from network); 6 Oct 2003 19:44:47 -0000
> Date: Tue, 07 Oct 2003 03:49:03 +0200
> To: "vuln-dev () securityfocus com" <vuln-dev () securityfocus com>
> Subject: Re: Bug in Microsoft Word
> From: Pedro Jota Calvorota <calvorota () ya com>
> Organization: Calvos Unidos
> Content-Type: text/plain; format=flowed; charset=iso-8859-15
> MIME-Version: 1.0
> Content-Transfer-Encoding: 8bit
> Message-ID: <oprwngn1zgab5ge7 () smtp2 adsl ya com>
> User-Agent: Opera7.20/Win32 M2 build 3144
>
> I would like to make you notice two things:
>
> - I downloaded the doc file from 
> http://www12.brinkster.com/bsecurity/Doc1.doc  and checked it with MS 
> Ofcicce XP version and it crashes. Oddly if i do it with word97, it 
> doesn't not crash but shows the cursor at the end of the first line :|
>
> - I just can't find the pattern
>
> 00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01
> 00 00 00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c
> 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00
>
> in any doc i create, word97, or XP... is it the same in any varsion? i 
> don't even find de "b4 01" pattern to be able to modify the EAX register.
>
> Can you explain it a little deeper?
>
> Thanks a lot.
>
> -- 
> Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/