Full Disclosure mailing list archives

Re: Fuzzing Microsoft Office


From: "Disco Jonny" <discojonny () gmail com>
Date: Tue, 11 Jul 2006 13:52:49 +0100

hi,

I'm not too sure of the point of your post, but there you go.

One can easily identify some new problems while experimenting with this stuff.

Mate, if you care, or give a shit: I have over 300 *different* crashes
in Word (over 5k files in total that crash Word), from using two basic
templates and then fuzzing them (I hate to think what's gonna happen
when I move off paragraphs and bullet points/numbered lists). So,
more to the point, if an application the size of Office has not been
properly tested from the very start, then you are now fucked; you
cannot get that ground back. Which is why we are seeing a high number
of bugs.

I am getting on average 10-15 new independent bugs a day. I don't
have time to see which are exploitable and which aren't, so I am
automating a lot of this process at the moment too.

Word docs seem to have a high number of integer reliances in the file
format; these are the main issues I am finding, although signedness
comes next. I find very few heuristic-style bugs (the click-this-link
exploit in Excel would be a good example of a heuristic-style bug).
I wonder if, when I start to use more in-depth functions, I will
see more of the lower-hanging fruit.

I am not working at full pelt yet, but I am testing approx. 120,000
files a day. I am increasing the processing power I am giving to
the classification of these bugs. (With two P4, 1 GB RAM, 80 GB HDD
machines I can at best do 2,000,000 Word files per day, and hopefully
more when I rewrite the Perl in C.)

[Just for the record, I am not trying to find exploits in Word
itself per se, but I am testing my test harness.]

The problem of generating the specially crafted files is not a big
issue; it was assumed that one should know the binary file format in
order to generate some "valid document" (one which is parsable by the
applications).

You can use input testing to work this stuff out. For instance, I have
quite a bit of the Word file headers mapped, and the half-arsed
filesystem that Office uses; you can map dependent functions and
vulnerable functions, all by just tossing random data at it and then
seeing the results.

Although I have yet to compare my 'results' to my mate's, who has
reversed the DLL :) - I wonder how it will stack up.

I'm not too sure why I sent this mail, heh. Bring on the flames.

cheers,

dj.

On 11/07/06, naveed <naveedafzal () gmail com> wrote:
Last friday I have posted a POC regarding the microsoft office mso.dll
<snip>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
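The approach the post describes (take a couple of template .doc files, flip the integer fields that the file format relies on through signedness and width boundaries, run the result through Word, then collapse the thousands of crashing files into distinct bugs) can be illustrated with a small harness. The following is an added example and is not the poster's harness, nor code from Microsoft. It targets the OLE2 / Compound File Binary header that wraps a .doc (the "half-arsed filesystem"); the field offsets follow the published MS-CFB header layout, while the field names, the lists of "interesting" integers, the constructed seed header and the constructed crash records are this example's own assumptions. Writing the mutants out and driving Word under a debugger is left as a comment, since that part cannot run here.

```python
"""Added example (not from the original post or Microsoft): a mutation
fuzzer for the CFB header that wraps a Word .doc, plus a crash-bucketing
helper. Offsets follow the MS-CFB header layout; field names, boundary
value lists, the constructed seed and the sample crash records are
assumptions made for this example."""
import hashlib
import struct
from typing import Dict, Iterator, List, Tuple

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# (offset, struct format) of the fixed header fields, per MS-CFB section 2.2.
HEADER_FIELDS: Dict[str, Tuple[int, str]] = {
    "minor_version":        (24, "<H"),
    "major_version":        (26, "<H"),
    "byte_order":           (28, "<H"),
    "sector_shift":         (30, "<H"),
    "mini_sector_shift":    (32, "<H"),
    "num_dir_sectors":      (40, "<I"),
    "num_fat_sectors":      (44, "<I"),
    "first_dir_sector":     (48, "<I"),
    "mini_stream_cutoff":   (56, "<I"),
    "first_minifat_sector": (60, "<I"),
    "num_minifat_sectors":  (64, "<I"),
    "first_difat_sector":   (68, "<I"),
    "num_difat_sectors":    (72, "<I"),
}

# Boundary values chosen to exercise sign and width handling in the parser
# (zero, one, largest positive, smallest negative, all-ones for each width).
INTERESTING = {
    "<H": [0, 1, 0x7FFF, 0x8000, 0xFFFF],
    "<I": [0, 1, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF],
}


def parse_header(data: bytes) -> Dict[str, int]:
    """Decode the fixed header fields; raises if the signature is wrong."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB container")
    return {name: struct.unpack_from(fmt, data, off)[0]
            for name, (off, fmt) in HEADER_FIELDS.items()}


def mutate_header_ints(seed: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (label, mutated_file) for every header integer x boundary value.
    Each mutant changes exactly one field; the rest of the seed is intact."""
    buf = bytearray(seed)
    for name, (off, fmt) in HEADER_FIELDS.items():
        original = bytes(buf[off:off + struct.calcsize(fmt)])
        for value in INTERESTING[fmt]:
            struct.pack_into(fmt, buf, off, value)
            yield f"{name}={value:#x}", bytes(buf)
        buf[off:off + len(original)] = original   # restore before next field


def bucket_crashes(crashes: List[dict], depth: int = 3) -> Dict[str, List[str]]:
    """Group crash records by faulting module plus the top `depth` frames,
    so many crashing files collapse into a much smaller set of distinct bugs."""
    buckets: Dict[str, List[str]] = {}
    for c in crashes:
        key_src = c["module"] + "|" + "|".join(c["frames"][:depth])
        key = hashlib.sha1(key_src.encode()).hexdigest()[:12]
        buckets.setdefault(key, []).append(c["file"])
    return buckets


def build_seed() -> bytes:
    """Constructed 512-byte CFB header with no sectors behind it (a stand-in
    for a real template .doc, which would be used as the seed in practice)."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)      # versions, byte order, shifts
    struct.pack_into("<IIII", hdr, 40, 0, 1, 1, 0)                 # dir/FAT counts, first dir sector, txn
    struct.pack_into("<IIIII", hdr, 56, 4096, 0xFFFFFFFE, 0, 0xFFFFFFFE, 0)  # cutoff, miniFAT, DIFAT
    for i in range(109):                                           # empty DIFAT array
        struct.pack_into("<I", hdr, 76 + 4 * i, 0xFFFFFFFF)
    return bytes(hdr)


if __name__ == "__main__":
    seed = build_seed()
    print(parse_header(seed))
    mutants = list(mutate_header_ints(seed))
    print(len(mutants), "mutants, first:", mutants[0][0])
    # Next step outside this example: write each mutant to case_<label>.doc,
    # open it in Word under a debugger, and feed the crash records to bucket_crashes().
```

The header is only the first layer: the same mutate-by-field pattern applies to the FIB and the piece table inside the WordDocument stream once those offsets are mapped, and the bucketing key should be widened (more frames, or the faulting instruction) if unrelated crashes start landing in one bucket.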
