lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue Jul 11 13:52:58 2006
From: discojonny at gmail.com (Disco Jonny)
Subject: Fuzzing Microsoft Office

hi,

Im not too sure the point of your post but there u go.

>One can easily identify some new problems while experimenting this stuff.

mate if you care, or give a shit.  I have over 300 *different* crashes
in word ( total over 5k files that crash word), from using two basic
templates and then fuzzing them ( i hate to think whats gonna happen
when i move off paragraphs and bullet points/numbered lists.) - so
more the point is if an application the size of office has not been
properly tested from the very start, then you are now fucked, you
cannot get that ground back.  which is why we are seeing a high number
of bugs.

I am getting on average 10 - 15 new independent bugs a day.  I dont
have time to see which are exploitable and which arnt, so i am
automating a lot of this process at the moment too.

Word docs seem to have a high number of integer reliance from the file
format - these are the main issues i am finding. although signedness
comes next - i find very few heuristic style bugs - the click this
link exploit in excel would be a good example of a heuristic style bug
- I wonder if when i start to use more indepth functions then I will
see more of the lower hanging fruit.

I am not working at full pelt yet, but i am testing approx 120,000
files a day.  I am increasing the the processing power i am giving to
the classification of these bugs. (with 2 p4, 1gig ram 80gb hdd
machines i can at best do 2,000,000 word files per day, and hopefully
more when i rewrite the perl for c)

[just for the record, i am not trying to find exploits in word its
self perse but i am testing my test harness]

> The problem of generating the specially crafted files is not a big
> issue, it was assumed that one should know the binary file format in
> order to generate some "valid document" (one which is parsable by the
> applications),

You can use input testing to work this stuff out, like i have quite a
bit of the word file headers mapped, and the half arsed filesystem
that office uses, you can map dependant functions and vulnerable
functions, all with just tossing random data at it then seeing the
results.

although i have yet to compare my 'results' to my mate, who has
reversed the dll :) - i wonder how it will stack up.

im not too sure why i sent this mail, heh, bring on the flames.

cheers,

dj.

On 11/07/06, naveed <naveedafzal@...il.com> wrote:
> Last friday I have posted a POC regarding the microsoft office mso.dll
<snip>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ