lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue Jul 11 14:10:24 2006
From: naveedafzal at gmail.com (naveed)
Subject: Fuzzing Microsoft Office

>>what does your post introduce new ???
it was not meant to introduce something new rather just a few
observations , ok you are THE MASTER , but everyone is not !!

> they = kcope , you , and some around there , those posting some crap POC
> on FD without to know what they did really found (exploitable or not ,
> you arent able determine the severity yourself .whah)

and some of you selling the similar kind of modified crap to ZDI and
others ... whah ...
sorry if that hurt you but kids sometimes annoy !

I do not argue with you , no doubt you are much more knowledgeable
than us but you can say those few things in a better way.

Regards

On 7/11/06, ad@...poverflow.com <ad@...poverflow.com> wrote:
> and ? what does your post introduce new ??? nothing new-bie....
>
>  >it has been noticed that people fuzzing the documents and
>  >afterwards they don't know which type of error it is.
>
> they = kcope , you , and some around there , those posting some crap POC
> on FD without to know what they did really found (exploitable or not ,
> you arent able determine the severity yourself .whah), without informing
> MS , kids.  Hopefully , the largest part of the security workers aren't
> so "mongol" than you.
>
> Bye
>
>
>
> naveed wrote:
> > Last friday I have posted a POC regarding the microsoft office mso.dll
> > boundary condition error, i have checked the code flow of mso_203 and
> > it was producing access violation errors which i have sent to bugtraq
> > and FD , microsoft's MSRC blog has been updated at
> > http://blogs.technet.com/msrc/archive/2006/07/10/441006.aspx  stating
> > that the vulnerability is not remotely exploitable , that is true.
> > However while checking a bunch of fuzzed documents several other
> > problems have been noticed, even other people have reported the issues
> > with different office applications. Some of them were able to
> > reproduce the issue and they are exploitable others may not be.
> > Microsoft Office vulnerabilities are not new but recently interest is
> > increased , it has been noticed that people fuzzing the documents and
> > afterwards they don't know which type of error it is or whether the
> > vulnerability is exploitable or not !!. Just note how many 0-days have
> > been reported in the past few months in MS Office products. It is
> > interesting to see that most of these vulnerabilities are directly or
> > indirectly related to fuzzing and or changing the normal behavior of
> > documents.
> >
> > If we take the example of this recently discovered HLINK.DLL buffer
> > overflow flaw , the kcope who reported it used the Perl's Excel
> > worksheet generator to generate a long URL string in the worksheet,
> > interestingly Microsoft Office does not allow you to generate the
> > hyperlinks with such long strings (usually restricted to 256 bytes) ,
> > even the OLE automation restricts you but the Microsoft's binary file
> > format does not have such restrictions for "hyperlink" objects, maybe
> > it was assumed that library is safe since office is not allowing the
> > users to have such nasty url's.
> >
> > The problem of generating the specially crafted files is not a big
> > issue, it was assumed that one should know the binary file format in
> > order to generate some "valid document" (one which is parsable by the
> > applications), but the Perl's library is just an example, nanika
> > posted another style sheet flaw in ms excel which looks like the
> > result of an exercise with same library.
> >
> > Few days back the same exploit was released for MS Word , it is also
> > interesting that 3rd party libraries are not that much restrictive
> > when producing the MS Office compatible files, they allow you to do
> > some really funny stuff. For example it is an open question that why
> > OpenOffice developer's decided to accept a url string of say 20,000
> > bytes (perhaps of indefinite length) ?? One can easily identify some
> > new problems while experimenting this stuff.
> >
> >
> > ---------------------
> > Naveed Afzal
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ