lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4C8EE077.1060206@secniche.org>
Date: Mon, 13 Sep 2010 22:39:51 -0400
From: Aditya K Sood <adi_ks@...niche.org>
To: bugtraq@...urityfocus.com
Cc: cve@...re.org
Subject: CVE-2010-3200 : Microsoft Word 2003 MSO Null Pointer Dereference
 Vulnerability


Advisory
Microsoft Word 2003 MSO Null Pointer Dereference Vulnerability

CVE: 2010-3200

Version
Word 2003 (SP3) 11.8326.11.8324 tested on windows XP SP2/SP3

Details :

A null pointer dereference vulnerability has been noticed in MS Word.The
exception results in the MSO.dll library which fails to handle the
special crafted buffer in a file.The issue can be potentially triggered
by openinga malicious word file which resulted in a null pointer
exception due to invalid memory read.

Note: It has intermediate impact because if system is running (n) number
of instance of MS Word , opening of this malicious doc file results in
crash of all the instances thereby completely subverting the
functionality of word.

The following state of registers and frames were noticed

eax=00000000 ebx=00000000 ecx=02711d68 edx=00000000 esi=00000000
edi=008c1b1c
eip=30f91fd7 esp=0013cca0 ebp=0013ccb4 iopl=0         nv up ei ng nz na
po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00210282
mso!Ordinal1033+0x3f4:
30f91fd7 8b481c          mov     ecx,dword ptr [eax+1Ch]
ds:0023:0000001c=????????

0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be
wrong.
0013ccb4 30f16d61 mso!Ordinal1033+0x3f4
0013ccdc 30ef266f mso!Ordinal2272+0xad
0013cdc8 30f16951 mso!Ordinal233+0x596
00000000 00000000 mso!Ordinal1307+0xc0e

0:000> u
mso!Ordinal1033+0x3f4:
30f91fd7 8b481c          mov     ecx,dword ptr [eax+1Ch]
30f91fda f6c101          test    cl,1
30f91fdd 0f85f3b20900    jne     mso!Ordinal2868+0x2eb87 (3102d2d6)
30f91fe3 8b701c          mov     esi,dword ptr [eax+1Ch]
30f91fe6 83e601          and     esi,1
30f91fe9 753a            jne     mso!Ordinal1033+0x442 (30f92025)
30f91feb 8b4848          mov     ecx,dword ptr [eax+48h]
30f91fee 2bd1            sub     edx,ecx

Basic Block:
    30f91fd7 mov ecx,dword ptr [eax+1ch]
       Tainted Input Operands: eax
    30f91fda test cl,1
       Tainted Input Operands: cl
    30f91fdd jne mso!ordinal2868+0x2eb87 (3102d2d6)
       Tainted Input Operands: ZeroFlag

Proof of Concept
The required proof of concept is available on below mentioned link
http://www.secniche.org/word_crash_11.8326.8324_poc.zip

Vendor Response:
The vulnerability was reported to Microsoft. Due to the nature of
inherent crash no separate bulletin will be released. In the next
release of development this issue will be patched or corrected.

Regards
Aditya K Sood

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ