| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Dec 2006 19:44:38 +0100
From: Joxean Koret <joxeankoret@...oo.es>
To: Disco Jonny <discojonny@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
Fuzzing List <fuzzing@...testar.linuxbox.org>,
bugtraq@...urityfocus.com, "L. M. H" <lmh@...o-pull.com>
Subject: Re: [fuzzing] OWASP Fuzzing page
Wow! That's fun! The so called "Word 0 day" flaw also affects
OpenOffice.org! At least, 1.1.3. And, oh! Abiword does something cool
with the file:
joxean@...eankoret $ abiword 12122006-djtest.doc
** (AbiWord-2.2:24313): WARNING **: Invalid seek
** (AbiWord-2.2:24313): WARNING **: Invalid seek
** (AbiWord-2.2:24313): WARNING **: Invalid seek
** (AbiWord-2.2:24313): WARNING **: Invalid seek
joxean@...eankoret $ ooffice 12122006-djtest.doc
OpenOffice.org lockfile found (/home/joxean/.openoffice/1.1.3/.lock)
Using existing OpenOffice.org
Application Errorsh: line 1: crash_report: command not found
Application Error
Fatal exception: Signal 6
Stack:
/usr/lib/openoffice/program/libsal.so.3[0xb72e13ec]
/usr/lib/openoffice/program/libsal.so.3[0xb72e1579]
/usr/lib/openoffice/program/libsal.so.3[0xb72e1644]
[0xffffe420]
/lib/tls/libc.so.6(abort+0x1d2)[0xb6c2cfa2]
/usr/lib/openoffice/program/libvcl645li.so[0xb7fadd3b]
/usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5AbortERK6String+0x1f)[0xb7df3997]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt
+0x53)[0x8063029]
/usr/lib/openoffice/program/libvcl645li.so(_ZN23ImplVCLExceptionHandler6signalEP13oslSignalInfo+0xb2)[0xb7df894e]
/usr/lib/openoffice/program/libvos3gcc3.so(_ZN3vos28_cpp_OSignalHandler_FunctionEPvP13oslSignalInfo+0x18)[0xb750b2f6]
/usr/lib/openoffice/program/libvos3gcc3.so(_Z24_OSignalHandler_FunctionPvP13oslSignalInfo+0x26)[0xb750b2d6]
/usr/lib/openoffice/program/libsal.so.3[0xb72e1496]
/usr/lib/openoffice/program/libsal.so.3[0xb72e1625]
[0xffffe420]
/lib/tls/libc.so.6(abort+0x1d2)[0xb6c2cfa2]
/usr/lib/openoffice/program/libvcl645li.so[0xb7fadd3b]
/usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5AbortERK6String+0x1f)[0xb7df3997]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt
+0x174)[0x806314a]
/usr/lib/openoffice/program/libsfx645li.so(_Z18SfxNewHandler_Implv
+0x60)[0xb3042e46]
/usr/lib/openoffice/program/soffice.bin[0x80869cf]
/usr/lib/openoffice/program/soffice.bin(_Znaj+0x2f)[0x8086b61]
/usr/lib/openoffice/program/libsw645li.so[0xb1422b5e]
/usr/lib/openoffice/program/libsw645li.so[0xb1422a69]
/usr/lib/openoffice/program/libsw645li.so[0xb14243f2]
/usr/lib/openoffice/program/libsw645li.so[0xb1425022]
/usr/lib/openoffice/program/libsw645li.so[0xb14212df]
/usr/lib/openoffice/program/libsw645li.so[0xb13e59c0]
/usr/lib/openoffice/program/libsw645li.so[0xb13e7f7c]
/usr/lib/openoffice/program/libsw645li.so[0xb13e813d]
/usr/lib/openoffice/program/libsw645li.so[0xb12cc513]
/usr/lib/openoffice/program/libsw645li.so[0xb147cc4e]
/usr/lib/openoffice/program/libsfx645li.so(_ZN14SfxObjectShell6DoLoadEP9SfxMedium+0xa15)[0xb2eae69d]
/usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl4LoadEPK16SfxObjectFactory+0x563)[0xb2e2d1ef]
/usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl17LoadDataAvailableEv+0x1f3)[0xb2e2eb8d]
/usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl17LoadDataAvailableEv+0x39e)[0xb2e2ed38]
/usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl5StartEv+0x7ca)[0xb2e2c3ba]
/usr/lib/openoffice/program/libsfx645li.so(_ZN19SfxFrameLoader_Impl4loadERKN3com3sun4star3uno8SequenceINS2_5beans13PropertyValueEEERKNS3_9ReferenceINS2_5frame6XFrameEEE+0x2361)[0xb2f10bb3]
/usr/lib/openoffice/program/libfwk645li.so[0xb224207a]
/usr/lib/openoffice/program/libfwk645li.so[0xb22485e4]
/usr/lib/openoffice/program/libfwk645li.so[0xb223bb1c]
/usr/lib/openoffice/program/libfwk645li.so[0xb225662c]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop15DispatchWatcher23executeDispatchRequestsERKN4_STL6vectorINS0_15DispatchRequestENS1_9allocatorIS3_EEEE+0x230c)[0x807a34c]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop15OfficeIPCThread22ExecuteCmdLineRequestsERNS_23ProcessDocumentsRequestE+0x17f)[0x807138d]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop11OpenClientsEv+0x1ef6)[0x80681d4]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop16OpenClients_ImplEPv+0x11)[0x8065ee7]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop24LinkStubOpenClients_ImplEPvS1_+0x18)[0x8065ed2]
/usr/lib/openoffice/program/libvcl645li.so[0xb7f49674]
/usr/lib/openoffice/program/libvcl645li.so(_Z19ImplWindowFrameProcPvP8SalFrametPKv+0x44e)[0xb7f49fc2]
/usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN10SalDisplay21DispatchInternalEventEv+0xd9)[0xb618ad45]
/usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN13SalX11Display5YieldEh+0x28)[0xb618ad80]
/usr/lib/openoffice/program/libvclplug_gen645li.so[0xb6186b28]
/usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN7SalXLib5YieldEh
+0x1d3)[0xb61855db]
/usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN14X11SalInstance5YieldEh+0x31)[0xb618e49b]
/usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5YieldEv
+0x64)[0xb7df3baa]
/usr/lib/openoffice/program/libvcl645li.so(_ZN11Application7ExecuteEv
+0x35)[0xb7df3ab7]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop4MainEv
+0x1f56)[0x8065446]
/usr/lib/openoffice/program/libvcl645li.so(_Z6SVMainv+0x4a)[0xb7df89bc]
/usr/lib/openoffice/program/libvcl645li.so(main+0x4c)[0xb7fade6c]
/lib/tls/libc.so.6(__libc_start_main+0xf4)[0xb6c18974]
/usr/lib/openoffice/program/soffice.bin(_ZN6Window11RequestHelpERK9HelpEvent+0x31)[0x805e161]
Aborted
I'm using OpenOffice.org 1.1.3 (Distributed with Debian Sarge 3.1). I
will play a little with the POC to view if it affects OOffice in a way
that code execution is possible.
---
Joxean Koret
> for something a little more technical
>
> This is an email I sent someone else. (sorry mate, ill give a few
> other ones for the 'project' :) )
>
> I do not know of any fuzzer that would find this. I do not know of
> any fuzzing method, except the one I use that would find this.
>
> =====
> The file I have attached is a very basic two stage bug. stage 1 (the
> first mod) forces the code down a wrong path. the second mod by
> itsself is harmless, however when used with the first it will be the
> first and part of the second overwrite.
>
> I have use 41414141 as a marker to make it easier for you to see.
>
> I have made it crash the wordviewer again to make it more obvious
>
> Weight,
> location: 00000274
> value : 00000022 - just so it crashes, values 00000001 -> 00000006
> are probably the most useful for trying to overwrite a pointer. notice
> that neighbouring areas can be weighted the same.
>
> marker,
> location: 000027e4
> value : 41414141
>
> the weight destination address == ((weight * 4[this is EDI]) + 4
> [ECX*4]) + source memory offest[ESI].
>
> [also the meta data is microsofts, not mine]
> ======
>
> bug hugs,
>
> disco.
> _______________________________________________
> fuzzing mailing list
> fuzzing@...testar.linuxbox.org
> http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing
--
-----------------------------------
Agian, agian, egün batez
jeikiko dira egiazko Ziberotarrak,
egiazko eüskaldünak,
tirano arrotzen hiltzeko
eta gure aiten aitek ützi daikien
lurraren popüliari erremetitzeko.
-----------------------------------
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists