lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1165949078.24129.7.camel@localhost.localdomain>
Date: Tue, 12 Dec 2006 19:44:38 +0100
From: Joxean Koret <joxeankoret@...oo.es>
To: Disco Jonny <discojonny@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	Fuzzing List <fuzzing@...testar.linuxbox.org>,
	bugtraq@...urityfocus.com, "L. M. H" <lmh@...o-pull.com>
Subject: Re: [fuzzing] OWASP Fuzzing page


Wow! That's fun! The so called "Word 0 day" flaw also affects
OpenOffice.org! At least, 1.1.3. And, oh! Abiword does something cool
with the file:

joxean@...eankoret $ abiword 12122006-djtest.doc

** (AbiWord-2.2:24313): WARNING **: Invalid seek

** (AbiWord-2.2:24313): WARNING **: Invalid seek

** (AbiWord-2.2:24313): WARNING **: Invalid seek

** (AbiWord-2.2:24313): WARNING **: Invalid seek
joxean@...eankoret $ ooffice 12122006-djtest.doc
OpenOffice.org lockfile found (/home/joxean/.openoffice/1.1.3/.lock)
Using existing OpenOffice.org
Application Errorsh: line 1: crash_report: command not found
Application Error

Fatal exception: Signal 6
Stack:
/usr/lib/openoffice/program/libsal.so.3[0xb72e13ec]
/usr/lib/openoffice/program/libsal.so.3[0xb72e1579]
/usr/lib/openoffice/program/libsal.so.3[0xb72e1644]
[0xffffe420]
/lib/tls/libc.so.6(abort+0x1d2)[0xb6c2cfa2]
/usr/lib/openoffice/program/libvcl645li.so[0xb7fadd3b]
/usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5AbortERK6String+0x1f)[0xb7df3997]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt
+0x53)[0x8063029]
/usr/lib/openoffice/program/libvcl645li.so(_ZN23ImplVCLExceptionHandler6signalEP13oslSignalInfo+0xb2)[0xb7df894e]
/usr/lib/openoffice/program/libvos3gcc3.so(_ZN3vos28_cpp_OSignalHandler_FunctionEPvP13oslSignalInfo+0x18)[0xb750b2f6]
/usr/lib/openoffice/program/libvos3gcc3.so(_Z24_OSignalHandler_FunctionPvP13oslSignalInfo+0x26)[0xb750b2d6]
/usr/lib/openoffice/program/libsal.so.3[0xb72e1496]
/usr/lib/openoffice/program/libsal.so.3[0xb72e1625]
[0xffffe420]
/lib/tls/libc.so.6(abort+0x1d2)[0xb6c2cfa2]
/usr/lib/openoffice/program/libvcl645li.so[0xb7fadd3b]
/usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5AbortERK6String+0x1f)[0xb7df3997]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt
+0x174)[0x806314a]
/usr/lib/openoffice/program/libsfx645li.so(_Z18SfxNewHandler_Implv
+0x60)[0xb3042e46]
/usr/lib/openoffice/program/soffice.bin[0x80869cf]
/usr/lib/openoffice/program/soffice.bin(_Znaj+0x2f)[0x8086b61]
/usr/lib/openoffice/program/libsw645li.so[0xb1422b5e]
/usr/lib/openoffice/program/libsw645li.so[0xb1422a69]
/usr/lib/openoffice/program/libsw645li.so[0xb14243f2]
/usr/lib/openoffice/program/libsw645li.so[0xb1425022]
/usr/lib/openoffice/program/libsw645li.so[0xb14212df]
/usr/lib/openoffice/program/libsw645li.so[0xb13e59c0]
/usr/lib/openoffice/program/libsw645li.so[0xb13e7f7c]
/usr/lib/openoffice/program/libsw645li.so[0xb13e813d]
/usr/lib/openoffice/program/libsw645li.so[0xb12cc513]
/usr/lib/openoffice/program/libsw645li.so[0xb147cc4e]
/usr/lib/openoffice/program/libsfx645li.so(_ZN14SfxObjectShell6DoLoadEP9SfxMedium+0xa15)[0xb2eae69d]
/usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl4LoadEPK16SfxObjectFactory+0x563)[0xb2e2d1ef]
/usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl17LoadDataAvailableEv+0x1f3)[0xb2e2eb8d]
/usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl17LoadDataAvailableEv+0x39e)[0xb2e2ed38]
/usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl5StartEv+0x7ca)[0xb2e2c3ba]
/usr/lib/openoffice/program/libsfx645li.so(_ZN19SfxFrameLoader_Impl4loadERKN3com3sun4star3uno8SequenceINS2_5beans13PropertyValueEEERKNS3_9ReferenceINS2_5frame6XFrameEEE+0x2361)[0xb2f10bb3]
/usr/lib/openoffice/program/libfwk645li.so[0xb224207a]
/usr/lib/openoffice/program/libfwk645li.so[0xb22485e4]
/usr/lib/openoffice/program/libfwk645li.so[0xb223bb1c]
/usr/lib/openoffice/program/libfwk645li.so[0xb225662c]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop15DispatchWatcher23executeDispatchRequestsERKN4_STL6vectorINS0_15DispatchRequestENS1_9allocatorIS3_EEEE+0x230c)[0x807a34c]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop15OfficeIPCThread22ExecuteCmdLineRequestsERNS_23ProcessDocumentsRequestE+0x17f)[0x807138d]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop11OpenClientsEv+0x1ef6)[0x80681d4]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop16OpenClients_ImplEPv+0x11)[0x8065ee7]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop24LinkStubOpenClients_ImplEPvS1_+0x18)[0x8065ed2]
/usr/lib/openoffice/program/libvcl645li.so[0xb7f49674]
/usr/lib/openoffice/program/libvcl645li.so(_Z19ImplWindowFrameProcPvP8SalFrametPKv+0x44e)[0xb7f49fc2]
/usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN10SalDisplay21DispatchInternalEventEv+0xd9)[0xb618ad45]
/usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN13SalX11Display5YieldEh+0x28)[0xb618ad80]
/usr/lib/openoffice/program/libvclplug_gen645li.so[0xb6186b28]
/usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN7SalXLib5YieldEh
+0x1d3)[0xb61855db]
/usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN14X11SalInstance5YieldEh+0x31)[0xb618e49b]
/usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5YieldEv
+0x64)[0xb7df3baa]
/usr/lib/openoffice/program/libvcl645li.so(_ZN11Application7ExecuteEv
+0x35)[0xb7df3ab7]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop4MainEv
+0x1f56)[0x8065446]
/usr/lib/openoffice/program/libvcl645li.so(_Z6SVMainv+0x4a)[0xb7df89bc]
/usr/lib/openoffice/program/libvcl645li.so(main+0x4c)[0xb7fade6c]
/lib/tls/libc.so.6(__libc_start_main+0xf4)[0xb6c18974]
/usr/lib/openoffice/program/soffice.bin(_ZN6Window11RequestHelpERK9HelpEvent+0x31)[0x805e161]
Aborted

I'm using OpenOffice.org 1.1.3 (Distributed with Debian Sarge 3.1). I
will play a little with the POC to view if it affects OOffice in a way
that code execution is possible.

---
Joxean Koret

> for something a little more technical
> 
> This is an email I sent someone else. (sorry mate, ill give a few
> other ones for the 'project' :) )
> 
> I do not know of any fuzzer that would find this.  I do not know of
> any fuzzing method, except the one I use that would find this.
> 
> =====
> The file I have attached is a very basic two stage bug.  stage 1 (the
> first mod) forces the code down a wrong path.  the second mod by
> itsself is harmless, however when used with the first it will be the
> first and part of the second overwrite.
> 
> I have use 41414141 as a marker to make it easier for you to see.
> 
> I have made it crash the wordviewer again to make it more obvious
> 
> Weight,
> location: 00000274
> value   : 00000022 - just so it crashes, values 00000001 -> 00000006
> are probably the most useful for trying to overwrite a pointer. notice
> that neighbouring areas can be weighted the same.
> 
> marker,
> location: 000027e4
> value   : 41414141
> 
> the weight destination address == ((weight * 4[this is EDI]) + 4
> [ECX*4]) + source memory offest[ESI].
> 
> [also the meta data is microsofts, not mine]
> ======
> 
> bug hugs,
> 
> disco.
> _______________________________________________
> fuzzing mailing list
> fuzzing@...testar.linuxbox.org
> http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing
-- 
-----------------------------------
Agian, agian, egün batez
jeikiko dira egiazko Ziberotarrak,
egiazko eüskaldünak,
tirano arrotzen hiltzeko 
eta gure aiten aitek ützi daikien 
lurraren popüliari erremetitzeko.
-----------------------------------

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ