Date: Wed, 24 Oct 2012 14:23:11 +0200
From: Mario Vilas <mvilas@...il.com>
To: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Office Word 2010 Stack Overflow

stack overflow != stack buffer overflow

On Wed, Oct 24, 2012 at 3:41 AM, kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com> wrote:

> Title     :  Microsoft Office Word 2010 Stack Overflow
> Version   :  Microsoft Office professional Plus 2010
> Date      :  2012-10-23
> Vendor    :  http://office.microsoft.com
> Impact    :  Med/High
> Contact   :  coolkaveh [at] rocketmail.com
> Twitter   :  @coolkaveh
> tested    :  XP SP3 ENG
>
> ###############################################################################
> Bug :
> ----
> Stack overflow during the handling of .doc files; a context-dependent
> attacker can execute arbitrary code.
> ----
>
> ################################################################################
> (be0.59c): Stack overflow - code c00000fd (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=00032000
> ebx=00000000
> ecx=00032fe4
> edx=000024bc
> esi=008b8974
> edi=0753e000
> eip=316d458e
> esp=000380f0
> ebp=000380f8 iopl=0         nv up ei pl nz na pe nc
> cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
> efl=00010206
> *** ERROR: Symbol file could not be found.  Defaulted to export
> symbols for C:\Program Files\Microsoft Office\Office14\wwlib.dll -
> wwlib+0x458e:
> 316d458e 8500            test    dword ptr [eax],eax
>  ds:0023:00032000=00000000
> 0:000>!exploitable -v
> eax=00032000 ebx=00000000 ecx=00032fe4 edx=000024bc esi=008b8974 edi=0753e000
> eip=316d458e esp=000380f0 ebp=000380f8 iopl=0         nv up ei pl nz na pe nc
> cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
> efl=00010206
> wwlib+0x458e:
> 316d458e 8500            test    dword ptr [eax],eax
>  ds:0023:00032000=00000000
> HostMachine\HostUser
> Executing Processor Architecture is x86
> Debuggee is in User Mode
> Debuggee is a live user mode debugging session on the local machine
> Event Type: Exception
> *** ERROR: Symbol file could not be found.  Defaulted to export
> symbols for ntdll.dll -
> *** ERROR: Symbol file could not be found.  Defaulted to export
> symbols for C:\Program Files\Common Files\Microsoft
> Shared\OFFICE14\MSPTLS.DLL -
> Exception Faulting Address: 0x316d458e
> First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)
>
> Faulting Instruction:316d458e test dword ptr [eax],eax
>
> Basic Block:
>     316d458e test dword ptr [eax],eax
>        Tainted Input Operands: eax
>     316d4590 jmp wwlib+0x4585 (316d4585)
>
> Exception Hash (Major/Minor): 0x7513030e.0x2d6c2e72
>
> Stack Trace:
> wwlib+0x458e
> wwlib!GetAllocCounters+0x78520
> wwlib!GetAllocCounters+0x90f89
> wwlib!GetAllocCounters+0x134cf
> wwlib!DllGetLCID+0x6451eb
> wwlib!DllGetLCID+0x645c74
> wwlib!DllGetLCID+0x29b461
> wwlib!DllGetLCID+0x531d6
> wwlib!DllGetLCID+0x2c1272
> wwlib!DllGetLCID+0x141bf9
> wwlib!DllGetLCID+0x1d1144
> wwlib!DllGetLCID+0x1d05ae
> MSPTLS!LsLwMultDivR+0x101e7
> MSPTLS!LsLwMultDivR+0x10afb
> MSPTLS!LsLwMultDivR+0x10c5e
> MSPTLS!LsLwMultDivR+0x10ec8
> MSPTLS!FsTransformBbox+0xe137
> MSPTLS!LsLwMultDivR+0x24ac6
> MSPTLS!LsLwMultDivR+0x27d0
> MSPTLS!LsLwMultDivR+0x25470
> MSPTLS!LsLwMultDivR+0x25642
> MSPTLS!LsLwMultDivR+0x259ad
> MSPTLS!LsLwMultDivR+0x2a64
> MSPTLS!LsLwMultDivR+0x3201
> MSPTLS!FsTransformBbox+0x74ae
> MSPTLS!FsTransformBbox+0x7e28
> MSPTLS!FsCreateSubpageFinite+0xad
> wwlib!DllGetLCID+0x541fc
> wwlib!DllGetLCID+0x54037
> MSPTLS!LsLwMultDivR+0x4e92
> MSPTLS!LsLwMultDivR+0x29070
> MSPTLS!LsLwMultDivR+0x285b0
> MSPTLS!LsLwMultDivR+0x5fa3
> MSPTLS!LsLwMultDivR+0x6816
> MSPTLS!FsTransformBbox+0xb8c1
> MSPTLS!FsQueryTableObjFigureListWord+0x2a0
> MSPTLS!LsLwMultDivR+0x101e7
> MSPTLS!LsLwMultDivR+0x10afb
> MSPTLS!LsLwMultDivR+0x10c5e
> MSPTLS!LsLwMultDivR+0x10ec8
> MSPTLS!FsTransformBbox+0xe137
> MSPTLS!LsLwMultDivR+0x24ac6
> MSPTLS!LsLwMultDivR+0x27d0
> MSPTLS!LsLwMultDivR+0x25470
> MSPTLS!LsLwMultDivR+0x25642
> MSPTLS!LsLwMultDivR+0x259ad
> MSPTLS!LsLwMultDivR+0x2a64
> MSPTLS!LsLwMultDivR+0x3201
> MSPTLS!FsTransformBbox+0x74ae
> MSPTLS!FsTransformBbox+0x7e28
> MSPTLS!FsCreateSubpageFinite+0xad
> wwlib!DllGetLCID+0x1d07f0
> MSPTLS!LsLwMultDivR+0x101e7
> MSPTLS!LsLwMultDivR+0x10afb
> MSPTLS!LsLwMultDivR+0x10c5e
> MSPTLS!LsLwMultDivR+0x10ec8
> MSPTLS!FsTransformBbox+0xe137
> MSPTLS!LsLwMultDivR+0x24ac6
> MSPTLS!LsLwMultDivR+0x27d0
> MSPTLS!LsLwMultDivR+0x25470
> MSPTLS!LsLwMultDivR+0x25642
> MSPTLS!LsLwMultDivR+0x259ad
> MSPTLS!LsLwMultDivR+0x2a64
> MSPTLS!LsLwMultDivR+0x3201
> Instruction Address: 0x00000000316d458e
> Description: Stack Overflow
> Short Description: StackOverflow
> Recommended Bug Title: Stack Overflow starting at
> wwlib+0x000000000000458e (Hash=0x7513030e.0x2d6c2e72)
>
> ##############################################################################################################
> Proof of concept poc.rar included.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
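Mario's one-liner is the triage point: an exception code of 0xC00000FD raised on a stack-probe instruction (`test dword ptr [eax],eax` followed by a backward jmp, as in the quoted basic block) with a call chain that cycles through the same frames is stack exhaustion from recursion, which crashes the process, not a stack buffer overflow that corrupts a return address. As an added example that is not part of the thread, a small Python triage helper that applies that rule to a constructed excerpt of the quoted dump (the crash-type strings and the 0xC0000409 /GS case are my own labels, not !exploitable output):

```python
import re
from collections import Counter

# Constructed excerpt of the WinDbg / !exploitable output quoted in the post,
# abbreviated to the lines the classifier looks at; not a fresh capture.
SAMPLE_DUMP = """\
(be0.59c): Stack overflow - code c00000fd (first chance)
316d458e 8500            test    dword ptr [eax],eax
First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)
Stack Trace:
wwlib+0x458e
wwlib!GetAllocCounters+0x78520
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!FsCreateSubpageFinite+0xad
wwlib!DllGetLCID+0x1d07f0
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
MSPTLS!FsCreateSubpageFinite+0xad
wwlib!DllGetLCID+0x1d07f0
MSPTLS!LsLwMultDivR+0x101e7
MSPTLS!LsLwMultDivR+0x10afb
"""

EXC_RE = re.compile(r"code\s+([0-9a-fA-F]{8})")          # "... - code c00000fd"
PROBE_RE = re.compile(r"test\s+dword ptr \[e(?:ax|sp)\],e(?:ax|sp)")  # stack-probe touch

def parse_dump(text):
    """Return (exception code, probe instruction seen?, list of stack frames)."""
    code, probe, frames, in_trace = None, False, [], False
    for line in text.splitlines():
        m = EXC_RE.search(line)
        if m and code is None:
            code = int(m.group(1), 16)
        if PROBE_RE.search(line):
            probe = True
        if line.startswith("Stack Trace:"):
            in_trace = True
            continue
        if in_trace and ("!" in line or "+0x" in line):
            frames.append(line.strip())
    return code, probe, frames

def classify(text):
    """Coarse crash triage: exhaustion vs. detected stack-buffer overrun vs. unknown."""
    code, probe, frames = parse_dump(text)
    repeats = max(Counter(frames).values(), default=0)
    if code == 0xC00000FD and (probe or repeats >= 3):
        return "stack-exhaustion"    # deep recursion or huge frame: DoS-class
    if code == 0xC0000409:
        return "gs-cookie-failure"   # /GS caught a real stack buffer overrun
    return "unclassified"
```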
