[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CADe7mMfPYjuZXmsi5xusR5vxKW1cL+52fA76E7eAb0g4ckTt+A@mail.gmail.com>
Date: Sat, 27 Oct 2012 23:20:59 +0330
From: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Office Word 2010 Stack Overflow
Dear Gynvael Coldwind , Peter Ferrie
Thanks for discuss and analyze
Regards
On Wed, Oct 24, 2012 at 5:08 AM, kaveh ghaemmaghami
<kavehghaemmaghami@...glemail.com> wrote:
> Title : Microsoft Office Word 2010 Stack Overflow
> Version : Microsoft Office professional Plus 2010
> Date : 2012-10-23
> Vendor : http://office.microsoft.com
> Impact : Med/High
> Contact : coolkaveh [at] rocketmail.com
> Twitter : @coolkaveh
> tested : XP SP3 ENG
> ###############################################################################
> Bug :
> ----
> Don't forget that exploitable bugs will be published after being patched
> ----
> StackOverflow during the handling of the doc files a context-dependent attacker
> can execute arbitrary code.
> ----
> ################################################################################
> (be0.59c): Stack overflow - code c00000fd (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=00032000
> ebx=00000000
> ecx=00032fe4
> edx=000024bc
> esi=008b8974
> edi=0753e000
> eip=316d458e
> esp=000380f0
> ebp=000380f8 iopl=0 nv up ei pl nz na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
> *** ERROR: Symbol file could not be found. Defaulted to export
> symbols for C:\Program Files\Microsoft Office\Office14\wwlib.dll -
> wwlib+0x458e:
> 316d458e 8500 test dword ptr [eax],eax ds:0023:00032000=00000000
> 0:000>!exploitable -v
> eax=00032000 ebx=00000000 ecx=00032fe4 edx=000024bc esi=008b8974 edi=0753e000
> eip=316d458e esp=000380f0 ebp=000380f8 iopl=0 nv up ei pl nz na pe nc
> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
> wwlib+0x458e:
> 316d458e 8500 test dword ptr [eax],eax ds:0023:00032000=00000000
> HostMachine\HostUser
> Executing Processor Architecture is x86
> Debuggee is in User Mode
> Debuggee is a live user mode debugging session on the local machine
> Event Type: Exception
> *** ERROR: Symbol file could not be found. Defaulted to export
> symbols for ntdll.dll -
> *** ERROR: Symbol file could not be found. Defaulted to export
> symbols for C:\Program Files\Common Files\Microsoft
> Shared\OFFICE14\MSPTLS.DLL -
> Exception Faulting Address: 0x316d458e
> First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)
>
> Faulting Instruction:316d458e test dword ptr [eax],eax
>
> Basic Block:
> 316d458e test dword ptr [eax],eax
> Tainted Input Operands: eax
> 316d4590 jmp wwlib+0x4585 (316d4585)
>
> Exception Hash (Major/Minor): 0x7513030e.0x2d6c2e72
>
> Stack Trace:
> wwlib+0x458e
> wwlib!GetAllocCounters+0x78520
> wwlib!GetAllocCounters+0x90f89
> wwlib!GetAllocCounters+0x134cf
> wwlib!DllGetLCID+0x6451eb
> wwlib!DllGetLCID+0x645c74
> wwlib!DllGetLCID+0x29b461
> wwlib!DllGetLCID+0x531d6
> wwlib!DllGetLCID+0x2c1272
> wwlib!DllGetLCID+0x141bf9
> wwlib!DllGetLCID+0x1d1144
> wwlib!DllGetLCID+0x1d05ae
> MSPTLS!LsLwMultDivR+0x101e7
> MSPTLS!LsLwMultDivR+0x10afb
> MSPTLS!LsLwMultDivR+0x10c5e
> MSPTLS!LsLwMultDivR+0x10ec8
> MSPTLS!FsTransformBbox+0xe137
> MSPTLS!LsLwMultDivR+0x24ac6
> MSPTLS!LsLwMultDivR+0x27d0
> MSPTLS!LsLwMultDivR+0x25470
> MSPTLS!LsLwMultDivR+0x25642
> MSPTLS!LsLwMultDivR+0x259ad
> MSPTLS!LsLwMultDivR+0x2a64
> MSPTLS!LsLwMultDivR+0x3201
> MSPTLS!FsTransformBbox+0x74ae
> MSPTLS!FsTransformBbox+0x7e28
> MSPTLS!FsCreateSubpageFinite+0xad
> wwlib!DllGetLCID+0x541fc
> wwlib!DllGetLCID+0x54037
> MSPTLS!LsLwMultDivR+0x4e92
> MSPTLS!LsLwMultDivR+0x29070
> MSPTLS!LsLwMultDivR+0x285b0
> MSPTLS!LsLwMultDivR+0x5fa3
> MSPTLS!LsLwMultDivR+0x6816
> MSPTLS!FsTransformBbox+0xb8c1
> MSPTLS!FsQueryTableObjFigureListWord+0x2a0
> MSPTLS!LsLwMultDivR+0x101e7
> MSPTLS!LsLwMultDivR+0x10afb
> MSPTLS!LsLwMultDivR+0x10c5e
> MSPTLS!LsLwMultDivR+0x10ec8
> MSPTLS!FsTransformBbox+0xe137
> MSPTLS!LsLwMultDivR+0x24ac6
> MSPTLS!LsLwMultDivR+0x27d0
> MSPTLS!LsLwMultDivR+0x25470
> MSPTLS!LsLwMultDivR+0x25642
> MSPTLS!LsLwMultDivR+0x259ad
> MSPTLS!LsLwMultDivR+0x2a64
> MSPTLS!LsLwMultDivR+0x3201
> MSPTLS!FsTransformBbox+0x74ae
> MSPTLS!FsTransformBbox+0x7e28
> MSPTLS!FsCreateSubpageFinite+0xad
> wwlib!DllGetLCID+0x1d07f0
> MSPTLS!LsLwMultDivR+0x101e7
> MSPTLS!LsLwMultDivR+0x10afb
> MSPTLS!LsLwMultDivR+0x10c5e
> MSPTLS!LsLwMultDivR+0x10ec8
> MSPTLS!FsTransformBbox+0xe137
> MSPTLS!LsLwMultDivR+0x24ac6
> MSPTLS!LsLwMultDivR+0x27d0
> MSPTLS!LsLwMultDivR+0x25470
> MSPTLS!LsLwMultDivR+0x25642
> MSPTLS!LsLwMultDivR+0x259ad
> MSPTLS!LsLwMultDivR+0x2a64
> MSPTLS!LsLwMultDivR+0x3201
> Instruction Address: 0x00000000316d458e
> Description: Stack Overflow
> Short Description: StackOverflow
> Recommended Bug Title: Stack Overflow starting at
> wwlib+0x000000000000458e (Hash=0x7513030e.0x2d6c2e72)
> ##############################################################################################################
> Proof of concept poc.rar included.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists