RE: Bug in Microsoft Word

["Arjun Pednekar" <arjun.pednekar () patni com>]

I'm using Word 2002 (10.2627.3501) SP-1, and I was also not able to find
the pattern "b4 01". But after making the following changes I was able
to crash my version of M$-Word.

Change the pattern at location 
0000061e:00 00 00 00
to
0000061e:62 62 62 62

(I used HVIEW)

This happens to be the same location in the Word file downloaded from
http://www12.brinkster.com/bsecurity 

HTH.

Arjun R. Pednekar
Patni Computer Systems Limited
31/10, EL Zone, J-Block, MIDC Bhosari, Pune 411026, India
Tel:  + 91-20-7123980 x 499
Fax: + 91-20-7123396
Cell: + 91-9820876212


-----Original Message-----
From: Pedro Jota Calvorota [mailto:calvorota () ya com] 
Sent: Monday, October 06, 2003 6:49 PM
To: vuln-dev () securityfocus com
Subject: Re: Bug in Microsoft Word

I would like to make you notice two things:

- I downloaded the doc file from 
http://www12.brinkster.com/bsecurity/Doc1.doc  and checked it with MS 
Ofcicce XP version and it crashes. Oddly if i do it with word97, it 
doesn't not crash but shows the cursor at the end of the first line :|

- I just can't find the pattern

00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01
00 00 00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c
01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00

in any doc i create, word97, or XP... is it the same in any varsion? i 
don't even find de "b4 01" pattern to be able to modify the EAX
register.

Can you explain it a little deeper?

Thanks a lot.

-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/