stack overflow != stack buffer overflow On Wed, Oct 24, 2012 at 3:41 AM, kaveh ghaemmaghami < kavehghaemmagh...@googlemail.com> wrote:
> Title : Microsoft Office Word 2010 Stack Overflow > Version : Microsoft Office professional Plus 2010 > Date : 2012-10-23 > Vendor : http://office.microsoft.com > Impact : Med/High > Contact : coolkaveh [at] rocketmail.com > Twitter : @coolkaveh > tested : XP SP3 ENG > > ############################################################################### > Bug : > ---- > StackOverflow during the handling of the doc files a context-dependent > attacker > can execute arbitrary code. > ---- > > ################################################################################ > (be0.59c): Stack overflow - code c00000fd (first chance) > First chance exceptions are reported before any exception handling. > This exception may be expected and handled. > eax=00032000 > ebx=00000000 > ecx=00032fe4 > edx=000024bc > esi=008b8974 > edi=0753e000 > eip=316d458e > esp=000380f0 > ebp=000380f8 iopl=0 nv up ei pl nz na pe nc > cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 > efl=00010206 > *** ERROR: Symbol file could not be found. Defaulted to export > symbols for C:\Program Files\Microsoft Office\Office14\wwlib.dll - > wwlib+0x458e: > 316d458e 8500 test dword ptr [eax],eax > ds:0023:00032000=00000000 > 0:000>!exploitable -v > eax=00032000 ebx=00000000 ecx=00032fe4 edx=000024bc esi=008b8974 > edi=0753e000 > eip=316d458e esp=000380f0 ebp=000380f8 iopl=0 nv up ei pl nz na pe > nc > cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 > efl=00010206 > wwlib+0x458e: > 316d458e 8500 test dword ptr [eax],eax > ds:0023:00032000=00000000 > HostMachine\HostUser > Executing Processor Architecture is x86 > Debuggee is in User Mode > Debuggee is a live user mode debugging session on the local machine > Event Type: Exception > *** ERROR: Symbol file could not be found. Defaulted to export > symbols for ntdll.dll - > *** ERROR: Symbol file could not be found. Defaulted to export > symbols for C:\Program Files\Common Files\Microsoft > Shared\OFFICE14\MSPTLS.DLL - > Exception Faulting Address: 0x316d458e > First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD) > > Faulting Instruction:316d458e test dword ptr [eax],eax > > Basic Block: > 316d458e test dword ptr [eax],eax > Tainted Input Operands: eax > 316d4590 jmp wwlib+0x4585 (316d4585) > > Exception Hash (Major/Minor): 0x7513030e.0x2d6c2e72 > > Stack Trace: > wwlib+0x458e > wwlib!GetAllocCounters+0x78520 > wwlib!GetAllocCounters+0x90f89 > wwlib!GetAllocCounters+0x134cf > wwlib!DllGetLCID+0x6451eb > wwlib!DllGetLCID+0x645c74 > wwlib!DllGetLCID+0x29b461 > wwlib!DllGetLCID+0x531d6 > wwlib!DllGetLCID+0x2c1272 > wwlib!DllGetLCID+0x141bf9 > wwlib!DllGetLCID+0x1d1144 > wwlib!DllGetLCID+0x1d05ae > MSPTLS!LsLwMultDivR+0x101e7 > MSPTLS!LsLwMultDivR+0x10afb > MSPTLS!LsLwMultDivR+0x10c5e > MSPTLS!LsLwMultDivR+0x10ec8 > MSPTLS!FsTransformBbox+0xe137 > MSPTLS!LsLwMultDivR+0x24ac6 > MSPTLS!LsLwMultDivR+0x27d0 > MSPTLS!LsLwMultDivR+0x25470 > MSPTLS!LsLwMultDivR+0x25642 > MSPTLS!LsLwMultDivR+0x259ad > MSPTLS!LsLwMultDivR+0x2a64 > MSPTLS!LsLwMultDivR+0x3201 > MSPTLS!FsTransformBbox+0x74ae > MSPTLS!FsTransformBbox+0x7e28 > MSPTLS!FsCreateSubpageFinite+0xad > wwlib!DllGetLCID+0x541fc > wwlib!DllGetLCID+0x54037 > MSPTLS!LsLwMultDivR+0x4e92 > MSPTLS!LsLwMultDivR+0x29070 > MSPTLS!LsLwMultDivR+0x285b0 > MSPTLS!LsLwMultDivR+0x5fa3 > MSPTLS!LsLwMultDivR+0x6816 > MSPTLS!FsTransformBbox+0xb8c1 > MSPTLS!FsQueryTableObjFigureListWord+0x2a0 > MSPTLS!LsLwMultDivR+0x101e7 > MSPTLS!LsLwMultDivR+0x10afb > MSPTLS!LsLwMultDivR+0x10c5e > MSPTLS!LsLwMultDivR+0x10ec8 > MSPTLS!FsTransformBbox+0xe137 > MSPTLS!LsLwMultDivR+0x24ac6 > MSPTLS!LsLwMultDivR+0x27d0 > MSPTLS!LsLwMultDivR+0x25470 > MSPTLS!LsLwMultDivR+0x25642 > MSPTLS!LsLwMultDivR+0x259ad > MSPTLS!LsLwMultDivR+0x2a64 > MSPTLS!LsLwMultDivR+0x3201 > MSPTLS!FsTransformBbox+0x74ae > MSPTLS!FsTransformBbox+0x7e28 > MSPTLS!FsCreateSubpageFinite+0xad > wwlib!DllGetLCID+0x1d07f0 > MSPTLS!LsLwMultDivR+0x101e7 > MSPTLS!LsLwMultDivR+0x10afb > MSPTLS!LsLwMultDivR+0x10c5e > MSPTLS!LsLwMultDivR+0x10ec8 > MSPTLS!FsTransformBbox+0xe137 > MSPTLS!LsLwMultDivR+0x24ac6 > MSPTLS!LsLwMultDivR+0x27d0 > MSPTLS!LsLwMultDivR+0x25470 > MSPTLS!LsLwMultDivR+0x25642 > MSPTLS!LsLwMultDivR+0x259ad > MSPTLS!LsLwMultDivR+0x2a64 > MSPTLS!LsLwMultDivR+0x3201 > Instruction Address: 0x00000000316d458e > Description: Stack Overflow > Short Description: StackOverflow > Recommended Bug Title: Stack Overflow starting at > wwlib+0x000000000000458e (Hash=0x7513030e.0x2d6c2e72) > > ############################################################################################################## > Proof of concept poc.rar included. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
