While fuzzing I found some Microsoft Office 0days... a couple of these where likely patched yesterday . Note: I didnt' reported the issues myself because I was still in doing my research.
Incredible how mutational fuzzing may disclosure new vulnerabilities and issues: to reproduce the one apparently related to Powerpoint "TimeColorBehaviorContainer" find the following structure in a Microsoft Powerpoint file with animations enabled:
0F 00 3D F1 00 00 00 00 00
and modify the structure like the following one:
0F 00 2E F1 00 00 00 00 00
This exception may be expected and handled.
eax=0594b13f ebx=00000000 ecx=045c1ea0 edx=00010001 esi=df9e0005 edi=00000000
eip=3012b8cd esp=00134c38 ebp=00134c5c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
ppcore!PPMain+0x25f55:
3012b8cd 8b06 mov eax,dword ptr [esi]
....
call eax (dword ptr [esi] is tainted.)
For a crash example I have attached a sample.
http://www.mindedsecurity.com/fileshare/timecontainer_crash.ppt
No comments:
Post a Comment