Wednesday, April 13, 2011

More about Microsoft Office "Patch" Tuesday (MS11-022)

While fuzzing I found some Microsoft Office 0days... a couple of these where likely patched yesterday . Note: I didnt' reported the issues myself because I was still in doing my research.

Incredible how mutational fuzzing may disclosure new vulnerabilities and issues: to reproduce the one apparently related to Powerpoint "TimeColorBehaviorContainer" find the following structure in a Microsoft Powerpoint file with animations enabled:

0F 00 3D F1 00 00 00 00 00

and modify the structure like the following one:


0F 00 2E F1 00 00 00 00 00

This exception may be expected and handled.
eax=0594b13f ebx=00000000 ecx=045c1ea0 edx=00010001 esi=df9e0005 edi=00000000
eip=3012b8cd esp=00134c38 ebp=00134c5c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
ppcore!PPMain+0x25f55:
3012b8cd 8b06            mov     eax,dword ptr [esi]
....

call eax (dword ptr [esi] is tainted.)



For a crash example I have attached a sample.

http://www.mindedsecurity.com/fileshare/timecontainer_crash.ppt

No comments:

Post a Comment