Title : Microsoft Office OneNote 2010 WriteAV Vulnerability Version : Microsoft Office professional Plus 2010 Date : 2012-11-19 Vendor : http://office.microsoft.com Impact : Med/High Contact : coolkaveh [at] rocketmail.com Twitter : @coolkaveh tested : XP SP3 ENG ############################################################################### Bug : ---- memory corruption during the handling of the one files How can i make sure a crash is not exploitable? (( The short answer is simple assume every crash is exploitable and just fix it.)) Or "defective software is OK." ---- ################################################################################ (b70.998): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=05eb3701 ecx=062baa08 edx=00005b3f esi=062baa08 edi=00000000 eip=3acdee22 esp=00125dbc ebp=00125dc4 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\ONMain.DLL - ONMain!MsoCF::Frame::Finish+0x14bd2: 3acdee22 c7050000000001000000 mov dword ptr ds:[0],1 ds:0023:00000000=???????? --------------------------------------------------------------------------------- First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Write Access Violation Exception Hash (Major/Minor): 0x3c300459.0x3c6c1674 Stack Trace: ONMain!MsoCF::Frame::Finish+0x14bd2 ONMain!MsoCF::GetScaledValue+0x429c ONMain!MsoCF::GetScaledValue+0x39d5 ONMain!MsoCF::GetScaledValue+0x384b ONMain!Jot::IQueryScope::CreateInstance+0x1716 ONMain!MsoCF::GetScaledValue+0x3060 ONMain!MsoCF::GetScaledValue+0x2dce ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0xa4d ONMain!Jot::ITextSearchPlugin::CreateQuotedTextSearchPlugin+0x44a ONMain!Jot::UseRegistryCache+0x6fb ONMain!Jot::IQueryScope::CreateInstance+0x1716 ONMain!Jot::HasFileOneExtension+0xf4e ONMain!Jot::GetBackupRootFolderPath+0x109e ONMain!Jot::GetBackupRootFolderPath+0xf01 ONMain!Jot::TheBackgroundScheduler::FAddJobForThread+0x1e57 ONMain!Jot::TheBackgroundScheduler::FAddJobForThread+0x1da3 ONMain!Jot::System::IsTabletPC+0x1c7e ONMain!Jot::System::IsTabletPC+0x1439 ONMain!MsoCF::PerfMetrics::Mark+0x107e ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0x1432 ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0xe4a ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0xc6b ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0x8f9 ONMain!MsoCF::TheZeroAtom+0xba1 ONMain!Jot::TheBackgroundScheduler::FExists+0x52e1 ONMain!Jot::TheBackgroundScheduler::FExists+0x51f5 ONMain!MsoCF::Properties::FGet+0xdc9 ONMain!Jot::TheBackgroundScheduler::FExists+0x1e0 ONMain!Jot::TheBackgroundScheduler::FExists+0x4e onenote+0x1efcf ONMain!MsoCF::TheZeroAtom+0x99b onenote+0x212f onenote+0x2054 onenote+0x201e kernel32!RegisterWaitForInputIdle+0x49 Instruction Address: 0x000000003acdee22 Short Description: WriteAV ############################################################################### Proof of concept included. http://www43.zippyshare.com/v/27372192/file.html