Fuzzing Microsoft Office
Last Friday I posted a POC regarding the Microsoft Office mso.dll
boundary condition error. I have checked the code flow of mso_203 and
it was producing access violation errors, which I have sent to Bugtraq
and FD. Microsoft's MSRC blog has been updated at
http://blogs.technet.com/msrc/archive/2006/07/10/441006.aspx stating
that the vulnerability is not remotely exploitable; that is true.
However, while checking a bunch of fuzzed documents, several other
problems have been noticed; other people have also reported issues
with different Office applications. Some of them were able to
reproduce the issue, and they are exploitable; others may not be.

Microsoft Office vulnerabilities are not new, but recently interest has
increased. It has been noticed that people are fuzzing the documents
and afterwards they don't know which type of error it is or whether the
vulnerability is exploitable or not! Just note how many 0-days have
been reported in the past few months in MS Office products. It is
interesting to see that most of these vulnerabilities are directly or
indirectly related to fuzzing and/or changing the normal behavior of
documents.

If we take the example of the recently discovered HLINK.DLL buffer
overflow flaw, kcope, who reported it, used Perl's Excel worksheet
generator to generate a long URL string in the worksheet.
Interestingly, Microsoft Office does not allow you to generate
hyperlinks with such long strings (usually restricted to 256 bytes);
even OLE automation restricts you, but Microsoft's binary file
format does not have such restrictions for "hyperlink" objects. Maybe
it was assumed that the library is safe since Office does not allow
users to have such nasty URLs.

The problem of generating specially crafted files is not a big
issue. It was assumed that one should know the binary file format in
order to generate some "valid document" (one which is parsable by the
applications), but the Perl library is just an example; nanika
posted another style sheet flaw in MS Excel which looks like the
result of an exercise with the same library.

A few days back the same exploit was released for MS Word. It is also
interesting that 3rd party libraries are not that restrictive
when producing MS Office compatible files; they allow you to do
some really funny stuff. For example, it is an open question why the
OpenOffice developers decided to accept a URL string of say 20,000
bytes (perhaps of indefinite length). One can easily identify some
new problems while experimenting with this stuff.
---------------------
Naveed Afzal
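
The gap described in the HLINK.DLL paragraph (a length limit enforced by the Office UI but not by the binary format) can be checked on the receiving side. The following is an added example, not part of the original post: it walks the type/length records of a BIFF8 workbook stream and reports hyperlink records larger than a policy limit. It assumes the Workbook stream has already been extracted from the OLE container; the function names, the 32-byte fixed prefix and the 2048-byte limit are assumptions of this example.

```python
import struct

HLINK = 0x01B8    # BIFF8 record type of a worksheet hyperlink
FIXED = 32        # assumed fixed prefix: cell range 8 + class id 16 + version/flags 8
MAX_BODY = 2048   # assumed policy limit, generous for a 256-byte URL stored as UTF-16


def walk_records(stream):
    """Yield (offset, type, declared_len, payload); payload is None if cut short."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + rlen]
        if len(payload) < rlen:
            # The declared length runs past the end of the stream: report and stop.
            yield pos, rtype, rlen, None
            return
        yield pos, rtype, rlen, payload
        pos += 4 + rlen


def oversized_hlinks(stream, max_body=MAX_BODY):
    """Return (offset, reason, size) for malformed or over-limit records."""
    findings = []
    for off, rtype, rlen, payload in walk_records(stream):
        if payload is None:
            findings.append((off, "declared length exceeds stream", rlen))
        elif rtype == HLINK and rlen - FIXED > max_body:
            findings.append((off, "hyperlink body too long", rlen - FIXED))
    return findings


def record(rtype, payload):
    """Build one record: little-endian type, little-endian length, payload."""
    return struct.pack("<HH", rtype, len(payload)) + payload


# Constructed sample stream: BOF, an ordinary link, a 20,000-byte link body, EOF.
SAMPLE = (record(0x0809, bytes(16))
          + record(HLINK, bytes(FIXED) + b"h" * 120)
          + record(HLINK, bytes(FIXED) + b"A" * 20000)
          + record(0x000A, b""))

if __name__ == "__main__":
    for finding in oversized_hlinks(SAMPLE):
        print(finding)
```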