NOT a 0day! Re: [fuzzing] [Full-disclosure] OWASP Fuzzing page
On Tue, 12 Dec 2006, Joxean Koret wrote:
>
> Wow! That's fun! The so-called "Word 0 day" flaw also affects
> OpenOffice.org! At least, 1.1.3. And, oh! Abiword does something cool
> with the file:
This is NOT a 0day. It is a disclosed vulnerability in full-disclosure
mode, on a mailing list (fuzzing mailing list).
I am not sure why I got this 10 times now, I thought the days of these
bounces were over. But I am tired of seeing every full-disclosure
vulnerability called a 0day anymore.
A 0day, whatever definition you use, is used in the wild before people are
aware of it.
>
> joxean@joxeankoret $ abiword 12122006-djtest.doc
>
> ** (AbiWord-2.2:24313): WARNING **: Invalid seek
>
> ** (AbiWord-2.2:24313): WARNING **: Invalid seek
>
> ** (AbiWord-2.2:24313): WARNING **: Invalid seek
>
> ** (AbiWord-2.2:24313): WARNING **: Invalid seek
> joxean@joxeankoret $ ooffice 12122006-djtest.doc
> OpenOffice.org lockfile found (/home/joxean/.openoffice/1.1.3/.lock)
> Using existing OpenOffice.org
> Application Errorsh: line 1: crash_report: command not found
> Application Error
>
> Fatal exception: Signal 6
> Stack:
> /usr/lib/openoffice/program/libsal.so.3[0xb72e13ec]
> /usr/lib/openoffice/program/libsal.so.3[0xb72e1579]
> /usr/lib/openoffice/program/libsal.so.3[0xb72e1644]
> [0xffffe420]
> /lib/tls/libc.so.6(abort+0x1d2)[0xb6c2cfa2]
> /usr/lib/openoffice/program/libvcl645li.so[0xb7fadd3b]
> /usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5AbortERK6String+0x1f)[0xb7df3997]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt
> +0x53)[0x8063029]
> /usr/lib/openoffice/program/libvcl645li.so(_ZN23ImplVCLExceptionHandler6signalEP13oslSignalInfo+0xb2)[0xb7df894e]
> /usr/lib/openoffice/program/libvos3gcc3.so(_ZN3vos28_cpp_OSignalHandler_FunctionEPvP13oslSignalInfo+0x18)[0xb750b2f6]
> /usr/lib/openoffice/program/libvos3gcc3.so(_Z24_OSignalHandler_FunctionPvP13oslSignalInfo+0x26)[0xb750b2d6]
> /usr/lib/openoffice/program/libsal.so.3[0xb72e1496]
> /usr/lib/openoffice/program/libsal.so.3[0xb72e1625]
> [0xffffe420]
> /lib/tls/libc.so.6(abort+0x1d2)[0xb6c2cfa2]
> /usr/lib/openoffice/program/libvcl645li.so[0xb7fadd3b]
> /usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5AbortERK6String+0x1f)[0xb7df3997]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt
> +0x174)[0x806314a]
> /usr/lib/openoffice/program/libsfx645li.so(_Z18SfxNewHandler_Implv
> +0x60)[0xb3042e46]
> /usr/lib/openoffice/program/soffice.bin[0x80869cf]
> /usr/lib/openoffice/program/soffice.bin(_Znaj+0x2f)[0x8086b61]
> /usr/lib/openoffice/program/libsw645li.so[0xb1422b5e]
> /usr/lib/openoffice/program/libsw645li.so[0xb1422a69]
> /usr/lib/openoffice/program/libsw645li.so[0xb14243f2]
> /usr/lib/openoffice/program/libsw645li.so[0xb1425022]
> /usr/lib/openoffice/program/libsw645li.so[0xb14212df]
> /usr/lib/openoffice/program/libsw645li.so[0xb13e59c0]
> /usr/lib/openoffice/program/libsw645li.so[0xb13e7f7c]
> /usr/lib/openoffice/program/libsw645li.so[0xb13e813d]
> /usr/lib/openoffice/program/libsw645li.so[0xb12cc513]
> /usr/lib/openoffice/program/libsw645li.so[0xb147cc4e]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN14SfxObjectShell6DoLoadEP9SfxMedium+0xa15)[0xb2eae69d]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl4LoadEPK16SfxObjectFactory+0x563)[0xb2e2d1ef]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl17LoadDataAvailableEv+0x1f3)[0xb2e2eb8d]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl17LoadDataAvailableEv+0x39e)[0xb2e2ed38]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl5StartEv+0x7ca)[0xb2e2c3ba]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN19SfxFrameLoader_Impl4loadERKN3com3sun4star3uno8SequenceINS2_5beans13PropertyValueEEERKNS3_9ReferenceINS2_5frame6XFrameEEE+0x2361)[0xb2f10bb3]
> /usr/lib/openoffice/program/libfwk645li.so[0xb224207a]
> /usr/lib/openoffice/program/libfwk645li.so[0xb22485e4]
> /usr/lib/openoffice/program/libfwk645li.so[0xb223bb1c]
> /usr/lib/openoffice/program/libfwk645li.so[0xb225662c]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop15DispatchWatcher23executeDispatchRequestsERKN4_STL6vectorINS0_15DispatchRequestENS1_9allocatorIS3_EEEE+0x230c)[0x807a34c]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop15OfficeIPCThread22ExecuteCmdLineRequestsERNS_23ProcessDocumentsRequestE+0x17f)[0x807138d]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop11OpenClientsEv+0x1ef6)[0x80681d4]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop16OpenClients_ImplEPv+0x11)[0x8065ee7]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop24LinkStubOpenClients_ImplEPvS1_+0x18)[0x8065ed2]
> /usr/lib/openoffice/program/libvcl645li.so[0xb7f49674]
> /usr/lib/openoffice/program/libvcl645li.so(_Z19ImplWindowFrameProcPvP8SalFrametPKv+0x44e)[0xb7f49fc2]
> /usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN10SalDisplay21DispatchInternalEventEv+0xd9)[0xb618ad45]
> /usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN13SalX11Display5YieldEh+0x28)[0xb618ad80]
> /usr/lib/openoffice/program/libvclplug_gen645li.so[0xb6186b28]
> /usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN7SalXLib5YieldEh
> +0x1d3)[0xb61855db]
> /usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN14X11SalInstance5YieldEh+0x31)[0xb618e49b]
> /usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5YieldEv
> +0x64)[0xb7df3baa]
> /usr/lib/openoffice/program/libvcl645li.so(_ZN11Application7ExecuteEv
> +0x35)[0xb7df3ab7]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop4MainEv
> +0x1f56)[0x8065446]
> /usr/lib/openoffice/program/libvcl645li.so(_Z6SVMainv+0x4a)[0xb7df89bc]
> /usr/lib/openoffice/program/libvcl645li.so(main+0x4c)[0xb7fade6c]
> /lib/tls/libc.so.6(__libc_start_main+0xf4)[0xb6c18974]
> /usr/lib/openoffice/program/soffice.bin(_ZN6Window11RequestHelpERK9HelpEvent+0x31)[0x805e161]
> Aborted
>
> I'm using OpenOffice.org 1.1.3 (distributed with Debian Sarge 3.1). I
> will play a little with the POC to see whether it affects OOffice in a way
> that makes code execution possible.
>
> ---
> Joxean Koret
>
> > for something a little more technical
> >
> > This is an email I sent someone else. (sorry mate, ill give a few
> > other ones for the 'project' :) )
> >
> > I do not know of any fuzzer that would find this. I do not know of
> > any fuzzing method, except the one I use that would find this.
> >
> > =====
> > The file I have attached is a very basic two stage bug. stage 1 (the
> > first mod) forces the code down a wrong path. the second mod by
> > itself is harmless, however when used with the first it will be the
> > first and part of the second overwrite.
> >
> > I have used 41414141 as a marker to make it easier for you to see.
> >
> > I have made it crash the wordviewer again to make it more obvious
> >
> > Weight,
> > location: 00000274
> > value : 00000022 - just so it crashes, values 00000001 -> 00000006
> > are probably the most useful for trying to overwrite a pointer. notice
> > that neighbouring areas can be weighted the same.
> >
> > marker,
> > location: 000027e4
> > value : 41414141
> >
> > the weight destination address == ((weight * 4[this is EDI]) + 4
> > [ECX*4]) + source memory offset[ESI].
> >
> > [also the meta data is Microsoft's, not mine]
> > ======
> >
> > bug hugs,
> >
> > disco.
> > _______________________________________________
> > fuzzing mailing list
> > fuzzing@xxxxxxxxxxxxxxxxxxxxxx
> > http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing
> --
> -----------------------------------
> Perhaps, perhaps, one day
> the true people of Zuberoa will rise,
> the true Basques,
> to kill the foreign tyrants
> and to give back to the people
> the land our fathers' fathers left us.
> -----------------------------------
>
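Crash triage for reports in the format of the OpenOffice.org trace Joxean quoted above, as an added example that is not code from the thread: it parses the "Fatal exception: Signal N / Stack:" report, rejoins frames the mailer wrapped, skips the abort/exception prelude and derives a build-independent bucket key from the first frames below it. The sample report is constructed from the quoted one, and reading SfxNewHandler_Impl as an allocation failure is an inference from the frame names, not something the thread states.

```python
import re
# Constructed excerpt in the format of the OpenOffice.org 1.1.3 crash report quoted in the thread
# (frames trimmed; one mailer-wrapped frame kept on purpose to exercise the rejoin below).
SAMPLE_REPORT = """\
Fatal exception: Signal 6
Stack:
/lib/tls/libc.so.6(abort+0x1d2)[0xb6c2cfa2]
/usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5AbortERK6String+0x1f)[0xb7df3997]
/usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt
+0x174)[0x806314a]
/usr/lib/openoffice/program/libsfx645li.so(_Z18SfxNewHandler_Implv+0x60)[0xb3042e46]
/usr/lib/openoffice/program/soffice.bin(_Znaj+0x2f)[0x8086b61]
/usr/lib/openoffice/program/libsw645li.so[0xb1422b5e]
/usr/lib/openoffice/program/libsfx645li.so(_ZN14SfxObjectShell6DoLoadEP9SfxMedium+0xa15)[0xb2eae69d]
Aborted
"""
FRAME_RE = re.compile(r"^(?P<module>[^(\[]*)(?:\((?P<symbol>[^+)]*)(?:\+0x[0-9a-f]+)?\))?\[0x[0-9a-f]+\]$")
SIGNAL_RE = re.compile(r"^Fatal exception: Signal (\d+)$")
# Frames that belong to the abort/exception plumbing, not to the code that actually failed.
PRELUDE = ("abort", "_ZN11Application5AbortERK6String", "_ZN7desktop7Desktop9ExceptionEt")

def parse_report(text):
    """Return (signal, frames); each frame is (module basename, mangled symbol or None)."""
    signal, frames = None, []
    for line in re.sub(r"\n\+", "+", text).splitlines():   # rejoin frames the mailer wrapped before "+0x.."
        line = line.strip()
        if m := SIGNAL_RE.match(line):
            signal = int(m.group(1))
        elif m := FRAME_RE.match(line):
            frames.append((m.group("module").rsplit("/", 1)[-1] or "?", m.group("symbol") or None))
    return signal, frames

def culprit_index(frames):
    # First frame below the last prelude frame, i.e. the code that raised the fatal condition.
    last = max((i for i, f in enumerate(frames) if f[1] in PRELUDE), default=-1)
    return last + 1 if last + 1 < len(frames) else None

def classify(frames):
    # Inference from the frame names: operator new[] (_Znaj) reaching SfxNewHandler_Impl means a
    # request the allocator could not satisfy (an oversized size field), not a stray memory write.
    i = culprit_index(frames)
    return "unknown" if i is None else ("allocation-failure" if "NewHandler" in (frames[i][1] or "") else "other")

def bucket_key(text, depth=4):
    # Build-independent key for de-duplicating fuzzer crashes: signal, class and top frames (no addresses).
    signal, frames = parse_report(text)
    i = culprit_index(frames)
    names = [] if i is None else [sym or mod for mod, sym in frames[i:i + depth]]
    return "sig%s|%s|%s" % (signal, classify(frames), ">".join(names) or "unparsed")
```

Feeding many such reports through bucket_key and counting distinct keys separates one root cause hit many times from genuinely different crashes.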