Vulners
Lucene search
Microsoft Office OneNote 2010 Crash PoC
Title : Microsoft Office OneNote 2010 WriteAV Vulnerability
Version : Microsoft Office professional Plus 2010
Date : 2012-11-19
Vendor : http://office.microsoft.com
Impact : Med/High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
tested : XP SP3 ENG
###############################################################################
Bug :
----
memory corruption during the handling of the one files
How can i make sure a crash is not exploitable? (( The short answer is
simple assume every crash is exploitable and just fix it.))
Or
"defective software is OK."
----
################################################################################
(b70.998): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=05eb3701 ecx=062baa08 edx=00005b3f esi=062baa08 edi=00000000
eip=3acdee22 esp=00125dbc ebp=00125dc4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\ONMain.DLL -
ONMain!MsoCF::Frame::Finish+0x14bd2:
3acdee22 c7050000000001000000 mov dword ptr ds:[0],1 ds:0023:00000000=????????
---------------------------------------------------------------------------------
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x3c300459.0x3c6c1674
Stack Trace:
ONMain!MsoCF::Frame::Finish+0x14bd2
ONMain!MsoCF::GetScaledValue+0x429c
ONMain!MsoCF::GetScaledValue+0x39d5
ONMain!MsoCF::GetScaledValue+0x384b
ONMain!Jot::IQueryScope::CreateInstance+0x1716
ONMain!MsoCF::GetScaledValue+0x3060
ONMain!MsoCF::GetScaledValue+0x2dce
ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0xa4d
ONMain!Jot::ITextSearchPlugin::CreateQuotedTextSearchPlugin+0x44a
ONMain!Jot::UseRegistryCache+0x6fb
ONMain!Jot::IQueryScope::CreateInstance+0x1716
ONMain!Jot::HasFileOneExtension+0xf4e
ONMain!Jot::GetBackupRootFolderPath+0x109e
ONMain!Jot::GetBackupRootFolderPath+0xf01
ONMain!Jot::TheBackgroundScheduler::FAddJobForThread+0x1e57
ONMain!Jot::TheBackgroundScheduler::FAddJobForThread+0x1da3
ONMain!Jot::System::IsTabletPC+0x1c7e
ONMain!Jot::System::IsTabletPC+0x1439
ONMain!MsoCF::PerfMetrics::Mark+0x107e
ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0x1432
ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0xe4a
ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0xc6b
ONMain!Jot::ITextSearchPlugin::CreateFullSearchInstance+0x8f9
ONMain!MsoCF::TheZeroAtom+0xba1
ONMain!Jot::TheBackgroundScheduler::FExists+0x52e1
ONMain!Jot::TheBackgroundScheduler::FExists+0x51f5
ONMain!MsoCF::Properties::FGet+0xdc9
ONMain!Jot::TheBackgroundScheduler::FExists+0x1e0
ONMain!Jot::TheBackgroundScheduler::FExists+0x4e
onenote+0x1efcf
ONMain!MsoCF::TheZeroAtom+0x99b
onenote+0x212f
onenote+0x2054
onenote+0x201e
kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x000000003acdee22
Short Description: WriteAV
###############################################################################
Proof of concept included.
http://www43.zippyshare.com/v/27372192/file.html
http://www.exploit-db.com/sploits/22850.rar
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1