Last Friday I posted a POC regarding the Microsoft Office mso.dll boundary condition error. I checked the code flow of mso_203 and it was producing access violation errors, which I sent to Bugtraq and FD. Microsoft's MSRC blog has been updated at http://blogs.technet.com/msrc/archive/2006/07/10/441006.aspx stating that the vulnerability is not remotely exploitable, which is true.

However, while checking a bunch of fuzzed documents, several other problems have been noticed, and other people have reported issues with different Office applications. Some of them were able to reproduce the issue; some of these are exploitable, others may not be.

Microsoft Office vulnerabilities are not new, but interest has increased recently. It has been noticed that people fuzz documents and afterwards do not know which type of error they have found or whether the vulnerability is exploitable or not. Just note how many 0-days have been reported in the past few months in MS Office products. It is interesting to see that most of these vulnerabilities are directly or indirectly related to fuzzing and/or changing the normal behaviour of documents.

Take the example of the recently discovered HLINK.DLL buffer overflow flaw: kcope, who reported it, used Perl's Excel worksheet generator to produce a long URL string in the worksheet. Interestingly, Microsoft Office does not allow you to create hyperlinks with such long strings (usually restricted to 256 bytes), and even OLE automation restricts you, but Microsoft's binary file format has no such restriction for "hyperlink" objects. Perhaps it was assumed that the library was safe since Office does not allow users to enter such nasty URLs.

Generating the specially crafted files is not a big issue. It was assumed that one had to know the binary file format in order to generate a "valid document" (one that is parsable by the applications), but the Perl library is just one example: nanika posted another style sheet flaw in MS Excel which looks like the result of an exercise with the same library. A few days back the same exploit was released for MS Word. It is also interesting that third-party libraries are not very restrictive when producing MS Office compatible files; they allow you to do some really funny stuff. For example, it is an open question why the OpenOffice developers decided to accept a URL string of, say, 20,000 bytes (perhaps of indefinite length). One can easily identify new problems while experimenting with this stuff.

---------------------
Naveed Afzal