At first, I would have said that this can't work. But it does. :) I can't really imagine the poor coding taking place in this one. I am running Office SP1. Haven't tested this with SP2. This is what I get:

Microsoft (R) Windows 2000 (TM) Version 5.00 DrWtsn32
Copyright (C) 1985-1999 Microsoft Corp. All rights reserved.

Application exception occurred:
        App:  (pid=1416)
        When: 5/29/2001 @ 10:27:51.203
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Computer Name: ANTTIW2K
        User Name: xxxxxxxx
        Number of Processors: 1
        Processor Type: x86 Family 6 Model 6 Stepping 0
        Windows 2000 Version: 5.0
        Current Build: 2195
        Service Pack: 2
        Current Type: Uniprocessor Free
        Registered Organization: xxx
        Registered Owner: Antti Hakulinen

*----> Task List <----*
   0 Idle.exe
   8 System.exe
 132 SMSS.exe
 160 CSRSS.exe
 156 WINLOGON.exe
 208 SERVICES.exe
 220 LSASS.exe
 388 svchost.exe
 416 SPOOLSV.exe
 492 svchost.exe
 516 fsaa.exe
 528 fsma32.exe
 548 fsmb32.exe
 596 fch32.exe
 664 regsvc.exe
 684 mstask.exe
 708 fameh32.exe
 748 WinMgmt.exe
 796 fsgk32.exe
 828 ZipToA.exe
 292 fnrb32.exe
 960 fih32.exe
1020 fsav32.exe
1160 explorer.exe
1236 realplay.exe
1268 fpdisp3.exe
1272 Imgicon.exe
1276 fsm32.exe
1304 internat.exe
1412 OUTLOOK.exe
1424 MAPISP32.exe
 500 notepad.exe
1416 WINWORD.exe
1220 DRWTSN32.exe
   0 _Total.exe

(30000000 - 3086D000)
(77F80000 - 77FFB000)
(77DB0000 - 77E0B000)
(77E80000 - 77F35000)
(77D40000 - 77DB0000)
(77F40000 - 77F7C000)
(77E10000 - 77E74000)
(308C0000 - 30E1C000)
(77A50000 - 77B46000)
(782F0000 - 78532000)
(70BD0000 - 70C1C000)
(71700000 - 7178A000)
(77800000 - 7781D000)
(6E420000 - 6E426000)
(75E60000 - 75E7A000)
(775A0000 - 77625000)
(779B0000 - 77A4B000)
(78000000 - 78046000)
(017D0000 - 017E7000)
(770F0000 - 772A7000)
(772B0000 - 7731C000)
(507C0000 - 50844000)
(50700000 - 50712000)
(77840000 - 7787C000)
(770C0000 - 770E3000)
(23000000 - 2301D000)
(50880000 - 50A59000)

State Dump for Thread Id 0x1f8

eax=3078e6d0 ebx=00000412 ecx=00000000 edx=3078fed0 esi=00000411 edi=00000001
eip=3076a63e esp=0012e748 ebp=0012e754 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202

function: <nosymbols>
        3076a61b 50               push    eax
        3076a61c e8dd11acff       call    wdCommandDispatch+0x517c1 (3022b7fe)
        3076a621 85c0             test    eax,eax
        3076a623 7e76             jle     wdGetApplicationObject+0x17ff35 (3077479b)
        3076a625 a144797b30       mov     eax,[307b7944]         ds:307b7944=307ad458
        3076a62a 8b0d64e77c30     mov     ecx,[307ce764]         ds:307ce764=307ba8c0
        3076a630 8b4028           mov     eax,[eax+0x28]         ds:3137bca2=????????
        3076a633 8b8910180000     mov     ecx,[ecx+0x1810]       ds:00001810=????????
        3076a639 8b5008           mov     edx,[eax+0x8]          ds:3137bca2=????????
        3076a63c 8b00             mov     eax,[eax]              ds:3078e6d0=00010000
FAULT ->3076a63e 8b09             mov     ecx,[ecx]              ds:00000000=????????
        3076a640 8b80580a0000     mov     eax,[eax+0xa58]        ds:3078f128=00000809
        3076a646 898ae8040000     mov     [edx+0x4e8],ecx        ds:307903b8=00000000
        3076a64c 3bc6             cmp     eax,esi
        3076a64e 7412             jz      wdGetApplicationObject+0x179afc (3076e362)
        3076a650 3d04080000       cmp     eax,0x804
        3076a655 740b             jz      wdGetApplicationObject+0x1798fc (3076e162)
        3076a657 3bc3             cmp     eax,ebx
        3076a659 7449             jz      wdGetApplicationObject+0x179b3e (3076e3a4)
        3076a65b 3d04040000       cmp     eax,0x404
        3076a660 7542             jnz     wdGetApplicationObject+0x17993e (3076e1a4)
        3076a662 3bc3             cmp     eax,ebx

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
0012E754 3032A9BE FFFFFFFE 00000001 00000000 307AD380 !wdGetApplicationObject
307A065B 792AE030 7A066830 79293030 7A067030 78E77830 !wdCommandDispatch
7A066030 00000000 00000000 00000000 00000000 00000000 <nosymbols>

*----> Raw Stack Dump <----*
0012e748  80 d3 7a 30 5b 06 00 00 - 00 00 00 00 5b 06 7a 30  ..z0[.......[.z0
0012e758  be a9 32 30 fe ff ff ff - 01 00 00 00 00 00 00 00  ..20............
0012e768  80 d3 7a 30 58 7f 79 30 - d0 d6 79 30 19 00 00 00  ..z0X.y0..y0....
0012e778  01 00 00 00 89 00 00 00 - f8 8b 79 00 52 3a 13 00  ..........y.R:..
0012e788  00 00 00 00 c0 31 13 00 - 00 00 18 00 00 00 00 00  .....1..........
0012e798  00 00 64 00 00 00 00 00 - 00 00 00 00 89 00 00 00  ..d.............
0012e7a8  f8 8b 79 00 84 ea 12 00 - f4 00 12 30 a8 36 79 00  ..y........0.6y.
0012e7b8  3c 2d 79 00 00 00 00 00 - 0e 00 00 00 04 00 00 00  <-y.............
0012e7c8  00 00 00 00 00 00 00 00 - c0 31 13 00 f8 8b 79 00  .........1....y.
0012e7d8  74 46 79 00 d2 fd 00 00 - 40 2d 79 00 38 e8 12 00  tFy.....@-y.8...
0012e7e8  bd 96 93 30 a8 36 79 00 - 01 00 00 00 5c 1c 79 00  ...0.6y.....\.y.
0012e7f8  2c e9 12 00 b0 4d 79 00 - a8 36 79 00 40 2d 79 00  ,....My..6y.@-y.
0012e808  40 2d 79 00 48 e8 12 00 - 32 d2 93 30 b0 4d 79 00  @-y.H...2..0.My.
0012e818  00 00 00 00 10 00 00 00 - 9c ea 12 00 02 00 00 00  ................
0012e828  24 e9 12 00 e0 2f 79 00 - 00 00 00 00 b0 31 13 00  $..../y......1..
0012e838  00 00 00 00 00 00 00 00 - a8 36 79 00 48 99 03 00  .........6y.H...
0012e848  48 e9 12 00 47 ce 93 30 - 94 2f 79 00 08 e9 12 00  H...G..0./y.....
0012e858  00 00 00 00 01 00 00 00 - 01 00 00 00 10 00 00 00  ................
0012e868  9c ea 12 00 4c eb 12 00 - 90 e9 12 00 84 e9 12 00  ....L...........
0012e878  80 e9 12 00 68 ea 12 00 - 68 ea 12 00 a8 36 79 00  ....h...h....6y.

State Dump for Thread Id 0x450

eax=77d50c62 ebx=00157758 ecx=0015655c edx=00000000 esi=00157640 edi=00000100
eip=77f82a84 esp=01a4fe28 ebp=01a4ff74 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000206

function: ZwReplyWaitReceivePortEx
        77f82a79 b8ac000000       mov     eax,0xac
        77f82a7e 8d542404         lea     edx,[esp+0x4]          ss:0263d3fb=????????
        77f82a82 cd2e             int     2e
        77f82a84 c21400           ret     0x14

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1  Param#2  Param#3  Param#4  Function Name
01A4FF74 77D50781 77D50D7F 00157640 00000000 40157150 ntdll!ZwReplyWaitReceivePortEx
01A4FFA8 77D50C7A 001564C0 01A4FFEC 77E8758A 00157758 rpcrt4!RpcBindingSetOption
01A4FFB4 77E8758A 00157758 00000000 40157150 00157758 rpcrt4!RpcBindingSetOption
01A4FFEC 00000000 00000000 00000000 00000000 00000000 kernel32!SetFilePointer

-----Original Message-----
From: Oliver Reeves [mailto:Oliver.Reevesat_private]
Sent: 29 May 2001 2:55
To: 'VULN-DEVat_private'
Subject: Word 2000 DDE error on Win2K

Morning All,

I was playing around with Word this morning, and found something quite interesting. I thought I'd post it to see what you all thought. I'm not sure if this is a known bug in Word 2000, and I can't find out right now as I don't have web access from my PC at work.

I can consistently crash Word 2000 using the following method:

1) Open up any text/document editor such as Notepad or WordPad
2) Type a single word (must be a known word, no punctuation).
3) Highlight the whole word and CTRL+C
4) Launch Word 2000
5) CTRL+V
6) Press HOME to take you to the start of the line
7) Type I
8) Hit the space bar

This consistently crashes Word 2000 for me, and I get the following error message:

DDE Server Window: WINWORD.EXE - Application Error
The instruction at "0x3076a63e" referenced memory at "0x00000000". The memory could not be "read".

I am running:
Win2K 5.00.2195
Word 2000 9.0.3821 SR-1

I doubt that this would be exploitable, but I thought I'd find out if any of you could reproduce it.

Thanks
Oliver.

###########################################
This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange.
For more information, connect to http://www.F-Secure.com/
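Added example, not part of either message above: a small triage script that reads the register line and the faulting instruction out of the Dr. Watson dump posted in the reply, recomputes the effective address of the memory operand from the dumped registers, decides whether the access is a read or a write, and checks that the address Dr. Watson printed after `ds:` agrees with that computation. Run against the `FAULT ->` line it confirms what Oliver's error box says: `ecx` was already zero, so `mov ecx,[ecx]` is a read from the first 64 KiB of the address space, which Win32 keeps unmapped. The two input strings are copied verbatim from the thread 0x1f8 dump; the 64 KiB cut-off and the set of mnemonics treated as read-only in first-operand position are the script's own assumptions.

```python
import re

# Register state and faulting instruction copied from the Dr. Watson dump for
# thread 0x1f8 in the message above (WINWORD.EXE, pid 1416).
DRWTSN_REGS = (
    "eax=3078e6d0 ebx=00000412 ecx=00000000 edx=3078fed0 "
    "esi=00000411 edi=00000001 eip=3076a63e esp=0012e748 ebp=0012e754"
)
DRWTSN_FAULT = "FAULT ->3076a63e 8b09 mov ecx,[ecx] ds:00000000=????????"

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})\b")
INSN_RE = re.compile(
    r"^(?:FAULT ->)?([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)"  # address, opcode bytes, mnemonic
    r"(?:\s+(\S+))?"                                     # operands (absent for ret/nop)
    r"(?:\s+[dse]s:([0-9a-f]{8})=(\S+))?"                # "seg:address=value" annotation
)
# Assumption: Win32 leaves the first 64 KiB of every process unmapped, so any
# access below this boundary is a NULL pointer (possibly plus a field offset).
NULL_PAGE_LIMIT = 0x10000
# Assumption: mnemonics whose first operand is only read when it is in memory.
FIRST_OPERAND_READ_ONLY = {"cmp", "test", "push", "call", "jmp"}


def parse_registers(line):
    """Return {name: int} for the x86 registers on a Dr. Watson state-dump line."""
    return {name: int(value, 16) for name, value in REG_RE.findall(line)}


def effective_address(mem_operand, regs):
    """Evaluate an Intel-syntax [base+index*scale+disp] operand against a register set."""
    expr = mem_operand.strip("[]").lower().replace("-", "+-")
    total = 0
    for term in expr.split("+"):
        if "*" in term:                      # index*scale
            reg, scale = term.split("*")
            total += regs[reg] * int(scale, 10)
        elif term in regs:                   # plain register
            total += regs[term]
        else:                                # hex displacement, with or without 0x
            total += int(term, 16)
    return total & 0xFFFFFFFF


def triage_instruction(line, regs):
    """Classify one disassembly line: memory operand touched, its effective
    address under the dumped registers, read vs write, and whether the address
    Dr. Watson printed after the segment prefix agrees with our computation."""
    m = INSN_RE.match(line.strip())
    if not m:
        raise ValueError("not a Dr. Watson disassembly line: %r" % line)
    address, mnemonic, operands, reported, value = m.groups()
    result = {
        "address": int(address, 16), "mnemonic": mnemonic,
        "ea": None, "access": None, "matches_dump": True,
        "verdict": "no memory operand",
    }
    ops = operands.split(",") if operands else []
    mem = [i for i, op in enumerate(ops) if op.startswith("[")]
    if mnemonic == "lea":                    # lea only computes the address
        result["verdict"] = "lea: address computed, no memory access"
        return result
    if not mem:
        return result
    idx = mem[0]
    ea = effective_address(ops[idx], regs)
    access = "read"
    if idx == 0 and mnemonic not in FIRST_OPERAND_READ_ONLY:
        access = "write"                     # Intel syntax: destination comes first
    result.update(ea=ea, access=access)
    if reported is not None:
        result["matches_dump"] = int(reported, 16) == ea
    if ea < NULL_PAGE_LIMIT:
        result["verdict"] = "null-page %s at 0x%08x (NULL pointer plus offset 0x%x)" % (access, ea, ea)
    elif value == "????????":                # Dr. Watson could not read the target
        result["verdict"] = "%s of unmapped address 0x%08x" % (access, ea)
    else:
        result["verdict"] = "%s of mapped address 0x%08x" % (access, ea)
    return result


def triage_crash(regs_line, fault_line):
    """Triage the faulting instruction of a Dr. Watson thread dump."""
    regs = parse_registers(regs_line)
    result = triage_instruction(fault_line, regs)
    result["eip_matches"] = regs.get("eip") == result["address"]
    return result


if __name__ == "__main__":
    r = triage_crash(DRWTSN_REGS, DRWTSN_FAULT)
    print("%s at 0x%08x -> %s" % (r["mnemonic"], r["address"], r["verdict"]))
```

The same evaluator reproduces the addresses Dr. Watson printed for the neighbouring instructions (`[edx+0x4e8]` with `edx=3078fed0` gives `307903b8`, `[eax+0xa58]` gives `3078f128`), which is a useful sanity check that the register line and the disassembly belong to the same moment. The script only reports what kind of access faulted and where; a read from the null page through a register that was already zero is the signature of an unchecked NULL pointer, and whether that is anything more than a crash is a separate question the dump alone does not answer.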
This archive was generated by hypermail 2b30 : Tue May 29 2001 - 22:12:46 PDT