Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Hancom Office 2020 Hword Docx XML parsing heap underflow vulnerability- 975

Talos, posted 3 years ago
  • Hancom Office is an alternative office suite used in South Korea. Docx files are mostly just XML documents.
  • Rather than presenting the bug first and the crash second, the authors start from the crash produced by the malicious file: the code subtracts 4 from a pointer, dereferences the result, and crashes.
  • Working back from the crash, they traced it to the parsing of the </w:> XML end tag. The malicious file omits the <w:> start tag that denotes the beginning of a paragraph, and the parsing code assumes that if the end tag is present, the start tag was present as well.
  • The dereference is an indirect call through a virtual function table, so with suitable heap feng shui an attacker could control the pointer being dereferenced and execute code. Overall, a pretty straightforward bug with a simple write-up!
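The root cause above is a parser that trusts an end tag to imply its start tag. The following is an added example (mine, not from the Talos write-up or from Hancom) showing the defender's side of that assumption: a small scanner that walks the tags of a document.xml inside a .docx and reports any end tag whose start tag is missing, plus a check that a conforming XML parser (Python's expat-backed ElementTree) rejects the same input outright. The element names, the "urn:example" namespace and the two sample documents are constructed for the example; the regex-based tag walk ignores CDATA sections and attribute values containing ">", which is enough for the constructed inputs but not a full XML tokenizer.

```python
import io
import re
import zipfile
from xml.etree import ElementTree

# Matches start, end and self-closing element tags. <?xml ?> declarations and
# <!-- comments --> are skipped because a name must begin with a letter or "_".
TAG_RE = re.compile(r"<(/?)([A-Za-z_][\w:.-]*)[^>]*?(/?)>")


def find_unbalanced_end_tags(xml_text):
    """Return [(tag_name, offset), ...] for every end tag whose matching
    start tag is missing (or is not the innermost open element)."""
    stack = []
    problems = []
    for m in TAG_RE.finditer(xml_text):
        is_end = m.group(1) == "/"
        name = m.group(2)
        is_self_closing = m.group(3) == "/"
        if is_self_closing:
            continue                        # e.g. <w:br/> opens and closes at once
        if not is_end:
            stack.append(name)
        elif stack and stack[-1] == name:
            stack.pop()
        else:
            # The shape of the bug described above: an end tag arrives with no
            # corresponding start tag. A parser that assumes "end tag implies
            # start tag" would now touch a paragraph object it never created.
            problems.append((name, m.start()))
    return problems


def strict_parser_rejects(xml_text):
    """True if a conforming XML parser refuses the input (mismatched tags)."""
    try:
        ElementTree.fromstring(xml_text)
        return False
    except ElementTree.ParseError:
        return True


def scan_docx(docx_bytes):
    """Open a .docx (a zip archive) from memory and check word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml_text = zf.read("word/document.xml").decode("utf-8")
    return find_unbalanced_end_tags(xml_text)


def make_docx(document_xml):
    """Build a minimal constructed .docx containing only word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples (not taken from the advisory): a well-formed paragraph,
# and the same body with the <w:p> start tag removed.
GOOD_XML = (
    '<?xml version="1.0"?><w:document xmlns:w="urn:example"><w:body>'
    '<w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>'
)
BAD_XML = (
    '<?xml version="1.0"?><w:document xmlns:w="urn:example"><w:body>'
    '<w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>'
)

if __name__ == "__main__":
    for label, xml in (("good", GOOD_XML), ("bad", BAD_XML)):
        print(label, "unbalanced end tags:", find_unbalanced_end_tags(xml),
              "| strict parser rejects:", strict_parser_rejects(xml))
    print("docx scan:", scan_docx(make_docx(BAD_XML)))
```

The two checks make the same point from different angles: a strict parser never reaches the dangerous state because mismatched tags are a fatal error, while the hand-rolled scanner shows the one place where a custom parser has to add the explicit "is there an open paragraph?" check before touching paragraph state. Running the scanner over documents before they reach a fragile parser is a cheap pre-filter, not a substitute for fixing the parser.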