Lee Yee Chan founded F13 Laboratory. She has been working in the cyber security industry for the last six years. Her research focuses on the art of packing/unpacking, dynamic execution tracing, kernel threats, and vulnerability and exploitation techniques. She has presented her security research at BlackHat USA 2013, Infiltrate 2013, PacSec 2012, BlackHat Euro 2012, HackInParis 2012, DEFCON 16 and numerous other events.
The vulnerability occurs when processing Word macro bytecode opcodes. The main processing function is sub 307B9EAB. The interesting point of this function is that it performs a memory copy without checking the size. To trigger the memmove above, src1/src2/src3/src4 need to be set beforehand, and some bytecode can do that: As you can see, when src$i is set, v4 will point to the address of size$i. I chose a sample doc file that has macro bytecode and set a breakpoint where it reads the opcode: Trying to change the overwritten value w...
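To make the bug pattern concrete, here is an added illustration in C; it is not the original write-up's code and not Word's opcode handler. It is a toy bytecode interpreter: one opcode records a source buffer and its length (standing in for src$i and size$i), and a copy opcode memmove()s that buffer into a fixed-size destination. In unchecked mode the copy trusts the script-supplied length, exactly the "memory copy without checking the size" pattern; in hardened mode the length is bounded by the destination's capacity first. The opcode names, the operand encoding, the 16-byte destination and the canary bytes placed after it are all hypothetical.

```c
/*
 * Added illustration, not code from the original write-up or from Word.
 * Toy bytecode VM: OP_SET_SRC records a source buffer and length from the
 * script, OP_COPY memmove()s it into a fixed-size destination. Everything
 * here (opcodes, encoding, sizes) is hypothetical.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DST_SIZE    16   /* logical capacity of the destination buffer */
#define CANARY_SIZE  8   /* bytes placed right after it, to spot an overflow */

enum { OP_END = 0, OP_SET_SRC = 1, OP_COPY = 2 };
enum { VM_OK = 0, VM_REJECTED = -1, VM_BAD_BYTECODE = -2 };

typedef struct {
    const uint8_t *src;                  /* like src$i in the write-up */
    uint32_t size;                       /* like size$i in the write-up */
    uint8_t mem[DST_SIZE + CANARY_SIZE]; /* dst = mem[0..DST_SIZE-1], canary follows */
} vm_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void vm_init(vm_t *vm) {
    memset(vm, 0, sizeof *vm);
    memset(vm->mem + DST_SIZE, 0xAA, CANARY_SIZE);   /* known canary pattern */
}

/* Execute `code`. With hardened == 0 the copy opcode trusts the script-supplied
 * size (the bug pattern); with hardened != 0 it is bounded by DST_SIZE. */
static int vm_run(vm_t *vm, const uint8_t *code, size_t len, int hardened) {
    size_t pc = 0;
    while (pc < len) {
        uint8_t op = code[pc++];
        switch (op) {
        case OP_SET_SRC: {
            /* operand: u32 little-endian length followed by that many data bytes */
            if (len - pc < 4) return VM_BAD_BYTECODE;
            uint32_t n = le32(code + pc);
            pc += 4;
            if (n > len - pc) return VM_BAD_BYTECODE;  /* data must lie inside the script */
            vm->src = code + pc;
            vm->size = n;
            pc += n;
            break;
        }
        case OP_COPY:
            if (vm->src == NULL) return VM_BAD_BYTECODE;
            if (hardened && vm->size > DST_SIZE) return VM_REJECTED; /* the missing check */
            memmove(vm->mem, vm->src, vm->size);   /* unchecked: size comes from the script */
            break;
        case OP_END:
            return VM_OK;
        default:
            return VM_BAD_BYTECODE;
        }
    }
    return VM_OK;
}

/* 1 if the canary after the destination is untouched, 0 if the copy ran into it. */
static int vm_canary_intact(const vm_t *vm) {
    for (size_t i = 0; i < CANARY_SIZE; i++)
        if (vm->mem[DST_SIZE + i] != 0xAA) return 0;
    return 1;
}

/* Constructed script: SET_SRC with n bytes of 'A', then COPY, then END.
 * Returns the script length, or 0 if `cap` is too small. */
static size_t build_script(uint8_t *out, size_t cap, uint32_t n) {
    size_t i = 0;
    if ((size_t)n + 7 > cap) return 0;
    out[i++] = OP_SET_SRC;
    out[i++] = n & 0xFF; out[i++] = (n >> 8) & 0xFF;
    out[i++] = (n >> 16) & 0xFF; out[i++] = (n >> 24) & 0xFF;
    memset(out + i, 'A', n); i += n;
    out[i++] = OP_COPY;
    out[i++] = OP_END;
    return i;
}

/* Run a script that copies n bytes; returns the VM result code and reports via
 * *canary_intact whether the copy stayed inside the destination.
 * Keep n <= DST_SIZE + CANARY_SIZE so the toy never writes outside mem[]. */
static int scenario(uint32_t n, int hardened, int *canary_intact) {
    uint8_t script[64];
    vm_t vm;
    size_t len = build_script(script, sizeof script, n);
    vm_init(&vm);
    int rc = len ? vm_run(&vm, script, len, hardened) : VM_BAD_BYTECODE;
    *canary_intact = vm_canary_intact(&vm);
    return rc;
}
static int scenario_rc(uint32_t n, int hardened)     { int c; return scenario(n, hardened, &c); }
static int scenario_canary(uint32_t n, int hardened) { int c; scenario(n, hardened, &c); return c; }

int main(void) {
    int c;
    int rc = scenario(DST_SIZE + 4, 0, &c);   /* 4 bytes more than the destination holds */
    printf("unchecked: rc=%d canary_intact=%d\n", rc, c);
    rc = scenario(DST_SIZE + 4, 1, &c);
    printf("hardened:  rc=%d canary_intact=%d\n", rc, c);
    return 0;
}
```

The unchecked run reports VM_OK while the canary is clobbered: the interpreter never learns that the script asked for more than the destination holds, which is what makes the copy size attacker-controlled. The hardened run rejects the same script before memmove() touches memory. Two checks matter in a real handler of this shape: the length recorded by the set-source opcode must be validated against the remaining bytecode stream (so the copy cannot read past the script), and the length must be validated against the destination's capacity before the copy (so it cannot write past the destination). The toy keeps the overflow inside mem[] on purpose; with larger sizes it would become a real out-of-bounds write.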