Friday, August 16, 2013

BUG in WinCalc.exe

Today I'd like to share another "funny BUG" (yep, believe me this is quite funny) through this summer time quick'n dirty post. The involved hunter is Nuzhny (no contacts provided to me, more infos here) who disclosed a Stack Overflow in Windows Calculator last week. You would think: "A BOF in Windows Calc.exe ? You're kidding me... One of the oldest executable on the Earth is still hiding BUGS on it ?". The sad answers is: "yes", windows CALC still has undisclosed BUGs at least on the following machine (in where I was able to test it).

Machine Settings:

Windows 7 Ultimate SP1 x86-64, English.

Trigger the bug:
  1. Start |-> run Calc.exe
  2. Press "Alt-2" to go to tjhe "Scientific" calculator mode ("Programmer mode" should also work)
  3. Type "1/255" and press Enter.
  4. Now press button "F-E"
Problem Signature:
Problem Event Name: APPCRASH
Application Name: calc.EXE
Application Version: 6.1.7600.16385
Application Timestamp: 4a5bc9d4
Fault Module Name: ntdll.dll
Fault Module Version: 6.1.7601.17725
Fault Module Timestamp: 4ec4aa8e
Exception Code: c00000fd
Exception Offset: 0000000000053560
OS Version: 6.1.7601.2.1.0.256.1
 

The exception is unhandled at address:  0xC00000FD.

The screen-shot:
Crash after F-E representation needed.

Debugger on BUG
Bottomline:
I'm not sure on how this bug could be exploited in the real life - right now -,   maybe it wouldn't become a vulnerability at all but what it's important to all this "story" is that no safe software in a real world exist. Even wincalc.exe, one of the most simple and most tested software of the entire software history might hide bugs and vulnerabilities. Are you still wondering why a "security source code review" is essential out there ?