Today I’d like to share another “funny BUG” (yep, believe me this is quite funny) through this summer time quick’n dirty post. The involved hunter is Nuzhny (no contacts provided to me, more infos here) who disclosed a Stack Overflow in Windows Calculator last week. You would think: “A BOF in Windows Calc.exe ? You’re kidding me… One of the oldest executable on the Earth is still hiding BUGS on it ?”. The sad answers is: “yes”, windows CALC still has undisclosed BUGs at least on the following machine (in where I was able to test it).
Machine Settings:
Windows 7 Ultimate SP1 x86-64, English.
Trigger the bug:
- Start |-> run Calc.exe
- Press “Alt-2” to go to tjhe “Scientific” calculator mode (“Programmer mode” should also work)
- Type “1/255” and press Enter.
- Now press button “F-E”
Problem Signature:
Problem Event Name: APPCRASH
Application Name: calc.EXE
Application Version: 6.1.7600.16385
Application Timestamp: 4a5bc9d4
Fault Module Name: ntdll.dll
Fault Module Version: 6.1.7601.17725
Fault Module Timestamp: 4ec4aa8e
Exception Code: c00000fd
Exception Offset: 0000000000053560
OS Version: 6.1.7601.2.1.0.256.1
The exception is unhandled at address: 0xC00000FD.
The screen-shot:
 |
||||||
| Crash after F-E representation needed. |
 |
| Debugger on BUG |
Bottomline:
I’m not sure on how this bug could be exploited in the real life – right now -, maybe it wouldn’t become a vulnerability at all but what it’s important to all this “story” is that no safe software in a real world exist. Even wincalc.exe, one of the most simple and most tested software of the entire software history might hide bugs and vulnerabilities. Are you still wondering why a “security source code review” is essential out there ?
more technical/debuging info on the subject: http://rce4fun.blogspot.com/2013/12/64-bit-calcexe-stack-overflow-root.html
hello could any one explain what is {\x2F\x2A} ?
is it encoded of hex?
thanks indeed
The same problem with calc.exe of Windows 8 64 bit
Waliedassar, obviously you are right.
My iPad auto-correction made it happen: This time it corrected “Overflow” to “BufferOverflow”. I did not re-read carefully the post.
Thank *you* very much for pointing it out !
I did the update.
It is a stack overflow (STATUS_STACK_OVERFLOW), not buffer overflow.
It also works for 1/127