Releasing “Word Quick Fuzzer”

July 1, 2018

Word, the widely used word processor by Microsoft Office, is known for its variety of features and capabilities. So many in fact, that some are actually forgotten, having being developed a long time ago. An example of such a feature can be found in DDE, Dynamic Data Exchange, a very old feature who made a surprising comeback late 2017/ early 2018 when it was used to achieve macro-less code execution in Word / Excel.

There are many more such features, all with different capabilities but with one common denominator: Word Quick Fields – In order for Word to be able to process and use these capabilities, one must use the appropriate Quick Field.

That and more, some very common capabilities such as OLE embedding and OLE linking are in fact Quick Fields behind the scenes.

Introducing fuzzing, the art of generating corrupted input and supplying it to a program in order to reveal unexpected code paths and behaviors. By utilizing fuzzing, security researchers can preform an outstanding amount of security testing as a factor of time.

There are all sorts of fuzzers out there: AFL, Peach, radamsa etc. each with its speciality and capabilities. Combining the above, we realize that Word Quick Fields might contain hidden treasures which can be revealed by fuzzing it.

The problem begins when you realize that in order to fuzz Word Quick Fields, you must fuzz Word as well. This is a cause for concern as the process of loading Word is time consuming and takes us away from our goal, there must by another way to do it..?

Introducing “Word Quick Fuzzer”  – a python program aiming to fuzz Word quick fields! By utilizing python and COM, we can achieve a relatively fast fuzzing experience ( in comparison to native code) and actually achieve some results.

We’ve chosen to release this tool to support the community and advance this research forward. It contains 2 modules: HTML fuzzing via INCLUDETEXT Quick Field and Image fuzzing via INCLUDEPICTURE Quick Field.

There are further possibilities to explore: DDE fuzzing, undocumented commands fuzzing etc.

Please see our Github Repository for more info.