Summertime

Written by Rubén
Tuesday, 12 August 2008

Wow, I wrote the last entry in June, that's not good. I promise that in the upcoming months I'll try to do better...

.text:300F642C mov eax, [edi]
.text:300F642E mov ecx, [ebp-14h]
.text:300F6431 mov ebx, [eax+ecx*4]; parsing record
.text:300F6434 mov esi, [ebx+2] ; malicious length (0xFFFFFFFF)
.text:300F6437 test esi, esi
.text:300F6439 mov [ebp-20h], ebx
.text:300F643C mov [ebp-1Ch], esi
.text:300F643F jz loc_300F6516
.text:300F6445 mov ax, [ebx]
.text:300F6448 and eax, 3FFFh
.text:300F644D push eax
.text:300F644E call _MsoPopinfoGet@4 ; MsoPopinfoGet(x)
.text:300F6453 mov eax, [eax]
.text:300F6455 cmp eax, 6
.text:300F6458 jz short loc_300F64B4
.text:300F645A cmp eax, 0Bh
.text:300F645D jz short loc_300F6467
{...}
---->.text:300F6467 loc_300F6467: ; CODE XREF: sub_300F6402+5B#j
.text:300F6467 push esi ; malicious length
.text:300F6468 call sub_30133564 ---->
[..]
----> .text:30133564 mov eax, [esp+arg_0]
.text:30133568 add eax, 3 ; Integer Overflow ( 0xFFFFFFFF + 3 )
.text:3013356B and al, 0FCh ; align
.text:3013356D push eax ; 0
.text:3013356E push 0 ; uFlags
.text:30133570 call ds:GlobalAlloc ; Underallocate
.text:30133576 test eax, eax
.text:30133578 jnz short locret_3013357F

et voilà... heap overflow.

The second one is more interesting: while parsing picture records we can force an arbitrary function pointer dereference by modifying a certain index.

.text:300F8B16 mov ecx, [eax+2] ; malicious index
.text:300F8B19 mov ecx, [edx+ecx*4-4]
.text:300F8B1D lea edx, [esi+15Ch]
.text:300F8B23 mov [edx], ecx
.text:300F8B25 mov [eax+2], ecx
.text:300F8B28 cmp dword ptr [edx], 0
.text:300F8B2B jz short loc_300F8B33
.text:300F8B2D mov eax, [ecx] ; loads arbitrary pointer
.text:300F8B2F push ecx
.text:300F8B30 call dword ptr [eax+4] ; Boom!

The interesting part is how this issue can be exploited. If we were exploiting this flaw within a browser context it would be child's play: just by spraying the heap we can achieve code execution. In PowerPoint it's not so different, but it changes slightly. We know neither where our shellcode is nor the address of our fake pointer, so we need to spray the heap as well; the only thing that varies is the way to do it. In this case we have to embed several pictures in the ppt in order to control what the heap will look like. After that, we replace the content of the pictures (raw bytes, leaving the headers untouched just in case) with our nop sled, and in the last image we copy the shellcode.

It seems that I missed an advisory from Novell for a METHOD_NEITHER flaw in NWFS.sys I reported some time ago. It was released in June according to Secunia. I'm planning to upload a k-plugin for this flaw soon. If you like ring0 flaws, stay tuned, since in a couple of weeks I'll release an interesting flaw which affects several vendors. On the other hand, I'm moving to the greener pastures of pure remote bugs; previously I've never dug too much into networking issues, but it seems cool. I have found several flaws so far, so I think I'm here to stay. Nevertheless, don't forget that there are still a lot of buggy drivers out there :) !

That's all. See you in September!
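As a defender-side illustration of the two checks the parsing code above lacks, here is an added C example (written for this page; it is neither PowerPoint's code nor the author's). It reproduces the wrapping size computation of sub_30133564 (`len + 3`, low two bits cleared) beside a version that rejects lengths that would wrap; parses a hypothetical record header (a 16-bit type word whose low 14 bits are used, followed by a 32-bit length, a layout I assume from the disassembly, not the real file format) while validating the declared length against the bytes actually present; and bounds-checks an attacker-influenced index before using it to select an entry from a pointer table, treating the index as 1-based because of the `-4` in `[edx+ecx*4-4]` (also an assumption). The sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed record layout (modelled on the disassembly, not the real format):
 * 2-byte type word (low 14 bits used) + 4-byte little-endian length. */
#define REC_HDR_LEN 6u

/* Size computation exactly as the vulnerable routine does it: add 3 and clear
 * the low two bits to round up to a multiple of 4. The addition wraps in
 * 32 bits, so 0xFFFFFFFF + 3 == 2 and the rounded result is 0. */
uint32_t vuln_alloc_size(uint32_t len) {
    uint32_t n = len + 3u;        /* wraps like `add eax, 3` */
    return n & ~3u;               /* `and al, 0FCh` clears the same two bits */
}

/* Hardened version: refuse any length for which len + 3 would overflow.
 * Returns 1 and stores the rounded size on success, 0 on rejection. */
int safe_alloc_size(uint32_t len, uint32_t *out) {
    if (len > UINT32_MAX - 3u) return 0;
    *out = (len + 3u) & ~3u;
    return 1;
}

typedef struct {
    uint16_t type;        /* low 14 bits of the first word, as in `and eax, 3FFFh` */
    uint32_t len;         /* declared body length, validated */
    const uint8_t *body;  /* points into the caller's buffer */
} record_t;

/* Parse the record header at `off` and only accept a length that fits inside
 * the remaining input and survives the allocation-size check. */
int parse_record(const uint8_t *buf, size_t buflen, size_t off, record_t *rec) {
    if (off > buflen || buflen - off < REC_HDR_LEN) return 0;      /* no room for a header */
    uint16_t raw = (uint16_t)(buf[off] | (buf[off + 1] << 8));
    uint32_t len = (uint32_t)buf[off + 2] | ((uint32_t)buf[off + 3] << 8) |
                   ((uint32_t)buf[off + 4] << 16) | ((uint32_t)buf[off + 5] << 24);
    if (len > buflen - off - REC_HDR_LEN) return 0;                /* body exceeds the input */
    uint32_t alloc;
    if (!safe_alloc_size(len, &alloc)) return 0;                   /* would wrap during rounding */
    rec->type = raw & 0x3FFFu;
    rec->len = len;
    rec->body = buf + off + REC_HDR_LEN;
    return 1;
}

/* Bounds-checked lookup for the second flaw: a file-controlled index into a
 * pointer table is validated before anything is dereferenced. Index is treated
 * as 1-based (assumption from the `-4` displacement); 0 and out-of-range
 * values yield NULL instead of an arbitrary pointer. */
const void *lookup_checked(const void *const *table, size_t count, uint32_t index) {
    if (index == 0 || index > count) return NULL;
    return table[index - 1];
}

/* Constructed sample input (not taken from any real file): a 4-byte record
 * followed by a header claiming a 0xFFFFFFFF-byte body. */
static const uint8_t sample[] = {
    0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0xAA, 0xBB, 0xCC, 0xDD,
    0x0B, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
};
static const size_t sample_len = sizeof sample;

int main(void) {
    record_t r;
    printf("vulnerable size for len 0xFFFFFFFF: %u\n", vuln_alloc_size(0xFFFFFFFFu));
    printf("first record accepted:  %d\n", parse_record(sample, sample_len, 0, &r));
    printf("second record accepted: %d\n", parse_record(sample, sample_len, 10, &r));
    return 0;
}
```

The length check against the remaining input is the one that matters most: even if the rounding were done in 64-bit arithmetic, a parser that trusts a length larger than the file it is reading will still read or copy past the end of its buffer.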
Last Updated (Monday, 15 September 2008)