Vulnerabilities in several antivirus and firewall products (BitDefender
Antivirus [1], Comodo Firewall [2], Sophos Antivirus [3] and Rising
Antivirus [4]) have been found that could lead to a denial of service
(DoS) and possibly to code execution. A local attacker exploiting these
flaws could reboot the whole system, shutting down the firewall or
anti-virus protection. In some cases it may be possible to extend the
impact of these bugs to the execution of arbitrary code in privileged
kernel mode.
*Vulnerable Packages*
(to get the scripts mentioned by this advisory please get the full
version at http://www.hexale.org/advisories/OCHOA-2010-0209.txt; I did
not include them here to reduce the size of this email)
Windows SMB NTLM Authentication Weak Nonce Vulnerability
Security Advisory
Hernan Ochoa (hernan@gmail.com) - Agustin Azubel (agustin.azubel@gmail.com)
Gen LI & Jun MA & Ying Zhang
More Detail :
(CSTransfer.dll)
+---------------------+
| Malicious input     |  ...........>  | R | 4 | 0 | \r | \n | .... |
+---------------------+
3. *Vulnerability Description*
Ston3D is a cross-platform technology developed by StoneTrip [1] that
allows applications developed with the ShiVa product [2] to be run from
various media. It is a platform for real-time 3D development,
specifically designed for games and other real-time applications.
Ston3D players come in two flavors:
1. Ston3D StandalonePlayer [3],
2. and Ston3D WebPlayer [4], which runs like an extension or plug-in
ECX 7A7A7A7A
EDX 00000000
EBX 00000003
ESP 0171ED64
EBP 0171EEFC
ESI 013579F0 ASCII
"zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz"
EDI 00C60000
EIP 77FCC453 ntdll.77FCC453
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
The problem is located in the function at address 0101488A, which sends
a reply packet back to the client and raises an exception if send()
fails, for example because the client closed the connection before
receiving the data.
In this function the size of the data to send (0x2c) is passed through
ntohl() and stored in the stack buffer that holds the beginning of the
packet to send. When the exception is raised, execution continues from
01013e86 and, after a CALL EAX in msvcrt.dll, arrives at 01013e8a, where
EDI is loaded with the value at [EBP-4C]: this is 0x2c000000, i.e. 0x2c
still in network byte order.
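The byte-order mix-up above, reproduced as an added example (this is not the vulnerable server's code; the packet layout, the struct and every function name are assumptions). The length is written into the packet with htonl(), the error path reads the field back without ntohl() and so sees 0x2c000000 on x86, and a consumer that bounds every length against what the buffer really holds refuses it:

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed reply packet for this example: a 4-byte length prefix stored
 * in network byte order, followed by a body. The layout, the struct and the
 * function names are assumptions; none of this is the vulnerable server's
 * own code. */
#define REPLY_LEN 0x2cU

struct reply_buf {
    uint8_t  data[64];
    uint32_t used;          /* bytes actually present in data[] */
};

int host_is_little_endian(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Normal path: the length is written into the packet in network byte order. */
void build_reply(struct reply_buf *r)
{
    uint32_t wire_len = htonl(REPLY_LEN);
    memset(r, 0, sizeof *r);
    memcpy(r->data, &wire_len, sizeof wire_len);
    memset(r->data + sizeof wire_len, 'A', REPLY_LEN - sizeof wire_len);
    r->used = REPLY_LEN;
}

/* Error path as the advisory describes it: after send() fails the handler
 * re-reads the already byte-swapped field from the stack buffer and treats
 * it as a host-order count. On x86, 0x0000002c comes back as 0x2c000000. */
uint32_t length_from_error_path_buggy(const struct reply_buf *r)
{
    uint32_t v;
    memcpy(&v, r->data, sizeof v);
    return v;
}

/* Fix: undo the byte swap before using the field as a count. */
uint32_t length_from_error_path_fixed(const struct reply_buf *r)
{
    return ntohl(length_from_error_path_buggy(r));
}

/* Defensive consumer: never trust a length field beyond what the buffer
 * really holds, so even the misread 0x2c000000 cannot drive a huge copy. */
int consume_reply(const struct reply_buf *r, uint32_t len,
                  uint8_t *out, size_t outsz)
{
    if (len > r->used || len > outsz)
        return -1;
    memcpy(out, r->data, len);
    return (int)len;
}

uint32_t demo_buggy_length(void)
{
    struct reply_buf r;
    build_reply(&r);
    return length_from_error_path_buggy(&r);
}

uint32_t demo_fixed_length(void)
{
    struct reply_buf r;
    build_reply(&r);
    return length_from_error_path_fixed(&r);
}

/* Returns what consume_reply() does with the length taken from either path. */
int demo_consume(int use_fixed_path)
{
    struct reply_buf r;
    uint8_t out[64];
    build_reply(&r);
    uint32_t len = use_fixed_path ? length_from_error_path_fixed(&r)
                                  : length_from_error_path_buggy(&r);
    return consume_reply(&r, len, out, sizeof out);
}

int main(void)
{
    printf("length read on error path: buggy 0x%08x, fixed 0x%08x\n",
           demo_buggy_length(), demo_fixed_length());
    printf("consume_reply: buggy length -> %d, fixed length -> %d\n",
           demo_consume(0), demo_consume(1));
    return 0;
}
```

The defensive check in consume_reply() is the part worth copying: a length field that survived a byte swap, a sign extension or a truncation is still just an integer, and the only reliable guard is comparing it against the bytes actually present.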
3 Analysis
=========
asm in dirapi.dll 11.6.1.629
.text:6809FC7A push esi
.text:6809FC7B push edi
.text:6809FC7C push ebp
.text:6809FC7D call IML32_1414_get_a_dword // get a dword from the dir file
.text:6809FC82 mov esi, eax // if eax = 66666680
.text:1006F407 lea eax, [ebp-28h]
.text:1006F40A lea ecx, [ebp-10h]
.text:1006F40D push eax ; lpProcessInformation
.text:1006F40E lea eax, [ebp-6Ch]
.text:1006F411 push eax ; lpStartupInfo
.text:1006F412 push esi ; lpCurrentDirectory
.text:1006F413 push esi ; lpEnvironment
.text:1006F414 push esi ; dwCreationFlags
.text:1006F415 push esi ; bInheritHandles
.text:1006F416 push esi ; lpThreadAttributes
.text:1006F417 push esi ; lpProcessAttributes
Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
----------------------------------------------------------------------------
Help and Support Centre is the default application provided to access online
documentation for Microsoft Windows. Microsoft supports accessing help documents
directly via URLs by installing a protocol handler for the scheme "hcp",
a typical example is provided in the Windows XP Command Line Reference,
available at http://technet.microsoft.com/en-us/library/bb490918.aspx.
Using hcp:// URLs is intended to be safe, as when invoked via the registered
(And try dealing with Microsoft licensing sometime if you think security
communication is lacking)
library copy enough content from the file to the stack to overwrite a
function pointer that the library later calls.
As the following extract from PubConv.dll shows, the call to function
'sub_344EEB00' (1.1) returns a pointer to a WORD holding the size of the
data to be copied from an intermediate buffer to the stack. Instruction
(1.2) loads ECX with that 16-bit value sign-extended to 32 bits. After a
series of checks and transformations, this value is used in (1.3) as the
size argument of a memmove call, and the copy ends up overwriting a
function pointer on the stack.
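The sign-extension problem at (1.2), as an added example that is not PubConv.dll's code (the record layout, the buffer size and the function names are assumptions). A WORD of 0xFFFF loaded with movsx becomes -1, which passes a signed "small enough" check and then becomes SIZE_MAX when it reaches memmove; the hardened copy reads the field zero-extended and compares it unsigned against both the stack buffer and the bytes actually in the record:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed records for this example: a 16-bit little-endian size field
 * followed by payload. The record layout and the function names are
 * assumptions; they are not PubConv.dll's own code. */
static const uint8_t GOOD_RECORD[]    = { 0x03, 0x00, 'A', 'B', 'C' };
static const uint8_t HOSTILE_RECORD[] = { 0xFF, 0xFF, 'A', 'B', 'C' }; /* size 0xFFFF */

#define STACK_BUF_SIZE 16   /* size of the fixed stack buffer (assumed) */

/* What a movsx-style load does with the WORD: 0xFFFF becomes -1. */
int32_t read_size_sign_extended(const uint8_t *p)
{
    int16_t raw = (int16_t)(p[0] | (p[1] << 8));
    return (int32_t)raw;
}

/* What a movzx-style load does: the WORD stays 0xFFFF. */
uint32_t read_size_zero_extended(const uint8_t *p)
{
    return (uint32_t)(p[0] | (p[1] << 8));
}

/* Buggy check: a signed comparison lets a negative size through. */
int size_ok_signed(int32_t n, int32_t limit)
{
    return n <= limit;
}

/* Fixed check: unsigned comparison against the real buffer size and
 * against the bytes actually present in the input. */
int size_ok_unsigned(uint32_t n, size_t limit, size_t avail)
{
    return n <= limit && n <= avail;
}

/* Hardened version of the copy at (1.3): returns bytes copied, or -1. */
int copy_record(const uint8_t *rec, size_t reclen)
{
    uint8_t buf[STACK_BUF_SIZE];
    if (reclen < 2)
        return -1;
    uint32_t n = read_size_zero_extended(rec);
    if (!size_ok_unsigned(n, sizeof buf, reclen - 2))
        return -1;
    memmove(buf, rec + 2, n);
    return (int)n;
}

/* Scenario helpers. */
int demo_copy_good(void)    { return copy_record(GOOD_RECORD, sizeof GOOD_RECORD); }
int demo_copy_hostile(void) { return copy_record(HOSTILE_RECORD, sizeof HOSTILE_RECORD); }

/* The signed check accepts the hostile size (-1 <= 16)... */
int demo_signed_check_accepts_hostile(void)
{
    return size_ok_signed(read_size_sign_extended(HOSTILE_RECORD), STACK_BUF_SIZE);
}

/* ...and once that -1 reaches memmove's size_t parameter it is SIZE_MAX. */
size_t demo_hostile_size_as_size_t(void)
{
    return (size_t)read_size_sign_extended(HOSTILE_RECORD);
}
```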
CFNetwork is a framework within Core Services that provides a library of
abstractions for network protocols. It can be used to perform a variety
of network tasks over protocols such as SSL/TLS, DNS, FTP and HTTP.
Among many other applications, the CFNetwork framework is used by
Safari and Mail.
Description:
A remotely exploitable vulnerability has been found in the HTTP header
----- Original Message ----
From: Tavis Ormandy <taviso@cmpxchg8b.com>
To: full-disclosure@lists.grok.org.uk
Cc: bugtraq@securityfocus.com
Sent: Wed, June 9, 2010 4:46:21 PM
Subject: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly
3. Technical Description.
The problem lies in how the stack locations are traversed while trying
to complete an IRP. Let's see
lkd> dt nt!_IRP
script_info script[script_count]
u30 method_body_count
method_body_info method_body[method_body_count]
}
The value of the class_count element is the number of entries in the
instance and class arrays.
Each instance entry is a variable-length instance_info structure which
specifies the characteristics of object instances created by a
particular class:
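Reading these counts safely, as an added example (not code from any Flash player or from the advisory). u30 fields are variable-length integers, up to five bytes of seven value bits each, low group first, and class_count is read from the file before anything is allocated, so a parser needs both a bounded decoder and a plausibility check on the count against the bytes that remain. The minimum sizes of instance_info and class_info used here are assumptions for the example, and the byte strings are constructed:

```c
#include <stddef.h>
#include <stdint.h>

/* ABC variable-length u30: up to five bytes, seven value bits per byte,
 * least significant group first; a set high bit means another byte
 * follows. Returns 1 and advances *pos on success, 0 on a truncated
 * encoding or a value that does not fit in 30 bits. */
int read_u30(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    uint32_t value = 0;
    for (int i = 0; i < 5; i++) {
        if (*pos >= len)
            return 0;                       /* truncated: ran off the file */
        uint8_t b = buf[(*pos)++];
        value |= (uint32_t)(b & 0x7F) << (7 * i);
        if (!(b & 0x80)) {
            if (value >> 30)
                return 0;                   /* more than 30 significant bits */
            *out = value;
            return 1;
        }
    }
    return 0;                               /* fifth byte still had the continuation bit */
}

/* Encoder, used here to round-trip values. */
size_t write_u30(uint32_t v, uint8_t out[5])
{
    size_t n = 0;
    do {
        uint8_t b = v & 0x7F;
        v >>= 7;
        if (v)
            b |= 0x80;
        out[n++] = b;
    } while (v);
    return n;
}

/* Smallest possible encodings of one instance_info and one class_info
 * (one byte per u30 field, one flags byte, no interfaces, no traits);
 * assumed for this example. */
#define MIN_INSTANCE_INFO 6
#define MIN_CLASS_INFO    2

/* Read class_count and reject it if the remaining bytes could not even
 * hold that many minimal instance_info + class_info pairs. Doing this
 * before allocating or looping keeps a 30-bit count from driving an
 * oversized allocation or an out-of-bounds read. */
int read_class_count(const uint8_t *buf, size_t len, size_t *pos, uint32_t *count)
{
    size_t start = *pos;
    if (!read_u30(buf, len, pos, count))
        return 0;
    size_t remaining = len - *pos;
    if (*count > remaining / (MIN_INSTANCE_INFO + MIN_CLASS_INFO)) {
        *pos = start;
        return 0;
    }
    return 1;
}

/* Constructed byte strings (not taken from any real SWF). */
static const uint8_t U30_127[]     = { 0x7F };
static const uint8_t U30_128[]     = { 0x80, 0x01 };
static const uint8_t U30_TRUNC[]   = { 0x80 };
static const uint8_t U30_TOO_BIG[] = { 0xFF, 0xFF, 0xFF, 0xFF, 0x0F };  /* all 32 bits set */
static const uint8_t FRAG_OK[]     = { 0x01, 0, 0, 0, 0, 0, 0, 0, 0 };  /* count 1, 8 bytes left */
static const uint8_t FRAG_BAD[]    = { 0x40, 0, 0, 0, 0, 0, 0, 0, 0 };  /* count 64, 8 bytes left */

/* Decodes one u30; 0xFFFFFFFF signals rejection. */
uint32_t demo_decode(const uint8_t *bytes, size_t n)
{
    size_t pos = 0;
    uint32_t v = 0;
    return read_u30(bytes, n, &pos, &v) ? v : 0xFFFFFFFFu;
}

int demo_roundtrip(uint32_t v)
{
    uint8_t tmp[5];
    size_t n = write_u30(v, tmp), pos = 0;
    uint32_t back = 0;
    return read_u30(tmp, n, &pos, &back) && back == v && pos == n;
}

/* Returns the accepted class_count, or -1 if the fragment is rejected. */
int demo_class_count(const uint8_t *frag, size_t n)
{
    size_t pos = 0;
    uint32_t c = 0;
    return read_class_count(frag, n, &pos, &c) ? (int)c : -1;
}
```

The same remaining-bytes check applies to method_body_count and to every other count field that precedes a variable-length array in the file.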
*Vulnerability Description*
WonderWare is a supplier of industrial automation and information software
solutions. According to the company's website [1]: "one third of the
world's plants run Wonderware software solutions. Having sold more than
500,000 software licenses in over 100,000 plants worldwide, Wonderware
has customers in virtually every global industry - including Oil & Gas,
Food & Beverage, Utilities, Pharmaceuticals, Electronics, Metals,
Automotive and more".
WonderWare offers software solutions in the areas of Production and
openfolder=0
prodname=Smart Checker
diskspace=75376
checksum=8f79795f330f1cadcbe0a55400715da3
object_url=http://ardownload.adobe.com/pub/adobe/acrobat/win/all/sgc15.exe
signoff_url=
dependson=942
required=1
visible=0
params=
ask_for_destination=0
copy the filename argument to a fixed-size buffer on the stack without
properly checking that the buffer is large enough to hold the filename
string. A proof-of-concept PDF file is also included [5].
If an 'Open/Execute a file' action is defined in a PDF file, then when
its trigger condition is satisfied Foxit Reader first determines whether
the filename argument is a relative path:
/-----------
00403029 |> 50 PUSH EAX
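The copy into the fixed-size stack buffer, as an added example that is not Foxit's code. The relative-path rule, the 64-byte buffer size and the document directory are assumptions; the point is that the full length is computed and compared against the buffer before anything is written, and an overlong filename is rejected rather than truncated or overflowed:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF_SIZE 64   /* fixed-size stack buffer; the size is an assumption */

/* The relative-path test the advisory says runs first. The exact rule is
 * not given, so this example treats a name as relative when it has neither
 * a drive letter nor a leading separator. */
int has_relative_path(const char *name)
{
    if (name[0] == '\\' || name[0] == '/')
        return 0;
    if (((name[0] >= 'A' && name[0] <= 'Z') || (name[0] >= 'a' && name[0] <= 'z'))
        && name[1] == ':')
        return 0;
    return 1;
}

/* The buggy shape is a plain strcpy(buf, name) into the fixed buffer (or a
 * strcpy of doc_dir followed by strcat of name); it is not executed here.
 * Hardened form: compute the full length first, reject names that do not
 * fit, and let snprintf bound the write. Returns 0 on success, -1 on
 * rejection. */
int build_target_path(const char *name, const char *doc_dir,
                      char *out, size_t outsz)
{
    size_t need;
    if (has_relative_path(name))
        need = strlen(doc_dir) + 1 + strlen(name);  /* dir, separator, name */
    else
        need = strlen(name);
    if (need + 1 > outsz)           /* +1 for the terminating NUL */
        return -1;
    if (has_relative_path(name))
        snprintf(out, outsz, "%s\\%s", doc_dir, name);
    else
        snprintf(out, outsz, "%s", name);
    return 0;
}

/* Scenario with the fixed-size stack buffer; returns build_target_path's result. */
int demo_launch(const char *name)
{
    char buf[PATH_BUF_SIZE];
    return build_target_path(name, "C:\\docs", buf, sizeof buf);
}

/* A filename long enough to overrun the 64-byte buffer. */
int demo_launch_overlong(void)
{
    char name[200];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return demo_launch(name);
}
```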
Re-installation of Service Pack 1 and/or upgrading to SP2 had any effect in regards to resolve the random crashes.
To execute either the sample program or any other system command, the user has to be either the admin, in the admin group or the Administrators group.
Since this buffer underflow never makes it to kernel memory, it could be possible that propping up the underflow will make it overflow and take control over the operating system without any restriction.
Remedy
- ------------
No remedy available at this time.
======================
Vulnerability details:
======================
The kernel driver aavmker4.sys shipped with avast! 4.7 contains a vulnerability in
the code that handles IOCTL requests. Exploitation of this vulnerability can result
in:
1) local denial of service attacks (system crash due to a kernel panic), or
2) local execution of arbitrary code at the kernel level (complete system compromise)
2) Bug
======
Classic heap overflow in the handling of IVR files: the buffer is
allocated with an attacker-chosen size (the frame size), and a
separately attacker-controlled amount of data is then copied into that
same buffer.
From rvrender.dll (base address 63AE0000):
63AF5C70 /$ 55 PUSH EBP
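The two-length mismatch described above, as an added example that is not rvrender.dll's code. The frame layout (4-byte frame_size, 4-byte data_size, then data), the struct and the function names are assumptions, and the sample frames are constructed. The missing check is that the copy length must fit both the allocation and the input:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed frame layout for this example: a 4-byte frame_size (the
 * allocation size), a 4-byte data_size (the copy length) and then data,
 * both fields little-endian and attacker-controlled. The layout and the
 * names are assumptions; this is not the real IVR format or rvrender.dll's
 * code. */
struct frame {
    uint8_t *buf;
    uint32_t size;
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The bug in the advisory is allocating frame_size bytes and then copying
 * data_size bytes into them with no relation enforced between the two.
 * This is the missing check: the copy must fit the allocation AND the input. */
int lengths_consistent(uint32_t frame_size, uint32_t data_size, size_t available)
{
    return data_size <= frame_size && data_size <= available;
}

/* Hardened parser: returns 0 and fills *out on success, -1 on rejection. */
int parse_frame(const uint8_t *in, size_t len, struct frame *out)
{
    if (len < 8)
        return -1;
    uint32_t frame_size = le32(in);
    uint32_t data_size  = le32(in + 4);
    if (frame_size == 0 || !lengths_consistent(frame_size, data_size, len - 8))
        return -1;
    uint8_t *buf = calloc(1, frame_size);
    if (!buf)
        return -1;
    memcpy(buf, in + 8, data_size);
    out->buf = buf;
    out->size = frame_size;
    return 0;
}

void free_frame(struct frame *f)
{
    free(f->buf);
    f->buf = NULL;
    f->size = 0;
}

/* Constructed frames (not real IVR data). */
static const uint8_t GOOD_FRAME[] = { 0x10,0,0,0, 0x04,0,0,0, 'I','V','R','!' };
static const uint8_t BAD_FRAME[]  = { 0x08,0,0,0, 0x40,0,0,0, 'I','V','R','!' }; /* copy 64 into 8 */

/* Returns 1 when the well-formed frame parses with the expected contents. */
int ivr_demo_good(void)
{
    struct frame f;
    if (parse_frame(GOOD_FRAME, sizeof GOOD_FRAME, &f) != 0)
        return 0;
    int ok = f.size == 16 && memcmp(f.buf, "IVR!", 4) == 0 && f.buf[4] == 0;
    free_frame(&f);
    return ok;
}

/* Returns parse_frame's verdict on the hostile frame (-1 expected). */
int ivr_demo_bad(void)
{
    struct frame f;
    return parse_frame(BAD_FRAME, sizeof BAD_FRAME, &f);
}
```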
-----------------------------
See Appendix A for sample code and Appendix B for research results.
Disclaimer
-----------------------------
There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (phion AG) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Appendix A - Sample source code
#define _WIN32_WINNT 0x0600
#define WIN32_LEAN_AND_MEAN
READ_ADDRESS: 92bc0000 Nonpaged pool
FAULTING_IP:
nt!memcpy+33
81c834b3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
The stack overflow is finally triggered by the following code
(C:\Windows\System32\msjet40.dll, version 4.0.8618.0):
.text:1B0B72BB mov ecx, edx ; ecx = 0x5200
.text:1B0B72BD mov esi, edi ; esi points to the data, which can be found in the mdb file
.text:1B0B72BF mov ebp, ecx
.text:1B0B72C1 lea edi, [esp+40h] ; edi points to stack memory
Adobe Acrobat Reader is prone to a use-after-free vulnerability caused by
the use of a memory chunk that has already been released. A specially
crafted '.pdf' file containing crafted Flash code triggers an
'ACCESS_VIOLATION' while reading at address 0x00000030.
A closer analysis of that code shows that ESI points to a released chunk
of memory. Exploitation is feasible by forcing Adobe Acrobat Reader's
allocator to reuse the chunk pointed to by ESI with attacker-controlled
data.
/-----
Author: Azizov Emin (azizov@itdefence.ru)
ITDEFENCE.ru
Denial of Service at INPUT tag processing
(designMode = on)
POC:
<html>
<head>
A] memory corruption
--------------------
The program uses a particular function to allocate memory for the
arrays used in the WF1 files.
In short, if the reallocation fails it is still possible to write a
memory pointer and a NULL into the expected last two positions of the
"supposedly" reallocated array, which allows memory to be corrupted
almost arbitrarily:
00B1A2B0 /$ 56 PUSH ESI ; value + 0x32
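The failed-realloc pattern, as an added example that is not the WF1 reader's code. The struct, the names and the failure-injection switch are assumptions for the example. The buggy shape overwrites the array pointer with realloc's return value and then stores the new element and the NULL terminator regardless, so on failure the two stores go through a NULL base at an index the file controls; the hardened append reallocates into a temporary and leaves the array untouched when growth fails:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Growable pointer array of the kind the advisory describes: after every
 * append the last two slots hold the new pointer and a NULL terminator.
 * The struct, the names and the failure-injection switch are assumptions
 * for this example, not the WF1 reader's own code. */
struct ptr_array {
    void **items;
    size_t count;
    size_t cap;
};

static int inject_realloc_failure = 0;

/* Wrapper so the scenario below can make the reallocation fail on demand. */
static void *demo_realloc(void *p, size_t n)
{
    if (inject_realloc_failure)
        return NULL;
    return realloc(p, n);
}

/* Buggy shape (described, not executed):
 *     a->items = realloc(a->items, newcap * sizeof(void *));
 *     a->items[a->count]     = element;    // still written when realloc failed
 *     a->items[a->count + 1] = NULL;
 * When realloc returns NULL the two stores go to count*sizeof(void *) and
 * (count+1)*sizeof(void *), an address chosen by whoever controls count. */

/* Hardened append: reallocate into a temporary, leave the array untouched
 * on failure, and only then write the two trailing slots. Returns 0 / -1. */
int ptr_array_append(struct ptr_array *a, void *element)
{
    if (a->count + 2 > a->cap) {
        size_t newcap = a->cap ? a->cap * 2 : 4;
        if (newcap > SIZE_MAX / sizeof(void *))
            return -1;
        void **tmp = demo_realloc(a->items, newcap * sizeof(void *));
        if (!tmp)
            return -1;                  /* old block is still valid; nothing written */
        a->items = tmp;
        a->cap = newcap;
    }
    a->items[a->count++] = element;
    a->items[a->count] = NULL;          /* NULL sentinel in the last slot */
    return 0;
}

void ptr_array_free(struct ptr_array *a)
{
    free(a->items);
    a->items = NULL;
    a->count = a->cap = 0;
}

/* Scenario: grow normally, then force a failing realloc and confirm the
 * existing contents and terminator are intact. Returns 1 if all checks hold. */
int realloc_failure_demo(void)
{
    struct ptr_array a = { NULL, 0, 0 };
    static int v[8];
    int ok = 1;
    for (int i = 0; i < 7; i++)
        ok &= ptr_array_append(&a, &v[i]) == 0;   /* ends with count 7, cap 8 */
    ok &= a.count == 7 && a.cap == 8 && a.items[6] == &v[6] && a.items[7] == NULL;
    inject_realloc_failure = 1;
    ok &= ptr_array_append(&a, &v[7]) == -1;     /* needs growth; realloc "fails" */
    inject_realloc_failure = 0;
    ok &= a.count == 7 && a.items[6] == &v[6] && a.items[7] == NULL;
    ptr_array_free(&a);
    return ok;
}
```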
.text:0003B422 mov eax, [esp+18h+arg_10]
.text:0003B426 test eax, eax
.text:0003B428 jz loc_3BB85 ; default
.text:0003B42E pop edi
.text:0003B42F mov dword ptr [ebx], 4
.text:0003B435 pop esi
.text:0003B436 mov dword ptr [eax], offset unk_60001 ; 0x60001 -> eax = controlled
.text:0003B43C pop ebp
.text:0003B43D mov al, 1
.text:0003B43F pop ebx
.text:5C769F60 cmp eax, [esp+48h+var_3C]
.text:5C769F64 jb short loc_5C769F37
.text:5C769F66 mov [esp+48h+size], eax
.text:5C769F6A mov eax, [ebp+arg_0]
.text:5C769F6D call sub_5C14A6E8
.text:5C769F72 push [esp+48h+size] ; size
.text:5C769F76 push dword ptr [eax] ; int
.text:5C769F78 push [ebp+arg_0] ; int
.text:5C769F7B call sub_5C765B6D
.text:5C769F80 add esp, 0Ch