stack frame
The vulnerability is triggered in ntdll.dll. The code corresponds to the
function RtlAllocateHeap when a new node is added to the double-linked
list of heap chunks. As can be seen, both EAX and ECX contain arbitrary
values controlled by the attacker (0x41414141). This is the Call Stack
when the crash occurs:
/-----
Call stack of main thread
Address Stack Procedure / arguments Called from
See the VAX Architecture Reference Manual (VARM) or the
VAX Architecture Handbook.
http://www.bitsavers.org/pdf/dec/vax/archSpec has a copy
of the internal version of the VARM,
which will help explain the stack frame and the instruction set.
*/
unsigned char shellcode[] =
"\021\017" /* brb shellcode+0x11 (PC-relative) */
"\272\001" /* popr $0x1 (this is a mask: pop one word into r0) */
// Set the required "messages" value for the layout. Here we
// are assuming that the layout is for use with HTML.
$this->_layout->events = implode('', $this->_layoutEventsToMail);
// If an exception occurs during rendering, convert it to a notice
// so we can avoid an exception thrown without a stack frame.
try {
$this->_mail->setBodyHtml($this->_layout->render());
} catch (Exception $e) {
...
}
// cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
// kernel32!RaiseException+0x53:
// 7c7e2afb 5e pop esi
// --
//
// Call Stack:
// 00 0012aa28 7815c54b e06d7363 00000001 00000003 kernel32!RaiseException+0x53
// WARNING: Stack unwind information not available. Following frames may be wrong.
// 01 0012aa60 78164f33 0012aa70 781caa24 781ac11c MOZCRT19!CxxThrowException+0x46
// 02 0012aa78 100cd464 08c00060 0012b1a0 21500008 MOZCRT19!operator new+0x73
// 03 00000000 00000000 00000000 00000000 00000000 xul!gfxWindowsFontGroup::MakeTextRun+0x54
The specific flaw exists within the wins.exe service distributed with
Microsoft Windows 2003 Server. This service is designed to resolve
NetBIOS requests and accepts connections on port 42. Due to a logic
error when handling a socket send exception, certain user-supplied
values remain within a stack frame and are re-used in another context. A
remote attacker can abuse this flaw to cause a call to
LeaveCriticalSection to operate upon a controlled location in memory.
Such a condition could lead to remote code execution under the context
of the SYSTEM user.
monitor code. These are implemented in two stages, the kernel transitions to
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the
faulting cs:eip matches specific magic values.
Transitioning to the second stage involves restoring execution context and
call stack (which had been previously saved) from the faulting trap frame once
authenticity has been verified.
This verification relies on the following incorrect assumptions:
- Setting up a VDM context requires SeTcbPrivilege.
dispatching mechanism, which transfers execution to user mode at a
static canonical address inside NTDLL. However, if an indirect jump
to a non-canonical address is performed repeatedly, a hardware
interrupt will eventually (after a few seconds) occur while execution
is at the non-canonical RIP, meaning the hardware interrupt handler
will receive an invalid stack frame that will cause it to fault at its
IRETQ instruction. The #GP handler will then execute with user GS
active but a return CS indicating kernel mode, yielding the
exploitable scenario described above.
When executed in a loop, the following x64 assembly instructions will
3 2 1 0 E S P U O Z D I
FST 4220 Cond 1 0 1 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 007F Prec NEAR,24 Mask 1 1 1 1 1 1
Stack Trace:
Call stack of main thread
Address Stack Procedure / arguments Called from
Frame
0012DFC4 68175563 DIRAPI.681747A0 DIRAPI.6817555E
0012DFE4 6817003B DIRAPI.68175290 DIRAPI.68170036
0012E018 6817020D DIRAPI.6816FF40 DIRAPI.68170208
print s.recv(4000)
- -----------/
A debugger was used on a Windows system to see where the 'OvOSLocale'
overflow is located. The call stack shows that '_OVresetLangEnv' in
'ovutil.dll' calls 'ov.sprintf_new' in 'ov.dll' that calls '_vsnprintf'
in 'msvcrt.dll'. The destination buffer of the '_vsnprintf' is located
on the stack, the count is 0x7fff, the format is 'OV_LANG=%s', and the
string is too large for the stack buffer, causing the stack overflow. A
new CVE name was assigned, CVE-2009-0920, marking this bug as unfixed or
<NSException>
Tue Jan 25 21:42:02 Program Name[23594] <Error>: *** Terminating app
due to uncaught exception 'NSInvalidArgumentException', reason: '***
-[NSConcreteData initWithBytes:length:copy:freeWhenDone:bytesAreVM:]:
absurd length: 4294967295, maximum size: 2147483648 bytes'
*** Call stack at first throw:
(
0 CoreFoundation 0x3048e987
__exceptionPreprocess + 114
1 libobjc.A.dylib 0x33a0849d
objc_exception_throw + 24
The methods SaveasMolFile and ReadMolFile are both vulnerable to
a stack overflow condition which can be reached when supplying
more than 400 white-space characters in the filename argument.
Both tab and space characters can be used to trigger the overflow condition.
The 401-404th byte will result in the overflow of the call stack return address.
Both vulnerabilities can be used to gain command execution when combined
with a JavaScript heap spray when jumping into a pre-allocated heap.
+--------+
|Solution|
required to exploit this vulnerability.
The specific flaw exists within the code responsible for ensuring proper
privileged execution of methods. If an untrusted method in an applet
attempts to call a method that requires privileges, Java will walk the
call stack and for each entry verify that the method called is defined
within a class that has that privilege. However, this does not take into
account an untrusted object that has extended the trusted class without
overwriting the target method. Additionally, this can be bypassed by
abusing a similar trust issue with interfaces. An attacker can leverage
these insecurities to execute vulnerable code under the context of the
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.
The specific flaw exists within the AVM bytecode verifier. Specifically,
the newFrameState method performs arithmetic when calculating the size
of a stack frame. It implicitly trusts the max_scope and max_stack
variables as obtained from the bytecode. By crafting specific values,
the integer indicating the size of the frame can be made to overflow.
This value is later used during memory copy operations which an attacker
can influence to gain arbitrary code execution under the context of the
user running the browser.
DestinationPrefix.Prefix = "1.2.3.4"
DestinationPrefix.PrefixLength = 0xEE
======== Callstack ========
934b7a00 85a1b1bb 00000020 837100ee 934b7ac4 NETIO!PtpCreateTrieNode+0x20
934b7a34 85a6211f 842f4ed0 934b7ac4 837100ee NETIO!PtInsertEntry+0x59
934b7a5c 85aa6fe4 00000000 934b7ac4 837100ee tcpip!IppCreateUnicastRoute+0xf0
934b7ae8 85a5d121 00000001 858b6278 84d74ce8 tcpip!IppValidateSetAllRouteParameters+0x217
SEH chain:
0012e7dc: <Unloaded_nr.dll>+41414140 (41414141)
Invalid exception stack at 41414141
Call stack:
0012e060 01a7b862 AdjMmsEng!djWaveformAnalyzerMouseActionGet+0x45863
0012e07c 01a0be1b AdjMmsEng!djWaveformAnalyzerMouseActionGet+0x3d30f
0012e7e8 41414141 AdjMmsEng!djLrcFileTimeEnhancedTagsGetAt+0x13696
0012e7ec 41414141 <Unloaded_nr.dll>+0x41414140