Microsoft Reader <= 2.1.1.3143 Heap Overflow
Source: aluigi@autistici.org  Author: Luigi  Published: 2011-04-13

Source: http://aluigi.org/adv/msreader_2-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              <= 2.6.1.7169 (Origami version)
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          heap overflow
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Microsoft Reader is the software used to read and catalog ebooks in the
LIT format and Audible audio books bought over the internet; its
homepage also acts as the online store for this protected content.


#######################################################################

======
2) Bug
======


Heap overflow caused by allocating a fixed amount of memory and then
copying arbitrary data into it during the decompression of the
sections.

A quick trace of the addition operations performed on the entry's
size/offset values, followed by the function that performs the copy:

  0107F517  |> 8B85 E0FDFFFF  MOV EAX,DWORD PTR SS:[EBP-220]    ; second 64bit number (entry->size)
  0107F51D  |. 0B85 E4FDFFFF  OR EAX,DWORD PTR SS:[EBP-21C]
  0107F523  |. 74 12          JE SHORT msreader.0107F537
  0107F525  |. 8B46 60        MOV EAX,DWORD PTR DS:[ESI+60]     ; 64bit total size
  0107F528  |. 8B4E 64        MOV ECX,DWORD PTR DS:[ESI+64]
  0107F52B  |. 0185 D8FDFFFF  ADD DWORD PTR SS:[EBP-228],EAX    ; added to the first 64bit number (entry->offset)
  0107F531  |. 118D DCFDFFFF  ADC DWORD PTR SS:[EBP-224],ECX
  0107F537  |> FF75 18        PUSH DWORD PTR SS:[EBP+18]
  0107F53A  |. 8D85 D8FDFFFF  LEA EAX,DWORD PTR SS:[EBP-228]
  0107F540  |. FF75 14        PUSH DWORD PTR SS:[EBP+14]
  0107F543  |. 50             PUSH EAX
  0107F544  |. FF76 74        PUSH DWORD PTR DS:[ESI+74]
  0107F547  |. 56             PUSH ESI
  0107F548  |. FF75 0C        PUSH DWORD PTR SS:[EBP+C]
  0107F54B  |. E8 DEBEFEFF    CALL msreader.0106B42E
  ...
  0106B596  |. 8B71 48        MOV ESI,DWORD PTR DS:[ECX+48]     ; second 64bit number (entry->size)
  0106B599  |. 897D F0        MOV DWORD PTR SS:[EBP-10],EDI
  0106B59C  |. 13C2           ADC EAX,EDX
  0106B59E  |. 03F3           ADD ESI,EBX                       ; added to the 64bit total size
  0106B5A0  |. 8975 0C        MOV DWORD PTR SS:[EBP+C],ESI
  0106B5A3  |. 8B71 4C        MOV ESI,DWORD PTR DS:[ECX+4C]
  0106B5A6  |. 1371 44        ADC ESI,DWORD PTR DS:[ECX+44]
  0106B5A9  |. 5B             POP EBX
  0106B5AA  |. 3BD6           CMP EDX,ESI
  0106B5AC  |. 72 1C          JB SHORT msreader.0106B5CA
  0106B5AE  |. 77 08          JA SHORT msreader.0106B5B8
  ...
  01092A02  /. 55             PUSH EBP                          ; copying function
  ...skip...
    values specific to the PoC msreader_2a.lit
    LocalAlloc  000a6f68    = 01610020
    ReadFile    000a6f68    (file offset 0x22f5d)
    LocalAlloc  000a6f68    = 016c0020
    DES decryption of the data read from the file, with output in the second allocated buffer
    memcpy esi is 016c0020
    memcpy edi is 0022a008
  ...skip...
  01092B50  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
  01092B53  |. 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
  01092B56  |. 8B7D 14        MOV EDI,DWORD PTR SS:[EBP+14]
  01092B59  |. 8BCB           MOV ECX,EBX
  01092B5B  |. 8D3410         LEA ESI,DWORD PTR DS:[EAX+EDX]
  01092B5E  |. 8BD1           MOV EDX,ECX
  01092B60  |. C1E9 02        SHR ECX,2
  01092B63  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

The data copied into the heap buffer is exactly the data read from the
file and then decrypted with DES, which is why the bytes visible during
the copy cannot be found in the file itself.

I have provided two proof-of-concepts: the first shows the exact
location of the memcpy, while the second causes an exception during
the "call [ret+num]" instruction (it could take some seconds to be
reached).

Modified bytes for msreader_2a.lit:
000005F6   84       40  ; from 0x230 to 0x40
000005F7   30       5F  ; modified only to keep the size of the subsequent entry string

Modified bytes for msreader_2b.lit:
000005F7   30       00  ; from 0x230 to 0x200
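The pattern the advisory describes is a buffer allocated from one value (the entry's declared size, which the PoC shrinks from 0x230 to 0x40) and a copy whose length comes from somewhere else (the decoded data). The following is an added illustration written for this page, not code from the advisory or from Microsoft Reader: it shows the two checks a section parser of this kind needs, a bounds check on the 64-bit offset/size pair that cannot wrap, and a copy that is limited by the allocation it writes into. The struct name, the field names, the size cap and the sample entries are all assumptions; the entries are constructed to mirror the 0x230-byte payload and the shrunk 0x40 size field described above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical section entry: a 64-bit offset and a 64-bit size, matching the
   two 64-bit numbers summed in the trace above (names are assumptions). */
typedef struct {
    uint64_t offset;
    uint64_t size;
} section_entry_t;

/* Illustrative upper bound on a single section; a real parser picks a limit
   that fits its format. */
#define MAX_SECTION_SIZE (64u * 1024u * 1024u)

/* Naive bounds check: adds offset and size and compares the sum. The addition
   can wrap, so an entry past the end of the container can still pass. */
int naive_in_bounds(const section_entry_t *e, uint64_t total_size)
{
    uint64_t end = e->offset + e->size;   /* may wrap around */
    return end <= total_size;
}

/* Safe bounds check: reorders the comparison so no addition can wrap. */
int entry_in_bounds(const section_entry_t *e, uint64_t total_size)
{
    if (e->offset > total_size)
        return 0;
    if (e->size > total_size - e->offset)
        return 0;
    return 1;
}

/* Copies src_len bytes into dst only if the destination can hold them. */
int bounded_copy(uint8_t *dst, size_t dst_cap, const uint8_t *src, size_t src_len)
{
    if (src_len > dst_cap)
        return -1;
    memcpy(dst, src, src_len);
    return 0;
}

/* Allocates a buffer from the entry's declared size and copies the decoded
   payload into it. Returns the number of bytes stored, or -1 if either the
   entry or the payload length is rejected. On success *out holds a buffer
   the caller frees. */
long load_section(const section_entry_t *e, uint64_t total_size,
                  const uint8_t *payload, size_t payload_len, uint8_t **out)
{
    *out = NULL;
    if (!entry_in_bounds(e, total_size))
        return -1;
    if (e->size == 0 || e->size > MAX_SECTION_SIZE)
        return -1;
    uint8_t *buf = malloc((size_t)e->size);
    if (buf == NULL)
        return -1;
    /* The copy length comes from the decoded data, not from the entry, so it
       must be checked against the allocation that was made from the entry. */
    if (bounded_copy(buf, (size_t)e->size, payload, payload_len) != 0) {
        free(buf);
        return -1;
    }
    *out = buf;
    return (long)payload_len;
}

int main(void)
{
    /* Constructed payload: 0x230 bytes standing in for decoded section data. */
    uint8_t payload[0x230];
    memset(payload, 0x41, sizeof payload);
    uint8_t *out = NULL;

    /* Entry whose declared size matches the decoded data: accepted. */
    section_entry_t good = { 0x100, 0x230 };
    printf("good entry: %ld\n",
           load_section(&good, 0x1000, payload, sizeof payload, &out));
    free(out);

    /* Entry whose size field was shrunk to 0x40 while the decoded data is
       still 0x230 bytes: the copy would overrun the allocation, so it is
       rejected instead of overflowing the heap. */
    section_entry_t shrunk = { 0x100, 0x40 };
    printf("shrunk entry: %ld\n",
           load_section(&shrunk, 0x1000, payload, sizeof payload, &out));

    /* Entry whose offset+size wraps: the naive check passes it, the safe one
       does not. */
    section_entry_t wrap = { UINT64_MAX - 0x0f, 0x20 };
    printf("wrap naive=%d safe=%d\n",
           naive_in_bounds(&wrap, 0x1000), entry_in_bounds(&wrap, 0x1000));
    return 0;
}
```

The important design point is that the size used for the allocation and the size used for the copy are two different attacker-controlled quantities; checking either one against the container is not enough, the copy must also be checked against the allocation it targets.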


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/msreader_2.zip
http://www.exploit-db.com/sploits/17161.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

