Date: Mon Jun 26 12:12:34 2006
From: mc at khamsa.ch (Michele Cicciotti [Khamsa S.A.])
Subject: Windows Live Messenger 8.0 ( Contact List *.ctt ) Heap Overflow

Alexander Hristov wrote:
> Author: JAAScois
> Date: 25.6.2006
> Type: Heap Overflow
> Product: http://live.com , http://messenger.msn.com
> Patch: N/A
> Link : http://securitydot.net/xpl/exploits/vulnerabilities/articles/1108/exploit.html

This is most definitely *not* a heap overflow. Based on my analysis (Windows XP
Professional, Service Pack 2, fully patched), several non-fatal exceptions occur
inside FormatMessageW:

    ntdll!fputwc+0x14:
    7c92c24e 668902          mov     [edx],ax         ds:0023:022c1000=????
    [...]
    ChildEBP RetAddr
    0006f23c 7c92c221 ntdll!fputwc+0x14
    0006f24c 7c92c1f6 ntdll!_output+0x9d9
    0006f260 7c92c314 ntdll!_output+0xa49
    0006f6d8 7c92c2d2 ntdll!_woutput+0x9ae
    0006f710 7c9399c8 ntdll!_snwprintf+0x31
    0006fad0 7c828f98 ntdll!RtlFormatMessage+0x360
    0006fb6c 7c829068 kernel32!BaseDllFormatMessage+0x1be
    0006fb94 00762290 kernel32!FormatMessageW+0x21
    [...]

If we continue execution, we see this is actually on-demand buffer extension at
work:

    ChildEBP RetAddr
    0006ed98 7c809ad2 ntdll!ZwAllocateVirtualMemory
    0006ede4 7c809a99 kernel32!VirtualAllocEx+0x47
    0006ee00 7c85ea14 kernel32!VirtualAlloc+0x18
    0006ee20 7c85ea7b kernel32!ExtendVirtualBuffer+0x40
    0006ee30 7c840977 kernel32!VirtualBufferExceptionHandler+0x2a
    0006ee40 7c839a54 kernel32!BaseDllFormatMessage+0x24b
    0006ee68 7c9137bf kernel32!_except_handler3+0x61
    0006ee8c 7c91378b ntdll!ExecuteHandler2+0x26
    0006ef3c 7c91eafa ntdll!ExecuteHandler+0x24
    0006ef3c 7c92c24e ntdll!KiUserExceptionDispatcher+0xe
    0006f23c 7c92c221 ntdll!fputwc+0x14
    [...]

And it's not even the heap:

    0:000> !address 022c1000
        022c0000 : 022c0000 - 00001000
                        Type     00020000 MEM_PRIVATE
                        Protect  00000004 PAGE_READWRITE
                        State    00001000 MEM_COMMIT
                        Usage    RegionUsageIsVAD

It's just a random, nondescript 64 KB block reserved by an internal
kernel32.dll function and allocated page by page on demand, and _snwprintf
never writes outside of its bounds, and doesn't overwrite anything.

What *really* happens is that FormatMessageW fails because the message exceeds
the 64 KB maximum and is truncated:

    0:000> !gle
    LastErrorValue: (Win32) 0xea (234) - Sono disponibili altri dati.
    LastStatusValue: (NTSTATUS) 0x80000005 - {Overflow del buffer}  Numero di dati eccessivo per poter essere contenuti nel buffer specificato.

Messenger handles the error by throwing an exception:

    Args to Child
    e06d7363 00000001 00000003 kernel32!RaiseException+0x53
    0006fbb4 005c2584 0006fbd8 MSVCR80!_CxxThrowException+0x46

At 005c2584 we have the exception type, which points to a type info table at
00841dd8, which contains a table info entry at 00841de0, which reveals that the
exception is of type "?AVCAtlException@ATL@@". The exception object itself, at
0006fbb4, begins with a doubleword containing 8007000e, which is a Win32 error
wrapped in a HRESULT. 0xE is ERROR_OUTOFMEMORY.

The verdict is: unhandled exception
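A crash-triage helper, added here as an example and not part of the original message or of any Microsoft code: it turns the reasoning above into a checkable function (an access violation inside a still-reserved page of a private, non-heap region is grow-on-touch commit, not an overflow; exception code 0xe06d7363 is a C++ throw, and its leading HRESULT decodes back to a Win32 error). The region and exception structs, the triage function and the verdict names are hypothetical; the Win32 constants are the documented values, and the sample records are constructed from the numbers in the message.

```c
#include <stdint.h>
#include <stdio.h>
/* Public Win32/NT constants (winnt.h, winerror.h, the MSVC runtime). */
#define STATUS_ACCESS_VIOLATION 0xC0000005u
#define MSVC_CXX_EXCEPTION      0xE06D7363u   /* code raised by _CxxThrowException */
#define MEM_PRIVATE             0x20000u
#define MEM_RESERVE             0x2000u
#define FACILITY_WIN32          7u
enum verdict { VERDICT_UNKNOWN, VERDICT_ON_DEMAND_COMMIT, VERDICT_HEAP_SUSPECT, VERDICT_CXX_EXCEPTION };
/* The region !address reports for the fault address, and the first-chance
 * exception itself (code, faulting address, first dword of a thrown object). */
struct region  { uint32_t base, size, type, state; int usage_is_heap; };
struct xrecord { uint32_t code, fault_addr, first_dword; };
/* HRESULT_FROM_WIN32 as in winerror.h: a Win32 code becomes 0x8007xxxx. */
uint32_t hresult_from_win32(uint32_t err) {
    return (err & 0x80000000u) ? err : ((err & 0xFFFFu) | (FACILITY_WIN32 << 16) | 0x80000000u);
}
/* Inverse: the Win32 code carried by a FACILITY_WIN32 HRESULT, or 0 if none. */
uint32_t win32_from_hresult(uint32_t hr) {
    return ((hr >> 16) & 0x7FFu) == FACILITY_WIN32 ? (hr & 0xFFFFu) : 0u;
}
/* Heuristic triage of one first-chance exception, following the message's argument. */
enum verdict triage(const struct xrecord *x, const struct region *r) {
    if (x->code == MSVC_CXX_EXCEPTION)
        return VERDICT_CXX_EXCEPTION;            /* a C++ throw, not a memory fault */
    if (x->code != STATUS_ACCESS_VIOLATION)
        return VERDICT_UNKNOWN;
    int inside = x->fault_addr >= r->base && x->fault_addr - r->base < r->size;
    if (inside && r->usage_is_heap)
        return VERDICT_HEAP_SUSPECT;             /* only now is a heap check warranted */
    /* A reserved-but-uncommitted page of a private, non-heap reservation is what a
     * grow-on-touch buffer looks like: FormatMessage's exception handler commits
     * the page and resumes, so the fault is expected and non-fatal. */
    if (inside && r->type == MEM_PRIVATE && r->state == MEM_RESERVE)
        return VERDICT_ON_DEMAND_COMMIT;
    return VERDICT_UNKNOWN;
}

int main(void) {
    /* Constructed from the message: the fault at 022c1000 inside the 64 KB private
     * block at 022c0000 (modelled as still reserved when touched), then the
     * 0xe06d7363 throw whose exception object starts with 8007000e. */
    struct region  vad = { 0x022c0000u, 0x10000u, MEM_PRIVATE, MEM_RESERVE, 0 };
    struct xrecord av  = { STATUS_ACCESS_VIOLATION, 0x022c1000u, 0 };
    struct xrecord cxx = { MSVC_CXX_EXCEPTION, 0, 0x8007000Eu };
    printf("AV at %08x -> verdict %d\n", av.fault_addr, triage(&av, &vad));
    printf("C++ exception wraps Win32 error %u\n", win32_from_hresult(cxx.first_dword));
    return 0;
}
```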