[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201208061159.q76Bx0DX031829@sf01web1.securityfocus.com>
Date: Mon, 6 Aug 2012 11:59:00 GMT
From: nospam@...il.it
To: bugtraq@...urityfocus.com
Subject: AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code
Execution
AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution
tested against: Microsoft Windows Vista sp2
Microsoft Windows Server 2003 r2 sp2
Mozilla Firefox 14.0.1
download url: http://client.web.aol.com/toolbarfiles/Prod/downloads/downloadupdater/dnupdatersetup.exe
(this was the update for a previous vulnerability, see ZDI-12-098)
see also the installer aol_toolbar_pricecheck.exe
url: http://toolbar.aol.com/download_files/download-helper.html?brand=aol&a=111&ncid=txtlnkusdown00000043
vulnerability:
the mentioned product installs a Firefox plugin:
File: npdnupdater2.dll
Version: 1.3.0.0
Name: npdnupdater2
Path: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
Mime type: applicatiotn/x-vend.aol.dnupdater2.1
Extension: ocp
By embedding this plugin inside an html page
is possible to trigger a buffer overflow vulnerability
through the 'SRC' parameter.
Example crash:
EAX 00000000
ECX 01101470
EDX 01135208 ASCII "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
EBX 00000000
ESP 0013F618
EBP 0013F634
ESI 00000002
EDI 0013F668
EIP 61616161
C 1 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 1 FS 003B 32bit 7FFDD000(4000)
T 0 GS 0000 NULL
D 0
O 0 LastErr 00000000 ERROR_SUCCESS
EFL 00000297 (NO,B,NE,BE,S,PE,L,LE)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 8.0000000000000000000
ST7 empty 0.2500000000000000000 CONST 1/4.
3 2 1 0 E S P U O Z D I
FST 0120 Cond 0 0 0 1 Err 0 0 1 0 0 0 0 0 (LT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Last cmnd 001B:10571FBD xul.10571FBD
XMM0 00000000 00000000 00000000 00000000
XMM1 61616161 61616161 61616161 61616161
XMM2 61616161 61616161 61616161 61616161
XMM3 61616161 61616161 61616161 61616161
XMM4 61616161 61616161 61616161 61616161
XMM5 61616161 61616161 61616161 61616161
XMM6 61616161 61616161 61616161 61616161
XMM7 61616161 61616161 61616161 61616161
P U O Z D I
MXCSR 00001F80 FZ 0 DZ 0 Err 0 0 0 0 0 0
Rnd NEAR Mask 1 1 1 1 1 1
EIP is overwritten, also EDX points to user-supplied code (this can
be done by setting an overlong fake parameter, see poc).
As attachment, proof of concept code.
a copy loop [*] is involved
in overwriting a certain memory region. The subsequent code can be used
to call inside this memory region [**].
See npdnupdater2.dll:
CPU Disasm
Address Hex dump Command Comments
01A91C10 /$ 55 PUSH EBP ; npdnupdater2.01A91C10(guessed Arg1)
01A91C11 |. 56 PUSH ESI
01A91C12 |. 8BE9 MOV EBP,ECX
01A91C14 |. 57 PUSH EDI
01A91C15 |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ARG.1]
01A91C19 |. C745 00 9CA2A MOV DWORD PTR SS:[EBP],OFFSET 01A9A29C
01A91C20 |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
01A91C22 |. 33F6 XOR ESI,ESI
01A91C24 |. 8945 04 MOV DWORD PTR SS:[EBP+4],EAX
01A91C27 |. C645 08 00 MOV BYTE PTR SS:[EBP+8],0
01A91C2B |. C745 10 00000 MOV DWORD PTR SS:[EBP+10],0
01A91C32 |. 66:3977 0A CMP WORD PTR DS:[EDI+0A],SI
01A91C36 |. 7E 3E JLE SHORT 01A91C76
01A91C38 |. EB 06 JMP SHORT 01A91C40
01A91C3A | 8D9B 00000000 LEA EBX,[EBX]
01A91C40 |> 8B4F 0C /MOV ECX,DWORD PTR DS:[EDI+0C]
01A91C43 |. 8B14B1 |MOV EDX,DWORD PTR DS:[ESI*4+ECX]
01A91C46 |. 68 D4A2A901 |PUSH OFFSET 01A9A2D4 ; /Arg2 = ASCII "SRC"
01A91C4B |. 52 |PUSH EDX ; |Arg1
01A91C4C |. E8 E06F0000 |CALL 01A98C31 <------------- ; \npdnupdater2.01A98C31
01A91C51 |. 83C4 08 |ADD ESP,8
01A91C54 |. 85C0 |TEST EAX,EAX
01A91C56 |. 75 15 |JNE SHORT 01A91C6D
01A91C58 |. 8B47 10 |MOV EAX,DWORD PTR DS:[EDI+10]
01A91C5B |. 8B0CB0 |MOV ECX,DWORD PTR DS:[ESI*4+EAX]
01A91C5E |. BA 38CCA901 |MOV EDX,OFFSET 01A9CC38 ; ASCII "aaaa..."
01A91C63 |> 8A01 |/MOV AL,BYTE PTR DS:[ECX] <----------------- [*]
01A91C65 |. 41 ||INC ECX
01A91C66 |. 8802 ||MOV BYTE PTR DS:[EDX],AL
01A91C68 |. 42 ||INC EDX
01A91C69 |. 84C0 ||TEST AL,AL
01A91C6B |.^ 75 F6 |\JNE SHORT 01A91C63
01A91C6D |> 0FBF4F 0A |MOVSX ECX,WORD PTR DS:[EDI+0A]
01A91C71 |. 46 |INC ESI
01A91C72 |. 3BF1 |CMP ESI,ECX
01A91C74 |.^ 7C CA \JL SHORT 01A91C40
01A91C76 |> 5F POP EDI
01A91C77 |. 5E POP ESI
01A91C78 |. 8BC5 MOV EAX,EBP
01A91C7A |. 5D POP EBP
01A91C7B \. C2 0400 RETN 4
01A91C7E CC INT3
01A91C7F CC INT3
01A91C80 /. 8B4424 04 MOV EAX,DWORD PTR SS:[ARG.1]
01A91C84 |. 85C0 TEST EAX,EAX
01A91C86 |. 56 PUSH ESI
01A91C87 |. 8BF1 MOV ESI,ECX
01A91C89 |. 74 09 JE SHORT 01A91C94
01A91C8B |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
01A91C8D |. 85C0 TEST EAX,EAX
01A91C8F |. 8946 0C MOV DWORD PTR DS:[ESI+0C],EAX
01A91C92 |. 75 06 JNE SHORT 01A91C9A
01A91C94 |> 32C0 XOR AL,AL
01A91C96 |. 5E POP ESI
01A91C97 |. C2 0400 RETN 4
01A91C9A |> 57 PUSH EDI
01A91C9B |. 8B3D 0CA1A901 MOV EDI,DWORD PTR DS:[<&USER32.SetWindow
01A91CA1 |. 68 501BA901 PUSH 01A91B50 ; /NewValue = npdnupdater2.1A91B50
01A91CA6 |. 6A FC PUSH -4 ; |Index = GWL_WNDPROC
01A91CA8 |. 50 PUSH EAX ; |hWnd
01A91CA9 |. FFD7 CALL EDI ; \USER32.SetWindowLongA
01A91CAB |. 56 PUSH ESI
01A91CAC |. A3 3CDCA901 MOV DWORD PTR DS:[1A9DC3C],EAX
01A91CB1 |. 8B46 0C MOV EAX,DWORD PTR DS:[ESI+0C]
01A91CB4 |. 6A EB PUSH -15
01A91CB6 |. 50 PUSH EAX
01A91CB7 |. FFD7 CALL EDI
01A91CB9 |. B0 01 MOV AL,1
01A91CBB |. 5F POP EDI
01A91CBC |. 8846 08 MOV BYTE PTR DS:[ESI+8],AL
01A91CBF |. 5E POP ESI
01A91CC0 \. C2 0400 RETN 4
..
01A98C31 /$ 55 PUSH EBP ; npdnupdater2.01A98C31(guessed Arg1,Arg2)
01A98C32 |. 8BEC MOV EBP,ESP
01A98C34 |. 51 PUSH ECX
01A98C35 |. 53 PUSH EBX
01A98C36 |. E8 C9BDFFFF CALL 01A94A04 ; [npdnupdater2.01A94A04
..
..
CPU Disasm
Address Hex dump Command Comments
01A94A04 /$ 53 PUSH EBX ; npdnupdater2.01A94A04(guessed void)
01A94A05 |. 56 PUSH ESI
01A94A06 |. FF15 14A0A901 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [NTDLL.RtlGetLastWin32Error
01A94A0C |. FF35 9CC1A901 PUSH DWORD PTR DS:[1A9C19C]
01A94A12 |. 8BD8 MOV EBX,EAX
01A94A14 |. FF15 BCDDA901 CALL DWORD PTR DS:[1A9DDBC] <------------------------------------- [**] boom!
..
..
01A9DDBC 61 POPAD <--------------boom!!
01A9DDBD 61 POPAD
01A9DDBE 61 POPAD
01A9DDBF 61 POPAD
01A9DDC0 61 POPAD
01A9DDC1 61 POPAD
01A9DDC2 61 POPAD
01A9DDC3 61 POPAD
01A9DDC4 61 POPAD
..
poc: http://retrogod.altervista.org/9sg_aol_dnu_src_poc.htm
rgod
Powered by blists - more mailing lists