lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201208061159.q76Bx0DX031829@sf01web1.securityfocus.com>
Date: Mon, 6 Aug 2012 11:59:00 GMT
From: nospam@...il.it
To: bugtraq@...urityfocus.com
Subject: AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code
 Execution

AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution

tested against: Microsoft Windows Vista sp2
                Microsoft Windows Server 2003 r2 sp2
                Mozilla Firefox 14.0.1
               
download url: http://client.web.aol.com/toolbarfiles/Prod/downloads/downloadupdater/dnupdatersetup.exe
(this was the update for a previous vulnerability, see ZDI-12-098)

see also the installer aol_toolbar_pricecheck.exe
url: http://toolbar.aol.com/download_files/download-helper.html?brand=aol&a=111&ncid=txtlnkusdown00000043

vulnerability:
the mentioned product installs a Firefox plugin:

File: npdnupdater2.dll
Version: 1.3.0.0
Name: npdnupdater2
Path: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
Mime type: applicatiotn/x-vend.aol.dnupdater2.1
Extension: ocp

By embedding this plugin inside an html page
is possible to trigger a buffer overflow vulnerability
through the 'SRC' parameter. 

Example crash:

EAX 00000000
ECX 01101470
EDX 01135208 ASCII "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
EBX 00000000
ESP 0013F618
EBP 0013F634
ESI 00000002
EDI 0013F668
EIP 61616161

C 1  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 1  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 1  FS 003B 32bit 7FFDD000(4000)
T 0  GS 0000 NULL
D 0
O 0  LastErr 00000000 ERROR_SUCCESS
EFL 00000297 (NO,B,NE,BE,S,PE,L,LE)

ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 8.0000000000000000000
ST7 empty 0.2500000000000000000         CONST 1/4.
               3 2 1 0      E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0 (LT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
Last cmnd 001B:10571FBD xul.10571FBD

XMM0 00000000 00000000 00000000 00000000
XMM1 61616161 61616161 61616161 61616161
XMM2 61616161 61616161 61616161 61616161
XMM3 61616161 61616161 61616161 61616161
XMM4 61616161 61616161 61616161 61616161
XMM5 61616161 61616161 61616161 61616161
XMM6 61616161 61616161 61616161 61616161
XMM7 61616161 61616161 61616161 61616161
                                P U O Z D I
MXCSR 00001F80  FZ 0 DZ 0  Err  0 0 0 0 0 0
                Rnd NEAR   Mask 1 1 1 1 1 1

EIP is overwritten, also EDX points to user-supplied code (this can 
be done by setting an overlong fake parameter, see poc).

As attachment, proof of concept code.

a copy loop [*] is involved
in overwriting a certain memory region. The subsequent code can be used
to call inside this memory region [**].

See npdnupdater2.dll:

CPU Disasm
Address   Hex dump          Command                                  Comments
01A91C10  /$  55            PUSH EBP                                 ; npdnupdater2.01A91C10(guessed Arg1)
01A91C11  |.  56            PUSH ESI
01A91C12  |.  8BE9          MOV EBP,ECX
01A91C14  |.  57            PUSH EDI
01A91C15  |.  8B7C24 10     MOV EDI,DWORD PTR SS:[ARG.1]
01A91C19  |.  C745 00 9CA2A MOV DWORD PTR SS:[EBP],OFFSET 01A9A29C
01A91C20  |.  8B07          MOV EAX,DWORD PTR DS:[EDI]
01A91C22  |.  33F6          XOR ESI,ESI
01A91C24  |.  8945 04       MOV DWORD PTR SS:[EBP+4],EAX
01A91C27  |.  C645 08 00    MOV BYTE PTR SS:[EBP+8],0
01A91C2B  |.  C745 10 00000 MOV DWORD PTR SS:[EBP+10],0
01A91C32  |.  66:3977 0A    CMP WORD PTR DS:[EDI+0A],SI
01A91C36  |.  7E 3E         JLE SHORT 01A91C76
01A91C38  |.  EB 06         JMP SHORT 01A91C40
01A91C3A  |   8D9B 00000000 LEA EBX,[EBX]
01A91C40  |>  8B4F 0C       /MOV ECX,DWORD PTR DS:[EDI+0C]
01A91C43  |.  8B14B1        |MOV EDX,DWORD PTR DS:[ESI*4+ECX]
01A91C46  |.  68 D4A2A901   |PUSH OFFSET 01A9A2D4                    ; /Arg2 = ASCII "SRC"
01A91C4B  |.  52            |PUSH EDX                                ; |Arg1
01A91C4C  |.  E8 E06F0000   |CALL 01A98C31    <-------------     ; \npdnupdater2.01A98C31
01A91C51  |.  83C4 08       |ADD ESP,8
01A91C54  |.  85C0          |TEST EAX,EAX
01A91C56  |.  75 15         |JNE SHORT 01A91C6D
01A91C58  |.  8B47 10       |MOV EAX,DWORD PTR DS:[EDI+10]
01A91C5B  |.  8B0CB0        |MOV ECX,DWORD PTR DS:[ESI*4+EAX]
01A91C5E  |.  BA 38CCA901   |MOV EDX,OFFSET 01A9CC38                 ; ASCII "aaaa..."
01A91C63  |>  8A01          |/MOV AL,BYTE PTR DS:[ECX] <----------------- [*]
01A91C65  |.  41            ||INC ECX
01A91C66  |.  8802          ||MOV BYTE PTR DS:[EDX],AL
01A91C68  |.  42            ||INC EDX
01A91C69  |.  84C0          ||TEST AL,AL
01A91C6B  |.^ 75 F6         |\JNE SHORT 01A91C63
01A91C6D  |>  0FBF4F 0A     |MOVSX ECX,WORD PTR DS:[EDI+0A]
01A91C71  |.  46            |INC ESI
01A91C72  |.  3BF1          |CMP ESI,ECX
01A91C74  |.^ 7C CA         \JL SHORT 01A91C40
01A91C76  |>  5F            POP EDI
01A91C77  |.  5E            POP ESI
01A91C78  |.  8BC5          MOV EAX,EBP
01A91C7A  |.  5D            POP EBP
01A91C7B  \.  C2 0400       RETN 4
01A91C7E      CC            INT3
01A91C7F      CC            INT3
01A91C80  /.  8B4424 04     MOV EAX,DWORD PTR SS:[ARG.1]
01A91C84  |.  85C0          TEST EAX,EAX
01A91C86  |.  56            PUSH ESI
01A91C87  |.  8BF1          MOV ESI,ECX
01A91C89  |.  74 09         JE SHORT 01A91C94
01A91C8B  |.  8B00          MOV EAX,DWORD PTR DS:[EAX]
01A91C8D  |.  85C0          TEST EAX,EAX
01A91C8F  |.  8946 0C       MOV DWORD PTR DS:[ESI+0C],EAX
01A91C92  |.  75 06         JNE SHORT 01A91C9A
01A91C94  |>  32C0          XOR AL,AL
01A91C96  |.  5E            POP ESI
01A91C97  |.  C2 0400       RETN 4
01A91C9A  |>  57            PUSH EDI
01A91C9B  |.  8B3D 0CA1A901 MOV EDI,DWORD PTR DS:[<&USER32.SetWindow
01A91CA1  |.  68 501BA901   PUSH 01A91B50                            ; /NewValue = npdnupdater2.1A91B50
01A91CA6  |.  6A FC         PUSH -4                                  ; |Index = GWL_WNDPROC
01A91CA8  |.  50            PUSH EAX                                 ; |hWnd
01A91CA9  |.  FFD7          CALL EDI                                 ; \USER32.SetWindowLongA
01A91CAB  |.  56            PUSH ESI
01A91CAC  |.  A3 3CDCA901   MOV DWORD PTR DS:[1A9DC3C],EAX
01A91CB1  |.  8B46 0C       MOV EAX,DWORD PTR DS:[ESI+0C]
01A91CB4  |.  6A EB         PUSH -15
01A91CB6  |.  50            PUSH EAX
01A91CB7  |.  FFD7          CALL EDI
01A91CB9  |.  B0 01         MOV AL,1
01A91CBB  |.  5F            POP EDI
01A91CBC  |.  8846 08       MOV BYTE PTR DS:[ESI+8],AL
01A91CBF  |.  5E            POP ESI
01A91CC0  \.  C2 0400       RETN 4

..
01A98C31  /$  55            PUSH EBP                                 ; npdnupdater2.01A98C31(guessed Arg1,Arg2)
01A98C32  |.  8BEC          MOV EBP,ESP
01A98C34  |.  51            PUSH ECX
01A98C35  |.  53            PUSH EBX
01A98C36  |.  E8 C9BDFFFF   CALL 01A94A04                            ; [npdnupdater2.01A94A04
..

..
CPU Disasm
Address   Hex dump          Command                                  Comments
01A94A04  /$  53            PUSH EBX                                 ; npdnupdater2.01A94A04(guessed void)
01A94A05  |.  56            PUSH ESI
01A94A06  |.  FF15 14A0A901 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [NTDLL.RtlGetLastWin32Error
01A94A0C  |.  FF35 9CC1A901 PUSH DWORD PTR DS:[1A9C19C]
01A94A12  |.  8BD8          MOV EBX,EAX
01A94A14  |.  FF15 BCDDA901 CALL DWORD PTR DS:[1A9DDBC]   <------------------------------------- [**] boom!
..

..
01A9DDBC    61              POPAD <--------------boom!!
01A9DDBD    61              POPAD
01A9DDBE    61              POPAD
01A9DDBF    61              POPAD
01A9DDC0    61              POPAD
01A9DDC1    61              POPAD
01A9DDC2    61              POPAD
01A9DDC3    61              POPAD
01A9DDC4    61              POPAD
..

poc: http://retrogod.altervista.org/9sg_aol_dnu_src_poc.htm

rgod

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ