Message-ID: <002401c48f08$eaa579c0$6501a8c0@sec>
From: me at cipher.org.uk (E.Kellinis)
Subject: MSInfo  Buffer Overflow

#########################################
Application:     MSInfo
Vendors:         http://www.microsoft.com
Platforms:       Windows 2000
Bug:                Msinfo32.exe BOF
Risk:               Low
Exploitation:    Local
Date:              30 August 2004
Author:           Emmanouel Kellinis
e-mail:            me[at]cipher(dot)org(dot)uk
web:               http://www.cipher.org.uk
#########################################


=======
Product
=======
Microsoft System Information collects system information,
such as devices that are installed in your computer or device
drivers loaded in your computer, and provides a menu for displaying
the associated system topics. You can use Microsoft System Information
to diagnose computer issues; for example, if you are having display
issues, you can use Microsoft System Information to determine what
display adapter is installed on your computer and view the status
of its drivers.


===
Bug
===

MSINFO32 has an option that lets you open
a specific NFO or CAB file:

msinfo32 /msinfo_file=filename

The buffer that holds the msinfo_file value can be overflowed,
overwriting the instruction pointer.

The BOF works if the msinfo_file value exceeds 258 characters.

If you put a hex byte at position 259 of the string,
execution is redirected to a memory address derived from
that byte value by the following pattern:

e.g. 0x05 -> 0x79
     0x06 -> 0x7A
     0x07 -> 0x7B
     ... and so on



I've tested values up to 0xFF, which points to 0x00000173.
There is a possibility to broaden the range of memory values you
control if you feed more characters into the BOF string.

Although in tests this bug wouldn't lead to dangerous situations...
I wouldn't bet 100% on that!

Microsoft has known about it since 9 May.
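The bug class described above is a fixed-size buffer that receives a command-line value without a length check. The following is an added illustration, not code from msinfo32 or from this advisory: a hypothetical switch parser that copies the /msinfo_file= value only when it fits, with the unchecked copy shown beside it for contrast. The limit of 258 characters is taken from the advisory's reported threshold; the real buffer size inside msinfo32 is not known, and all function names here are invented.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed limit: the advisory reports the overflow once the value exceeds
 * 258 characters, so a hardened parser treats 258 as the maximum it accepts. */
#define MSINFO_FILE_MAX 258

static const char PREFIX[] = "/msinfo_file=";
#define PREFIX_LEN (sizeof(PREFIX) - 1)

/* Illustration of the vulnerable pattern (hypothetical, not msinfo32's code):
 * the destination size is never consulted, so any value longer than the
 * buffer runs past its end. Never call this with untrusted input. */
void parse_msinfo_file_unchecked(const char *arg, char *out)
{
    if (strncmp(arg, PREFIX, PREFIX_LEN) == 0)
        strcpy(out, arg + PREFIX_LEN);   /* no bound: the defect */
}

/* Hardened form. Returns 0 on success, -1 for a malformed switch and
 * -2 when the value would not fit the caller's buffer. Never writes more
 * than outlen bytes and always leaves out NUL-terminated on failure. */
int parse_msinfo_file(const char *arg, char *out, size_t outlen)
{
    if (arg == NULL || out == NULL || outlen == 0)
        return -1;
    if (strncmp(arg, PREFIX, PREFIX_LEN) != 0)
        return -1;

    const char *value = arg + PREFIX_LEN;
    size_t vlen = strlen(value);
    if (vlen == 0)
        return -1;                       /* switch given with no file name */

    /* Both the advisory's threshold and the real destination size are checked. */
    if (vlen > MSINFO_FILE_MAX || vlen >= outlen) {
        out[0] = '\0';
        return -2;
    }
    memcpy(out, value, vlen + 1);        /* vlen + 1 copies the terminating NUL */
    return 0;
}

/* Runs the hardened parser against one switch string using a correctly
 * sized buffer and returns its result code. */
int check_arg(const char *arg)
{
    char out[MSINFO_FILE_MAX + 1];
    return parse_msinfo_file(arg, out, sizeof out);
}

/* Builds a constructed probe "/msinfo_file=" followed by n 'A' characters
 * (the same shape as the advisory's proof of concept) and reports whether
 * the hardened parser accepts or rejects it. */
int check_value_length(size_t n)
{
    char arg[PREFIX_LEN + 600 + 1];      /* room for probes well past the limit */
    if (n > 600)
        return -1;
    memcpy(arg, PREFIX, PREFIX_LEN);
    memset(arg + PREFIX_LEN, 'A', n);
    arg[PREFIX_LEN + n] = '\0';
    return check_arg(arg);
}

int main(void)
{
    printf("258 chars -> %d (expect 0, accepted)\n", check_value_length(258));
    printf("259 chars -> %d (expect -2, rejected)\n", check_value_length(259));
    printf("empty value -> %d (expect -1)\n", check_value_length(0));
    printf("other switch -> %d (expect -1)\n", check_arg("/report=x"));
    return 0;
}
```

The point of the hardened version is that the length check happens before any byte is written, and that the check is against the destination the caller actually supplied rather than a constant the parser assumes; a value one byte past the limit is refused instead of overwriting whatever follows the buffer.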


=====================
Proof Of Concept Code
=====================

C:\Program Files\Common Files\Microsoft Shared\MSInfo>
msinfo32 /msinfo_file=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA



=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================

