Open Source and information security mailing list archives
Message-ID: <20060626111225.AD2F51D9004@supertolla.itapac.net>
Date: Mon Jun 26 12:12:34 2006
From: mc at khamsa.ch (Michele Cicciotti [Khamsa S.A.])
Subject: Windows Live Messenger 8.0 (Contact List *.ctt) Heap Overflow

Alexander Hristov wrote:
> Author:    JAAScois
> Date:      25.6.2006
> Type:      Heap Overflow
> Product:   http://live.com , http://messenger.msn.com
> Patch:     N/A
> Link : http://securitydot.net/xpl/exploits/vulnerabilities/articles/1108/exploit.html

This is most definitely *not* a heap overflow. Based on my analysis 
(Windows XP Professional, Service Pack 2, fully patched), several 
non-fatal exceptions occur inside FormatMessageW:

ntdll!fputwc+0x14:
7c92c24e 668902           mov     [edx],ax       ds:0023:022c1000=????

[...]

ChildEBP RetAddr
0006f23c 7c92c221 ntdll!fputwc+0x14
0006f24c 7c92c1f6 ntdll!_output+0x9d9
0006f260 7c92c314 ntdll!_output+0xa49
0006f6d8 7c92c2d2 ntdll!_woutput+0x9ae
0006f710 7c9399c8 ntdll!_snwprintf+0x31
0006fad0 7c828f98 ntdll!RtlFormatMessage+0x360
0006fb6c 7c829068 kernel32!BaseDllFormatMessage+0x1be
0006fb94 00762290 kernel32!FormatMessageW+0x21

[...]

If we continue execution, we see this is actually on-demand buffer 
extension at work:

ChildEBP RetAddr
0006ed98 7c809ad2 ntdll!ZwAllocateVirtualMemory
0006ede4 7c809a99 kernel32!VirtualAllocEx+0x47
0006ee00 7c85ea14 kernel32!VirtualAlloc+0x18
0006ee20 7c85ea7b kernel32!ExtendVirtualBuffer+0x40
0006ee30 7c840977 kernel32!VirtualBufferExceptionHandler+0x2a
0006ee40 7c839a54 kernel32!BaseDllFormatMessage+0x24b
0006ee68 7c9137bf kernel32!_except_handler3+0x61
0006ee8c 7c91378b ntdll!ExecuteHandler2+0x26
0006ef3c 7c91eafa ntdll!ExecuteHandler+0x24
0006ef3c 7c92c24e ntdll!KiUserExceptionDispatcher+0xe
0006f23c 7c92c221 ntdll!fputwc+0x14

[...]

And it's not even the heap:

0:000> !address 022c1000
     022c0000 : 022c0000 - 00001000
                     Type     00020000 MEM_PRIVATE
                     Protect  00000004 PAGE_READWRITE
                     State    00001000 MEM_COMMIT
                     Usage    RegionUsageIsVAD

It's just a random, nondescript 64 KB block reserved by an internal 
kernel32.dll function and allocated page by page on demand, and 
_snwprintf never writes outside of its bounds, and doesn't overwrite 
anything. What *really* happens is that FormatMessageW fails because the 
message exceeds the 64 KB maximum and is truncated:

0:000> !gle
LastErrorValue: (Win32) 0xea (234) - Sono disponibili altri dati.
LastStatusValue: (NTSTATUS) 0x80000005 - {Overflow del buffer}  Numero 
di dati eccessivo per poter essere contenuti nel buffer specificato.

Messenger handles the error by throwing an exception:

Args to Child
e06d7363 00000001 00000003 kernel32!RaiseException+0x53
0006fbb4 005c2584 0006fbd8 MSVCR80!_CxxThrowException+0x46

At 005c2584 we have the exception type, which points to a type info 
table at 00841dd8, which contains a table info entry at 00841de0, which 
reveals that the exception is of type "?AVCAtlException@ATL@@". The 
exception object itself, at 0006fbb4, begins with a doubleword 
containing 8007000e, which is a Win32 error wrapped in a HRESULT. 0xE is 
ERROR_OUTOFMEMORY.

The verdict is: unhandled exception.
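The decoding the analysis above does by hand (a Win32 error wrapped in an HRESULT, the ERROR_MORE_DATA last-error value, the STATUS_BUFFER_OVERFLOW warning status and the RaiseException code of an MSVC C++ throw) can be checked mechanically. The following is an added example, not part of the original message or of any Microsoft code; the constants are the documented Windows SDK values (winerror.h, ntstatus.h) hard-coded so the program builds without Windows headers, and the input values are the ones quoted from the debugger output in the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants copied from the Windows SDK (winerror.h, ntstatus.h) so the
 * program builds without Windows headers. */
#define FACILITY_WIN32          7u
#define ERROR_OUTOFMEMORY       14u
#define ERROR_MORE_DATA         234u
#define STATUS_BUFFER_OVERFLOW  0x80000005u
#define MSVC_CXX_EXCEPTION      0xE06D7363u  /* code MSVC passes to RaiseException for a C++ throw */

/* Same arithmetic as the SDK's HRESULT_FROM_WIN32 macro: a Win32 error
 * becomes a failure HRESULT with FACILITY_WIN32 and the error in the low 16 bits. */
uint32_t hresult_from_win32(uint32_t win32_error)
{
    if ((int32_t)win32_error <= 0)
        return win32_error;                      /* already an HRESULT (or S_OK) */
    return (win32_error & 0xFFFFu) | (FACILITY_WIN32 << 16) | 0x80000000u;
}

/* HRESULT layout: bit 31 severity, bits 16..26 facility, bits 0..15 code. */
int      hresult_is_failure(uint32_t hr) { return (int)((hr >> 31) & 1u); }
unsigned hresult_facility(uint32_t hr)   { return (hr >> 16) & 0x7FFu; }
unsigned hresult_code(uint32_t hr)       { return hr & 0xFFFFu; }
int      hresult_is_win32(uint32_t hr)   { return hresult_facility(hr) == FACILITY_WIN32; }

/* NTSTATUS severity (bits 30..31): 0 success, 1 informational, 2 warning, 3 error.
 * STATUS_BUFFER_OVERFLOW is a warning: the call reports truncation, nothing faults. */
unsigned ntstatus_severity(uint32_t status) { return status >> 30; }

int is_msvc_cxx_exception(uint32_t exception_code)
{
    return exception_code == MSVC_CXX_EXCEPTION;
}

/* Only the two codes that appear in the thread; extend as needed. */
const char *win32_error_name(unsigned code)
{
    switch (code) {
    case ERROR_OUTOFMEMORY: return "ERROR_OUTOFMEMORY";
    case ERROR_MORE_DATA:   return "ERROR_MORE_DATA";
    default:                return "(not in this table)";
    }
}

int main(void)
{
    /* Values taken from the debugger output quoted in the message. */
    uint32_t hr          = 0x8007000Eu;  /* first dword of the CAtlException object */
    uint32_t last_error  = 0xEAu;        /* !gle LastErrorValue */
    uint32_t last_status = 0x80000005u;  /* !gle LastStatusValue */
    uint32_t raise_code  = 0xE06D7363u;  /* first arg to kernel32!RaiseException */

    printf("HRESULT %08x: failure=%d facility=%u code=%u (%s)\n",
           hr, hresult_is_failure(hr), hresult_facility(hr), hresult_code(hr),
           hresult_is_win32(hr) ? win32_error_name(hresult_code(hr)) : "not a Win32 error");
    printf("Win32 error %u (%s) wraps to HRESULT %08x\n",
           last_error, win32_error_name(last_error), hresult_from_win32(last_error));
    printf("NTSTATUS %08x: severity=%u (2 = warning)\n",
           last_status, ntstatus_severity(last_status));
    printf("RaiseException code %08x is an MSVC C++ throw: %d\n",
           raise_code, is_msvc_cxx_exception(raise_code));
    return 0;
}
```

Run it and the first line reads back exactly what the message concluded: facility 7 (Win32), code 14, ERROR_OUTOFMEMORY. Note the mismatch it makes visible: FormatMessageW set ERROR_MORE_DATA (234), but the exception the application threw carries ERROR_OUTOFMEMORY, so the HRESULT in the CAtlException is not a direct wrap of the last-error value.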
