Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Microsoft Agent Heap Overflow Vulnerability

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Microsoft Agent Heap Overflow Vulnerability
Date: 30 Jan 2007 19:27:34 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft Agent Heap Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

Microsoft Agent is a software technology that enables an enriched form of 
user interaction that makes learning to use a computer easier. With the 
software service, developers can enhance the user interface of their 
applications and Web pages with interactive personalities in the form of 
animated characters.

This feature is preinstalled on Win2k/XP and allows loading of remote 
character data via HTTP through Internet Explorer. Microsoft actually 
utilizes a custom compression algorithm to compress the character data 
file (.acf) which we presume is to speed up the distribution over network.

A security researcher of COSEINC Vulnerability Research Lab has discovered 
that Microsoft Agent has a heap overflow vulnerability. This vulnerability 
is triggered when Microsoft Agent parses the malformed character file in 
its uncompressed state in memory, by having an overly large value in a 
length field. This will lead to an integer overflow during the allocation 
of buffer. Subsequently, when data is copied to the buffer, the heap 
overflow will occur. The result is possible remote code execution.

DETAILS

Systems Affected:
 * Windows 2000 All Service Packs
 * Windows XP All Service Packs

The vulnerability exists in the ReadWideString function in agentdpv.dll:

711a2cc4     mov     eax,[ebp+0xc]
711a2cc7     cmp     eax,ebx
711a2cc9     jz      agentdpv!ReadWideStringW+0x6b (711a2d0e)
711a2ccb     lea     eax,[eax+eax+0x2]
711a2ccf     push    eax
711a2cd0     call    agentdpv!operator new (711aaa6c)

The .acf format when uncompressed in memory, stores strings with their 
lengths prepended to them. To trigger the vulnerability, a large value 
7FFFFFFF can be set in the length field of a string before compression 
takes place to create a malformed .acf file (This can be done using the 
Microsoft- supplied Agent Character Editor and editing the memory contents 
when creating the .acf file). When Microsoft Agent parses the .acf file, 
this length is read after uncompressing the file in memory:

711a2cc4     mov     eax,[ebp+0xc] ; length of string

An integer overflow occurs presumably during the calculation of the size 
of the memory to allocate for a widestring using the supplied length, 
resulting in an allocation of 0 bytes:

711a2ccb     lea     eax,[eax+eax+0x2]
711a2ccf     push    eax
711a2cd0     call    agentdpv!operator new (711aaa6c)

Sometime after, the string will be read from memory allocated earlier and 
copied to the buffer leading to the overflow and corrupting the heap.

711a2ce8     push    ebx
711a2ce9     add     edx,edx
711a2ceb     push    edx
711a2cec     push    eax
711a2ced     push    edi
711a2cee     call    dword ptr [ecx+0xc]{ole32!CMemStm::Read (771e7a1f)}

Notes:
The string has been earlier written (together with other data) to a 
temporary buffer as a result of the uncompressing procedure. The 2nd DWORD 
in the .acf file specifies the total size of the file in its uncompressed 
state and is used internally to allocate the required memory for the 
temporary buffer.

The number of bytes to copy from this temporary buffer is apparently 
determined by subtracting from the total size, the size of previous data 
chunks and does not utilize the supplied string length.

Hence, the amount of overflow can be controlled by simply using a string 
of the desired length. This is why the large length of 7FFFFFFF does not 
result in continuous copying leading to access violation (usually in the 
case of an integer overflow). Consequently, an arbitrary 4-byte overwrite 
will occur resulting in possible code execution.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is 
available at:
 <http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx> 
http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx


ADDITIONAL INFORMATION

The information has been provided by Willow.
The original article can be found at:  <http://www.coseinc.com/alert.html> 
http://www.coseinc.com/alert.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Microsoft Agent Heap Overflow Vulnerability, SecuriTeam <=
Previous by Date:  [EXPL] Intel 2200BG 802.11 Disassociation Packet Kernel Memory Corruption, SecuriTeam
Next by Date:  [NEWS] @Mail WebMail Cross Site Request Forgery, SecuriTeam
Previous by Thread:  [EXPL] Intel 2200BG 802.11 Disassociation Packet Kernel Memory Corruption, SecuriTeam
Next by Thread:  [NEWS] @Mail WebMail Cross Site Request Forgery, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]