Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

COSEINC Alert: Microsoft Agent Heap Overflow Vulnerability Technical Det

from [Coseinc] Network Security [Permanent Link]
Subject: COSEINC Alert: Microsoft Agent Heap Overflow Vulnerability Technical Details (Patched)
Date: Tue, 30 Jan 2007 15:13:34 +0800 
Microsoft Agent Heap Overflow Vulnerability

COSEINC Alert
http://www.coseinc.com/alert.html

Vendor:
Microsoft

Systems Affected:
Windows 2000 All Service Packs
Windows XP All Service Packs

Overview:
Microsoft Agent is a software technology that enables an enriched form of
user interaction that makes learning to use a computer easier. With the
software service, developers can enhance the user interface of their
applications and Web pages with interactive personalities in the form of
animated characters.

This feature is preinstalled on Win2k/XP and allows loading of remote
character data via HTTP through Internet Explorer. Microsoft actually
utilizes a custom compression algorithm to compress the character data file
(.acf) which we presume is to speed up the distribution over network.

A security researcher of COSEINC Vulnerability Research Lab has discovered
that Microsoft Agent has a heap overflow vulnerability. This vulnerability
is triggered when Microsoft Agent parses the malformed character file in its
uncompressed state in memory, by having an overly large value in a length
field. This will lead to an integer overflow during the allocation of
buffer. Subsequently, when data is copied to the buffer, the heap overflow
will occur. The result is possible remote code execution.

Technical Details:
The vulnerability exists in the ReadWideString function in agentdpv.dll:

711a2cc4     mov     eax,[ebp+0xc]
711a2cc7     cmp     eax,ebx
711a2cc9     jz      agentdpv!ReadWideStringW+0x6b (711a2d0e)
711a2ccb     lea     eax,[eax+eax+0x2]
711a2ccf     push    eax
711a2cd0     call    agentdpv!operator new (711aaa6c)

The .acf format when uncompressed in memory, stores strings with their
lengths prepended to them. To trigger the vulnerability, a large value
7FFFFFFF can be set in the length field of a string before compression takes
place to create a malformed .acf file (This can be done using the Microsoft-
supplied Agent Character Editor and editing the memory contents when
creating the .acf file). When Microsoft Agent parses the .acf file, this
length is read after uncompressing the file in memory:

711a2cc4     mov     eax,[ebp+0xc] ; length of string

An integer overflow occurs presumably during the calculation of the size of
the memory to allocate for a widestring using the supplied length, resulting
in an allocation of 0 bytes:

711a2ccb     lea     eax,[eax+eax+0x2]
711a2ccf     push    eax
711a2cd0     call    agentdpv!operator new (711aaa6c)

Sometime after, the string will be read from memory allocated earlier and
copied to the buffer leading to the overflow and corrupting the heap.

711a2ce8     push    ebx
711a2ce9     add     edx,edx
711a2ceb     push    edx
711a2cec     push    eax
711a2ced     push    edi
711a2cee     call    dword ptr [ecx+0xc]{ole32!CMemStm::Read (771e7a1f)}

Notes:
The string has been earlier written (together with other data) to a
temporary buffer as a result of the uncompressing procedure. The 2nd DWORD
in the .acf file specifies the total size of the file in its uncompressed
state and is used internally to allocate the required memory for the
temporary buffer.

The number of bytes to copy from this temporary buffer is apparently
determined by subtracting from the total size, the size of previous data
chunks and does not utilize the supplied string length.

Hence, the amount of overflow can be controlled by simply using a string of
the desired length. This is why the large length of 7FFFFFFF does not result
in continuous copying leading to access violation (usually in the case of an
integer overflow). Consequently, an arbitrary 4-byte overwrite will occur
resulting in possible code execution.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx

Credit:
This vulnerability was discovered by Willow, a Windows security researcher
of the COSEINC Vulnerability Research Lab (VRL).

Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
no warranties, implied or express, with regard to this information. In no
event shall the author or the company be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or spread of
this information. Any use of this information is at the user's own risk.

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • COSEINC Alert: Microsoft Agent Heap Overflow Vulnerability Technical Details (Patched), Coseinc <=
Previous by Date:  Re: [Full-disclosure] S21sec-034-en: Cisco VTP DoS vulnerability, Clay Seaman-Kossmeyer
Next by Date:  rPSA-2007-0020-2 rmake, rPath Update Announcements
Previous by Thread:  RBL - ASP (scripts with db) SQL injection, sn0oPy . team
Next by Thread:  rPSA-2007-0020-2 rmake, rPath Update Announcements
Indexes:  [Date] [Thread] [Top] [All Lists]