MS06-008
Kostya Kortchinsky (Kostya) <kostyakortchinskygmailcom> Thursday, March 23 2006 03:41.55 CST


Greetings people,

Here are some details about the flaw in the WebClient service that I reported to Microsoft some months ago and that was patched with MS06-008.

In the function DavOpenCreateConnection in webclnt.dll, one can notice the following piece of code:

.text:5A9F38E6                 push    [ebp+Password]  ; wchar_t *
.text:5A9F38E9                 call    esi ; __imp__wcslen
.text:5A9F38EB                 shl     eax, 1
.text:5A9F38ED                 mov     [ebp+var_8], eax
.text:5A9F38F0                 movzx   eax, ax
.text:5A9F38F3                 add     eax, 15h
.text:5A9F38F6                 and     eax, 0FFFFFFFCh
.text:5A9F38F9                 pop     ecx
.text:5A9F38FA                 mov     [ebp+uBytes], eax
.text:5A9F38FD
.text:5A9F38FD loc_5A9F38FD:   ; CODE XREF: DavOpenCreateConnection(x,x,x,x,x,x,x,x,x,x)+3B
.text:5A9F38FD                 cmp     [ebp+UserName], edi
.text:5A9F3900                 jz      short loc_5A9F3919
.text:5A9F3902                 push    [ebp+UserName]  ; wchar_t *
.text:5A9F3905                 call    esi ; __imp__wcslen
.text:5A9F3907                 shl     eax, 1
.text:5A9F3909                 mov     [ebp+var_C], eax
.text:5A9F390C                 movzx   eax, ax
.text:5A9F390F                 add     eax, 15h
.text:5A9F3912                 and     eax, 0FFFFFFFCh
.text:5A9F3915                 add     [ebp+uBytes], eax
.text:5A9F3918                 pop     ecx
.text:5A9F3919
.text:5A9F3919 loc_5A9F3919:   ; CODE XREF: DavOpenCreateConnection(x,x,x,x,x,x,x,x,x,x)+57
.text:5A9F3919                 add     [ebp+uBytes], 24h
.text:5A9F391D                 push    [ebp+uBytes]    ; uBytes
.text:5A9F3920                 push    ebx             ; uFlags
.text:5A9F3921                 call    ds:__imp__LocalAlloc@8 ; LocalAlloc(x,x)

The allocated buffer is then used to store both UserName and Password via wcscpy(). The noticeable error lies in the movzx eax, ax instructions, which keep only the lower 16 bits of (wcslen(Password) * 2) (and, in the second block, of (wcslen(UserName) * 2)): if wcslen(Password) = 32768, eax will be zero, the allocated buffer will then be too small for the wide-string copy operation, and a heap overflow will occur. Usually you will get a page fault this way, so you will have to grow the heap first to get a "real" overflow. Of course, before MS06-008, no length check was done on Password or UserName in this function or in its callers.
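As an added illustration (my own C, not Microsoft's code and not part of the original post): the allocation arithmetic from the listing above reproduced operation by operation, next to the number of bytes wcscpy() actually writes, plus a checked variant that refuses any length the 16-bit truncation would corrupt. Assumption: the two strings are copied back to back into the buffer after the 24h header.

```c
#include <stdint.h>
#include <stdio.h>

/* Size contributed by one string, exactly as the listing computes it:
 * wcslen(s)*2, truncated to 16 bits (movzx eax, ax), then (bytes + 15h) & 0FFFFFFFCh.
 * Reconstructed from the disassembly above. */
static uint32_t dav_string_slot(size_t wchars)
{
    uint32_t bytes = (uint32_t)(wchars * 2) & 0xFFFFu; /* movzx eax, ax */
    return (bytes + 0x15u) & ~0x3u;                     /* add eax, 15h ; and eax, 0FFFFFFFCh */
}

/* uBytes handed to LocalAlloc: Password slot, optional UserName slot, plus 24h. */
uint32_t dav_alloc_size(size_t pw_wchars, size_t user_wchars, int has_user)
{
    uint32_t u = dav_string_slot(pw_wchars);
    if (has_user)
        u += dav_string_slot(user_wchars);
    return u + 0x24u;
}

/* Bytes wcscpy() writes for the two strings, NUL terminators included
 * (assumes the strings are stored back to back in the buffer). */
static size_t dav_copy_bytes(size_t pw_wchars, size_t user_wchars, int has_user)
{
    size_t n = (pw_wchars + 1) * 2;
    if (has_user)
        n += (user_wchars + 1) * 2;
    return n;
}

/* 1 if the copy is larger than the allocation, i.e. the heap overflow described above. */
int dav_would_overflow(size_t pw_wchars, size_t user_wchars, int has_user)
{
    return dav_copy_bytes(pw_wchars, user_wchars, has_user)
         > dav_alloc_size(pw_wchars, user_wchars, has_user);
}

/* Hardened sizing (my variant, not the MS06-008 patch itself): reject any string whose
 * byte length does not fit in 16 bits instead of silently truncating it. Returns 0 on
 * rejection so the caller fails the request before allocating anything. */
uint32_t dav_alloc_size_checked(size_t pw_wchars, size_t user_wchars, int has_user)
{
    if (pw_wchars * 2 > 0xFFFFu || (has_user && user_wchars * 2 > 0xFFFFu))
        return 0;
    return dav_alloc_size(pw_wchars, user_wchars, has_user);
}
```

With wcslen(Password) = 32768 the unchecked path asks LocalAlloc for only 0x38 bytes while wcscpy() writes 65538; with 32767 the allocation (65588 bytes) still covers the copy, which is why the boundary sits exactly at 2^15 characters.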

The funny thing is that this flaw is also present in some other functions:
- NwOpenCreateConnection in Client Service for NetWare, previously reported and corrected in MS05-046;
- WsOpenCreateConnection in Workstation Service, but unfortunately length checks have been in there for a while.

In the patch, Microsoft chose to add length checks in the parent function DavrCreateConnection rather than in the function itself, which doesn't seem like a very good idea: if a new path to the vulnerable code is added some day, the same issue will probably arise again.

This flaw can be exploited through operation number 0 of the RPC interface c8cb7687-e6d3-11d2-a958-00c04f682e16, described here, over the named pipe "DAV RPC SERVICE", which requires authentication.

Kostya
