OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Thursday, March 23 2006 03:41.55 CST Modified: Thursday, March 23 2006 03:56.21 CST

Printer Friendly ...

MS06-008

Author: Kostya

# Views: 5648

Greetings people,

Here are some details about the flaw in WebClient service I reported to Microsoft some months ago and that got patched with MS06-008.

In the function DavOpenCreateConnection in webclnt.dll, one can notice the following piece of code :



.text:5A9F38E6                 push    [ebp+Password]  ; wchar_t *

.text:5A9F38E9                 call    esi ; __imp__wcslen

.text:5A9F38EB                 shl     eax, 1

.text:5A9F38ED                 mov     [ebp+var_8], eax

.text:5A9F38F0                 movzx   eax, ax

.text:5A9F38F3                 add     eax, 15h

.text:5A9F38F6                 and     eax, 0FFFFFFFCh

.text:5A9F38F9                 pop     ecx

.text:5A9F38FA                 mov     [ebp+uBytes], eax

.text:5A9F38FD

.text:5A9F38FD loc_5A9F38FD:   ; CODE XREF: DavOpenCreateConnection(x,x,x,x,x,x,x,x,x,x)+3B

.text:5A9F38FD                 cmp     [ebp+UserName], edi

.text:5A9F3900                 jz      short loc_5A9F3919

.text:5A9F3902                 push    [ebp+UserName]  ; wchar_t *

.text:5A9F3905                 call    esi ; __imp__wcslen

.text:5A9F3907                 shl     eax, 1

.text:5A9F3909                 mov     [ebp+var_C], eax

.text:5A9F390C                 movzx   eax, ax

.text:5A9F390F                 add     eax, 15h

.text:5A9F3912                 and     eax, 0FFFFFFFCh

.text:5A9F3915                 add     [ebp+uBytes], eax

.text:5A9F3918                 pop     ecx

.text:5A9F3919

.text:5A9F3919 loc_5A9F3919:   ; CODE XREF: DavOpenCreateConnection(x,x,x,x,x,x,x,x,x,x)+57

.text:5A9F3919                 add     [ebp+uBytes], 24h

.text:5A9F391D                 push    [ebp+uBytes]    ; uBytes

.text:5A9F3920                 push    ebx             ; uFlags

.text:5A9F3921                 call    ds:__imp__LocalAlloc@8 ; LocalAlloc(x,x)

The allocated buffer is then used to store both UserName and Password thanks to wcscpy(). A noticeable error here lies within the movzx eax, ax instructions that will only keep the lower 16 bits of (wcslen(Password) * 2), which means that if wcsclen(Password) = 32768, eax will be null, the allocated buffer will then be too small for the widestring copy operation, and a heap overflow will occur. Usually, you will get a page fault this way, so you will have to grow heap first to do a "real" overflow. Of course, before MS06-008, no length check was done on Password or UserName in this function, or its callers.

The funny thing is that this flaw is also present in some other functions :
- NwOpenCreateConnection in Client Service for Netware, previously reported, and corrected in MS05-046 ;
- WsOpenCreateConnection in Workstation Service, but unfortunately length checks have been in there for a while ;

In the patch, Microsoft chose to add length checks in parent function DavrCreateConnection, rather than in the function itself, which doesn't seem a really good idea because if a new path to the vulnerable code is added some day, the same issue will probably be raised again.

This flaw can be exploited thanks to operation number 0 of RPC interface c8cb7687-e6d3-11d2-a958-00c04f682e16, described here, through the named pipe "DAV RPC SERVICE" which requires authentication.

Kostya

There are 31,314 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit