
List:       full-disclosure
Subject:    [Full-Disclosure] Buffer overflow in Shell32.dll . Net monitor
From:       "David F. Madrid" <idoru () videosoft ! net ! uy>
Date:       2003-05-29 22:54:09

Issue



Buffer overflow in Shell32.dll . Net monitor


Tested version


W2000 Server SP3, Shell32.dll version 5.0.3502.5436


Vendor status


Microsoft was informed months ago but, as they seem to be even slower
than me at debugging, I decided to publish it.


Description


Net monitor is a traffic analysis tool that ships with some versions of
Windows. Besides analyzing traffic, you can open capture files (.cap).
If you try to open a capture file with a long file name (~252 bytes),
netmon will crash with an access violation. The program instruction
pointer EIP is overwritten with the file name converted to Unicode, so
the cause of the crash is a corruption of adjacent variables on the
stack. In order to execute code with this vulnerability you can place
your code in a system environment variable. That places your code at an
address (~00010040) that can be referenced from the controlled EIP
converted to Unicode.

The crash occurs in this function:

77E3A294  8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]
77E3A298  CD 2B          INT 2B
77E3A29A  C2 0400        RETN 4

After executing int 2B, the program seems to switch stacks and ESP has
the value ~6bf88. This memory zone is overwritten in the second call to
the MultiByteToWideChar function in module shell32.dll:

775C059B  FF7424 10      PUSH DWORD PTR SS:[ESP+10]      ( Wide buffer size = 260 bytes )
775C059F  66:890E        MOV WORD PTR DS:[ESI],CX
775C05A2  8A50 02        MOV DL,BYTE PTR DS:[EAX+2]
775C05A5  80E2 34        AND DL,34
775C05A8  80FA 34        CMP DL,34
775C05AB  0F84 8AA20400  JE SHELL32.7760A83B
775C05B1  56             PUSH ESI                        ( pointer to Wide buffer )
775C05B2  83C0 0E        ADD EAX,0E
775C05B5  6A FF          PUSH -1
775C05B7  50             PUSH EAX                        ( filename )
775C05B8  51             PUSH ECX
775C05B9  51             PUSH ECX
775C05BA  FF15 68185977  CALL DWORD PTR DS:[<&KERNEL32.MultiByteToWideChar>]

I think the cause is in this call, because when converting a filename of
252 bytes to Unicode the wide buffer size should be at least 504 bytes.

This second call to MultiByteToWideChar is made from GetOpenFileNameW,
which opens a dialog to choose the file to open and fills an OPENFILENAME
structure with the chosen file name and path. The GetOpenFileNameW call
completes correctly; the crash occurs a bit after, when executing the 2B
interrupt. I don't know what this interrupt does; what I have found on
Google is that it is reserved for DOS and is equivalent to RET.
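The defensive counterpart of the call discussed above, added here as an example (it is not code from the advisory or from Microsoft): the narrow-to-wide conversion is only performed after measuring the length it needs against the fixed 260-character wide buffer, and an over-long name is refused. MultiByteToWideChar counts wide characters, not bytes; on non-Windows systems the standard mbstowcs stands in so the check compiles anywhere. The file names and sizes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define WIDE_CAP 260   /* capacity in wide characters (MAX_PATH), like the advisory's wide buffer */
/* Widen a narrow file name into 'out' (capacity 'cap' in wide characters, not bytes).
 * The required length is measured first and the copy happens only if it fits, NUL
 * included; an over-long name is refused instead of overflowing. Returns chars or -1. */
static int widen_checked(const char *name, wchar_t *out, size_t cap)
{
    size_t needed;
#ifdef _WIN32
    int n = MultiByteToWideChar(CP_ACP, 0, name, -1, NULL, 0);  /* required count incl. NUL */
    if (n <= 0) return -1;
    needed = (size_t)n;
#else
    needed = mbstowcs(NULL, name, 0);                          /* length excl. NUL */
    if (needed == (size_t)-1) return -1;                       /* invalid sequence */
    needed += 1;
#endif
    if (needed > cap) return -1;   /* would overflow the fixed buffer: refuse, do not copy */
#ifdef _WIN32
    if (MultiByteToWideChar(CP_ACP, 0, name, -1, out, (int)cap) <= 0) return -1;
#else
    mbstowcs(out, name, cap);
#endif
    return (int)needed - 1;
}

/* Constructed input: a file name of 'len' bytes of 'A' ending in ".cap". */
static int convert_name_of_length(size_t len)
{
    char name[1024]; wchar_t wide[WIDE_CAP];
    if (len < 4 || len >= sizeof name) return -1;
    memset(name, 'A', len);
    memcpy(name + len - 4, ".cap", 4);
    name[len] = '\0';
    return widen_checked(name, wide, WIDE_CAP);
}

int demo_fits(void)     { return convert_name_of_length(252); }  /* 253 <= 260 -> 252 */
int demo_too_long(void) { return convert_name_of_length(300); }  /* 301 >  260 -> -1  */
int main(void)
{
    printf("252-byte name -> %d, 300-byte name -> %d\n", demo_fits(), demo_too_long());
    return 0;
}
```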

Every note or correction will be welcome, because I am just a student and
this is not taught at university :D


Exploit


In the Spanish version of this advisory you can find a script to generate
the long file name that will crash netmon when it is opened in it:

http://nautopia.coolfreepages.com/vulnerabilidades/shell32_getOpenFileNameW.htm



Regards,

David F. Madrid,
Madrid, Spain

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
