
Re: [Full-disclosure] Windows Live Messenger 8.0 ( Contact List *.ctt ) Heap Overflow



Alexander Hristov wrote:
> Author:    JAAScois
> Date:      25.6.2006
> Type:      Heap Overflow
> Product:   http://live.com , http://messenger.msn.com
> Patch:     N/A
> Link:      http://securitydot.net/xpl/exploits/vulnerabilities/articles/1108/exploit.html

This is most definitely *not* a heap overflow. Based on my analysis (Windows XP Professional, Service Pack 2, fully patched), several non-fatal exceptions occur inside FormatMessageW:

ntdll!fputwc+0x14:
7c92c24e 668902           mov     [edx],ax       ds:0023:022c1000=????

[...]

ChildEBP RetAddr
0006f23c 7c92c221 ntdll!fputwc+0x14
0006f24c 7c92c1f6 ntdll!_output+0x9d9
0006f260 7c92c314 ntdll!_output+0xa49
0006f6d8 7c92c2d2 ntdll!_woutput+0x9ae
0006f710 7c9399c8 ntdll!_snwprintf+0x31
0006fad0 7c828f98 ntdll!RtlFormatMessage+0x360
0006fb6c 7c829068 kernel32!BaseDllFormatMessage+0x1be
0006fb94 00762290 kernel32!FormatMessageW+0x21

[...]

If we continue execution, we see this is actually on-demand buffer extension at work:

ChildEBP RetAddr
0006ed98 7c809ad2 ntdll!ZwAllocateVirtualMemory
0006ede4 7c809a99 kernel32!VirtualAllocEx+0x47
0006ee00 7c85ea14 kernel32!VirtualAlloc+0x18
0006ee20 7c85ea7b kernel32!ExtendVirtualBuffer+0x40
0006ee30 7c840977 kernel32!VirtualBufferExceptionHandler+0x2a
0006ee40 7c839a54 kernel32!BaseDllFormatMessage+0x24b
0006ee68 7c9137bf kernel32!_except_handler3+0x61
0006ee8c 7c91378b ntdll!ExecuteHandler2+0x26
0006ef3c 7c91eafa ntdll!ExecuteHandler+0x24
0006ef3c 7c92c24e ntdll!KiUserExceptionDispatcher+0xe
0006f23c 7c92c221 ntdll!fputwc+0x14

[...]

And it's not even the heap:

0:000> !address 022c1000
    022c0000 : 022c0000 - 00001000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageIsVAD

It's just a random, nondescript 64 KB block reserved by an internal kernel32.dll function and allocated page by page on demand, and _snwprintf never writes outside of its bounds, and doesn't overwrite anything. What *really* happens is that FormatMessageW fails because the message exceeds the 64 KB maximum and is truncated:

0:000> !gle
LastErrorValue: (Win32) 0xea (234) - Sono disponibili altri dati.
LastStatusValue: (NTSTATUS) 0x80000005 - {Overflow del buffer} Numero di dati eccessivo per poter essere contenuti nel buffer specificato.

Messenger handles the error by throwing an exception:

Args to Child
e06d7363 00000001 00000003 kernel32!RaiseException+0x53
0006fbb4 005c2584 0006fbd8 MSVCR80!_CxxThrowException+0x46

At 005c2584 we have the exception type, which points to a type info table at 00841dd8, which contains a table info entry at 00841de0, which reveals that the exception is of type "?AVCAtlException@ATL@@". The exception object itself, at 0006fbb4, begins with a doubleword containing 8007000e, which is a Win32 error wrapped in a HRESULT. 0xE is ERROR_OUTOFMEMORY.

The verdict is: unhandled exception.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
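The triage above rests on reading three codes by hand: the Win32 last error (0xea = 234, ERROR_MORE_DATA), the NTSTATUS 0x80000005 (a warning-severity STATUS_BUFFER_OVERFLOW), and the HRESULT 8007000e inside the CAtlException object. The following is an added example, not code from the post or from Messenger: a portable C re-implementation of the HRESULT_FROM_WIN32 mapping and the NTSTATUS bit layout, so an analyst can confirm that 0x8007000E really is ERROR_OUTOFMEMORY (0xE) tagged with FACILITY_WIN32, rather than a memory-corruption artefact. The struct and function names are my own; the constants are the documented winerror.h values.

```c
#include <stdint.h>
#include <stdio.h>

/* Win32 error codes and facility seen in the post (values from winerror.h). */
#define ERROR_OUTOFMEMORY 14u    /* 0xE  -> wraps to 0x8007000E */
#define ERROR_MORE_DATA   234u   /* 0xEA -> GetLastError() in the !gle output */
#define FACILITY_WIN32    7u

/* Portable equivalent of the HRESULT_FROM_WIN32 macro: an already-negative
   value is passed through; otherwise the low 16 bits are tagged with
   FACILITY_WIN32 and the failure (S) bit is set. */
static uint32_t hresult_from_win32(uint32_t win32_code) {
    if (win32_code & 0x80000000u) return win32_code;
    return (win32_code & 0x0000FFFFu) | (FACILITY_WIN32 << 16) | 0x80000000u;
}

/* Inverse: recover the Win32 code from a FACILITY_WIN32 failure HRESULT.
   Returns 0 when the HRESULT is not of that shape (caller must check). */
static uint32_t win32_from_hresult(uint32_t hr) {
    uint32_t facility = (hr >> 16) & 0x1FFFu;   /* 11 facility bits + R/C/N */
    if (!(hr & 0x80000000u) || facility != FACILITY_WIN32) return 0;
    return hr & 0xFFFFu;
}

/* NTSTATUS layout: Sev(2) | C(1) | N(1) | Facility(12) | Code(16).
   Severity 0 = success, 1 = informational, 2 = warning, 3 = error. */
typedef struct { unsigned severity, facility, code; } ntstatus_fields;

static ntstatus_fields decode_ntstatus(uint32_t status) {
    ntstatus_fields f;
    f.severity = status >> 30;
    f.facility = (status >> 16) & 0x0FFFu;
    f.code     = status & 0xFFFFu;
    return f;
}

int main(void) {
    /* Values taken from the debugger output in the post. */
    uint32_t hr = 0x8007000Eu, st = 0x80000005u;
    ntstatus_fields f = decode_ntstatus(st);
    printf("HRESULT 0x%08X -> Win32 error %u (ERROR_OUTOFMEMORY is %u)\n",
           hr, win32_from_hresult(hr), ERROR_OUTOFMEMORY);
    printf("ERROR_MORE_DATA (%u) as HRESULT -> 0x%08X\n",
           ERROR_MORE_DATA, hresult_from_win32(ERROR_MORE_DATA));
    printf("NTSTATUS 0x%08X -> severity %u (warning), facility %u, code %u\n",
           st, f.severity, f.facility, f.code);
    return 0;
}
```

A warning-severity NTSTATUS and a FACILITY_WIN32 HRESULT are both ordinary, fully-formed error values; a corrupted object would not decode this cleanly.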