[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Microsoft VISTA TCP/IP heap buffer underflow



Just so that I understand correctly, are you reporting that if one is logged on 
as the administrator, it may be possible to execute this exploit in order to 
take over the machine?

t

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of J. Oquendo
Sent: Friday, April 01, 2011 10:52 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Microsoft VISTA TCP/IP heap buffer underflow


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Microsoft VISTA TCP/IP heap buffer underflow

Summary
- -----------------------------
Microsoft Device IO Control wrapped by an API shipping with Windows Vista 32 
bit and 64 bit contains a possibly exploitable, buffer underflow corrupting 
kernel memory.


Affected Systems
- -----------------------------

Using the sample proof of concept, it was possible to verify this issue on 
following operating systems and configurations:

* Microsoft Windows Vista Ultimate 32 bit

It is very likely that other versions of Windows Vista are affected by this 
issue.

This issue did not occur on Windows XP, Windows 2003 Advanced Server, Windows 
2008 Server nor Windows Millenium Edition

Re-installation of Service Pack 1 and/or upgrading to SP2 had any effect in 
regards to resolve the random crashes.

To execute either the sample program or any other system command, the user has 
to be either the admin, in the admin group or the Administrators group.

Since this buffer underflow never makes it to kernel memory, it could be 
possible that propping up the underflow will make it overflow and take control 
over the operating system without any restriction.

Remedy
- ------------
No remedy available at this time.

Reported
- ------------
This vulnerability is being reported now


Relevant
- ------------
934b7a5c 85aa6fe4 00000000 934b7ac4 837100ee
tcpip!IppCreateUnicastRoute+0xf0
934b7ae8 85a5d121 00000001 858b6278 84d74ce8
tcpip!IppValidateSetAllRouteParameters+0x217
934b7b64 85a18a29 836c134c 00000000 92a84a70
tcpip!Ipv4SetAllRouteParameters+0x1d1
934b7ba4 8a844551 00000001 92a326b4 00000000 NETIO!NsiSetAllParametersEx+0xbd
934b7bf0 8a844eb8 00000000 836c1330 836c1378
nsiproxy!NsippSetAllParameters+0x1b1
934b7c14 8a844f91 92a32601 00000000 8371d290
nsiproxy!NsippDispatchDeviceControl+0x88
934b7c2c 818f0053 8590b448 92a32698 92a32698 nsiproxy!NsippDispatch+0x33
934b7c44 81a80515 8371d290 92a32698 92a32708 nt!IofCallDriver+0x63
934b7c64 81a80cba 8590b448 8371d290 0027f700
nt!IopSynchronousServiceTail+0x1d9
934b7d00 81a6a98e 8590b448 92a32698 00000000 nt!IopXxxControlFile+0x6b7
934b7d34 8188ba7a 00000044 00000048 00000000 nt!NtDeviceIoControlFile+0x2a
934b7d34 77529a94 00000044 00000048 00000000 nt!KiFastCallEntry+0x12a 0027f68c 
77528444 777214b9 00000044 00000048 ntdll!KiFastSystemCallRet
0027f690 777214b9 00000044 00000048 00000000 ntdll!ZwDeviceIoControlFile+0xc

======== Disassembly with commands ========

mov edi,edi
push ebp
mov ebp,esp
push edi
mov edi,dword ptr [ebp+8]
lea eax,[ebp+8]
push eax
push dword ptr [edi+4]
push 18h
call NOMNOM!RtlULongAdd (85a1675d)
test eax,eax
jl OMNOM!PtpCreateNOM+0x1b
push esi
push 74704D4Eh
push dword ptr [ebp+8] ; = 0x00000020
push 0
call ExAllocatePoolWithTag ; eax = ExAllocatePoolWithTag(0, 0x20, 0x74704D4E, 
esi); mov esi,eax ; = 0x83716380 allocated buffer address test esi,esi je 
NOM!CreateOMNOM+0x6d push dword ptr [ebp+8] ; = 0x00000020 push 0 push esi ; 
0x83716380 allocated buffer address call NOM!memset (85a10543) ; 
memset((char*)0x83716380, 0, 0x20) mov eax,dword ptr [ebp+14h] mov dword ptr 
[esi],eax mov eax,dword ptr [ebp+18h] mov dword ptr [esi+0Ch],eax mov dword ptr 
[eax],esi mov eax,dword ptr [ebp+0Ch] and word ptr [esi+14h],0 add esp,0Ch push 
eax ; = 0x837100ee lea eax,[esi+18h] ; esi unchanged, holds the alloc. buffer 
address
(=0x83716380)
push eax ; = 0x83716398 add offset of 0x18 bytes to the allocated buffer inc 
dword ptr [edi+8] mov eax,esi pop esi pop edi pop ebp ret 14h nop nop nop om 
nom nom


- -- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to ruin it. If you 
think about that, you'll do things differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iD8DBQFNlhDEK/fYPyEKla8RAnWXAJ0XaB/D0Cd0eYt+6Vd00Tx6RYsRmQCfWwGk
QGt6mpCUiDKXxhCdg5xpi7M=
=pjws
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/