
MS ASN library is fraught not only with integer overflow, but also with stack overflow.







    After eEye published the vulnerability in the ASN library, many people 
discussed it and focused on whether we can exploit it and gain privilege.

    Theoretically speaking, we can gain privilege, but in fact it's very 
difficult, because it needs a very LARGE value to cause an integer overflow. 
This happens when copying data into a heap buffer, and it causes an error 
while writing the buffer first, so it's difficult to exploit. If a program can 
handle more than 512M of data when the bit string heap corruption occurs, it's 
possible to exploit it.

    Some special ASN library functions have stack overflows. If this kind of 
ASN function is used by some program or service, we can exploit it. 
Regrettably, we have not found this kind of program or service. If such 
programs exist, it's easy to exploit (only a stack overflow).

    This is the ASN1BERDecDouble function in the ASN1 library (not Win2K+SP4):


call    ASN1BERDecTag
test    eax, eax
jz      error
lea     eax, [ebp+arg_4]        ; arg_4 receives the decoded length
push    edi
push    eax
push    ebx
call    ASN1BERDecLength        ; <----- When the value is bigger than 0x10C,
                                ;        it triggers a stack overflow
test    eax, eax
jz      error
mov     edx, [ebp+arg_4]        ; edx = length
cmp     edx, edi
jnz     short l1

l1:
mov     eax, [ebx+20h]          ; eax = current read position in the decoder state
lea     ecx, [edx+eax]
lea     esi, [eax+1]            ; esi = content after the first octet
mov     [ebx+20h], ecx          ; advance the position by the length
movzx   ecx, byte ptr [eax]     ; <----- Pay attention to EAX. We can control it
                                ;        to fit the condition, not the 0x84.

test    cl, 80h
mov     [ebp+var_8], ecx
jz      l2

l2:
test    cl, 40h
jz      short l3

l3:
lea     ecx, [edx-1]            ; ecx = length - 1
lea     edi, [ebp+var_10C]      ; <----- This is stack, not heap. If ECX is bigger
                                ;        than 0x10C, it overwrites the stack.
mov     eax, ecx
push    2Ch
shr     ecx, 2                  ; copy (length - 1) / 4 dwords
repe movsd
####################################################

    But this vulnerability is fixed in Win2K+SP4. We found another similar 
function: ASN1PERDecDouble. It can be exploited on W2K+SP4, but the new hotfix 
has fixed it.

    Although we have not found a system program that calls ASN1PERDecDouble or 
ASN1BERDecDouble, if some program calls these two functions and is not 
fixed, we can exploit it to gain privilege without doubt. ASN1PERDecDouble 
especially is dangerous on WIN2K+SP4.

    The next thing is only to find these applications or services.






flashsky@xxxxxxxxxx
http://www.venustech.com.cn
http://www.xfocus.org
http://www.xfocus.net
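The following C model is an added example and is not part of the post above, nor Microsoft's code. It reconstructs only what the listing shows: a BER length field is decoded, the first content octet is read, and (length - 1) bytes are copied with "shr ecx, 2 / rep movsd" into a stack buffer at [ebp+var_10C] with no size check. The buffer size 0x10C, the function names (ber_dec_length, real_content_decode_checked, build_hostile), the rejection of indefinite-form lengths and all sample inputs are assumptions made for the example; the hardened variant shows the bounds check the listing lacks.

```c
/* Added example modelling the length handling in the ASN1BERDecDouble
 * listing; not Microsoft's code. Buffer size, names and inputs are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer at [ebp+var_10C]; the post states that copying
 * more than this many bytes into it overwrites the stack above it. */
#define REAL_STACK_BUF 0x10C

/* Decode a BER length field (X.690 8.1.3). Returns octets consumed, or 0 on
 * error. The indefinite form (0x80) and more than 4 length octets are
 * rejected here (an assumption of this example, not the library's rule). */
size_t ber_dec_length(const uint8_t *p, size_t avail, uint32_t *len)
{
    if (avail < 1) return 0;
    uint8_t first = p[0];
    if (first < 0x80) {               /* short form: 0..127 */
        *len = first;
        return 1;
    }
    size_t n = first & 0x7F;          /* long form: n following octets */
    if (n == 0 || n > 4 || avail < 1 + n) return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *len = v;
    return 1 + n;
}

/* Bytes moved by the listing's "lea ecx,[edx-1] / shr ecx,2 / rep movsd" for
 * a content length edx: (len - 1) rounded down to a multiple of 4. With a
 * 32-bit ecx, len == 0 wraps to 0xFFFFFFFC. */
uint32_t unchecked_copy_bytes(uint32_t len)
{
    return (len - 1u) & ~3u;
}

/* True when the unchecked copy would run past the 0x10C-byte stack buffer. */
int would_overflow_stack(uint32_t len)
{
    return unchecked_copy_bytes(len) > REAL_STACK_BUF;
}

/* Hardened version of the same step: decode the length, then refuse anything
 * that does not fit the destination buffer or the remaining input before
 * copying. hdr receives the first content octet (the one the listing tests
 * for bits 0x80 and 0x40). Returns bytes stored in out, or -1 on error. */
int real_content_decode_checked(const uint8_t *p, size_t avail,
                                uint8_t *hdr, uint8_t out[REAL_STACK_BUF])
{
    uint32_t len;
    size_t used = ber_dec_length(p, avail, &len);
    if (used == 0) return -1;
    if (len == 0 || len > avail - used) return -1;  /* truncated input */
    if (len - 1 > REAL_STACK_BUF) return -1;        /* the missing check */
    *hdr = p[used];
    memcpy(out, p + used + 1, len - 1);
    return (int)(len - 1);
}

/* Constructed input (not a real capture), starting at the length octet,
 * i.e. just after the tag: short-form length 9, header octet 0x80, 8 bytes. */
static const uint8_t benign[] = { 0x09, 0x80, 0x00, 0x01, 0x02, 0x03,
                                  0x04, 0x05, 0x06, 0x07 };

/* Build a constructed hostile record: long-form length 0x0200 followed by
 * 0x200 content octets, so that only the size check can reject it. */
size_t build_hostile(uint8_t *buf, size_t cap)
{
    const size_t need = 3 + 0x200;
    if (cap < need) return 0;
    buf[0] = 0x82; buf[1] = 0x02; buf[2] = 0x00;  /* length = 0x0200 */
    memset(buf + 3, 0x41, 0x200);
    buf[3] = 0x80;                                /* header octet, bit 0x80 set */
    return need;
}

int main(void)
{
    uint8_t hdr, out[REAL_STACK_BUF];
    uint8_t hostile[3 + 0x200];
    size_t n = build_hostile(hostile, sizeof hostile);
    uint32_t len = 0;

    ber_dec_length(hostile, n, &len);
    printf("hostile length 0x%X: unchecked copy 0x%X bytes, overflows stack: %d\n",
           len, unchecked_copy_bytes(len), would_overflow_stack(len));
    printf("checked decode(hostile) = %d\n",
           real_content_decode_checked(hostile, n, &hdr, out));
    printf("checked decode(benign)  = %d\n",
           real_content_decode_checked(benign, sizeof benign, &hdr, out));
    return 0;
}
```

The unchecked arithmetic is kept in its own function rather than performed against a real stack array, so the model shows how far past 0x10C a given length field reaches without the example itself corrupting its stack; the checked decoder is the form a caller of such a routine should insist on.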