MS ASN library is fraught not only with integer overflow, but also with stack overflow.
MS ASN library is fraught not only with integer overflow, but also with
stack overflow.
After eEye published the vulnerability with ASN library, many people
discussed it, and focused on whether we can exploit it and gain privilege.
Theoretically speaking, we can gain privilege, but in fact, it's very
difficult, because it needs a very LARGE value to cause an integer overflow.
This happened when copying data into heap buffer, and will cause an error with
writting buffer firstly, so it's difficult to be exploited. If an example can
deal with above 512M data when bit string heap corruption, it's possible to
exploit it.
To some special ASN library functions, they exist stack overflow. If this
kind of ASN function is used by some programs or services, we can exploit it.
But it's regrettable, because we don't find this kind of programs or services.
If these programs exist, it's easy to exploit(only stack overflow).
This is ASN1BERDecDouble function in ASN1 library(not Win2K+SP4):
call ASN1BERDecTag
test eax, eax
jz error
lea eax, [ebp+arg_4]
push edi
push eax
push ebx
call ASN1BERDecLength 〈-----When the value is bigger than 0X10C,
trigger a stack overflow
test eax, eax
jz error
mov edx, [ebp+arg_4]
cmp edx, edi
jnz short l1
l1:
mov eax, [ebx+20h]
lea ecx, [edx+eax]
lea esi, [eax+1]
mov [ebx+20h], ecx
movzx ecx, byte ptr [eax] <-------Pay attention to EAX. We can control it to
fit to condition, not the 0X84.
test cl, 80h
mov [ebp+var_8], ecx
jz l2
l2:
test cl, 40h
jz short l3
l3:
lea ecx, [edx-1]
lea edi, [ebp+var_10C] 〈--This is stack not heap. If ECX bigger
than 0X10C, it causes to overwrite stack.
mov eax, ecx
push 2Ch
shr ecx, 2
repe movsd
####################################################
But this vulnerability is fixed in Win2K+SP4. We found another similar
function: ASN1PERDecDouble. It can be exploited in W2K+SP4, but the new hotfix
has fixed it.
Although we don't find system program that calls ASN1PERDecDouble or
ASN1BERDecDouble, but if these programs call THIS two functions and not be
fixed, we can exploit to gain privilege without doubt. Especially to
ASN1PERDecDouble, it's dangerous in WIN2K+SP4.
The next thing is only to find these applies or services.
flashsky@xxxxxxxxxx
http://www.venustech.com.cn
http://www.xfocus.org
http://www.xfocus.net