MSInfo Buffer Overflow
#########################################
Application: MSInfo
Vendors: http://www.microsoft.com
Platforms: Windows 2000
Bug: Msinfo32.exe BOF
Risk: Low
Exploitation: Local
Date: 30 August 2004
Author: Emmanouel Kellinis
e-mail: me[at]cipher(dot)org(dot)uk
web: http://www.cipher.org.uk
#########################################
=======
Product
=======
Microsoft System Information collects system information,
such as devices that are installed in your computer or device
drivers loaded in your computer, and provides a menu for displaying
the associated system topics. You can use Microsoft System
Information
to diagnose computer issues, for example, if you are having display
issues, you can use Microsoft System Information to determine what
display adapter is installed on your computer and view the status
of its drivers.
===
Bug
===
MSINFO32 is having an option which let you Open
a specific NFO or CAB file
msinfo32 /msinfo_file=filename
The buffer of msinfo_file can be overflowed and overwrite
the Code register.
The BOF works if you exceed 258 characters as an input to
msinfo_file.
if you put at the possition of 259 of a string a hex value
then the redirection will go a memory location with address
which is a decimal number created by the following
pattern :
e.g. 0x05 -> 0x79
0x06 -> 0x7A
0x07 -> 0x7B
. and so on
I've tested values up to 0xFF which points to 0x00000173
there is a possibility to broad the range of memory values you
control if you feed more characters in the BOF string.
Although in tests this bug wouldnt lead to dangerous situations..
I wouldnt bet 100% on that !
Microsoft know about it since 9th of May
=====================
Proof Of Concept Code
=====================
C:\Program Files\Common Files\Microsoft Shared\MSInfo>
msinfo32 /msinfo_file=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA
=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
=========================================================