OllyDbg "INT3 AT" Format String Vulnerability

To: SBUGTRAQ <bugtraq@xxxxxxxxxxxxxxxxx>, FULLDISC <full-disclosure@xxxxxxxxxxxxxxxxx>, vulnwatch@xxxxxxxxxxxxx, news@xxxxxxxxxxxxxx
Subject: OllyDbg "INT3 AT" Format String Vulnerability
From: Piotr Bania <bania.piotr@xxxxxxxxx>
Date: Fri, 13 May 2005 15:04:16 +0200
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:x-accept-language:mime-version:to:subject:content-type:content-transfer-encoding; b=CenQblrQpA77+Lpr9bnbDBS4XCbrBczJ4bF4mxdrHAxLgWHD+Z1nyPD03gGbLBQQFwplw099CU+U4F/oTv3v6TLjBqZ/qnmtcj8A2MXrDKhQuG8WhDCnbJx79ArSyJhGNUEn+u+eDcL0rL4GihBkNsvYoOyOGa/k95Dd1HGcbUA=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0 (Windows/20041206)




     OllyDbg "INT3 AT" Format String Vulnerability
     by Piotr Bania <bania.piotr@xxxxxxxxx>
     http://pb.specialised.info


     Original location:
     http://pb.specialised.info/all/adv/olly-int3-adv.txt
        
     Severity:                  High / Medium - code execution.
     Version affected:          Probably all versions, tested on
                                v1.10.

        

     I. BACKGROUND

     "OllyDbg is a 32-bit assembler level analysing debugger for
      Microsoft Windows. Emphasis on binary code analysis makes it
      particularly useful in cases where source is unavailable."


     II. DESCRIPTION            

     Vulnerability takes place when module (with special crafted file
     name) executes int 3 instruction (trap to debugger).

     Here is the vulnerable code:

     .text:0042FBE0                 lea     eax, [ebp+buffer]
     .text:0042FBE6                 push    eax        ; format string
     .text:0042FBE7                 mov     edx, [ebp+var_28]
     .text:0042FBEA                 push    edx
     .text:0042FBEB                 call    sub_42E100 ; _vsprintf->
                                                       ;___vprinter


     Where format is an ascii string like: "INT3 command at
     <module_name>.addr".

     Attacker can place a format string chars inside "<module_name>"
     (part of format buffor) and cause Olly to overwrite arbitary data.

     NOTE: Even with "IGNORE INT3 BREAKS" option checked, OllyDbg is
           still vulnerable. Attacker can also load some special crafted
           module (with special crafted name) while debugging, to make
           the attack more stealthy.


     III. IMPACT

     This vulnerability after successful exploitation can allow the
     attacker to run arbitrary code in context of current user.
     Of course if the exploitation was not successful OllyDbg will fault
     and loose all debugged data.



best regards,
Piotr Bania

--
--------------------------------------------------------------------
Piotr Bania - <bania.piotr@xxxxxxxxx> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33
http://pb.specialised.info  - Key ID: 0xBE43AC33
--------------------------------------------------------------------

Prev by Date: [FLSA-2005:154988] Updated openoffice.org packages fix security issues
Next by Date: Willings WebCam - Password Disclosure Issue
Previous by thread: [FLSA-2005:154988] Updated openoffice.org packages fix security issues
Next by thread: Willings WebCam - Password Disclosure Issue
Index(es):
- Date
- Thread