Friday, March 20, 2009

MS08-046 Analysis

Long time back, I analyzed this vulnerability for some practical needs :P Now I think its time to just dump the details here.

The vulnerability exists in the API OpenColorProfile exported from mscms.dll in the following code segment:

.text:73B33A07 lea eax, [ebp+var_C]
.text:73B33A0A push eax ; PDWORD
.text:73B33A0B push edi ; PWSTR 0x104 byte heap buff
.text:73B33A0C push 0 ; PCWSTR
.text:73B33A0E call GetColorDirectoryW
.text:73B33A13 push offset asc_73B420B4 ; "\\"
.text:73B33A18 push edi ; lpString1
.text:73B33A19 mov edi, ds:lstrcatW
.text:73B33A1F call edi ; lstrcatW Append "\\" to buffer pointed by edi
.text:73B33A21 push dword ptr [ebx+0Ch] ; lpString2 Use data [ebx + 0x0C]
.text:73B33A24 push [ebp+lpString1] ; lpString1
.text:73B33A27 call edi ; lstrcatW Almost unbounded append (HEAP OVERFLOW)
.text:73B33A29 push dword ptr [ebx+0Ch] ; pMem
.text:73B33A2C call sub_73B31C29 ; [ebx+0x0C] is free'd here
.text:73B33A31 mov eax, [ebp+lpString1]
.text:73B33A34 mov [ebx+0Ch], eax
.text:73B33A37 mov [ebx+10h], esi
.text:73B33A3A jmp loc_73B31ED0

Loosely, the vulnerable code can be represented in the following C like syntax:

ptr = GlobalAlloc(0x104);
GetColorDirectoryW(NULL, ptr, &dw)

strcatW(ptr, L"\\");
strcatW(ptr, lpString1); // lpString1 points to user supplied data

.. and here goes the PoC

No comments:

Post a Comment