-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,

We recently found an unchecked buffer in Microsoft's Net Messenger service (Sitedude found it first actually). By sending more than 2050 chars with the SEND function you can reproduce the buffer overflow locally. The client runs with the privileges of the current user. I am not familiar with the way Windows handles its memory. The EAX buffer is overwritten between 2050 and 2389. This overflow might not get anywhere. Doesn't really have much to offer.

Here is Dr Watson's output:

State Dump for Thread Id 0x770

eax=00780078 ebx=00230000 ecx=00230178 edx=00230302 esi=00235928 edi=00234118
eip=77fc9e84 esp=0006fdb8 ebp=0006fdc4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000206

function: RtlFreeHeap
        77fc9e68 0f8510290000     jne     RtlZeroHeap+0x454 (77fcc77e)
        77fc9e6e 8a4605           mov     al,[esi+0x5]            ds:00e42efe=??
        77fc9e71 2410             and     al,0x10
        77fc9e73 a810             test    al,0x10
        77fc9e75 884705           mov     [edi+0x5],al            ds:00e416ee=??
        77fc9e78 7544             jnz     77fd29be
        77fc9e7a 8b4e0c           mov     ecx,[esi+0xc]           ds:00e42efe=????????
        77fc9e7d 8b4608           mov     eax,[esi+0x8]           ds:00e42efe=????????
        77fc9e80 3bc1             cmp     eax,ecx
        77fc9e82 8901             mov     [ecx],eax               ds:00230178=00780078
FAULT ->77fc9e84 894804           mov     [eax+0x4],ecx           ds:0138d64e=????????
        77fc9e87 0f847b0b0000     je      RtlDestroyHeap+0xb19 (77fcaa08)
        77fc9e8d 8a4605           mov     al,[esi+0x5]            ds:00e42efe=??
        77fc9e90 a804             test    al,0x4
        77fc9e92 0f8597290000     jne     RtlZeroHeap+0x505 (77fcc82f)
        77fc9e98 0fb70e           movzx   ecx,word ptr [esi]      ds:00235928=0078
        77fc9e9b 8b4510           mov     eax,[ebp+0x10]          ss:00c7d39a=????????
        77fc9e9e 0108             add     [eax],ecx               ds:00780078=????????
        77fc9ea0 0fb70e           movzx   ecx,word ptr [esi]      ds:00235928=0078
        77fc9ea3 294b28           sub     [ebx+0x28],ecx          ds:00e3d5d6=????????
        77fc9ea6 668b08           mov     cx,[eax]                ds:00780078=????
        77fc9ea9 f6470510         test    byte ptr [edi+0x5],0x10 ds:00e416ee=??

It's kinda weird to me. The eax is filled with 00780078. That would make it fill with " x x".
I dunno if it is exploitable but it at least overwrites something! :)

You may check it out using a sample program I made to create it. Yes guys, it's VB. I made it in VB because C wasn't parsing enough chars =\ Oh well, it works. I'll figure out later why my C source wasn't working.

You may download the test program at the following location:

Precompiled EXE: http://www.hack3000.com/netcrash/p0pt4rtz/net.exe/test.exe
Source (ZIP):    http://www.hack3000.com/netcrash/p0pt4rtz/net.exe/testsource.ZIP

If you need the Visual Basic support files you may download them at:

Self Extracting EXE: http://hellomred.virtualave.net/files/dlls.exe
ZIP:                 http://www.hack3000.com/netcrash/p0pt4rtz/net.exe/supportdlls.zip

Also, I noticed this in Dr Watson's symbol dump. These are within ntdll.dll, kernel32.dll, netapi32.dll, and advapi32.dll. They just caught my eye.

- - --
77F8F1D6 00000000 stricmp
77F8F1D6 00000289 strcmpi
77F94653 00000025 wcscpy
77F95D84 00000025 wcscmp
77FB697C 00000053 memccpy
77FB73B7 00000330 memcpy
77FB76E7 00000098 memset
77FB790B 0000006c strcpy
77FB7977 000000a0 strcat
77FB7A17 00000081 strcmp
78001098 00000055 memset
7801EE65 0000006c mbscpy
77E87E39 00000000 lstrcpy
77E87E39 00000073 lstrcpyA
77E8A1A4 000001ce lstrcpyW
77E9016C 000000c9 lstrcmpW
77E90A24 00000000 lstrcmp
77E90A24 00000090 lstrcmpA
780013D1 00000059 memcmp
780020E2 00000025 wcscpy
78002107 0000002a wcscat
78003B18 00000106 strcpy
780047DE 00000214 strcmp
78004B60 00000758 strcat
- - --

There you have it. Unchecked buffer in Net.exe :)

Also, please keep in mind that this is a local buffer overflow. Microsoft was contacted about this bug.
- - --
p0p t4rtz
p0pt4rtzat_private

Sitedude
macaddyat_private

Netcrash Security Research
http://www.netcrash.wronger.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPN2JwByQPmTAdF2MEQKgvACguJvMb2+5Xy9xDw68mAzcVkX6GEoAoJTO
ti9stPQCtfx3x9z/I9Ifejxr
=5HEn
-----END PGP SIGNATURE-----
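The crash in the post is a heap-metadata corruption rather than a stack smash: the faulting code is RtlFreeHeap's free-list unlink (ecx = Blink, eax = Flink, then `mov [ecx],eax` and `mov [eax+0x4],ecx`), and eax holds 00780078, two UTF-16 'x' characters. The following toy model is an added example, not code from the post, from Netcrash or from Microsoft. It assumes a 2050-character WCHAR buffer (the threshold the post reports) sitting directly in front of a chunk's LIST_ENTRY, shows how a message two characters too long turns Flink into 0x00780078, what address the faulting store would then hit, how a bounds check on the copy prevents it, and what a safe-unlink style sanity check on the links would catch. The heap bounds (HEAP_LO/HEAP_HI), the intact link values and the buffer layout are assumptions chosen to resemble the dump's registers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model added for illustration; not Microsoft's heap code or net.exe.
 * It reproduces the shape of the Dr Watson dump: a fixed-capacity UTF-16
 * message buffer is directly followed by a heap chunk's free-list entry,
 * and RtlFreeHeap later unlinks that chunk with
 *     mov ecx,[esi+0xc]   ; ecx = Blink
 *     mov eax,[esi+0x8]   ; eax = Flink
 *     mov [ecx],eax       ; Blink->Flink = Flink
 *     mov [eax+0x4],ecx   ; Flink->Blink = Blink   <- faulted at 77fc9e84
 * so whatever the overflow left in Flink/Blink is used as a pointer.
 * All sizes and addresses below are assumptions chosen to match the post. */

#define MSG_CAP 2050u               /* assumed capacity: the post's threshold */
#define HEAP_LO 0x00230000u         /* assumed heap bounds, near ebx=00230000 */
#define HEAP_HI 0x00240000u

typedef struct {
    uint32_t flink;                 /* 32-bit pointers, as on the x86 target */
    uint32_t blink;
} list_entry;

typedef struct {
    uint16_t msg[MSG_CAP];          /* WCHAR message text, 2 bytes per char */
    list_entry next_entry;          /* free-list links right after the buffer */
} heap_region;

/* The defect as described: copy whatever length arrives, no bound check. */
static void unchecked_copy(heap_region *r, const uint16_t *src, size_t n)
{
    memcpy(r->msg, src, n * sizeof src[0]);  /* n > MSG_CAP runs into next_entry */
}

/* The fix: refuse messages that do not fit. Returns 1 if copied, 0 if refused. */
int checked_copy(heap_region *r, const uint16_t *src, size_t n)
{
    if (n > MSG_CAP)
        return 0;
    memcpy(r->msg, src, n * sizeof src[0]);
    return 1;
}

/* Safe-unlink style sanity check a heap could apply before the two stores:
 * do both links even point into the heap? Returns 1 if the unlink may proceed. */
int links_in_heap(list_entry e)
{
    return e.flink >= HEAP_LO && e.flink < HEAP_HI &&
           e.blink >= HEAP_LO && e.blink < HEAP_HI;
}

/* Target of the faulting store, mov [eax+0x4],ecx, given the entry's Flink. */
uint32_t faulting_store_address(list_entry e)
{
    return e.flink + 4;
}

/* Push a message of n 'x' characters through the unchecked copy and return the
 * list entry as RtlFreeHeap would read it. n is clamped so the model itself
 * never writes past the region. */
list_entry entry_after_message(size_t n)
{
    static uint16_t text[sizeof(heap_region) / sizeof(uint16_t)];
    heap_region r;
    size_t i;

    if (n > sizeof text / sizeof text[0])
        n = sizeof text / sizeof text[0];
    for (i = 0; i < n; i++)
        text[i] = 0x0078;                    /* UTF-16 'x' */

    r.next_entry.flink = HEAP_LO + 0x178;    /* intact links, cf. ecx=00230178 */
    r.next_entry.blink = HEAP_LO + 0x302;    /* cf. edx=00230302 */
    unchecked_copy(&r, text, n);
    return r.next_entry;
}

/* Does the bounded copy accept a message of n characters? */
int checked_copy_accepts(size_t n)
{
    static uint16_t text[sizeof(heap_region) / sizeof(uint16_t)];
    heap_region r;

    if (n > sizeof text / sizeof text[0])    /* keep the model in bounds */
        return 0;
    memset(text, 0, sizeof text);
    return checked_copy(&r, text, n);
}

int main(void)
{
    list_entry ok  = entry_after_message(MSG_CAP);      /* fits exactly */
    list_entry bad = entry_after_message(MSG_CAP + 2);  /* two chars too many */

    printf("2050 chars: flink=%08x blink=%08x unlink ok=%d\n",
           ok.flink, ok.blink, links_in_heap(ok));
    printf("2052 chars: flink=%08x blink=%08x unlink ok=%d, store hits %08x\n",
           bad.flink, bad.blink, links_in_heap(bad), faulting_store_address(bad));
    printf("checked_copy accepts 2052 chars: %d\n", checked_copy_accepts(MSG_CAP + 2));
    return 0;
}
```

With 2052 characters the first four bytes past the buffer are 78 00 78 00, so Flink reads as 0x00780078 exactly as in the dump, and the second unlink store would write Blink to 0x0078007c, an address that is nowhere in the heap; the range check rejects the links before any store, and the bounded copy never lets the message reach the chunk header in the first place. Since the overflowing data is attacker-chosen text, the question of exploitability comes down to whether an attacker can place useful 32-bit values into Flink and Blink through the character encoding, which is what the unlink primitive would then write.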
This archive was generated by hypermail 2b30 : Sat May 11 2002 - 15:16:40 PDT