TUCoPS :: Windows :: hack3080.htm

MS ASN library is fraught not only with integer overflow, but also with stack overflow.
MS ASN library is fraught not only with integer overflow, but also with stack overflow.





    MS ASN library is fraught not only with integer overflow, but also with stack overflow.





    After eEye published the vulnerability with ASN library, many people discussed it, and focused on whether we can exploit it and gain privilege.



    Theoretically speaking, we can gain privilege, but in fact, it's very difficult, because it needs a very LARGE value to cause an integer overflow. This happened when copying data into heap buffer, and will cause an error with writting buffer firstly, so it's difficult to be exploited. If an example can deal with above 512M data when bit string heap corruption, it's possible to exploit it.



   To some special ASN library functions, they exist stack overflow. If this kind of ASN function is used by some programs or services, we can exploit it. But it's regrettable, because we don't find this kind of programs or services. If these programs exist, it's easy to exploit(only stack overflow).



    This is ASN1BERDecDouble function in ASN1 library(not Win2K+SP4):





call    ASN1BERDecTag

test    eax, eax

jz      error

lea     eax, [ebp+arg_4]

push    edi

push    eax

push    ebx

call    ASN1BERDecLength    〈-----When the value is bigger than 0X10C, trigger a stack overflow

test    eax, eax               

jz      error

mov     edx, [ebp+arg_4]

cmp     edx, edi

jnz     short l1



l1:

mov     eax, [ebx+20h]

lea     ecx, [edx+eax]

lea     esi, [eax+1]

mov     [ebx+20h], ecx

movzx   ecx, byte ptr [eax] <-------Pay attention to EAX. We can control it to fit to condition, not the 0X84. 



test    cl, 80h

mov     [ebp+var_8], ecx

jz      l2



l2:

test    cl, 40h

jz      short l3



l3:

lea     ecx, [edx-1]

lea     edi, [ebp+var_10C]   〈--This is stack not heap. If ECX bigger than 0X10C, it causes to overwrite stack.

mov     eax, ecx

push    2Ch

shr     ecx, 2

repe movsd

####################################################



    But this vulnerability is fixed in Win2K+SP4. We found another similar function: ASN1PERDecDouble. It can be exploited in W2K+SP4, but the new hotfix has fixed it.



    Although we don't find system program that calls ASN1PERDecDouble or ASN1BERDecDouble, but if these programs call THIS two functions and not be fixed, we can exploit to gain privilege without doubt. Especially to ASN1PERDecDouble, it's dangerous in WIN2K+SP4.



    The next thing is only to find these applies or services.













flashsky@xfocus.org 

http://www.venustech.com.cn 

http://www.xfocus.org 

http://www.xfocus.net 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH