TUCoPS :: Windows :: hack3177.htm

MSInfo Buffer Overflow
MSInfo Buffer Overflow 

#########################################
Application:     MSInfo
Vendors:         http://www.microsoft.com 
Platforms:       Windows 2000
Bug:                Msinfo32.exe BOF
Risk:               Low
Exploitation:    Local
Date:              30 August 2004
Author:           Emmanouel Kellinis
e-mail:            me[at]cipher(dot)org(dot)uk
web:               http://www.cipher.org.uk 
#########################################


=======
Product
=======
Microsoft System Information collects system information,
such as devices that are installed in your computer or device
drivers loaded in your computer, and provides a menu for displaying
the associated system topics. You can use Microsoft System
Information
to diagnose computer issues, for example, if you are having display
issues, you can use Microsoft System Information to determine what
display adapter is installed on your computer and view the status
of its drivers.


===
Bug
===

MSINFO32 is having an option which let you Open
a specific NFO or CAB file

msinfo32 /msinfo_file=filename

The buffer of msinfo_file can be overflowed and overwrite
the Code register. 

The BOF works if you  exceed 258 characters as an input to
msinfo_file.

if you put at the possition of 259 of a string a hex value
then the redirection will go a memory location with address
which is a  decimal number created by the following
pattern :

e.g. 0x05 -> 0x79
     0x06 -> 0x7A
     0x07 -> 0x7B
. and so on



I've tested values up to 0xFF which points to 0x00000173
there is a possibility to broad the range of memory values you
control if you feed more characters in the BOF string.

Although in tests this bug wouldnt lead to dangerous situations.. 
I wouldnt bet 100% on that !

Microsoft know about it since 9th of May


=====================
Proof Of Concept Code
=====================

C:\Program Files\Common Files\Microsoft Shared\MSInfo>
msinfo32 /msinfo_file=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA



=========================================================
*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt 
=========================================================

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH