Tuesday, September 15, 2009

Libxml2 Denial of Service

Recently, several dangerous vulnerabilities have been discovered in libxml2, the open source of Gnome for parsing xml files (http://xmlsoft.org/). In fact, I’m accidentally interested in these vulnerabilities because I used libxml2 in some my applications. So, I also want to write a demo exploiting.

From patch of Gnome, this error resides in a function of the source parser.c:
xmlParseElementChildrenContenDecl()

Looking at the function’s name, I thought that there was an error in processing DTD ELEMENT declared in the xml file. Let's pay attention to the patch of the fault:

-xmlElementContentPtr
-xmlParseElementChildrenContentDecl (xmlParserCtxtPtr ctxt, int inputchk) {
+static xmlElementContentPtr
+xmlParseElementChildrenContentDeclPriv(xmlParserCtxtPtr ctxt, int inputchk,
+ int depth) {
xmlElementContentPtr ret = NULL, cur = NULL, last = NULL, op = NULL;
const xmlChar *elem;
xmlChar type = 0;
+ if (((depth > 128) && ((ctxt->options & XML_PARSE_HUGE) == 0))
+ (depth > 2048)) {
+ xmlFatalErrMsgInt(ctxt, XML_ERR_ELEMCONTENT_NOT_FINISHED,
+"xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE\n",
+ depth);
+ return(NULL);
+ }

The fixed function have one more parameter (depth). So, I guessed this error was due to the fact that ELEMENT declaration was too deep. The result was that the recursive call would consume all the memory and the program could completely crash.

Applications using libxml2 with xml parser functions (xmlReadFile, xmlParseFile…) can lead to denial of service on parsing this file.

Besides, file parser.c also have another error relating notation and enumeration attribute types in a DTD definition.

Posted by Mr.Minh at 7:45 PM 1 comments  

Wednesday, May 20, 2009

IIS WebDAV Vulnerability

This is a vulnerability allowing a remote attacker bypass the authentication mechanism of IIS. It's in WebDAV extension.

kcope presented method of exploiting this flaw on milw0rm.com

I tested successfully with TamperData and Hackbar (FireFox Add-on). Thank TamperData and HackBar very much :).

More Informations:

Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files collaboratively on remote World Wide Web servers. The protocol is defined in RFC 4918. The group of developers responsible for these extensions was also known by the same name and was a working group of the Internet Engineering Task Force (IETF).

Microsoft Advisory: http://www.microsoft.com/technet/security/advisory/971492.mspx

Microsoft Blog: http://blogs.technet.com/srd/archive/2009/05/18/more-information-about-the-iis-authentication-bypass.aspx

Posted by Mr.Minh at 8:03 PM 0 comments  

Monday, April 13, 2009

How Conficker makes use of MS08-067 ?

By Bui Quang Minh & Hoang Xuan Minh

Conficker emerges as a hot topic recently. This is the most widespread virus since Code Red. The news has been talking so much about it that I decided to write an article too.

This article concerns the spreading technique used by this virus, particularly the way it exploits the MS08-067 security vulnerability in the Server Service of Windows.

MS08-067 Technical Details
I have actually had an article discussing about this flaw [1] when it was published but I will do it over again in more details now.

RPC protocol in Server Service supports a remote procedure converting any path (for instance, \\C\Program Files\..\Windows) to Canonicalization path (\\C\Windows). But Windows does not handle well overly long path, resulting in buffer overrun.

To concretize, Windows (svchost process) uses NetpwPathCanonicalize() function of netapi32.dll library to perform the above mentioned operation. The pseudo-code comes following:
func _NetpwPathCanonicalize(wchar_t* Path)
{
 // check Path length
 if( !_function_check_length(Path) )
 return;

 _CanonicalizePathName(Path);

        return;
}
func _CanonicalizePathName(wchar_t* Path)
{
 // protect stack with cookie - /GS
 _save_security_cookie();

 wchar _wcsBuffer[420h];

 // this is the function causing the overrun
 wcscat(wcsBuffer,Path);

 // converting function
 _ConvertPathMacros(wcsBuffer);

 return;
}
As we can see from the pseudo-code, NetpwPathCanonicalize() checks the length of the path before passing it into CanonicalizePathName() function. However, CanonicalizePathName() uses wcscat() to copy the path into a local variable (wcsBuffer). The consequence is that the function wouldn’t create a buffer-overflow in the first run but it would in the subsequents. For example, the contents of wcsBuffer after each call to this function would be:

- Call 1 : wcsBuffer = “\\a\aaaaa\aaaa\..\..\a”
- Call 2 : wcsBuffer = “\\a\aaaaa\aaaa\..\..\a\\a\aaaaa\aaaa\..\..\a”
- Call 3 : wcsBuffer = “\\a\aaaaa\aaaa\..\..\a\\a\aaaaa\aaaa\..\..\a\\a\aaaaa\aaaa\..\..\a”
- …

So we can definitely overflow Server Service with several calls to NetpwPathCanonicalize() function remotely providing appropriate path length. Up to this point, it seems as if the road had been cleared out.

But two other obstacles appear:
Cookie: The CanonicalizePathName() function was built with /GS option, which protects it with a cookie put before the return address. Whenever the return address is overwritten, so is the cookie and the system therefore knows that a buffer overflow has been encountered.
DEP: the process of Server Service (svchost.exe) is protected with DEP by default. As a result, if Shellcode is put on stack, DEP won’t allow code execution.

What exploiting techniques were used by Conficker?
Now let’s draw our attention to a function used in CanonicalizePathName(), which is called ConvertPathMacros() by Microsoft. This function does not perform any check against the cookie and hence was taken advantage by Conficker to redirect control to Shellcode.

The article of Microsoft [2] also mentioned the ConvertPathMacros() function but did not describe its role in the exploitation correctly. More precisely, Microsoft pointed out that this function used a local variable to store the buffer and the exploitation would overflow it in order to overwritten the return address of ConvertPathMacros().

But in actuality, ConvertPathMacros() does not have any portion of code that directly copies and overflows such local buffer. It is made possible to overwrite the return address of this function owing to a weakness in its string processing algorithm. As a consequence, wcscpy() function, which is called within ConvertPathMacros(), has its return address overwritten.

For DEP bypassing, Conficker makes use of ZwSetInformationProcess() function to disable DEP in runtime mode. After that, Conficker redirects control to Shellcode on stack.

Conficker uses instructions available in AcGenral.dll library, which is loaded by svchost, to overcome both previous protection mechanisms.

So with this method of exploiting, Conficker just needs to call NetpwPathCanonicalize() one time to successfully attack.

Spreading module of Conficker
Using above exploiting techniques, Conficker can exploit many different Windows versions (XP SP2/SP3, English, Italian,…). With a particular IP address, Conficker will try attacking with malicious code for one version of Windows. Here comes the pseudo-code:
func __Thread_Attack (IpAddress)
{

 // Create an Url for shellcode to download virus.
 url = Make_Url_Download();

 While(1)
 {
  // If connection fails, abort.
  if( ! IsConnect(IpAddress)) return;

  // A buffer for a particular Windows version will be created.
  buffer  = Make_Buffer(url, WinVersion);

  // Attack
  Attack(IpAddress, buffer);

  // Wait 1 second, if successfully exploit, break from the loop.
  // if not, try the next exploiting buffer.
  if( WaitForSingleObject(1000) != WAIT_TIMEOUT ) break;
 }

}

Conficker Shellcode activity
- Decode (Xor with 0xC4)
- Get the addresses of necessary API functions: LoadLibraryA(), ExitThread().
- Load urlmon.dll library into the process.
- Get the address of URLDownloadToFileA() function in urlmon.dll
- Download virus from the attacking computer using http protocol.
- Source address used for download: http://xxxxxx:port/xxxxx
- Download and LoadLibraryA virus is saved under the name x.
- Kill the thread (ExitThread).

Which OS are susceptible to Conficker attack
After reversing Conficker, I found 51 Windows versions that could be attacked by Conficker (SP2 and SP3 are considered different versions). One interesting thing is that the addresses of the exploiting module for different versions of Windows used by Conficker are the same as those of metasploit exploit code [3]. This shows high possibility that the virus creator take these addresses from metasploit. The following a list of operating system susceptible to Conficker.

1 Windows 2000.
2 Windows XP SP2/SP3 English.
3 Windows XP SP2/SP3 Arabic.
4 Windows XP SP2/SP3 Taiwan.
5 Windows XP SP2/SP3 Chinese.
6 Windows XP SP2/SP3 Czech.
7 Windows XP SP2/SP3 Danish.
8 Windows XP SP2/SP3 German.
9 Windows XP SP2/SP3 Greek.
10 Windows XP SP2/SP3 Spanish.
11 Windows XP SP2/SP3 Finnish.
12 Windows XP SP2/SP3 French.
13 Windows XP SP2/SP3 Hebrew.
14 Windows XP SP2/SP3 Hungarian.
15 Windows XP SP2/SP3 Italian.
16 Windows XP SP2/SP3 Japanese.
17 Windows XP SP2/SP3 Korean.
18 Windows XP SP2/SP3 Dutch.
19 Windows XP SP2/SP3 Norwegian.
20 Windows XP SP2/SP3 Polish.
21 Windows XP SP2/SP3 Brazilian.
22 Windows XP SP2/SP3 Portuguese.
23 Windows XP SP2/SP3 Russian.
24 Windows XP SP2/SP3 Swedish.
25 Windows XP SP2/SP3 Turkish.
26 Windows 2003 SP1/SP2 English.

Reference

[0] http://security.bkis.vn/
[1] http://bkav.com.vn/tinh_hinh_an_ninh_mang/27/10/2008/6/1896/ (Vietnamese)
[2] http://blogs.technet.com/srd/archive/2009/03/16/gs-cookie-protection...
[3] http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/...


Posted by Mr.Minh at 10:02 PM 2 comments  

Wednesday, April 8, 2009

GOM bof exploit

GOM Player use srt2smi.exe module to convert srt to smi format. However, this module has not handled well with a crafted srt file, leading to buffer overrun. This is pseudo-code :
vuln_function(char* srt_file)   {
     char src[10244];
     char dest[10244];
     FILE* file;

     File = fopen(srt_file);

     while(condition 1)   {

          src = fgets(file,10240); //  index
          src = fgets(file,10240); //  time
          src = fgets(file,10240); //  content

          while(condition 2)   {
                strcat(dest,src); //  vulnerability
                src = fgets(file,10240); //  next content

          }

      }
}
This error is due to strcat function. Especially, srt2smi.exe is independent of the process of GOM Player. So, it crash silently and doesn’t affect GOM Player.

Reference : http://security.bkis.vn/?p=501

PoC : http://security.bkis.vn/wp-content/uploads/2009/04/gom_poc.pl

Posted by Mr.Minh at 2:40 AM 0 comments  

Sunday, March 22, 2009

IncrediMail 5.86 Script Execution Vulnerability

Discovered by Bui Quang Minh

The most of popular Mail Client now exclude Script Code for mail content. It aims to avoid the type of XSS exploitation (For e.g: stolen cookie).

IncrediMail also remove Script Code when the user read mail. However, I found the "Reply" and "Forward" function of the mail client has not handled mail content well resulting in XSS vulnerability.

Of course, this leads to a lot of risk to users as lost sensitive information, cookies, ...

I reported to the manufacturer!

Posted by Mr.Minh at 9:52 PM 0 comments  

Monday, March 16, 2009

Metasploit Shellcode Hiccup in Exploitation (English)

Bui Quang Minh

With software vulnerability, most demo exploits make use of Shellcode taken from metasploit.com of HD Moore. This is really a success of HD Moore.

However, I found a small problem in the Shellcode of HD Moore. If a person does not have a thorough grasp of Shellcode, he or she might encounter the circumstances where Shellcodes are not executed even though he or she has already been able to redirect control of the program.

More specifically, at the beginning of Shellcode, HD Moore often uses his own decoder (though there are several other methods). Let look more closely at the fourth instruction: fnstenv [esp-0Ch]. This instruction saves FPU environment into the memory location pointed by esp-0Ch.

Basically, this instruction works just fine. But, let's imagine, if ESP is pointing right at the start of the shellcode, and the control redirection is achieved via "jmp ESP". As a result, this instruction unintentionally overwrites some part of the shellcode or even lies onto the currently executed instruction "fnsenv". The consequence is that shellcode cannot run successfully.

This is really an issue because exploitation making use of "jmp esp" is very popular or even the basic matter in software vulnerability exploitation. Of course, I believe that many people have encountered this problem and haven't been able to resolve it, or have overcome it but do not totally understand the reason why. And this is the main idea of this short paper.

OK, we have finished with the theory. And here come the solutions, two solutions actually:

- Create a new shellcode which does not use ESP.

- Add a lot of NOP instruction (0x90) at the beginning of shellcode.

Posted by Mr.Minh at 6:24 AM 1 comments  

Sunday, March 15, 2009

Hello World!

Welcome to me!

Posted by Mr.Minh at 8:28 AM 0 comments  

Tuesday, January 20, 2009

Security Softwares

Conficker Scanner
This tool can detect Conficker infected PCs in a network.


Tool to detect all kinds of viruses exploiting .lnk vulnerability.

Posted by Mr.Minh at 11:51 PM 0 comments  

Subscribe to: Posts (Atom)