RE: [Full-disclosure] Microsoft VISTA TCP/IP heap buffer underfl
Just so that I understand correctly, are you reporting that if one is logge=
d on as the administrator, it may be possible to execute this exploit in or=
der to take over the machine?
t
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bou=
nces@lists.grok.org.uk] On Behalf Of J. Oquendo
Sent: Friday, April 01, 2011 10:52 AM
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Microsoft VISTA TCP/IP heap buffer underflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=20
Microsoft VISTA TCP/IP heap buffer underflow
Summary
- -----------------------------
Microsoft Device IO Control wrapped by an API shipping with Windows Vista 3=
2 bit and 64 bit contains a possibly exploitable, buffer underflow corrupti=
ng kernel memory.
Affected Systems
- -----------------------------
Using the sample proof of concept, it was possible to verify this issue on =
following operating systems and configurations:
* Microsoft Windows Vista Ultimate 32 bit
It is very likely that other versions of Windows Vista are affected by this=
issue.
This issue did not occur on Windows XP, Windows 2003 Advanced Server, Windo=
ws 2008 Server nor Windows Millenium Edition
Re-installation of Service Pack 1 and/or upgrading to SP2 had any effect in=
regards to resolve the random crashes.
To execute either the sample program or any other system command, the user =
has to be either the admin, in the admin group or the Administrators group.
Since this buffer underflow never makes it to kernel memory, it could be po=
ssible that propping up the underflow will make it overflow and take contro=
l over the operating system without any restriction.
Remedy
- ------------
No remedy available at this time.
Reported
- ------------
This vulnerability is being reported now
Relevant
- ------------
934b7a5c 85aa6fe4 00000000 934b7ac4 837100ee
tcpip!IppCreateUnicastRoute+0xf0
934b7ae8 85a5d121 00000001 858b6278 84d74ce8
tcpip!IppValidateSetAllRouteParameters+0x217
934b7b64 85a18a29 836c134c 00000000 92a84a70
tcpip!Ipv4SetAllRouteParameters+0x1d1
934b7ba4 8a844551 00000001 92a326b4 00000000 NETIO!NsiSetAllParametersEx+0x=
bd
934b7bf0 8a844eb8 00000000 836c1330 836c1378
nsiproxy!NsippSetAllParameters+0x1b1
934b7c14 8a844f91 92a32601 00000000 8371d290
nsiproxy!NsippDispatchDeviceControl+0x88
934b7c2c 818f0053 8590b448 92a32698 92a32698 nsiproxy!NsippDispatch+0x33
934b7c44 81a80515 8371d290 92a32698 92a32708 nt!IofCallDriver+0x63
934b7c64 81a80cba 8590b448 8371d290 0027f700
nt!IopSynchronousServiceTail+0x1d9
934b7d00 81a6a98e 8590b448 92a32698 00000000 nt!IopXxxControlFile+0x6b7
934b7d34 8188ba7a 00000044 00000048 00000000 nt!NtDeviceIoControlFile+0x2a
934b7d34 77529a94 00000044 00000048 00000000 nt!KiFastCallEntry+0x12a 0027f=
68c 77528444 777214b9 00000044 00000048 ntdll!KiFastSystemCallRet
0027f690 777214b9 00000044 00000048 00000000 ntdll!ZwDeviceIoControlFile+0x=
c
=3D=3D=3D=3D=3D=3D=3D=3D Disassembly with commands =3D=3D=3D=3D=3D=3D=3D=3D
mov edi,edi
push ebp
mov ebp,esp
push edi
mov edi,dword ptr [ebp+8]
lea eax,[ebp+8]
push eax
push dword ptr [edi+4]
push 18h
call NOMNOM!RtlULongAdd (85a1675d)
test eax,eax
jl OMNOM!PtpCreateNOM+0x1b
push esi
push 74704D4Eh
push dword ptr [ebp+8] ; =3D 0x00000020
push 0
call ExAllocatePoolWithTag ; eax =3D ExAllocatePoolWithTag(0, 0x20, 0x74704=
D4E, esi); mov esi,eax ; =3D 0x83716380 allocated buffer address test esi,e=
si je NOM!CreateOMNOM+0x6d push dword ptr [ebp+8] ; =3D 0x00000020 push 0 p=
ush esi ; 0x83716380 allocated buffer address call NOM!memset (85a10543) ; =
memset((char*)0x83716380, 0, 0x20) mov eax,dword ptr [ebp+14h] mov dword pt=
r [esi],eax mov eax,dword ptr [ebp+18h] mov dword ptr [esi+0Ch],eax mov dwo=
rd ptr [eax],esi mov eax,dword ptr [ebp+0Ch] and word ptr [esi+14h],0 add e=
sp,0Ch push eax ; =3D 0x837100ee lea eax,[esi+18h] ; esi unchanged, holds t=
he alloc. buffer address
(=3D0x83716380)
push eax ; =3D 0x83716398 add offset of 0x18 bytes to the allocated buffer =
inc dword ptr [edi+8] mov eax,esi pop esi pop edi pop ebp ret 14h nop nop n=
op om nom nom
- --=20
=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D=
+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+=3D+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP
"It takes 20 years to build a reputation and five minutes to ruin it. If yo=
u think about that, you'll do things differently." - Warren Buffett
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371=
/pks/lookup?op=3Dget&search=3D0x2BF7D83F210A95AF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
=20
iD8DBQFNlhDEK/fYPyEKla8RAnWXAJ0XaB/D0Cd0eYt+6Vd00Tx6RYsRmQCfWwGk
QGt6mpCUiDKXxhCdg5xpi7M=3D
=3Dpjws
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/