Full Disclosure mailing list archives
Re: Windows Live Messenger 8.0 ( Contact List *.ctt ) Heap Overflow
From: "Michele Cicciotti [Khamsa S.A.]" <mc () khamsa ch>
Date: Mon, 26 Jun 2006 13:12:20 +0200
Alexander Hristov wrote:
Author: JAAScois
Date: 25.6.2006
Type: Heap Overflow
Product: http://live.com , http://messenger.msn.com
Patch: N/A
Link: http://securitydot.net/xpl/exploits/vulnerabilities/articles/1108/exploit.html
This is most definitely *not* a heap overflow. Based on my analysis (Windows XP Professional, Service Pack 2, fully patched), several non-fatal exceptions occur inside FormatMessageW:
ntdll!fputwc+0x14:
7c92c24e 668902 mov [edx],ax ds:0023:022c1000=????
[...]
ChildEBP RetAddr
0006f23c 7c92c221 ntdll!fputwc+0x14
0006f24c 7c92c1f6 ntdll!_output+0x9d9
0006f260 7c92c314 ntdll!_output+0xa49
0006f6d8 7c92c2d2 ntdll!_woutput+0x9ae
0006f710 7c9399c8 ntdll!_snwprintf+0x31
0006fad0 7c828f98 ntdll!RtlFormatMessage+0x360
0006fb6c 7c829068 kernel32!BaseDllFormatMessage+0x1be
0006fb94 00762290 kernel32!FormatMessageW+0x21
[...]
If we continue execution, we see this is actually on-demand buffer extension at work:
ChildEBP RetAddr
0006ed98 7c809ad2 ntdll!ZwAllocateVirtualMemory
0006ede4 7c809a99 kernel32!VirtualAllocEx+0x47
0006ee00 7c85ea14 kernel32!VirtualAlloc+0x18
0006ee20 7c85ea7b kernel32!ExtendVirtualBuffer+0x40
0006ee30 7c840977 kernel32!VirtualBufferExceptionHandler+0x2a
0006ee40 7c839a54 kernel32!BaseDllFormatMessage+0x24b
0006ee68 7c9137bf kernel32!_except_handler3+0x61
0006ee8c 7c91378b ntdll!ExecuteHandler2+0x26
0006ef3c 7c91eafa ntdll!ExecuteHandler+0x24
0006ef3c 7c92c24e ntdll!KiUserExceptionDispatcher+0xe
0006f23c 7c92c221 ntdll!fputwc+0x14
[...]
And it's not even the heap:
0:000> !address 022c1000
    022c0000 : 022c0000 - 00001000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageIsVAD
It's just a random, non-descript 64 KB block reserved by an internal 
kernel32.dll function and allocated page by page on demand, and 
_snwprintf never writes outside of its bounds, and doesn't overwrite 
anything. What *really* happens is that FormatMessageW fails because the 
message exceeds the 64 KB maximum and is truncated:
0:000> !gle
LastErrorValue: (Win32) 0xea (234) - Sono disponibili altri dati.
LastStatusValue: (NTSTATUS) 0x80000005 - {Overflow del buffer} Numero di dati eccessivo per poter essere contenuti nel buffer specificato.
Messenger handles the error by throwing an exception:
Args to Child
e06d7363 00000001 00000003 kernel32!RaiseException+0x53
0006fbb4 005c2584 0006fbd8 MSVCR80!_CxxThrowException+0x46
At 005c2584 we have the exception type, which points to a type info table at 00841dd8, which contains a table info entry at 00841de0, which reveals that the exception is of type "?AVCAtlException@ATL@@". The exception object itself, at 0006fbb4, begins with a doubleword containing 8007000e, which is a Win32 error wrapped in a HRESULT. 0xE is ERROR_OUTOFMEMORY.
The verdict is: unhandled exception
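As an added example (not code from the post, from Messenger or from Microsoft), the following Python decodes the raw values the analysis above quotes from the debugger: the Win32 last error 0xEA, the NTSTATUS 0x80000005, the RaiseException code e06d7363 and the HRESULT 8007000e at the start of the exception object. It reproduces the HRESULT_FROM_WIN32 macro and the NTSTATUS/HRESULT field layout, and goes one step beyond the post by also classifying a hardware-fault code such as 0xC0000005, so a triage script can separate a software-raised C++ exception (a crash, but not a memory-safety bug) from an actual access violation. The constant names are the standard Win32/NTSTATUS names; the sample values are the ones in the post, and the `triage` helper and its wording are this example's own.

```python
# Added example (not code from the post or from Messenger): decode the raw
# status values quoted in the analysis so that a crash triage can tell a Win32
# error wrapped in a C++ exception from real memory corruption.
# Constant names are the documented Win32 / NTSTATUS names; the sample values
# are the ones quoted from the debugger output in the post.

FACILITY_WIN32 = 7

# Codes that appear in the post, plus the access-violation code for contrast.
WIN32_ERROR_NAMES = {
    0x0E: "ERROR_OUTOFMEMORY",
    0xEA: "ERROR_MORE_DATA",
}
NTSTATUS_NAMES = {
    0x80000005: "STATUS_BUFFER_OVERFLOW",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# The code MSVC's _CxxThrowException passes to RaiseException for every C++ throw;
# its low three bytes spell 'msc'.
MSVC_CPP_EXCEPTION = 0xE06D7363


def hresult_from_win32(err: int) -> int:
    """Port of the HRESULT_FROM_WIN32 macro: 0 and values that already carry the
    failure bit pass through unchanged, everything else becomes 0x8007xxxx."""
    if err == 0 or err & 0x80000000:
        return err
    return (err & 0xFFFF) | (FACILITY_WIN32 << 16) | 0x80000000


def decode_hresult(hr: int) -> dict:
    """Split an HRESULT into failure bit, facility and code; name Win32 codes."""
    code = hr & 0xFFFF
    facility = (hr >> 16) & 0x7FF
    return {
        "failed": bool(hr & 0x80000000),
        "facility": facility,
        "code": code,
        "win32_name": WIN32_ERROR_NAMES.get(code) if facility == FACILITY_WIN32 else None,
    }


def decode_ntstatus(status: int) -> dict:
    """Split an NTSTATUS: bits 31:30 severity, bits 27:16 facility, low 16 code."""
    return {
        "severity": SEVERITY[(status >> 30) & 0x3],
        "facility": (status >> 16) & 0x0FFF,
        "code": status & 0xFFFF,
        "name": NTSTATUS_NAMES.get(status),
    }


def classify_exception_code(code: int) -> str:
    """Say what a RaiseException code means for triage: a C++ throw is a
    software-raised exception and by itself says nothing about memory safety."""
    if code == MSVC_CPP_EXCEPTION:
        magic = bytes([(code >> 16) & 0xFF, (code >> 8) & 0xFF, code & 0xFF]).decode()
        return f"C++ exception (MSVC magic '{magic}')"
    name = NTSTATUS_NAMES.get(code)
    if name:
        return f"{name} ({decode_ntstatus(code)['severity']})"
    return "unknown exception code 0x%08X" % code


def triage(exception_code: int, first_dword_of_object: int) -> str:
    """Summarise the post's case: a C++ exception whose object starts with an HRESULT.
    (hypothetical helper, this example's own)"""
    kind = classify_exception_code(exception_code)
    if exception_code != MSVC_CPP_EXCEPTION:
        return kind
    hr = decode_hresult(first_dword_of_object)
    win32 = hr["win32_name"] or "unknown Win32 error"
    return f"{kind} carrying HRESULT 0x{first_dword_of_object:08X} = {win32} ({hr['code']:#x})"


if __name__ == "__main__":
    # Constructed calls using the numbers quoted in the post.
    print(hex(hresult_from_win32(0xEA)))      # FormatMessageW's last error as an HRESULT
    print(decode_ntstatus(0x80000005))        # LastStatusValue reported by !gle
    print(triage(0xE06D7363, 0x8007000E))     # RaiseException code + exception object
    print(classify_exception_code(0xC0000005))  # what a real fault would look like instead
```

Run as a script it prints the decoded forms of the four values; the functions are what a triage tool would call when it reads a crash dump's exception record. The decision the post makes by hand is the `classify_exception_code` branch: e06d7363 is a throw, so the interesting data is the HRESULT inside the exception object, not the faulting address.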