Full Disclosure mailing list archives
Re: Windows Oday release
From: "crazy frog crazy frog" <i.m.crazy.frog () gmail com>
Date: Wed, 13 Jun 2007 20:42:10 +0530
dear all, thanks for this nice thread. --------------------------------------- http://www.secgeeks.com get a blog on SecGeeks :) register here:- http://secgeeks.com/user/register rss feeds :- http://secradar.com/node/feed http://www.newskicks.com Submit and kick for new stories from all around the world. On 6/13/07, Joey Mengele <joey.mengele () hushmail com> wrote:
Dear all, Gadi Evron is a brilliant genius, much smarter than Thomas Lim. J On Tue, 12 Jun 2007 16:21:56 -0400 ge () linuxbox org wrote:On 2007-06-13 02:58+0800, Thomas Lim wrote:dear allDear all, this is not a 0day, it is a public release of a responsibly disclosed vulnerability. Thank you for sharing your research, Gadi.SChannel Off-By-One Heap Corruption =================================== Discovery Date: 28th August 2006 Date reported to Microsoft: 19th March 2007 Summary: The Secure Channel (SChannel) library on WinXP-SP1/SP2 isvulnerable toa off-by-one heap buffer overwrite. The SChannel libraryimplementsPCT/TLS/SSL protocols exported via the Security Service ProviderInterface(SSPI). It is one of several Security Service Providers loaded-inandsupported by the privileged Local Security Authority (Lsass.exe) process. In SChannel's implementation of the client-side SSLv3 handshakeprotocol,specifically in the processing of the server-key-exchange SSLhandshakerecord, there is insufficient checks for malformed server-sentdigitalsignature, with its length-field set to 0. This results in a allocation of a0-length heap buffer (with a valid heap address). A reverse memory copy is thenperformed to copy-in the digital signature, by decrementing the 0-length by 1.Thisresults in an integer-underflow, causing the heap-buffer pointer todecrementbefore its start address, ultimately leading to an overwrite of exactly one-byteofuser-controlled value, into the heap control-block. Depending on the robustnessof theapplication in question, this may lead to an unrecoverable heap corruption condition, causing the application to terminate. In the case of Lsass.exe on WinXP-SP2, wecan crash it locally after several iterations, from a less-privileged user,causing a system reboot. Vulnerable code although also exists in WinXP-SP1 but itdoesnot cause an unrecoverable heap corruption in Lsass.exe. Vendor Affected: Microsoft Systems Affected: ======== WinXP-SP2 (DOS/Reboot) WinXP-SP1 (minimal impact) Exploitation: ============= 1) For local machine reboot via normal user account, on WinXP-SP2 OR For remote machine reboot by enticing user to visit HTTPS sitevia IE,on WinXP-SP2 (but over 2000 iterations required) POC (crash-test/reboot): ======================== 1) Run sctest.exe from a normal user account, on client machine running WinXP-SP2. 2) sctest.exe will attempt to use SChannel's SSL implementationtoparse pre-generated malformed SSL handshake records, over several iterations, causing multiple off-by-one overwriteswith0xFF byte, within the Lsass.exe process. 3) Attach Debugger to Lsass.exe to see crash. The system willnotifythe user and perform a 60sec. reboot count-down, afterdetectingthe Lsass.exe crash. ** Lsass.exe crash-test can also be done by forcing/enticingInternetExplorer to access a HTTPS site, serving out the same malformed SSLhandshakerecords (as shown in source code below). However, over 2000iterationsare needed (IE needs to access HTTPS site over 2000 times),beforeLsass.exe heap corruption occurs. Vuln Analysis: ============== (Based on schannel.dll/v5.1.2600.2180/WinXP-SP2) The vulnerability exists in schannel.dll component, thatimplements theSSPI-compliant PCT/TLS/SSL protocol handling implementation. For moreinformation onSSPI and how it relates to LSA, refer to 1) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/authentication_packages.asp2) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/sspi.aspEssentially, in the case of SSPI authentication libraries likeschannel,kerberos, msv1_0 (ntlm), data is exchanged between less-privileged user applicationsrequringauthentication, and Lsass.exe. With LSA providing the authentication back-end support. Both LSAand theless-privileged application communicate indirectly via the SSPI interface. Specifically, inSSLauthentication, untrusted SSL record packets are passed from the less-privileged application totheprivileged LSA. While extensive efforts are made in LSA to validate the SSL records, on WinXP'sversionof schannel, an off-by-one vulnerability exists in the parsing of the less-common and less-used SSLserver-key-exchange record. The vulnerability can hence be triggered via less-privilegedclientapplications utilizing the schannel's client-side SSL protocol implementation. This includesInternet Explorer, whenever the user uses IE to browse a HTTPS site. The vulnerable code exists in the _ReverseMemCopy() function andisreachable from Ssl3ParseServerKeyExchange(): (via SPProcessHandshake()->PkcsGenerateClientExchangeValue()) ; On WinXP-SP1, the code below is located at 0x767FF976 (nosymbolsavailable) Ssl3ParseServerKeyExchange() ... .text:767FFFC8 movzx ebx, byte ptr [esi] ;MSB-byte of malformed signature length field .text:767FFFCB movzx eax, byte ptr [esi+1] ;LSB-byte of malformed signature length field .text:767FFFCF shl ebx, 8 .text:767FFFD2 add ebx, eax .text:767FFFD4 push ebx ;size=0.text:767FFFD5 call _SPExternalAlloc@4 ;HeapAlloc will return a valid 0-length heap buffer address .text:767FFFDA test eax, eax .text:767FFFDC mov [ebp+pbSignature], eax .text:767FFFDF jz loc_768000B9 .text:767FFFE5 push ebx ;size=0.text:767FFFE6 lea ecx, [esi+2] ;address of the signature data in our malformed record ;containing 0xFF,0x41,0x41... .text:767FFFE9 push ecx .text:767FFFEA push eax ;0-length heap buffer .text:767FFFEB call _ReverseMemCopy@12 _ReverseMemCopy() .text:767FF46F mov edi, edi .text:767FF471 push ebp .text:767FF472 mov ebp, esp .text:767FF474 mov eax, [ebp+arg_8] .text:767FF477 mov ecx, [ebp+arg_4] .text:767FF47A push esi .text:767FF47B mov esi, [ebp+arg_0] .text:767FF47E lea eax, [esi+eax-1]; EAX=0, ESI which points to 0-length heap buffer; is decremented to, before start of heap buffer .text:767FF482 mov dl, [ecx] .text:767FF484 mov [eax], dl; Off-by-one overwrite with 0xFF from our signature data .text:767FF486 dec eax .text:767FF487 inc ecx .text:767FF488 cmp eax, esi .text:767FF48A jnb short loc_767FF482; Just one-byte overwrite! .text:767FF48C pop esi .text:767FF48D pop ebp .text:767FF48E retn 0Ch Discovered by: Steven Security Researcher Vulnerability Research Lab COSEINC -- Thank you Thomas Lim COSEINC Private Limited -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP 8.1 - not licensed for commercial use: www.pgp.com mQGiBEQM9cARBADvlIe8Ck5/u2EtX3ikd/eKjI7uZKyIFHNLxEYBB1AaHmEvYCPi VpvNr7ArKjbqlEpdsl6c9gQUY8vir5Lfk/p6siCD1aIYfCdPa64gKJQ66UVIUy7a hIlE8sJ86mcbvVGzA4f1LjwPUPwymeKEQeDJyRLlRnPkxWzaoiZqHuEa/QCg/2/t IAlQdVT7Q+ss51/NcL87RoEEANcf+ChnlH6vhXLSwnH1iXUMBbGA6t2F0/q29ROR lsMoUQW5hvjuOw+4yDzGzmBDQUYbN0GI7pNOBs7UwerGOInTGCFD6nan0JpONT51 bp5sfF93PNH12I1qVFf+h/qdX4me2mhyKfSNvc0qQMydwfsCJ3vBbEWTF7CqWZFO VadVA/9uJTKjJ7ZnN1enBBGUhLl6bA9estqH6lyP69B6Y1tGahDSqVyDe9Q9zs0T XDcM6aS+PRnybzX9gfgPfSYtDzX3AU6C7N2XgSK5DnjVZVr2Tdd/2ttM7ApvzaeV +ifO/nLGIQ38ik7mKlul5vlXsISShzHpUIdswuQtMp0R2sa+6bQfVGhvbWFzIExp bSA8dGhvbWFzQGNvc2VpbmMuY29tPokAXQQQEQIAHQUCRAz1wAcLCQgHAwIKAhkB BRsDAAAABR4BAAAAAAoJELxffA89J0fkz+cAn3cklzVq/VYiD9wgH0J2ULsuTbMl AJ9NMdYJHBlunYjbPJIcRgGwhAkY4LkCDQREDPXAEAgA9kJXtwh/CBdyorrWqULz Bej5UxE5T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHT UPj1WV/cdlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq 01uejaClcjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O 9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcK ctaGxAMZyAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TIL OwACAggAwTip4JFx4LCDazFSyTG7qzIlZonEf3QTHNH4jP15CLvVFxjaHE8g2EgL pt2+E6XDg7IGuZ2iXS9gwHkyLKzGR4bwpanAHyMZZbcQOglPHUkxuJZW+AjfcfOD 5jB+cUOtxk97ca/z9Fz+2qS8Q3sz2QSkHcZgBBxTS07cvd2P60ecVECBKG+dgxGw X13e5hgw2tzFRMqnty66lKXYEIUj4ZSl70UPAmy5xUaU4EahLURN29f3zM+EPy72 374v28ud28yO59iyRqoUGiHr3c87wumrDtjwm8qKIkWHsi+7AiES29nCqtm4zN45 3yXkalvQ/O97ZJSinzZb851ToowyFIkATAQYEQIADAUCRAz1wAUbDAAAAAAKCRC8 X3wPPSdH5MLbAKCIYtkvUPIoxm15I4UlvCIZjT8hdACdEWiQKWdlwZCJTePk4CF9 swkS3cQ= =Q3SR -----END PGP PUBLIC KEY BLOCK------- -- "beepbeep it, i leave work, stop reading sec lists and im still hearing gadi" - HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-- Click for a second home mortgage, fast & free, no fees, approval today http://tagline.hushmail.com/fc/CAaCXv1QbNMsbmnDafSnVJtW3sm0Gn5o/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- --------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Windows Oday release Thomas Lim (Jun 12)
- Re: Windows Oday release ge (Jun 12)
- Re: Windows Oday release Joanna Rutkowska (Jun 13)
- Re: Windows Oday release Peter Dawson (Jun 13)
- Re: Windows Oday release Jared DeMott (Jun 13)
- Re: Windows Oday release Michal Zalewski (Jun 13)
- Re: Windows Oday release Joanna Rutkowska (Jun 13)
- <Possible follow-ups>
- Re: Windows Oday release Johnson, Richard (NY Int) (Jun 12)
- Re: Windows Oday release Joey Mengele (Jun 13)
- Re: Windows Oday release crazy frog crazy frog (Jun 13)
- Re: Windows Oday release ge (Jun 12)