Vulnerability Development mailing list archives

Re: strcpy bug


From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Thu, 05 Jun 2003 04:00:39 +0000

----- Original Message -----
From: "xenophi1e" <oliver.lavery () sympatico ca>
To: <vuln-dev () securityfocus com>
Sent: Sunday, June 01, 2003 1:23 AM
Subject: strcpy bug
Noticed this while looking for something else. EIP is smacked with a 268
byte filename argument. Anyone know an interesting bit of software that
calls LZOpenFileA or W?

.text:77EB63B6 ; =============== S U B R O U T I N E =======================================
.text:77EB63B6
.text:77EB63B6 ; Attributes: bp-based frame
.text:77EB63B6
.text:77EB63B6 ; INT __stdcall LZOpenFileA(LPSTR,LPOFSTRUCT,WORD)
.text:77EB63B6                 public LZOpenFileA


The windows "Search for files and folders" utility will search binaries and
can often find the linkage names of functions and dlls they call.  None
showed up when I searched my w2ksp2 \winnt\system32 folder.  The following
files link against lz32.dll:

fontext.dll   - calls LZOpenFileW
setupapi.dll - ditto
setupdll.dll
t2embed.dll - calls LZOpenFileA
version.dll - LZCreateFileW
iis.dll - LZOpenFileW

Let's just see if the Unicode version is equally lousy....

LZ32!LZOpenFileW:
759b15be 55 push ebp
759b15bf 8bec mov ebp,esp
759b15c1 81ec14010000 sub esp,0x114
759b15c7 8b4508 mov eax,[ebp+0x8]
759b15ca 50 push eax
759b15cb 8945fc mov [ebp-0x4],eax
759b15ce ff1580109b75 call dword ptr [LZ32!_imp__wcslen (759b1080)]
759b15d4 d1e0 shl eax,1
kd> u
LZ32!LZOpenFileW+18:
759b15d6 668945f8 mov [ebp-0x8],ax
759b15da 8b45f8 mov eax,[ebp-0x8]
759b15dd 83c002 add eax,0x2
759b15e0 59 pop ecx
759b15e1 668945fa mov [ebp-0x6],ax
759b15e5 8d85ecfeffff lea eax,[ebp-0x114]
759b15eb 8945f4 mov [ebp-0xc],eax
759b15ee 8d45f8 lea eax,[ebp-0x8]
kd> u
LZ32!LZOpenFileW+33:
759b15f1 6a00 push 0x0
759b15f3 50 push eax
759b15f4 8d45f0 lea eax,[ebp-0x10]
759b15f7 66c745f20401 mov word ptr [ebp-0xe],0x104
759b15fd 50 push eax
759b15fe ff1578109b75 call dword ptr [LZ32!_imp__RtlUnicodeStringToAnsiString (759b1078)]
759b1604 85c0 test eax,eax
759b1606 7d05 jge LZ32!LZOpenFileW+0x4f (759b160d)
kd> u
LZ32!LZOpenFileW+4a:
759b1608 6afb push 0xfb
759b160a 58 pop eax
759b160b eb12 jmp LZ32!LZOpenFileW+0x61 (759b161f)
759b160d ff7510 push dword ptr [ebp+0x10]
759b1610 8d85ecfeffff lea eax,[ebp-0x114]
759b1616 ff750c push dword ptr [ebp+0xc]
759b1619 50 push eax
759b161a e807ffffff call LZ32!LZOpenFileA (759b1526)

Bah.  That 0x104 in the size field of the result string from the
RtlUnicodeStringToAnsiString call not only protects the stack frame, it also
stops us feeding too long a string through the W version to the A version.
D'oh.

However, t2embed.dll looks more promising perhaps, since it is linked by
mshtml.dll.  Hmmmmm.  A quick browse through the visible strings with PE
view shows it to be something font related, so my guess is that it's the
true-type embedded font dll.  Now, perhaps an LZ-compressed true-type font
file with a very long name.... ??

So I guess the answer to your question is "Potentially, IE, OE, MSHta.exe
and anything else that uses the IE browser engine. Font-face style tag perhaps?"



      DaveK
--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E  6484 C441 CEC7 D2BD
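The two code paths discussed in the thread, modelled in C as an added example (this is not lz32.dll code and not from either poster). The frame layout is an assumption chosen to match the numbers on the page: a 0x104-byte ANSI filename buffer, the size LZOpenFileW reserves at [ebp-0x114], sitting directly below the saved EBP and the return address, so that a 268-byte name is exactly what it takes to overwrite the return address. The W path follows the kd listing: Length = wcslen()*2 stored in a 16-bit field, MaximumLength of the destination fixed at 0x104, a negative status from the conversion turned into a return of -5 (the `push 0xfb; pop eax`), and LZOpenFileA only reached with the bounded buffer. Narrowing is modelled as byte truncation of ASCII input and the "terminator must fit" rule is an assumption; the real RtlUnicodeStringToAnsiString code-page handling is not reproduced. The function names and the planted EBP/return values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed frame: buf[0..0x103] | saved ebp | return address | a little of
 * the caller's frame. 0x104 is the MaximumLength LZOpenFileW uses. */
#define ANSI_BUF     0x104
#define SAVED_EBP    ANSI_BUF
#define RET_ADDR     (ANSI_BUF + 4)
#define FRAME_BYTES  (ANSI_BUF + 8 + 16)
#define PLANTED_EBP  0x0012ff80u           /* hypothetical values */
#define PLANTED_RET  0x77eb1234u

typedef struct { uint8_t mem[FRAME_BYTES]; } frame_t;

static void plant_frame(frame_t *f) {
    uint32_t ebp = PLANTED_EBP, ret = PLANTED_RET;
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + SAVED_EBP, &ebp, 4);
    memcpy(f->mem + RET_ADDR, &ret, 4);
}

/* The A path as the original post describes it: an unbounded strcpy of the
 * filename into the fixed buffer. The copy is clamped to the model's frame so
 * the demo itself stays memory-safe; inside that window it behaves exactly
 * like strcpy. Returns whatever ends up in the return-address slot. */
static uint32_t lzopen_a_model(frame_t *f, const char *name) {
    size_t n = strlen(name) + 1;            /* strcpy copies the NUL too */
    if (n > FRAME_BYTES) n = FRAME_BYTES;
    memcpy(f->mem, name, n);
    uint32_t ret;
    memcpy(&ret, f->mem + RET_ADDR, 4);
    return ret;
}

/* The W path as read from the kd listing. Returns -5 (push 0xfb / pop eax,
 * sign-extended) when the conversion reports a negative status, otherwise 0
 * after handing the bounded ANSI copy to the A path. */
static int lzopen_w_model(frame_t *f, const uint16_t *wname, uint32_t *ret_seen) {
    size_t wlen = 0;
    while (wname[wlen]) wlen++;
    uint16_t length = (uint16_t)(wlen * 2);  /* mov [ebp-8],ax keeps 16 bits */
    size_t alen = length / 2;                /* one ANSI byte per UTF-16 unit (ASCII assumed) */
    if (alen + 1 > ANSI_BUF)                 /* assumption: terminator must fit in MaximumLength */
        return -5;
    char ansi[ANSI_BUF];
    for (size_t i = 0; i < alen; i++) ansi[i] = (char)wname[i];
    ansi[alen] = '\0';
    *ret_seen = lzopen_a_model(f, ansi);
    return 0;
}

/* Constructed input: name_len bytes of 'A' with "BBBB" as the last four
 * bytes, so an overwritten return address reads 0x42424242. */
static void make_name(char *out, size_t name_len) {
    memset(out, 'A', name_len);
    if (name_len >= 4) memset(out + name_len - 4, 'B', 4);
    out[name_len] = '\0';
}

/* Feed an ANSI name of name_len bytes to the A model; returns the value left
 * in the return-address slot (PLANTED_RET if it survived). */
uint32_t a_path_ret(size_t name_len) {
    char name[512]; frame_t f;
    if (name_len > 511) name_len = 511;
    make_name(name, name_len);
    plant_frame(&f);
    return lzopen_a_model(&f, name);
}

/* Feed the same name, widened to UTF-16, through the W model. Returns the
 * status; *ret_seen (if non-NULL) gets the return-address slot, which stays
 * PLANTED_RET when the A path is never reached. */
int w_path_status(size_t name_len, uint32_t *ret_seen) {
    char name[512]; uint16_t wname[512]; frame_t f;
    if (name_len > 511) name_len = 511;
    make_name(name, name_len);
    for (size_t i = 0; i <= name_len; i++) wname[i] = (uint16_t)(unsigned char)name[i];
    plant_frame(&f);
    uint32_t seen = PLANTED_RET;
    int status = lzopen_w_model(&f, wname, &seen);
    if (ret_seen) *ret_seen = seen;
    return status;
}

uint32_t w_path_ret(size_t name_len) {
    uint32_t r;
    w_path_status(name_len, &r);
    return r;
}
```

With these assumptions a_path_ret(268) returns 0x42424242 (bytes 264..267 of the copy land on the return address, the 268-byte figure from the original post), a 259-byte name fits with its terminator and leaves the slot alone, and the W path refuses the 268-byte name with -5 before LZOpenFileA is ever called, which is the "D'oh" above: the 0x104 MaximumLength bounds what the A version can receive from the W wrapper, so the long-name route has to reach the A export directly.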