Abysssec Research. 1) Advisory information. 2) Vulnerable version



Similar documents
Abysssec Research. 1) Advisory information. 2) Vulnerable version

TitanMist: Your First Step to Reversing Nirvana TitanMist. mist.reversinglabs.com

Heap-based Buffer Overflow Vulnerability in Adobe Flash Player

Violating Database - Enforced Security Mechanisms

Bypassing Windows Hardware-enforced Data Execution Prevention

Disassembly of False Positives for Microsoft Word under SCRAP

Windows XP SP3 Registry Handling Buffer Overflow

Software Fingerprinting for Automated Malicious Code Analysis

How To Hack The Steam Voip On Pc Orchesterian Moonstone 2.5 (Windows) On Pc/Robert Kruber (Windows 2) On Linux (Windows 3.5) On A Pc

Return-oriented programming without returns

Software Vulnerabilities

1. General function and functionality of the malware

Buffer Overflows. Security 2011

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Cloud Security Is Not (Just) Virtualization Security

Introduction. Figure 1 Schema of DarunGrim2

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

esrever gnireenigne tfosorcim seiranib

Fighting malware on your own

CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

x64 Cheat Sheet Fall 2015

A Tiny Guide to Programming in 32-bit x86 Assembly Language

Analysis of Win32.Scream

REpsych. : psycholigical warfare in reverse engineering. def con 2015 // domas

Off-by-One exploitation tutorial

Attacking x86 Windows Binaries by Jump Oriented Programming

Systems Design & Programming Data Movement Instructions. Intel Assembly

Diving into a Silverlight Exploit and Shellcode - Analysis and Techniques

INTRODUCTION TO MALWARE & MALWARE ANALYSIS

Removing Sentinel SuperPro dongle from Applications and details on dongle way of cracking Shub-Nigurrath of ARTeam Version 1.

For a 64-bit system. I - Presentation Of The Shellcode

The Beast is Resting in Your Memory On Return-Oriented Programming Attacks and Mitigation Techniques To appear at USENIX Security & BlackHat USA, 2014

64-Bit NASM Notes. Invoking 64-Bit NASM

Computer Organization and Architecture

Application-Specific Attacks: Leveraging the ActionScript Virtual Machine

OpenBSD Remote Exploit

Complete 8086 instruction set

X86-64 Architecture Guide

Win32.Winux.txt Wed Nov 21 13:30: ; ; : Win32/Linux.Winux : ; ; : by Benny/29A : ;

Syscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES

PCI-SIG ENGINEERING CHANGE REQUEST

Stitching the Gadgets On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov.

Computer Organization and Assembly Language

Machine-Level Programming II: Arithmetic & Control

Overview of IA-32 assembly programming. Lars Ailo Bongo University of Tromsø

Reverse Engineering Malware Part 1

Reverse Engineering and Computer Security

Instruction Set Architecture

Assembly Language: Function Calls" Jennifer Rexford!

WLSI Windows Local Shellcode Injection. Cesar Cerrudo Argeniss (

Hotpatching and the Rise of Third-Party Patches

Title: Bugger The Debugger - Pre Interaction Debugger Code Execution

Self Protection Techniques in Malware

Introduction to Reverse Engineering

Appendix F: Instructions for Downloading Microsoft Access Runtime

CS61: Systems Programing and Machine Organization

Stack Overflows. Mitchell Adair

Bypassing Anti- Virus Scanners

Harnessing Intelligence from Malware Repositories

Securing software by enforcing data-flow integrity

Metasploit Beginners

Inside a killer IMBot. Wei Ming Khoo University of Cambridge 19 Nov 2010

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

Packers Models. simple. malware. advanced. allocation. decryption. decompression. engine loading. integrity check. DRM Management

CS:APP Chapter 4 Computer Architecture Instruction Set Architecture. CS:APP2e

What Happens In Windows 7 Stays In Windows 7

Defense in Depth: Protecting Against Zero-Day Attacks

CPU performance monitoring using the Time-Stamp Counter register

Understanding the Windows SMB NTLM Authentication Weak Nonce Vulnerability

PCI Vulnerability Validation Report

User s Manual. Transcend JetFlash SecureDrive. Contents

Fetch TV My Media Hub Quick Start Guide for USB Devices. Sharing your media content with the set top box from a USB device

Microsoft Patch Analysis

Using fuzzing to detect security vulnerabilities

System Requirements for Web Applications

Packers. (5th April 2010) Ange Albertini Creative Commons Attribution 3.0

HSLAB Print Logger 5 Installation Guide

Recommended operating systems and software for end user services. Operating systems and software not supported for end user services

Exploiting Trustzone on Android

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

Practical taint analysis for protecting buggy binaries

PassReview. PassReview - IT Certification Exams Pass Review

Where s the FEEB? The Effectiveness of Instruction Set Randomization

Dynamic Behavior Analysis Using Binary Instrumentation

A Museum of API Obfuscation on Win32

6. Exercise: Writing Security Advisories

Microsoft Smooth Streaming

The 80x86 Instruction Set

ATLAS.ti 6 Using Video Data

Where we are CS 4120 Introduction to Compilers Abstract Assembly Instruction selection mov e1 , e2 jmp e cmp e1 , e2 [jne je jgt ] l push e1 call e

Specification of the Broadcast Wave Format (BWF)

Using Heap Allocation in Intel Assembly Language

White paper: August Marcin Icewall Noga

Intel 8086 architecture

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Transcription:

Abysssec Research 1) Advisory information Title Version Analysis Vendor Impact Contact Twitter CVE : Microsoft MPEG Layer- 3 Audio Stack Based Overflow : l3codeca.acm (XP SP2 XP SP3) : http://www.abysssec.com : http://www.microsoft.com : Ciritical : shahin [at] abysssec.com, info [at] abysssec.com : @abysssec : CVE- 2010-0480 2) Vulnerable version Nortel Networks Symposium Nortel Networks Contact Center NCC 0 Nortel Networks Contact Center Manager Server 0 Nortel Networks Contact Center Express Nortel Networks Contact Center Administration 0 Nortel Networks Contact Center - TAPI Server 0 Nortel Networks CallPilot 703t Nortel Networks CallPilot 702t Nortel Networks CallPilot 600r Nortel Networks CallPilot 202i Nortel Networks CallPilot 201i Nortel Networks CallPilot 1005r Nortel Networks CallPilot 1002rp Microsoft Windows XP Tablet PC Edition SP3 Microsoft Windows XP Tablet PC Edition SP2 Microsoft Windows XP Professional x64 Edition SP2 Microsoft Windows XP Professional SP3 Microsoft Windows XP Professional SP2 Microsoft Windows XP Media Center Edition SP3 Microsoft Windows XP Media Center Edition SP2 Microsoft Windows XP Home SP3 Microsoft Windows XP Home SP2 Microsoft Windows Vista Ultimate 64- bit edition SP2

Microsoft Windows Vista Ultimate 64- bit edition SP1 Microsoft Windows Vista Ultimate 64- bit edition 0 Microsoft Windows Vista Home Premium 64- bit edition SP2 Microsoft Windows Vista Home Premium 64- bit edition SP1 Microsoft Windows Vista Home Premium 64- bit edition 0 Microsoft Windows Vista Home Basic 64- bit edition SP2 Microsoft Windows Vista Home Basic 64- bit edition SP1 Microsoft Windows Vista Home Basic 64- bit edition 0 Microsoft Windows Vista Enterprise 64- bit edition SP2 Microsoft Windows Vista Enterprise 64- bit edition SP1 Microsoft Windows Vista Enterprise 64- bit edition 0 Microsoft Windows Vista Business 64- bit edition SP2 Microsoft Windows Vista Business 64- bit edition SP1 Microsoft Windows Vista Business 64- bit edition 0 Microsoft Windows Vista Ultimate SP2 Microsoft Windows Vista Ultimate SP1 Microsoft Windows Vista Home Premium SP2 Microsoft Windows Vista Home Premium SP1 Microsoft Windows Vista Home Basic SP2 Microsoft Windows Vista Home Basic SP1 Microsoft Windows Vista Enterprise SP2 Microsoft Windows Vista Enterprise SP1 Microsoft Windows Vista Business SP2 Microsoft Windows Vista Business SP1 Microsoft Windows Server 2008 for x64- based Systems SP2 Microsoft Windows Server 2008 for x64- based Systems 0 Microsoft Windows Server 2008 for 32- bit Systems SP2 Microsoft Windows Server 2008 for 32- bit Systems 0 Microsoft Windows Server 2003 x64 SP2 Microsoft Windows 2000 Server SP4 Microsoft Windows 2000 Professional SP4 Microsoft Windows 2000 Datacenter Server SP4 Microsoft Windows 2000 Advanced Server SP4 Microsoft MPEG Layer- 3 codecs 0 Avaya Messaging Application Server MM 3.1 Avaya Messaging Application Server MM 3.0 Avaya Messaging Application Server MM 2.0 Avaya Messaging Application Server MM 1.1 Avaya Messaging Application Server 5 Avaya Messaging Application Server 4 Avaya Messaging Application Server 0 Avaya Meeting Exchange - Webportal 0 Avaya Meeting Exchange - Web Conferencing Server 0 Avaya Meeting Exchange - Streaming Server 0 Avaya Meeting Exchange - Recording Server 0 Avaya Meeting Exchange - Client Registration Server 0

3) Vulnerability information Class 1- Code execution Impact Successfully exploiting this issue allows remote attackers to cause denial-ofservice conditions. Remotely Exploitable Yes Locally Exploitable Yes 4) Vulnerabilities detail The flaw exists because of not properly checking a malformed AVI contains MPEG Layer- 3(mp3) audio contents. In l3codecx.ax module which is a vulnerable codec there is sub_72cd1ef0 function responsible for processing data for movi section of AVI file (According to MPEGLAYER3WAVEFORMAT structure). sub_72cd1ef0 function takes 4 arguments, first argument is address of MPEGLAYER3WAVEFORMAT structure. Second is the address of part of AVI file data which is related to mp3 file frames. Third argument is length of data. And the last argument is an address that usually equals to zero. In part of the function value of nblocksize field of MPEGLAYER3WAVEFORMAT structure is checked not to be 1. 72CD1F03 72CD1F07 72CD1F0F 72CD1F13 MOV AX,WORD PTR DS:[ESI+18] MOV DWORD PTR SS:[ESP+10],0 CMP AX,1 JE l3codecx.72cd2079 Then third argument as length of audio data is divided by value of nblocksize and if remainder of division equals to zero, value of fourth argument ( usually zero ) is substituted from length of data and compared with nblocksize field. In case of greater than nblocksize field the examination is continued. 72CD1F19 MOV ECX,DWORD PTR SS:[ESP+B4]

72CD1F20 72CD1F22 72CD1F28 72CD1F2A 72CD1F2C 72CD1F2E 72CD1F30 72CD1F36 72CD1F3D 72CD1F3F 72CD1F41 MOV EBP,EAX AND EBP,0FFFF MOV EAX,ECX XOR EDX,EDX DIV EBP TEST EDX,EDX JNZ l3codecx.72cd2080 MOV EBX,DWORD PTR SS:[ESP+B8] SUB ECX,DWORD PTR DS:[EBX] CMP ECX,EBP JB l3codecx.72cd20ab Then value of mp3 frame header with "41434D00" and next 4bytes after header with "63726300" is compared. If results of these comparisons are positive, we reach in to sub_72cd1da0 function, otherwise skip it. 72CD1FA6 72CD1FAC 72CD1FB2 72CD1FBA 72CD1FBC 72CD1FC2 72CD1FC6 72CD1FC7 72CD1FCD 72CD1FD0 72CD1FD2 72CD1FD3 72CD1FD7 72CD1FD8 72CD1FD9 72CD1FDB CMP EDX,41434D00 JNZ l3codecx.72cd2032 CMP DWORD PTR SS:[ESP+14],63726300 JNZ SHORT l3codecx.72cd2032 MOV EAX,DWORD PTR DS:[EDI+DC] LEA ECX,DWORD PTR SS:[ESP+18] INC EAX MOV DWORD PTR DS:[EDI+DC],EAX MOV EDX,DWORD PTR DS:[ESI+4] PUSH EDX MOV AX,WORD PTR DS:[ESI+2] PUSH EAX PUSH ECX MOV ECX,EDI CALL l3codecx.72cd1da0 In fact sub_72cd1da0 function call, means value of nsamplepersec field from WAWFORMATEX structure need more examination. This function takes three arguments. First argument of that address is 144 bytes buffer. Second argument is value nchannels field form WAVEFORMATEX structure. And the third argument is value of nsamplespersec field. In this function known number of 144bytes buffer will be set to zero by REP STOS instruction which acts like memset function. 72CD1DA7 72CD1DAC 72CD1DAD 72CD1DAF 72CD1DB1 72CD1DB6 72CD1DBC 72CD1DC1 72CD1DC3 72CD1DC8 72CD1DCD CMP EAX,2B11 PUSH EDI JA SHORT l3codecx.72cd1ddb JE SHORT l3codecx.72cd1dcd CMP EAX,1F40 JNZ l3codecx.72cd1e88 MOV ESI,48 MOV ECX,800 JMP l3codecx.72cd1e94

72CD1DCF 72CD1DD4 72CD1DD6 72CD1DDB 72CD1E88 72CD1E8C 72CD1E90 72CD1E94 72CD1E98 72CD1E9C 72CD1E9F 72CD1EA1 72CD1EA3 72CD1EA5 72CD1EA8 72CD1EAE 72CD1EB1 72CD1EB3 72CD1EB5 72CD1EB7 72CD1EB9 72CD1EBB 72CD1EBE 72CD1EC0 72CD1EC2 72CD1EC5 MOV ESI,34 XOR ECX,ECX JMP l3codecx.72cd1e94 CMP EAX,3E80 MOV ESI,DWORD PTR SS:[ESP+1C] MOV EAX,DWORD PTR SS:[ESP+1C] MOV ECX,DWORD PTR SS:[ESP+1C] MOV EDX,DWORD PTR SS:[ESP+18] MOV EBX,DWORD PTR SS:[ESP+14] SUB EDX,2 MOV EDI,EBX NEG EDX SBB EDX,EDX AND EDX,3 OR EDX,FFFF8840 SHL EDX,6 OR EDX,ECX MOV ECX,ESI MOV EBP,ECX OR EDX,EAX SHR ECX, REP STOS DWORD PTR ES:[EDI] MOV ECX,EBP AND ECX,3 REP STOS BYTE PTR ES:[EDI] If you look at the code carefully, in the value of nsamplespersec field is not equal to values 2B11 EE0 3E80 5622 5DC0 7D00 AC44 and BB80, the count value indicating number of bytes that should be set to zero doesn t checked properly and will be set to value of nsamplespersec field. So if nsamplespersec is greater than 90h or 144, a stack overflow occurs. Here is the vulnerable (secondary) and patched (primary) version of the function. As you see in the first block an instruction is added. The value of esi register at next steps would be nsamplespersec field. In the patched version this value first is initialized by zero so in case of inequality with those exact values, number of bytes that should be null is zero.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information