BKIS Research 21/04/2008 - Microsoft Work ActiveX Insecure Method Exploit - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Exploit code.......................................................5 Solution.............................................................6 Time Table...........................................................7 Credits..............................................................8 References...........................................................9 About BKIS........................................................10 Contact detail........................................................11 ====================================================================== 1) Affected Software * Microsoft Work 7, Microsoft Work 9 Component. NOTE: Other versions may also be affected. ====================================================================== 2) Severity Rating: Important Impact: System compromise, local code execution. Where: Local ====================================================================== 3) Vendor's Description of Software "Microsoft(R) Works 9 gives you the basic home productivity tools you need to help make your everyday tasks easier from start to finish" Product Link: http://www.microsoft.com/products/works/ProductDetails.aspx?pid=003 ====================================================================== 4) Description of Vulnerability BKIS Center has performed a deep analysis of this vulnerability. The problem is in wkimgsrv.dll module shipped with many MS Offiice Suite (tested on MS OF 2003,MS OF 2007) Actually,this is not the case of buffer overflow attack,just a exploit of insecure method WKsPictureInterface. Setting this point to any where in memory and IE will crash when wkiimgsrv's trying to access an invalid memory location. Let's get into detail : 00D473BD PUSH EBP ; Begin of Set WksPictureInterface method 00D473BE MOV EBP,ESP 00D473C0 SUB ESP,1C 00D473C3 MOV EAX,DWORD PTR SS:[EBP+C] ; Move paramater to EAX 00D473C6 PUSH ESI 00D473C7 TEST EAX,EAX ; Checking whether EAX is NULL 00D473C9 JNZ SHORT wkimgsrv.00D473D5 ; OK,if it is not null continue 00D473CB MOV EAX,80004005 ; 00D473D0 JMP wkimgsrv.00D47456 ;No,it's is NULL,exit method 00D473D5 ==> MOV ESI,DWORD PTR SS:[EBP+8] ; Do some other stuffs, we don't care 00D473D8 LEA EDX,DWORD PTR SS:[EBP-1C] ; 00D473DB PUSH EDX 00D473DC PUSH EAX 00D473DD MOV DWORD PTR DS:[ESI+2A0],EAX ; ============= 00D473E3 ==> MOV ECX,DWORD PTR DS:[EAX] ; Here is the problem,the data stored by EAX is referenced and moved into ECX 00D473E5 CALL DWORD PTR DS:[ECX+30] ;Next the address in some struct pointed by ECX is called Now if we're able to setup memory satisfied : Create a struct in memory where the first DWORD in the struct point to itself and the DWORD at offset 0x30 from struct address is point to our shellcode. We should be able to exploit this vulnerability. This seem to be nightmare because there is nothing to inject except an integer as paramater for the method. Fortunately we have prefered heapspray method Howerver we can't spray with nop (0x90 ) anymore(if this happens, all address will be 90909090 which is invalid address) , The addresses and byte to spray must comply some restrictions - Byte to spray must be single byte length instruction (or somewhat that not change execution of the program or causing exception) - Combination of 4 byte must refer to valid memory address which will point to it self. I have chosen 0x0A to spay on IE 7, and 0x05 to spay on IE 6. In Internet Explorer 7 the number passes to method is 168430090 which is 0x0A0A0A0A in hexa mode.Let's assume that we has fill 0x0A into memory at 0x0A0A0A0A. EAX will hold value of 0x0A0A0A0A. Mov ECX,DWORD PTR DS:[EAX] ;=> ECX= 0x0A0A0A0A CALL DWORD DTR DS:[ECX+30] ;=> CALL DWORD DTR:[0x0A0A0A3A] => CALL 0x0A0A0A0A Memory at 0x0A0A0A0A is filled with 0x0A ~ instruction is OR CL,BYTE PTR DS:[EDX] Fortunately this hadn't caused exception and not changed execution path of our shellcode Shellcode should be executed as expected. ====================================================================== 5) Exploit code ======================================================================