[14596] in bugtraq
Re: More vulnerabilities in FP
daemon@ATHENA.MIT.EDU (Thomas Dullien)
Thu Apr 20 15:55:29 2000
Message-Id: <20000420075907.21118.qmail@fhome15.rzmi.gmx.net>
Date: Fri, 21 Apr 2000 10:01:10 +0200
Reply-To: Thomas Dullien <dullien@gmx.de>
From: Thomas Dullien <dullien@GMX.DE>
X-To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>,
The Cyberiad <cyberiad@CYBERUS.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
On Wed, 19 Apr 2000 08:08:25 -0400, The Cyberiad wrote:
>I confirmed the 742-A's caused a page fault in KERNEL32.DLL
>at 0167:bff87ede under FP 3.0.2.1105, installed with PWS
>under Windows 98 (PWS.EXE Version 4.02.0690). However,
>this length did not force A's into the EIP. Instead the stack pointer
>is corrupted, now pointing to invalid memory (which caused the page
>fault). The relationship of the corrupted stack pointer to the input
>overflow data is unclear (its not 0x41414141) so I'll have to do
>some more reverse engineering; I did try longer strings with the
>same result.
I do not have access to a copy of frontpage, but I downloaded
htimage.exe (7.952 bytes) from some webserver with incorrect permissions set.
I could _not_ reproduce a crash in which EIP is taken. A rough look
at the disassembled code revealed that the crash happens like this:
If the fopen() call to the specified file fails, the program will create an
error message on the stack in a static buffer of 1000 bytes length.
The error message is:
"Picture config file no found, tried the following:"
Then, the program uses strcat() to append the PATH_TRANSLATED
and PATH_INFO environment variables (the data passed to the program)
to the error message on the stack. You can see that this will smash
the stack. Now comes the problem:
This overflow occurs within main(), and before main() ret's anywhere,
an Error-Output function is called which just printf()'s the error message
and then calls exit(). I don't know if this is exploitable at all.
On the other hand, I don't claim this is a correct analysis. As I said, all
I have is a single htimage.exe I downloaded from somewhere, and I
tried to get the overflow to work.
Shoddy coding in the file nonetheless.... strcat'ing user input onto the
stack :-o
Concerning the crash on 9x, might be that some important things for
the cleanup are on the stack... I didn't test under 9x, but under NT SP5,
so it might be that 9x doesn't like the overwriting of the stack.
Thomas Dullien
dullien@gmx.de
Win32 Security Consultant ;-> Hire me !
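Added illustration, not code from the post or from the htimage.exe binary it discusses: the unbounded strcat() pattern described above next to a bounded form. The 1000-byte buffer size and the message text follow the post; the function names, the "C:\webroot" document root and the sample inputs are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Buffer size and error-message text are taken from the post. */
#define ERRBUF_SIZE 1000
static const char PREFIX[] = "Picture config file no found, tried the following:";

/* The pattern the post describes: PATH_TRANSLATED and PATH_INFO strcat()'d
 * onto a fixed buffer with no check on their combined length. Kept only to
 * measure what it would write, so buf must be large enough for the result. */
size_t build_error_unbounded(char *buf, const char *translated, const char *info)
{
    strcpy(buf, PREFIX);
    strcat(buf, " "); strcat(buf, translated);
    strcat(buf, " "); strcat(buf, info);
    return strlen(buf);            /* bytes written, excluding the NUL */
}

/* Bounded form: snprintf() writes at most bufsize bytes and returns the length
 * the full message would have had, so a caller can detect truncation. */
size_t build_error_bounded(char *buf, size_t bufsize, const char *translated, const char *info)
{
    int n = snprintf(buf, bufsize, "%s %s %s", PREFIX, translated, info);
    return n < 0 ? 0 : (size_t)n;
}

/* Constructed sample: PATH_INFO of 742 'A's (the length quoted in the thread);
 * PATH_TRANSLATED is an assumed document root "C:\webroot" plus that path. */
#define SAMPLE_A_COUNT 742
static char g_info[SAMPLE_A_COUNT + 1], g_translated[32 + SAMPLE_A_COUNT];
static void make_sample(void)
{
    memset(g_info, 'A', SAMPLE_A_COUNT);
    g_info[SAMPLE_A_COUNT] = '\0';
    snprintf(g_translated, sizeof g_translated, "C:\\webroot%s", g_info);
}

size_t sample_unbounded_length(void)   /* what strcat() would write: > ERRBUF_SIZE */
{
    static char scratch[4096];         /* large enough to make the measurement safe */
    make_sample();
    return build_error_unbounded(scratch, g_translated, g_info);
}

size_t sample_bounded_kept(void)       /* what fits in a real buffer: ERRBUF_SIZE-1 */
{
    static char errbuf[ERRBUF_SIZE];
    make_sample();
    build_error_bounded(errbuf, sizeof errbuf, g_translated, g_info);
    return strlen(errbuf);
}
```

With the sample inputs the unbounded build needs 1546 bytes, well past the 1000-byte buffer, while the bounded build stops at 999 and reports the full length so the truncation is visible.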