Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Fax - Cover Page Editor 5.2.3790.3959 Double-Free Memory Corruption

🗓️ 24 Jan 2011 00:00:00Reported by Luigi AuriemmaType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 24 Views

Microsoft Fax Cover Page Editor 5.2.3790.3959 Double-Free Memory Corruption in Windows. Allows code execution through modification of 16bit elements

Code
Source: http://aluigi.org/adv/fxscover_1-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Fax Cover Page Editor
              http://windows.microsoft.com/en-US/windows-vista/Create-or-edit-a-fax-cover-page
Versions:     <= 5.2.3790.3959
Platforms:    Windows
Bug:          double free
Exploitation: local
Date:         19 Jan 2011
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Fax Cover Page Editor is a program for the viewing and editing of
various formats of fax cover files.


#######################################################################

======
2) Bug
======


fxscover.exe is available on Windows after the installation of the Fax
Service.

The various "Text" elements have a 16bit field that seems used to index
them and by default it has a negative value like 0x8001.
By using a positive value major than 0 and lower than the total number
of elements is possible to cause a problem during the freeing of the
allocated object.

The provided proof-of-concept demonstrates the possibility of executing
code immediately after the acknoledgement of the initial message box
when is called FXSCOVER!CDrawDoc::Remove by
FXSCOVER!CDrawDoc::DeleteContents.

Modifications:
00005098   FE       CC  // code execution starts from here
000093F5   01       04  // 16bit in little endian
000093F6   80       00

Alternatively is also possible to exploit the bug when the program gets
closed or another file is opened by modifying the 16 bit at offset
0x94a5 instead of the one at 0x93f5, so that the file will be
considered valid.


#######################################################################

===========
3) The Code
===========

DoS:
http://aluigi.org/poc/fxscover_1.cov
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/16024-fxscover_1.cov

Bind Shell:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/fxscover_1_bind28876.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Jan 2011 00:00Current
7High risk
Vulners AI Score7
microsoft fax cover page editordouble-freememory corruptionwindowscode executionproof of conceptdenial of servicebind shell
24