Alexander Sotirov's reverse-engineered pseudocode of the MS08-067 vulnerable function - Vulnerability Warning - Black Bar Safety Net

2008-10-27T00:00:00
ID MYHACK58:62200820826
Type myhack58
Reporter Anonymous
Modified 2008-10-27T00:00:00

Description

Author: tombkeeper

This Biu vulnerability was assigned to Xiao Si. Xiao Si said: no hurry, someone will surely come for the fame, we can wait a bit. Sure enough, by lunchtime someone had put a PoC out.

Yesterday evening the "Father of China PT" asked whether I wanted to write MS08-067 code. I said: why rush to write this? We're in no hurry. "Father of China PT" said: everyone is staring at this vulnerability; whoever writes it will be immortalized. I said: the point is that with so many people wanting to be famous, we needn't hurry; wait two days and all kinds of code will surely come pouring in en masse, just like back in the MS03-026 days, and we can pick up a ready-made one.

Sure enough, this morning I found that Alexander Sotirov had posted the reverse-engineered code. This code has teaching value; I intend to add it to my case library.

Incidentally, Alexander Sotirov is coming to XCon next month to give the talk "Bypassing browser memory protections in Windows Vista".

From http://www.phreedom.org/blog/2008/decompiling-ms08-067/ : Decompiling the vulnerable function for MS08-067, Oct 24, 2008

I spent a couple of hours tonight reversing the vulnerable code responsible for the MS08-067 vulnerability. This bug is pretty interesting, because it is in the same area of code as the MS06-040 buffer overflow, but it was completely missed by all security researchers and Microsoft. It's quite embarrassing.

Here's the code of the vulnerable function on Windows XP SP3:

#include <wchar.h>

// This is the decompiled function sub_5B86A51B in netapi32.dll on XP SP3
// (extraction of this page had collapsed the code onto a few lines and
// dropped the escaped backslashes; the listing below is the same function
// laid out again, with every L'\\' restored and the pointer types put back)

int ms08_067(wchar_t* path)
{
    wchar_t* p;
    wchar_t* q;
    wchar_t* previous_slash = NULL;
    wchar_t* current_slash = NULL;
    wchar_t ch;

    // If the path starts with a server name, skip it

    if ((path[0] == L'\\' || path[0] == L'/') &&
        (path[1] == L'\\' || path[1] == L'/'))
    {
        p = path + 2;

        // advance to the slash that terminates the server name
        while (*p != L'\\' && *p != L'/') {
            if (*p == L'\0')
                return 0;
            p++;
        }

        p++;

        // make path point after the server name

        path = p;

        // make sure the server name is followed by a single slash

        if (path[0] == L'\\' || path[0] == L'/')
            return 0;
    }

    if (path[0] == L'\0')   // return if the path is empty
        return 1;

    // Iterate through the path and canonicalize ..\ and .\

    p = path;

    while (1) {
        if (*p == L'\\') {
            // we have a slash

            if (current_slash == p - 1)   // don't allow consecutive slashes
                return 0;

            // store the locations of the current and previous slashes

            previous_slash = current_slash;
            current_slash = p;
        }
        else if (*p == L'.' && (current_slash == p - 1 || p == path)) {
            // we have \. or ^.

            if (p[1] == L'.' && (p[2] == L'\\' || p[2] == L'\0')) {
                // we have a \..\, \..$, ^..\ or ^..$ sequence

                if (previous_slash == NULL)
                    return 0;

                // example: aaa\bbb\..\ccc
                //             ^   ^  ^
                //             |   |  &p[2]
                //             |   |
                //             |   current_slash
                //             |
                //             previous_slash

                ch = p[2];

                wcscpy(previous_slash, &p[2]);

                if (ch == L'\0')
                    return 1;

                current_slash = previous_slash;
                p = previous_slash;

                // find the slash before p

                // BUG: if previous_slash points to the beginning of the
                // string, we'll go beyond the start of the buffer
                //
                // example string: \a\..\

                q = p - 1;

                while (*q != L'\\' && q != path)
                    q--;

                // q stopped either on a slash or at the start of the string
                if (*q == L'\\')
                    previous_slash = q;
                else
                    previous_slash = NULL;
            }
            else if (p[1] == L'\\') {
                // we have \.\ or ^.\

                if (current_slash != NULL) {
                    wcscpy(current_slash, &p[1]);
                    goto end_of_loop;
                }
                else { // current_slash == NULL
                    wcscpy(p, p + 2);
                    goto end_of_loop;
                }
            }
            else if (p[1] != L'\0') {
                // we have \. or ^. followed by some other char

                if (current_slash != NULL) {
                    p = current_slash;
                }
                *p = L'\0';
                return 1;
            }
        }

        p++;

end_of_loop:
        if (*p == L'\0')
            return 1;
    }
}

// Run this program to simulate the MS08-067 vulnerability
// (the path lives in a writable array because the function rewrites it
// in place with wcscpy; a string literal would be read-only)

int main()
{
    wchar_t path[] = L"\\a\\..\\";
    return ms08_067(path);
}
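The defect the listing marks with "BUG" is a backward scan for the previous slash that starts at `p - 1` and dereferences `q` before comparing it with `path`, so a path whose only previous slash is the very first character (the `\a\..\` case) reads before the buffer. The following is an added example, not Sotirov's decompilation and not Microsoft's patch: a separate in-place canonicalizer for the same `.\` and `..\` rewriting, written with index arithmetic so that the bound is tested before every access. The function name `canonicalize_path`, the helper `canon_check` and the sample paths are constructed for this example. It keeps the decompiled function's contract (1 = accept and rewrite in place, 0 = reject) and its rules for consecutive slashes and for `..` with nothing to climb over; forward slashes and the leading `\\server\` prefix that the original strips are left out of scope, and it counts components rather than slash positions, so a relative path's first component can be climbed over where the original would reject.

```c
#include <wchar.h>

/* In-place canonicalizer for ".\" and "..\" components (added example).
 * Returns 1 and leaves the canonical path in the buffer, or 0 to reject.
 *   - a run of consecutive backslashes is rejected
 *   - a "." component is dropped
 *   - a ".." component removes the component before it and is rejected
 *     when there is no component to remove
 * Invariant: the write index never exceeds the read index, so copying
 * a component forward with wmemmove is always safe. */
int canonicalize_path(wchar_t *path)
{
    size_t rd = 0;      /* read index */
    size_t wr = 0;      /* write index; wr <= rd throughout */
    int depth = 0;      /* components currently present in the output */

    if (path[0] == L'\\')       /* keep a leading root slash as-is */
        rd = wr = 1;

    while (path[rd] != L'\0') {
        /* locate the end of the current component */
        size_t end = rd;
        while (path[end] != L'\0' && path[end] != L'\\')
            end++;
        size_t len = end - rd;
        int has_slash = (path[end] == L'\\');

        if (len == 0)
            return 0;                           /* "\\": consecutive slashes */

        if (len == 1 && path[rd] == L'.') {
            /* ".": contributes nothing */
        } else if (len == 2 && path[rd] == L'.' && path[rd + 1] == L'.') {
            if (depth == 0)
                return 0;                       /* nothing to climb over */
            /* Rewind the write cursor over the previous component.  This is
             * the scan the decompiled function does with `q--`; here the
             * bound (wr > 0) is checked before path[wr - 1] is read. */
            if (path[wr - 1] == L'\\')
                wr--;                           /* that component's own slash */
            while (wr > 0 && path[wr - 1] != L'\\')
                wr--;
            depth--;
        } else {
            /* ordinary component: copy it forward */
            wmemmove(path + wr, path + rd, len);
            wr += len;
            if (has_slash)
                path[wr++] = L'\\';
            depth++;
        }

        rd = has_slash ? end + 1 : end;
    }

    path[wr] = L'\0';
    return 1;
}

/* Test helper (constructed for this example): copy `in` into a writable
 * buffer, canonicalize it, and report whether the result equals `want`,
 * or, when `want` is NULL, whether the input was rejected. */
int canon_check(const wchar_t *in, const wchar_t *want)
{
    wchar_t buf[128];
    if (wcslen(in) >= sizeof buf / sizeof buf[0])
        return 0;
    wcscpy(buf, in);
    int rc = canonicalize_path(buf);
    if (want == NULL)
        return rc == 0;
    return rc == 1 && wcscmp(buf, want) == 0;
}

int main(void)
{
    /* The trigger string from the text, "\a\..\", now canonicalizes to "\"
     * instead of walking off the front of the buffer. */
    return canon_check(L"\\a\\..\\", L"\\") ? 0 : 1;
}
```

The point to carry away is the order of the two tests in the rewind loop: `wr > 0` is evaluated before `path[wr - 1]`, whereas the decompiled loop evaluates `*q` before `q != path`, and additionally starts one position before the slash it is examining. A unit test on the `\a\..\` input, which should canonicalize to `\`, catches exactly this class of off-by-one.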