[NT] Visual Studio Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Visual Studio Buffer Overflow
------------------------------------------------------------------------


SUMMARY

A buffer overflow vulnerability exists in Visual Studio's parsing of certain
project files.

DETAILS

Vulnerable Systems:
* Microsoft Visual Studio 6.0 (with latest Service Pack 6)
* Microsoft Development Environment 6.0 (SP6) (Microsoft Visual InterDev 6.0)

A buffer overflow vulnerability exists in the handling of the following file
formats of the affected products:

* Visual Studio Database Project File (.dbp)
* Visual Studio Solution (.sln)

The vulnerability is caused by a boundary error in the handling of a ".dbp"
file (.sln files are also affected) that contains an overly long string in
the "DataProject" field. It can be exploited to cause a stack-based buffer
overflow and allows arbitrary code execution when a malicious ".dbp" file is
opened.
A specially crafted project file overwrites a stack-based buffer, giving full
control of the EIP register, which results in code execution and compromises
the user's system.

Example:
# Microsoft Developer Studio Project File - Database Project
Begin DataProject = "ProjectName"
End

Carriage return and line feed characters (0x0d and 0x0a), and some others
(0x00, ...), cannot be used in the project name value.

An example .dbp file that overwrites the EIP register:

# Microsoft Developer Studio Project File - Database Project
Begin DataProject =
"Project1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXXXX
AAAA123456AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
End

The quoted project name must be exactly 384 bytes long (it is a single line;
the wrapping above is only from the mail client). With other lengths,
different registers are overwritten and the exploitation method changes, so a
384-byte length is the most convenient.

In this example, when the file is opened:

The XXXX characters (0x58585858) overwrite EIP.
The bytes 123456AAAA... (3132333435364141... in hex) are at ESP.

So an attacker could create a malicious .dbp project file carrying a payload
located at ESP, with EIP pointed at a jmp esp or call esp instruction in a
loaded module.
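Because the trigger is simply an overlong quoted value in a text file, a defender can check .dbp files before they are opened or distributed. The following scanner is an added example, not code from the advisory or from kozan: it parses the "Begin DataProject = "..."" field in the format shown above, measures the name's byte length, and flags files whose name exceeds a safe bound or reaches the 384-byte length the advisory reports. The MAX_NAME_LEN threshold of 255 is an assumption (the advisory gives no documented limit), and the function names and sample files are constructed for illustration.

```python
import re
from pathlib import Path

# Assumed safe bound for the DataProject name. The advisory documents no
# legitimate maximum, only that a 384-byte name overwrites EIP, so anything
# beyond this constructed threshold is treated as hostile.
MAX_NAME_LEN = 255
CRASH_LEN = 384  # name length the advisory reports as overwriting EIP

HEADER = "# Microsoft Developer Studio Project File - Database Project"
# The quoted value may start on the line after "=" (as in the advisory's
# sample), so the pattern tolerates whitespace and newlines around "=".
DATAPROJECT_RE = re.compile(r'Begin\s+DataProject\s*=\s*"([^"]*)"', re.DOTALL)


def inspect_dbp(data: bytes) -> dict:
    """Return a verdict dict for one .dbp file body.

    The bytes are decoded as latin-1 so that every byte maps to exactly one
    character; the measured name length therefore equals the on-disk size.
    """
    text = data.decode("latin-1")
    result = {
        "has_header": text.lstrip().startswith(HEADER),
        "name_len": None,
        "verdict": "ok",
        "reasons": [],
    }
    match = DATAPROJECT_RE.search(text)
    if match is None:
        result["verdict"] = "unparsed"
        result["reasons"].append("no DataProject field found")
        return result

    name = match.group(1)
    result["name_len"] = len(name)
    # The advisory states CR/LF cannot appear in the name, so a line break
    # inside the quotes means the file is malformed rather than merely long.
    if "\r" in name or "\n" in name:
        result["reasons"].append("line break inside quoted name (malformed)")
    if len(name) > MAX_NAME_LEN:
        result["reasons"].append(
            f"DataProject name is {len(name)} bytes (> {MAX_NAME_LEN})")
    if len(name) >= CRASH_LEN:
        result["reasons"].append(
            f"name reaches the {CRASH_LEN}-byte EIP-overwrite length")
    if result["reasons"]:
        result["verdict"] = "suspicious"
    return result


def scan_paths(paths) -> dict:
    """Inspect every path given and map it to its verdict dict."""
    return {str(p): inspect_dbp(Path(p).read_bytes()) for p in paths}


# Constructed samples (not the advisory's PoC file): a benign project and a
# file whose name is padded to the 384-byte length the advisory describes.
BENIGN = (HEADER + '\nBegin DataProject = "ProjectName"\nEnd\n').encode()
OVERLONG = (HEADER + '\nBegin DataProject = "' + "A" * CRASH_LEN + '"\nEnd\n').encode()

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(label, inspect_dbp(blob))
```

Run it over a directory with `scan_paths(Path("projects").glob("**/*.dbp"))`; a "suspicious" verdict with the reasons list is what a mail gateway or endpoint script would log before the file ever reaches an affected Visual Studio 6.0 install.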

Proof of Concept:
The local path length of the .dbp file changes the arrangement of the
malformed data, so an exploit has to re-align the data for the total path
length.
Copy the following file to c:\deneme\Project1.dbp

http://www.spyinstructors.com/kozan/poc/vuln.dbp


ADDITIONAL INFORMATION

The information has been provided by kozan <mailto:kozan@xxxxxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.spyinstructors.com/show.php?name=Advisories&pa=showpage&pid=73



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


