Microsoft OLE for Windows code execution

#######################################################################

Luigi Auriemma

Application: Microsoft OLE for Windows
http://www.microsoft.com
Versions: ole32.dll < 5.1.2600.6168
Platforms: Windows XP and 2003 before 13 Dec 2011
NOT vulnerable: any other OS from Windows Vista
Bug: code execution
Exploitation: remote and via file
Date: found 16 May 2011
      patched 13 Dec 2011
      adv/PoC 20 Mar 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

Additional references:
http://technet.microsoft.com/en-us/security/bulletin/ms11-093
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=966
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3400


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From the iDefense's advisory:
"Many Windows applications that support the structured storage file
format (Office applications for example) contain support for reading
the SummaryInformation stream inside of the OLE document. This stream
contains various properties that describe the document (the author for
example). In addition to Office, Windows Explorer also supports parsing
these streams when a file is clicked and viewed via the preview pane."


#######################################################################

======
2) Bug
======


First a couple of links about the OLE compound format:
http://poi.apache.org/hpsf/internals.html
http://msdn.microsoft.com/en-us/library/aa380072%28v=vs.85%29.aspx

Example of an HPSF header, taken from the provided Visio
proof-of-concept:

offset  bytes  description
1200    2      0xfffe
1202    2      0
1204    4      operating system
1208    16     clsid: 0
1218    4      1 (number of sections)

121c    16     clsid: F29F85E0-4FF9-1068-AB91-08002B27B3D9
122c    4      section offset, relative to the 0xfffe header
1230    4      section size
1234    4      number of properties (0xb)

1238    4      property id (for example 2 for title, 4 for author and so on)
123c    4      property offset (relative to 0x1230)
...
1288    4      property id 0x11 (PID_THUMBNAIL), whose value has type VT_CF
128c    4      property offset: the original was located at 1358, now at 13da

To exploit the vulnerability it's necessary to use the property type
VT_VERSIONED_STREAM (0x49), which is the cause of the type confusion
vulnerability leading to trivially exploitable code execution.
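As an added example (not part of the advisory or its PoC), the following Python walks a property set stream using the layout above and reports which property ids carry a value of type VT_VERSIONED_STREAM (0x49), so a file scanner can flag documents whose SummaryInformation stream contains that type before a vulnerable parser sees them. The stream builder produces constructed test input; the operating-system value and property payloads are assumptions.

```python
import struct
import uuid

VT_VERSIONED_STREAM = 0x49   # the property type named in the advisory

def build_property_set(props):
    """Build a minimal single-section property set stream (constructed test
    input, not a real document). props: list of (pid, vt, payload_bytes)."""
    values = [struct.pack("<I", vt) + payload for _, vt, payload in props]
    cur, offsets = 8 + 8 * len(props), []   # size + count + (pid, offset) pairs
    for v in values:
        offsets.append(cur)
        cur += len(v)
    section = struct.pack("<II", cur, len(props))      # section size, count
    for (pid, _, _), off in zip(props, offsets):
        section += struct.pack("<II", pid, off)        # offsets relative to section
    # header: 0xfffe byte order, version 0, OS (assumed value), CLSID 0, 1 section
    header = struct.pack("<HHI", 0xFFFE, 0, 0x00020006) + bytes(16) + struct.pack("<I", 1)
    fmtid = uuid.UUID("F29F85E0-4FF9-1068-AB91-08002B27B3D9").bytes_le
    header += fmtid + struct.pack("<I", 48)            # section starts after the 48-byte header
    return header + section + b"".join(values)

def parse_property_types(stream):
    """Return {pid: vt} for the first section, validating every offset so a
    truncated or crafted stream cannot index outside the buffer."""
    if len(stream) < 48 or struct.unpack_from("<H", stream, 0)[0] != 0xFFFE:
        raise ValueError("not a property set stream")
    if struct.unpack_from("<I", stream, 24)[0] < 1:
        return {}
    sec = struct.unpack_from("<I", stream, 44)[0]
    if sec + 8 > len(stream):
        raise ValueError("section offset out of range")
    size, count = struct.unpack_from("<II", stream, sec)
    end = min(sec + size, len(stream))
    types = {}
    for i in range(count):
        pos = sec + 8 + 8 * i
        if pos + 8 > end:
            raise ValueError("property table truncated")
        pid, off = struct.unpack_from("<II", stream, pos)
        if sec + off + 4 > end:
            raise ValueError("property offset out of range")
        types[pid] = struct.unpack_from("<I", stream, sec + off)[0]
    return types

def versioned_stream_pids(stream):
    """Property ids whose value type is VT_VERSIONED_STREAM: worth flagging."""
    return sorted(p for p, vt in parse_property_types(stream).items()
                  if vt == VT_VERSIONED_STREAM)
```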

From ole32!CoWaitForMultipleHandles:

7756edcc 8b4708      mov  eax,dword ptr [edi+8]
7756edcf 8b4010      mov  eax,dword ptr [eax+10h]
7756edd2 8b08        mov  ecx,dword ptr [eax]
7756edd4 50          push eax
7756edd5 ff5108      call dword ptr [ecx+8]      ; code execution

The vulnerability has been tested with PPT, XLS and VSD files with the
same effects:
- remote exploitation via Internet Explorer, for example if Office
Viewers are installed
- automatic exploitation of explorer.exe, if thumbnail previewing is
enabled for the folder (if I'm not in error, Windows XP has it
activated by default), as soon as the folder containing the modified
PPT file is opened
- if the preview mode is not enabled it's necessary to view the
properties of the file (right mouse button -> Properties)
- exploitation by opening the file itself may be possible only in
some cases (Visio Viewer confirmed)

The proof-of-concept should be able to execute calc.exe via Internet
Explorer and Visio Viewer; the bug is so trivial to exploit that, with
some additional work, it's even possible to avoid using a heap spray.


#######################################################################

===========
3) The Code
===========


Proof-of-concept for Visio Viewer exploitable remotely via Internet
Explorer:

http://aluigi.org/poc/ole32_1.zip


#######################################################################

======
4) Fix
======


http://technet.microsoft.com/en-us/security/bulletin/ms11-093


#######################################################################

Source: http://aluigi.org/adv/ole32_1-adv.txt
