##############################################################
Windows Live Messenger malformed file overflow remote exploitation.
(Windows ole32.dll MS07-024) (Windows GDI MS07-046)
Vendor URL: http://www.microsoft.com/ , http://get.live.com/messenger/overview
Advisory: http://lostmon.blogspot.com/2007/09/windows-live-messenger-jpg-overflow.html
Vendor notified: YES
Vendor confirmed: yes (DoS issue)
Exploitation included: YES
#############################################################

A buffer overflow exists in Windows MSN Live. The GDI engine fails to handle malformed data in image files, resulting in a buffer overflow. With a specially crafted jpg, wmf, gif, doc or ico file, an attacker can cause arbitrary code execution (RCE not confirmed) or a DoS, resulting in a loss of integrity.

############
History
############

After installing the patch for the vulnerability in Windows GDI (MS07-046), I made several probes with some malformed image files (jpg, gif, wmf, ico, doc) and I got the same result before installing this patch and after installing it :(

###############
Versions tested
###############

All of these versions with Windows MSN Live 8.1. I don't know if other versions of Windows are vulnerable too, but I think that all the systems listed in the Microsoft bulletin MS07-046 are vulnerable.

Win XP Media Center version 2002 Service Pack 2
Win XP Pro
Win XP Home

###############
Solution
###############

No solution was available at this time, but DON'T SHARE ANY FOLDER IN MSN UNTIL THERE IS A SOLUTION OR PATCH !!!!!!
The vendor plans to address this issue in the next service pack.

###############
Timeline
###############

Discovered: 20-08-2007
Vendor initial contact: 23-08-2007
Vendor response: 24-08-2007
Vendor patch: ---
Private disclosure: 17-09-2007
Public disclosure:

##############
Impact
##############

A remote user can cause a DoS in the application.
If the patch for Windows Metafiles (wmf) does not work correctly, a remote user can execute arbitrary code, but I'm not sure if the RCE can be done.

##########################
Explanation Step By Step
##########################

What do we need?
- Two machines with Windows MSN Live 8.1 and with
- two of the systems listed in the versions section.
- A malformed image like jpg, gif or wmf.

Machine 1 => MSN 8.1 & Windows XP Media Center 2002, all fully patched. [victim]
Machine 2 => MSN 8.1 & Windows XP Home, all fully patched. [evil_attack]

In Windows MSN 8.1 we have an option to share folders with other contacts. The first time you share a folder with a contact, MSN asks for permission to share; if you accept, the folder is shared automatically every time. To look at the folder location you can go to My Computer / MSN folders / [VICTIM]@hotmail.com, and the physical path is:

C:\Documents and Settings\[YOUR_USER]\Configuración local\Datos de programa\Microsoft\Messenger\[ATTACKER]@hotmail.com\Sharing Folders\[VICTIM]@hotmail.com

1 - Log in to MSN on the two machines.
2 - Machine 2 opens a conversation window with machine 1.
3 - Machine 2 clicks on the icon to share a folder.
4 - Machine 1 accepts the share.
5 - On machine 1, put in the shared folder a new folder and inside it a malformed jpg file; but not through MSN: go to the physical path and put it there, because if you drag & drop the image into the shared folder inside MSN, the application crashes.
6 - Close the shared folder on all machines. Now you have on machine 1, in the physical path of the shared folder, a folder with a malformed image.
7 - On machine 2 click on the icon to share, and when MSN on machine 1 tries to open and send the list of files inside it, the MSN on machine 1 crashes, and if you don't terminate the process Windows crashes too with a Blue Screen of Death :S

Now you can crash the MSN on the victim's machine every time you click on the icon to share. The victim needs to delete this folder to stop this situation.
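A defensive check a user or administrator could run over the Sharing Folders path, added here as an example and not part of the original advisory. It compares each file's leading bytes with its extension and walks the JPEG marker segments strictly, so that a file whose declared segment length runs past the end of the file, that has no EOI marker, or that carries an image extension over other content can be set aside before Messenger or any other GDI-based viewer tries to render it. The folder layout, the sample files and the allow-list of extensions are constructed assumptions; the script does not know the particular malformation the advisory exercised, it only rejects files that are not structurally consistent.

```python
"""Validate files dropped into a Messenger Sharing Folders directory.

Added example, not the advisory's code. Files whose leading bytes do not match
their extension, or whose JPEG marker structure is inconsistent, are reported
so they can be moved out of the folder before a GDI-based viewer touches them.
All paths and sample bytes below are constructed for the demo.
"""
import os
import struct
import tempfile

# Allowed leading bytes per extension (GIF87a/GIF89a; placeable or standard WMF).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".ico": (b"\x00\x00\x01\x00",),
    ".wmf": (b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00"),
}


def check_jpeg(data):
    """Strict walk of JPEG marker segments: (True, "ok") or (False, reason)."""
    n = len(data)
    if not data.startswith(b"\xff\xd8"):
        return False, "missing SOI marker"
    pos = 2
    while True:
        if pos >= n or data[pos] != 0xFF:
            return False, "expected a marker at offset %d" % pos
        while pos < n and data[pos] == 0xFF:      # 0xFF fill bytes are legal
            pos += 1
        if pos >= n:
            return False, "file ends inside a marker"
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                         # EOI: clean end of image
            return True, "ok"
        if marker == 0xD8:
            return False, "second SOI at offset %d" % (pos - 2)
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                               # TEM / RSTn carry no length
        if pos + 2 > n:
            return False, "truncated length field for marker 0x%02x" % marker
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            return False, "segment 0x%02x declares impossible length %d" % (marker, length)
        if pos + length > n:
            return False, "segment 0x%02x declares %d bytes but only %d remain" % (
                marker, length, n - pos)
        pos += length
        if marker == 0xDA:                         # SOS: skip entropy-coded data
            while pos < n:
                if data[pos] == 0xFF and pos + 1 < n:
                    nxt = data[pos + 1]
                    if nxt != 0x00 and nxt != 0xFF and not 0xD0 <= nxt <= 0xD7:
                        break
                pos += 1


def check_file(path):
    """(ok, reason) for one file: extension allow-list, magic bytes, JPEG walk."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext not in MAGIC:
        return False, "extension %r is not on the allow list" % ext
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "leading bytes do not match extension %s" % ext
    if ext in (".jpg", ".jpeg"):
        return check_jpeg(data)
    return True, "ok"


def scan_folder(root):
    """Walk a Sharing Folders tree; return {relative path: (ok, reason)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = check_file(full)
    return results


# Constructed samples: a minimal valid JPEG (SOI, APP0/JFIF, EOI) and broken variants.
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
OVERRUN_JPEG = b"\xff\xd8\xff\xe0\xff\xffJFIF"    # APP0 claims 65535 bytes
TRUNCATED_JPEG = GOOD_JPEG[:-2]                  # EOI marker cut off


def demo():
    """Build a throwaway 'share folder' with the samples and scan it."""
    root = tempfile.mkdtemp(prefix="sharing_folders_")
    samples = {
        "holiday.jpg": GOOD_JPEG,
        "evil/photo.jpg": OVERRUN_JPEG,
        "evil/cut.jpg": TRUNCATED_JPEG,
        "evil/fake.jpg": b"GIF89a" + b"\x00" * 16,   # GIF bytes behind a .jpg name
        "notes.txt": b"hello",
    }
    for rel, blob in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(blob)
    return scan_folder(root)


if __name__ == "__main__":
    for rel, (ok, reason) in sorted(demo().items()):
        print("%-16s %s %s" % (rel, "OK     " if ok else "SUSPECT", reason))
```

Point `scan_folder` at the real Sharing Folders path from the advisory and move anything reported as SUSPECT out of the tree before the next synchronization; the check is deliberately conservative, so a file that fails it is worth inspecting rather than deleting blindly.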
OK, thinking more: we need to put an image on the victim's machine. Can we put it there with no interaction from the victim? ...yes, the victim only needs to make one click. :)

If we have a shared folder with the victim, and victim and attacker are online... the victim can put in his local shared folder a new folder with the malformed image, and in the attacker's conversation window a new message appears that says "The victim has added files to the shared folder, would you like to synchronize or update?" ...or something similar... If the attacker clicks on yes... the MSN on the attacker's machine crashes, and now the victim can crash the attacker's MSN every time. The attacker needs to delete the folder with the evil jpg.

I have an easier way to exploit and/or manipulate the malformed file:

1 - Share a folder with a contact in MSN.
2 - Close the shared folder in MSN.
3 - Open a cmd and go to the physical path of the shared folder.
4 - Generate the malformed file with Perl, Python or similar.

If the file is generated and you have a conversation window open with the victim, your MSN says "all files are uploaded" when your MSN finishes the synchronization with the victim's MSN, and the victim's MSN says "the user bla bla bla has updated the shared folder" or something similar. Now the exploit is on your machine and on the victim's machine. If you click on the share folder icon while you have the exploit on your machine, your MSN crashes when you click; but if, after synchronization, you delete the malformed file from your local folder, then when you click on the share folder icon and MSN tries to synchronize the shared folder on the victim's machine with your shared folder, the MSN on the victim's machine crashes.

I think that some of these issues with malformed files... come from the extended file attributes.
If anyone would like to dig deeper into it, here are two related interesting articles:

First part: http://lostmon.blogspot.com/2007/06/buffer-overflow-in-extended-file.html
Second part: http://lostmon.blogspot.com/2007/08/windows-extended-file-attributes-buffer.html

and the related Microsoft bulletins:

Vulnerability in ole32.dll: http://www.microsoft.com/technet/security/bulletin/ms07-024.mspx
Vulnerability in gdi32.dll: http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx

##########################
End
#####################

Thnx to extrella for being my light.
Thnx to Dave from security center for his patience.
Thnx to FalconDeOro (patience is a virtue, little Jedi)
Thnx to all the Lostmon Group Team.
Thnx to N0xTrUm from N0xTrUm Tecnologies http://n0xtrum.blogspot.com/
Thnx to ANELKAOS from http://www.elhacker.net/ for his support.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....