Source: http://aluigi.org/adv/msreader_4-adv.txt ####################################################################### Luigi Auriemma Application: Microsoft Reader http://www.microsoft.com/reader Versions: <= 2.1.1.3143 (PC version) <= 2.6.1.7169 (Origami version) the non-PC versions have not been tested Platforms: Windows, Windows Mobile, Tablet PC and UMPC devices Bug: array overflow Date: 11 Apr 2011 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Microsoft Reader is a software needed to read and catalog the ebooks in LIT format and the Audible audio books bought via internet, indeed the homepage acts also as online store for these protected contents. ####################################################################### ====== 2) Bug ====== Array overflow in the AOLL chunk caused by the usage of more sections than those available: 0107F59B |. 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14] ; our number 0107F59E |. 8BF1 MOV ESI,ECX 0107F5A0 |. 8BF8 MOV EDI,EAX 0107F5A2 |. 8B8E A4000000 MOV ECX,DWORD PTR DS:[ESI+A4] 0107F5A8 |. C1E7 02 SHL EDI,2 0107F5AB |. 833C39 00 CMP DWORD PTR DS:[ECX+EDI],0 ; check the array, must be != 0 0107F5AF 75 0C JNZ SHORT msreader.0107F5BD 0107F5B1 |. 50 PUSH EAX 0107F5B2 |. 8BCE MOV ECX,ESI 0107F5B4 |. E8 36F5FFFF CALL msreader.0107EAEF ; alternative memory corruption 0107F5B9 |. 85C0 TEST EAX,EAX 0107F5BB |. 7C 34 JL SHORT msreader.0107F5F1 0107F5BD |> 8B86 A4000000 MOV EAX,DWORD PTR DS:[ESI+A4] 0107F5C3 |. 8B3C38 MOV EDI,DWORD PTR DS:[EAX+EDI] 0107F5C6 |. 8D43 20 LEA EAX,DWORD PTR DS:[EBX+20] 0107F5C9 |. 57 PUSH EDI 0107F5CA |. 50 PUSH EAX 0107F5CB |. E8 EAC9FEFF CALL msreader.0106BFBA ... 0106BFBA /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8] 0106BFBE |. FF70 04 PUSH DWORD PTR DS:[EAX+4] ; must point to our data 0106BFC1 |. FF7424 08 PUSH DWORD PTR SS:[ESP+8] 0106BFC5 |. E8 36E8FFFF CALL msreader.0106A800 ... 0106A800 /$ 56 PUSH ESI 0106A801 |. 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C] 0106A805 |> 85F6 /TEST ESI,ESI 0106A807 |. 74 21 |JE SHORT msreader.0106A82A ; must be a valid memory address 0106A809 |. FF76 20 |PUSH DWORD PTR DS:[ESI+20] 0106A80C |. FF7424 0C |PUSH DWORD PTR SS:[ESP+C] 0106A810 |. E8 75180100 |CALL msreader.0107C08A 0106A815 |. 59 |POP ECX 0106A816 |. 85C0 |TEST EAX,EAX 0106A818 |. 59 |POP ECX 0106A819 |. 74 05 |JE SHORT msreader.0106A820 ; EAX must be 0 0106A81B |. 8B76 10 |MOV ESI,DWORD PTR DS:[ESI+10] 0106A81E |.^EB E5 \JMP SHORT msreader.0106A805 0106A820 |> 8B06 MOV EAX,DWORD PTR DS:[ESI] 0106A822 |. 56 PUSH ESI 0106A823 |. FF50 04 CALL DWORD PTR DS:[EAX+4] ; code execution Modified bytes in the proof-of-concept: 00000744 03 0A ; dynamic 64bit number, any value >= 4 (for this PoC) exploits the bug ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/msreader_4.zip http://www.exploit-db.com/sploits/17163.zip ####################################################################### ====== 4) Fix ====== No fix. #######################################################################