Source: http://aluigi.org/adv/msreader_3-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              <= 2.6.1.7169 (Origami version)
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          integer overflow
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Microsoft Reader is the software needed to read and catalog ebooks in
LIT format and Audible audio books bought via the internet; indeed, its
homepage also acts as an online store for these protected contents.

#######################################################################

======
2) Bug
======

Heap overflow caused by a controlled memmove:

  0107100D  /$  55              PUSH EBP
  0107100E  |.  8BEC            MOV EBP,ESP
  01071010  |.  83EC 38         SUB ESP,38
  01071013  |.  8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
  01071016  |.  53              PUSH EBX
  01071017  |.  8B5D 14         MOV EBX,DWORD PTR SS:[EBP+14]
  0107101A  |.  56              PUSH ESI
  0107101B  |.  8B40 20         MOV EAX,DWORD PTR DS:[EAX+20]
  0107101E  |.  57              PUSH EDI
  0107101F  |.  3B58 2C         CMP EBX,DWORD PTR DS:[EAX+2C]
  01071022  |.  72 07           JB SHORT msreader.0107102B
  01071024  |.  33C0            XOR EAX,EAX
  01071026  |.  E9 38020000     JMP msreader.01071263
  0107102B  |>  8BF3            MOV ESI,EBX
  0107102D  |.  8B40 20         MOV EAX,DWORD PTR DS:[EAX+20]        ; 0x00002000
  01071030  |.  C1E6 05         SHL ESI,5
  01071033  |.  0375 10         ADD ESI,DWORD PTR SS:[EBP+10]
  01071036  |.  83E8 10         SUB EAX,10                           ; 0x00001ff0
  01071039  |.  8945 F0         MOV DWORD PTR SS:[EBP-10],EAX
  0107103C  |.  8B7E 08         MOV EDI,DWORD PTR DS:[ESI+8]
  0107103F  |.  8B4E 14         MOV ECX,DWORD PTR DS:[ESI+14]
  01071042  |.  894D F4         MOV DWORD PTR SS:[EBP-C],ECX
  01071045  |.  8B57 04         MOV EDX,DWORD PTR DS:[EDI+4]
  01071048  |.  8955 EC         MOV DWORD PTR SS:[EBP-14],EDX
  0107104B  |.  8D5439 10       LEA EDX,DWORD PTR DS:[ECX+EDI+10]
  0107104F  |.  8955 FC         MOV DWORD PTR SS:[EBP-4],EDX
  01071052  |.  33D2            XOR EDX,EDX
  01071054  |.  3BDA            CMP EBX,EDX
  01071056  |.  8B5D 0C         MOV EBX,DWORD PTR SS:[EBP+C]
  01071059  |.  8955 F8         MOV DWORD PTR SS:[EBP-8],EDX
  0107105C  |.  75 2D           JNZ SHORT msreader.0107108B
  0107105E  |.  8B4D 08         MOV ECX,DWORD PTR SS:[EBP+8]
  01071061  |.  8345 FC 20      ADD DWORD PTR SS:[EBP-4],20
  01071065  |.  83E8 20         SUB EAX,20                           ; 0x00001fd0
  01071068  |.  3951 38         CMP DWORD PTR DS:[ECX+38],EDX
  0107106B  |.  8945 F0         MOV DWORD PTR SS:[EBP-10],EAX
  0107106E  |.  74 2E           JE SHORT msreader.0107109E
  01071070  |.  FF73 0C         PUSH DWORD PTR DS:[EBX+C]
  01071073  |.  8D45 E4         LEA EAX,DWORD PTR SS:[EBP-1C]
  01071076  |.  50              PUSH EAX
  01071077  |.  E8 E7450100     CALL msreader.01085663
  0107107C  |.  59              POP ECX
  0107107D  |.  59              POP ECX
  0107107E  |.  8D4D E4         LEA ECX,DWORD PTR SS:[EBP-1C]
  01071081  |.  2BC1            SUB EAX,ECX
  01071083  |.  8945 F8         MOV DWORD PTR SS:[EBP-8],EAX
  01071086  |.  8B45 F0         MOV EAX,DWORD PTR SS:[EBP-10]
  01071089  |.  EB 13           JMP SHORT msreader.0107109E
  0107108B  |>  3955 18         CMP DWORD PTR SS:[EBP+18],EDX
  0107108E  |.  74 0E           JE SHORT msreader.0107109E
  01071090  |.  8B56 1C         MOV EDX,DWORD PTR DS:[ESI+1C]
  01071093  |.  0356 18         ADD EDX,DWORD PTR DS:[ESI+18]
  01071096  |.  03CA            ADD ECX,EDX
  01071098  |.  0155 FC         ADD DWORD PTR SS:[EBP-4],EDX
  0107109B  |.  894D F4         MOV DWORD PTR SS:[EBP-C],ECX
  0107109E  |>  8B4B 0C         MOV ECX,DWORD PTR DS:[EBX+C]
  010710A1  |.  034B 08         ADD ECX,DWORD PTR DS:[EBX+8]
  010710A4  |.  034D F8         ADD ECX,DWORD PTR SS:[EBP-8]
  010710A7  |.  3B4D EC         CMP ECX,DWORD PTR SS:[EBP-14]
  010710AA  |.  894D 0C         MOV DWORD PTR SS:[EBP+C],ECX
  010710AD  |.  0F87 61010000   JA msreader.01071214
  010710B3  |.  2B45 EC         SUB EAX,DWORD PTR SS:[EBP-14]        ; subtract AOLL size
  010710B6  |.  2B45 F4         SUB EAX,DWORD PTR SS:[EBP-C]         ; subtract the size at the end of the chunk
  010710B9 >|.  74 24           JE SHORT msreader.010710DF
  010710BB  |.  50              PUSH EAX
  010710BC  |.  8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
  010710BF  |.  03C8            ADD ECX,EAX
  010710C1  |.  50              PUSH EAX
  010710C2  |.  51              PUSH ECX
  010710C3  |.  E8 103C0200     CALL <JMP.&MSVCRT.memmove>           ; memmove

So by controlling the 32-bit value after the AOLL tag and/or the 16-bit
one at the end of the chunk (offset 0x23ba in the provided PoC) it is
possible to trigger the integer overflow and make memmove copy an
arbitrary amount of data.

In the proof-of-concept I have set the amount of bytes to move to
0xffffffff for a quick and easy demonstration.

Modified bytes in the proof-of-concept:

  000003DC  2B 6A    ; little endian 32bit value
  000003DD  17 18

From offset 0xb6e to 0x23b0 I have replaced the original data with a
sequence of 'A's.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/msreader_3.zip
http://www.exploit-db.com/sploits/17162.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
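As an added illustration that is not part of the advisory or its PoC, the C below reconstructs the length arithmetic of section 2 (the 0x2000 chunk, the fixed 0x10 and 0x20 deductions, then the two file-controlled sizes) and places a checked variant beside it. The function names and the checked variant are my own; how the real function derives the trailing size is simplified to a single value.

```c
#include <stdbool.h>
#include <stdint.h>

/* Chunk size read from [EAX+20] in the listing. */
#define CHUNK_SIZE 0x2000u

/* Mirrors the listing: EAX = 0x2000 - 0x10 (- 0x20 for the first chunk,
 * EBX == 0), then SUB the 32-bit size after the AOLL tag and the size
 * found at the end of the chunk. Everything is 32-bit unsigned, so the
 * result wraps exactly like EAX does before it is pushed to memmove().
 * The only check the listing performs beforehand (CMP at 010710A7) is
 * that the destination offset does not exceed the AOLL size; the AOLL
 * size itself is never compared against the chunk. */
uint32_t vulnerable_move_len(bool first_chunk, uint32_t aoll_size,
                             uint32_t end_size)
{
    uint32_t avail = CHUNK_SIZE - 0x10;
    if (first_chunk)
        avail -= 0x20;
    avail -= aoll_size;   /* no check that aoll_size <= avail */
    avail -= end_size;    /* underflow here yields a huge length   */
    return avail;
}

/* Checked variant (my addition, not a vendor fix): compare each
 * file-controlled size against the space that remains before doing the
 * subtraction, and refuse the chunk instead of returning a wrapped
 * length. Returns false when the sizes do not fit in the chunk. */
bool checked_move_len(bool first_chunk, uint32_t aoll_size,
                      uint32_t end_size, uint32_t *out)
{
    uint32_t avail = CHUNK_SIZE - 0x10 - (first_chunk ? 0x20u : 0u);
    if (aoll_size > avail)
        return false;
    avail -= aoll_size;
    if (end_size > avail)
        return false;
    *out = avail - end_size;
    return true;
}
```

With a first-chunk AOLL size of 0x1fd1 the vulnerable path returns 0xffffffff, the value the advisory reports using in its PoC, while the checked path rejects the chunk.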