Buffer overflow in extended file atributes in Explorer.exe

Monday, June 04, 2007
#######################################################
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
Buffer overflow in extended file atributes.
Vendor url: http://www.microsoft.com/
Advisore:http://lostmon.blogspot.com/2007/06/
buffer-overflow-in-extended-file.html
Vendor notify:yes Vendor confirmed:yes Exploit include:NO
#######################################################

################
SUMARY:
################

1- History (how and why)
2-explanation of buffer overflow
3-versions tested
4-solution
5-timeline
6-response from vendor
7-Test
8-related vulns and documentations



####################
1-History:
####################


If we look this m$ advisory the information in section :

http://www.microsoft.com/technet/security/advisory/933052.mspx

--
Mitigating Factors for Microsoft Word Remote Code Execution Vulnerability:

The vulnerability cannot be exploited automatically through e-mail.
For an attack to be successful, a user must open an attachment that
is sent in an e-mail message.
--

this is not all true :)

If the user download the file and put in a folder , wen open the
folder explorer crash...

If you open any program, what use windows API and ole32.dll for
open files,and you go to file/open and go to the folder with the
malformed doc file, explorer call ole32.dll and the program is
crashed and loosing all information not save.

Examples of this case :

notepad++ => http://notepad-plus.sourceforge.net/es/site.htm
(vendor notify on 27-05-2007 via Email (no response)

Multiple Macromedia family programs => http://www.macromedia.com
(Adobe vendor informed on 27-05-2007 via webform and Confirmed.
http://www.adobe.com/misc/securityform.html)

multiple others programs are afected.

Affter a simple study on the malformed word document exploit /vulns
i have a little observation and i think that this vuln could be done
in some other programs,not only in a word appz.

Affter monitoring explorer and some dlls i think what this is only
the first point of the iceberg.The overflow is done wen explorer
call the kernel module KERNEL32, wen make some system calls to
manage the information of any file whith ntdll.dll

In the function GetFileAttributesExW and GetFileAttributesW
(KERNEL32) and in the undocumented functions NtQueryInformationFile,
NtQueryDirectoryFile and NtSetInformationFile functions on ntdll.dll

Those functions obtain the extended file atributes if the information
is to long in subfunctions FileAllInformation() in FileNameInformation()
and other (look in file_information_class) we obtain a buffer overflow,
some others subfunctions can get the same error.

Windows show the extended file attributes in multiple parts of the system,
wen look a foƱder, wen put the mouse over a file or a folder.

Other applications use the same files for do the same :)

#######################
2-Explanation
#######################

Extended file attributes is a file system feature that enables users to
associate computer files with metadata not interpreted by the filesystem,
whereas regular attributes have a purpose strictly defined by the filesystem
(such as permissions or records of creation and modification times). Unlike
forks, which can usually be as large as the maximum file size, extended
attributes are usually limited in size to a value significantly smaller than
the maximum file size. Typical uses can be storing the author of a document,
the character encoding of a plain-text document,or a checksum.




A local buffer overflow exists in the windows explorer .
The extended file atributes functions have a small size of the buffer in 'FileAllInformation(),FileNameInformation' and other subfunctions in
Undocumented functions of NTDLL , resulting in a buffer overflow. With
a unknow impact.



This is the size of buffer in this related functions
and the main function involved

FileAllInformation
// 18 FILE_ALL_INFORMATION 0x68 NtQueryInformationFile

FileNameInformation
// 9 FILE_NAME_INFORMATION 0x08 NtQueryInformationFile

other functions can be vulnerables too
look this table:

http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/File/FILE_INFORMATION_CLASS.html


wen we put the hand over a file explorer.exe call the extended
file attributes and show this information in a 'bubble' or wen
open a folder explorer look for obtain directory listing, name
files and other information about the files.

how to locate the overflow ?

1-create a new txt file for example explorer.txt
2-rigth click on the file and try propierties
3-in all of the boxes (author ,tittle ,subject,and in special
in comment text area) write multiples A for example or moore:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


4-use filemon http://www.microsoft.com/technet/
sysinternals/FileAndDisk/Filemon.mspx

and include process explorer.exe

5-click on the txt propierties and click on accept or on aply .

6-go to filemon and look the log for explorer.exe you have some
similar to this :


21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Docf_ SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Options:
Create Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Position:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_CLOSE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileAllInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_CREATE C:\Documents and
Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Options:
OverwriteIf Access: All
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA BUFFER
OVERFLOW FileFsAttributeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
0
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:
88
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
88
21:24:00.031 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Length:
88
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_VOLUME_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA SUCCESS FileFsVolumeInformation
21:24:00.031 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\: SummaryInformation:$DATA BUFFER
OVERFLOW FileAllInformation
21:24:00.046 explorer.exe:1700 IRP_MJ_SET_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS Position:
30996
21:24:00.046 explorer.exe:1700 IRP_MJ_QUERY_INFORMATION C:\Documents
and Settings\Lostmon\Escritorio\explorer_overflow.txt\:Updt_ SummaryInformation:$DATA SUCCESS FilePositionInformation

the overflow is done :)

affter you can put the hand over the file and explorer show the extended file atributes
and some times filemon mark again the overflow


###################
3-versions tested
###################

i only test with :

Microsof windows XP Home edition all fixes 17/05/2007
Explorer.exe 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

###################
4-Solution
###################

Wait for a update or patch

####################
5-Timeline:
####################

Discovered:12-03-2007
Vendor notify:19-03-2007
Vendor response:22-03-2007
Private disclosure:17-05-2007
Public disclosure:04-06-2007

######################
6-Response from vendor
######################

Thank you for checking up on this case, We have concluded
our investigations on this matter and have found this crash
to be un-exploitable. This vulnerability is very similar to
another milworm posting (http://www.milw0rm.com/exploits/3419.
As we have not been able to find an exploitable angle for
this issue this crash will get tracking into the next available
Service Pack fix.

#####################
7- Test
#####################

1 download this exploit:
http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar
put uncompress it in c:\test or edit in EFA_test.vbs the correct
path were you put the malformed doc file.

2 copy EFA_test.vbs and edit the correct path to file.

3 execute EFA_test.vbs

the file look for the exteded file attributes
of the malformed doc file and wen try to read
the attribute "author" windows Scripting host
Is crashing.

Other overflows could be done in all boxes of
the file propperties.
The applications is crashing because we for look
the malformed doc file use a vbs script.
if any other aplication try to look the malformed
doc file crash too.

this is a simple test using a existing exploit for
microsoft ole32dll.dll , but the overflow is moore deep
is in ntdll.dll because ntdll.dll is the library what use
NtQueryInformationFile for obtain the extended file attributes.

is for that that this overflow it is posible to be
done in all file type with a malformed extended file attributes.



########################################
8-related vulns and documentations
########################################

########################
EFA_test.vbs
########################

Dim arrHeaders(35)
Set objShell = CreateObject("Shell.Application")
Set objFolder = objShell.Namespace("C:\test")
For i = 0 to 34
arrHeaders(i) = objFolder.GetDetailsOf(objFolder.Items, i)
Next
For Each strFileName in objFolder.Items
For i = 0 to 34
Wscript.Echo i & vbtab & arrHeaders(i) _
& ": " & objFolder.GetDetailsOf(strFileName, i)
Next
Next



###################
RELATED VULNS :
###################

http://secunia.com/advisories/10020/

http://secunia.com/advisories/10194/

http://osvdb.org/displayvuln.php?osvdb_id=31885

http://osvdb.org/displayvuln.php?osvdb_id=31886

http://osvdb.org/displayvuln.php?osvdb_id=31887

###################
Related Exploit
###################

http://www.milw0rm.com/sploits/03062007-Explorer_Crasher.tar

#################
Related Microsoft
security bulletin
#################

http://www.microsoft.com/technet/security/advisory/933052.mspx

##################
RElated functions
##################

extended file attributes
http://en.wikipedia.org/wiki/Extended_file_attributes

GetExtFileProperties()
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=160880&page=1

File information class:
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/
NT%20Objects/File/FILE_INFORMATION_CLASS.html

posible source code of ntdll
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.c
http://www.cybertech.net/~sh0ksh0k/projects/old/win32toolkit/ntdll.h
http://source.winehq.org/source/dlls/ntdll/file.c
the links of ntdll.c and ntdll.h aparently are dead you can try
to search it in google´s cache, sorry for the inconvenience

###############################€nd#########################

thnx To estrella to be my ligth
Thnx To FalconDeOro Hi is investigate and documented with me this issue.
Thnx to Icaro and Badchecksum Team for interesting in research.
Thnx To Jkouns and Jericho for his patience.
Thnx to All osvdb Maglers they are involved in a very nice project.
Thnx to Secunia Research Team They make a Very Good Co-Work with the researchers
They put in my hands all what i need in this and others researchs.
Thnx to All Lostmon´s Group Team
Thnx to Microsoft for the responses.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...