Microsoft Reader <= 2.1.1.3143 Array Overflow

2011-04-12 18:15:20

Source: http://aluigi.org/adv/msreader_4-adv.txt

#######################################################################

Luigi Auriemma

Application: Microsoft Reader
http://www.microsoft.com/reader
Versions: <= 2.1.1.3143 (PC version)
<= 2.6.1.7169 (Origami version)
the non-PC versions have not been tested
Platforms: Windows, Windows Mobile, Tablet PC and UMPC devices
Bug: array overflow
Date: 11 Apr 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Microsoft Reader is a software needed to read and catalog the ebooks in
LIT format and the Audible audio books bought via internet, indeed the
homepage acts also as online store for these protected contents.


#######################################################################

======
2) Bug
======


Array overflow in the AOLL chunk caused by the usage of more sections
than those available:

0107F59B |. 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14] ; our number
0107F59E |. 8BF1 MOV ESI,ECX
0107F5A0 |. 8BF8 MOV EDI,EAX
0107F5A2 |. 8B8E A4000000 MOV ECX,DWORD PTR DS:[ESI+A4]
0107F5A8 |. C1E7 02 SHL EDI,2
0107F5AB |. 833C39 00 CMP DWORD PTR DS:[ECX+EDI],0 ; check the array, must be != 0
0107F5AF 75 0C JNZ SHORT msreader.0107F5BD
0107F5B1 |. 50 PUSH EAX
0107F5B2 |. 8BCE MOV ECX,ESI
0107F5B4 |. E8 36F5FFFF CALL msreader.0107EAEF ; alternative memory corruption
0107F5B9 |. 85C0 TEST EAX,EAX
0107F5BB |. 7C 34 JL SHORT msreader.0107F5F1
0107F5BD |> 8B86 A4000000 MOV EAX,DWORD PTR DS:[ESI+A4]
0107F5C3 |. 8B3C38 MOV EDI,DWORD PTR DS:[EAX+EDI]
0107F5C6 |. 8D43 20 LEA EAX,DWORD PTR DS:[EBX+20]
0107F5C9 |. 57 PUSH EDI
0107F5CA |. 50 PUSH EAX
0107F5CB |. E8 EAC9FEFF CALL msreader.0106BFBA
...
0106BFBA /$ 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
0106BFBE |. FF70 04 PUSH DWORD PTR DS:[EAX+4] ; must point to our data
0106BFC1 |. FF7424 08 PUSH DWORD PTR SS:[ESP+8]
0106BFC5 |. E8 36E8FFFF CALL msreader.0106A800
...
0106A800 /$ 56 PUSH ESI
0106A801 |. 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
0106A805 |> 85F6 /TEST ESI,ESI
0106A807 |. 74 21 |JE SHORT msreader.0106A82A ; must be a valid memory address
0106A809 |. FF76 20 |PUSH DWORD PTR DS:[ESI+20]
0106A80C |. FF7424 0C |PUSH DWORD PTR SS:[ESP+C]
0106A810 |. E8 75180100 |CALL msreader.0107C08A
0106A815 |. 59 |POP ECX
0106A816 |. 85C0 |TEST EAX,EAX
0106A818 |. 59 |POP ECX
0106A819 |. 74 05 |JE SHORT msreader.0106A820 ; EAX must be 0
0106A81B |. 8B76 10 |MOV ESI,DWORD PTR DS:[ESI+10]
0106A81E |.^EB E5 \JMP SHORT msreader.0106A805
0106A820 |> 8B06 MOV EAX,DWORD PTR DS:[ESI]
0106A822 |. 56 PUSH ESI
0106A823 |. FF50 04 CALL DWORD PTR DS:[EAX+4] ; code execution

Modified bytes in the proof-of-concept:
00000744 03 0A ; dynamic 64bit number, any value >= 4 (for this PoC) exploits the bug


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/msreader_4.zip
http://www.exploit-db.com/sploits/17163.zip

#######################################################################

======
4) Fix
======


No fix.


#######################################################################

Fixes

No fixes

In order to submit a new fix you need to be registered.