ExploitFixes
Microsoft Reader <= 2.1.1.3143 Integer Overflow 2011-04-12 18:15:20

Source: http://aluigi.org/adv/msreader_3-adv.txt

#######################################################################

Luigi Auriemma

Application: Microsoft Reader
http://www.microsoft.com/reader
Versions: <= 2.1.1.3143 (PC version)
<= 2.6.1.7169 (Origami version)
the non-PC versions have not been tested
Platforms: Windows, Windows Mobile, Tablet PC and UMPC devices
Bug: integer overflow
Date: 11 Apr 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Microsoft Reader is a software needed to read and catalog the ebooks in
LIT format and the Audible audio books bought via internet, indeed the
homepage acts also as online store for these protected contents.


#######################################################################

======
2) Bug
======


Heap overflow caused by controlled memmove:

0107100D /$ 55 PUSH EBP
0107100E |. 8BEC MOV EBP,ESP
01071010 |. 83EC 38 SUB ESP,38
01071013 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
01071016 |. 53 PUSH EBX
01071017 |. 8B5D 14 MOV EBX,DWORD PTR SS:[EBP+14]
0107101A |. 56 PUSH ESI
0107101B |. 8B40 20 MOV EAX,DWORD PTR DS:[EAX+20]
0107101E |. 57 PUSH EDI
0107101F |. 3B58 2C CMP EBX,DWORD PTR DS:[EAX+2C]
01071022 |. 72 07 JB SHORT msreader.0107102B
01071024 |. 33C0 XOR EAX,EAX
01071026 |. E9 38020000 JMP msreader.01071263
0107102B |> 8BF3 MOV ESI,EBX
0107102D |. 8B40 20 MOV EAX,DWORD PTR DS:[EAX+20] ; 0x00002000
01071030 |. C1E6 05 SHL ESI,5
01071033 |. 0375 10 ADD ESI,DWORD PTR SS:[EBP+10]
01071036 |. 83E8 10 SUB EAX,10 ; 0x00001ff0
01071039 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0107103C |. 8B7E 08 MOV EDI,DWORD PTR DS:[ESI+8]
0107103F |. 8B4E 14 MOV ECX,DWORD PTR DS:[ESI+14]
01071042 |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
01071045 |. 8B57 04 MOV EDX,DWORD PTR DS:[EDI+4]
01071048 |. 8955 EC MOV DWORD PTR SS:[EBP-14],EDX
0107104B |. 8D5439 10 LEA EDX,DWORD PTR DS:[ECX+EDI+10]
0107104F |. 8955 FC MOV DWORD PTR SS:[EBP-4],EDX
01071052 |. 33D2 XOR EDX,EDX
01071054 |. 3BDA CMP EBX,EDX
01071056 |. 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
01071059 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0107105C |. 75 2D JNZ SHORT msreader.0107108B
0107105E |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
01071061 |. 8345 FC 20 ADD DWORD PTR SS:[EBP-4],20
01071065 |. 83E8 20 SUB EAX,20 ; 0x00001fd0
01071068 |. 3951 38 CMP DWORD PTR DS:[ECX+38],EDX
0107106B |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0107106E |. 74 2E JE SHORT msreader.0107109E
01071070 |. FF73 0C PUSH DWORD PTR DS:[EBX+C]
01071073 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
01071076 |. 50 PUSH EAX
01071077 |. E8 E7450100 CALL msreader.01085663
0107107C |. 59 POP ECX
0107107D |. 59 POP ECX
0107107E |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
01071081 |. 2BC1 SUB EAX,ECX
01071083 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
01071086 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
01071089 |. EB 13 JMP SHORT msreader.0107109E
0107108B |> 3955 18 CMP DWORD PTR SS:[EBP+18],EDX
0107108E |. 74 0E JE SHORT msreader.0107109E
01071090 |. 8B56 1C MOV EDX,DWORD PTR DS:[ESI+1C]
01071093 |. 0356 18 ADD EDX,DWORD PTR DS:[ESI+18]
01071096 |. 03CA ADD ECX,EDX
01071098 |. 0155 FC ADD DWORD PTR SS:[EBP-4],EDX
0107109B |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
0107109E |> 8B4B 0C MOV ECX,DWORD PTR DS:[EBX+C]
010710A1 |. 034B 08 ADD ECX,DWORD PTR DS:[EBX+8]
010710A4 |. 034D F8 ADD ECX,DWORD PTR SS:[EBP-8]
010710A7 |. 3B4D EC CMP ECX,DWORD PTR SS:[EBP-14]
010710AA |. 894D 0C MOV DWORD PTR SS:[EBP+C],ECX
010710AD |. 0F87 61010000 JA msreader.01071214
010710B3 |. 2B45 EC SUB EAX,DWORD PTR SS:[EBP-14] ; substract AOLL size
010710B6 |. 2B45 F4 SUB EAX,DWORD PTR SS:[EBP-C] ; substract the size at the end of the chunk
010710B9 >|. 74 24 JE SHORT msreader.010710DF
010710BB |. 50 PUSH EAX
010710BC |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
010710BF |. 03C8 ADD ECX,EAX
010710C1 |. 50 PUSH EAX
010710C2 |. 51 PUSH ECX
010710C3 |. E8 103C0200 CALL <JMP.&MSVCRT.memmove> ; memmove

So through the controlling of the 32bit value after the AOLL tag and/or
the 16bit one at the end of the chunk (offset 0x23ba of the provided
PoC) is possible to exploit the integer overflow for performing the
memmove of an arbitrary amount of data.

In the proof-of-concept I have set the amount of bytes to move to
0xffffffff for a quick and easy demonstration.

Modified bytes in the proof-of-concept:
000003DC 2B 6A ; little endian 32bit value
000003DD 17 18
from offset 0xb6e till 0x23b0 I have replaced the original data with a
sequence of 'A's.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/msreader_3.zip
http://www.exploit-db.com/sploits/17162.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################