ExploitFixes
Microsoft Reader <= 2.1.1.3143 Integer Overflow 2011-04-12 18:15:20

Source: http://aluigi.org/adv/msreader_1-adv.txt

#######################################################################

Luigi Auriemma

Application: Microsoft Reader
http://www.microsoft.com/reader
Versions: &lt;= 2.1.1.3143 (PC version)
the Origami 2.6.1.7169 version doesn't seem vulnerable
the non-PC versions have not been tested
Platforms: Windows, Windows Mobile, Tablet PC and UMPC devices
Bug: integer overflow
Date: 11 Apr 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Microsoft Reader is a software needed to read and catalog the ebooks in
LIT format and the Audible audio books bought via internet, indeed the
homepage acts also as online store for these protected contents.


#######################################################################

======
2) Bug
======


The software is affected by an integer overflow just during the
handling of the number of pieces of the initial ITLS header at offset
0x10:

0108306E |&gt; 8B7B 68 MOV EDI,DWORD PTR DS:[EBX+68]
01083071 &gt;|. 8BF7 MOV ESI,EDI
01083073 |. C1E6 04 SHL ESI,4
01083076 |. 837D 08 00 CMP DWORD PTR SS:[EBP+8],0
0108307A |. 7C 78 JL SHORT MSReader.010830F4
0108307C |. 8BC7 MOV EAX,EDI
0108307E |. C1E0 04 SHL EAX,4
01083081 |. 50 PUSH EAX
01083082 |. E8 A1870000 CALL MSReader.0108B828 ; LocalAlloc
01083087 |. 85C0 TEST EAX,EAX
01083089 |. 59 POP ECX
0108308A |. 74 06 JE SHORT MSReader.01083092
0108308C |. 4F DEC EDI
0108308D |. 897D 08 MOV DWORD PTR SS:[EBP+8],EDI
01083090 |. EB 02 JMP SHORT MSReader.01083094
01083092 |&gt; 33C0 XOR EAX,EAX
01083094 |&gt; 8943 44 MOV DWORD PTR DS:[EBX+44],EAX
01083097 |. 8B43 68 MOV EAX,DWORD PTR DS:[EBX+68]
0108309A |. C1E0 02 SHL EAX,2
0108309D |. 50 PUSH EAX
0108309E |. E8 85870000 CALL MSReader.0108B828 ; LocalAlloc
010830A3 |. 837B 44 00 CMP DWORD PTR DS:[EBX+44],0
010830A7 |. 59 POP ECX
010830A8 |. 8943 48 MOV DWORD PTR DS:[EBX+48],EAX
010830AB |. 74 40 JE SHORT MSReader.010830ED
010830AD |. 85C0 TEST EAX,EAX
010830AF |. 74 3C JE SHORT MSReader.010830ED
010830B1 |. 8B4B 68 MOV ECX,DWORD PTR DS:[EBX+68]
010830B4 |. C1E1 02 SHL ECX,2
010830B7 |. 51 PUSH ECX
010830B8 |. 6A 00 PUSH 0
010830BA |. 50 PUSH EAX
010830BB |. E8 0D6DFEFF CALL MSReader.01069DCD ; memset
010830C0 |. 6A 28 PUSH 28
010830C2 |. 8B43 3C MOV EAX,DWORD PTR DS:[EBX+3C]
010830C5 |. 59 POP ECX
010830C6 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
010830C9 |. 8B38 MOV EDI,DWORD PTR DS:[EAX]
010830CB |. 52 PUSH EDX
010830CC |. 56 PUSH ESI
010830CD |. 33D2 XOR EDX,EDX
010830CF |. FF73 44 PUSH DWORD PTR DS:[EBX+44]
010830D2 |. 52 PUSH EDX
010830D3 |. 51 PUSH ECX
010830D4 |. 50 PUSH EAX
010830D5 |. FF57 0C CALL DWORD PTR DS:[EDI+C] ; ReadFile
...
01082CD8 &gt;|. 8B5E 68 MOV EBX,DWORD PTR DS:[ESI+68]
01082CDB |&gt; 8BC3 /MOV EAX,EBX
01082CDD |. 4B |DEC EBX
01082CDE |. 85C0 |TEST EAX,EAX
01082CE0 |. 74 1C |JE SHORT MSReader.01082CFE
01082CE2 |. 8B46 48 |MOV EAX,DWORD PTR DS:[ESI+48]
01082CE5 |. 8B3C98 |MOV EDI,DWORD PTR DS:[EAX+EBX*4]
01082CE8 |. 3BFD |CMP EDI,EBP
01082CEA |.^74 EF |JE SHORT MSReader.01082CDB
01082CEC |&gt; 8B07 |/MOV EAX,DWORD PTR DS:[EDI]
01082CEE |. 57 ||PUSH EDI
01082CEF |. FF50 08 ||CALL DWORD PTR DS:[EAX+8] ; exploitation
...
010832D0 |&gt; 8B4E 48 MOV ECX,DWORD PTR DS:[ESI+48]
010832D3 |. 8BD8 MOV EBX,EAX
010832D5 |. C1E3 02 SHL EBX,2
010832D8 |. 8B3C19 MOV EDI,DWORD PTR DS:[ECX+EBX]
010832DB |. 85FF TEST EDI,EDI
010832DD |. 74 0F JE SHORT MSReader.010832EE
010832DF |. 8B07 MOV EAX,DWORD PTR DS:[EDI]
010832E1 |. 57 PUSH EDI
010832E2 |. FF50 04 CALL DWORD PTR DS:[EAX+4] ; exploitation

For exploiting the vulnerability there are some things to consider.
Exists a minimal heap spray that can be performed on the memory because
the pieces (the number involved in the integer overflow) or the
secondary data block with the size specified at offset 0x14 get loaded
correctly.
So it's necessary to tune the exploit for having a chance of EAX (or
another register, because there is also another location for the
exploitation) pointing to our code.

I have provided two examples written from scratch that show the usage
of the first (number of pieces) and second field (0200000098000000...)
for loading data.
This simple technique can be used as help also for exploiting the other
vulnerabilities reported in this software.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/msreader_1.zip
http://www.exploit-db.com/sploits/17160.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################