*The MS07-012 patch that came out on Black Tuesday in Feb 2007 is not a
complete solution to the problem.*
Title: MFC42u.dll Off-by-Two Overflow
Date: 15 March 2007
Affected: Windows 2000, XP, 2003 (those that were affected by the MS07-012
patch)
Reported by: Greg Sinclair (gssincla...nnlsoftware.com)
Overview:
The original MS07-012 patch was released to fix an issue in the MFC library
MFC42u.dll. The issue was the result of MS not taking into account that a
TCHAR string is actually twice as big as its CHAR counterpart. To fix this,
the patch readjusted the nMaxCount variable to half of its original value in
the GetMenuStringW(...) call. Unfortunately, GetMenuStringW will null
terminate a long string at the end, adding two additional bytes (one wide
null character) to the string. This gives a returned string of
(nMaxCount*2) + 2 bytes in size.
Details:
The original flaw was located in AfxOleSetEditMenu(). GetMenuString was
called with nMaxCount set to 0x200 for a buffer that was 0x200 bytes in
size. However, the buffer was TCHAR, not char, which led to a buffer
overflow. According to Microsoft, the fixed source code now looks like:
TCHAR szBuffer[256];
pMenu->GetMenuString(iMenuItem, szBuffer,
                     sizeof(szBuffer) / sizeof(szBuffer[0]), MF_BYPOSITION);
If you look at the disassembly of this, you will see
lea  eax, [ebp+szBuffer]
push 0x100    ; sizeof(szBuffer) / sizeof(szBuffer[0]) == 0x100
This _should_ have provided an exact fit for the returned string, since
nMaxCount is equal to the number of TCHARs in szBuffer.
If you look at the MSDN description of GetMenuStringW (which is the function
actually called thanks to macros, and I suspect the root of the original
problem), you see that it clearly gives the following warning:
"The nMaxCount parameter should be one larger than the number of characters
in the label to accommodate the null character that terminates a string."
The reason for this is that a string copy is called within GetMenuStringW
which will terminate a long string at nMaxCount. Since this function is
dealing with wide strings, this means an additional two 00 bytes will be put
into the buffer. Since the only local variable in AfxOleSetEditMenu() is
szBuffer, the stack frame looks like:
szBuffer db 0x200
saved_ebp dd
saved_eip dd
This means that the last two bytes (LSW) of the original EBP will be
overwritten with NULL bytes. The caller of AfxOleSetEditMenu(...) will be
left with a corrupted EBP once AfxOleSetEditMenu tears down its stack frame.
Exploiting this is by no means trivial. Nevertheless, having the ability to
influence another register, especially the one that holds a stack frame
pointer, makes exploitation possible.
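To make the arithmetic in the Overview and the frame layout above concrete,
here is an added example of my own; it is not code from the advisory or from
Microsoft, and it does not reproduce the real user32 implementation. It
models GetMenuStringW with the semantics the advisory attributes to it (copy
up to nMaxCount characters, then always write a wide null), lays out a
scaled-down version of the szBuffer / saved_ebp / saved_eip frame as one
16-bit array, and compares the patched call (nMaxCount equal to the element
count of the buffer) with a call that reserves one element for the
terminator. The model function, the 8-element buffer and the sample EBP/EIP
values are assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a Windows WCHAR (16 bits), so that "one wide null" is exactly
   two bytes on any host, unlike the host's wchar_t. */
typedef uint16_t wchar16;

/* Model of the GetMenuStringW behaviour the advisory describes (an assumption
   for this example, not the real user32 code): copy up to max_count
   characters of the label into dst, then always append a 16-bit null.
   Returns the number of bytes written to dst. */
static size_t model_get_menu_string_w(wchar16 *dst, size_t max_count,
                                      const wchar16 *label, size_t label_len)
{
    size_t n = label_len < max_count ? label_len : max_count;
    memcpy(dst, label, n * sizeof(wchar16));
    dst[n] = 0;                      /* the terminator: two extra bytes */
    return (n + 1) * sizeof(wchar16);
}

/* The advisory's arithmetic for a label longer than nMaxCount:
   (nMaxCount * 2) + 2 bytes land in the buffer. */
static size_t bytes_for_long_label(size_t max_count)
{
    return max_count * 2 + 2;
}

/* nMaxCount that leaves room for the terminator in a buffer of buf_chars
   elements (the MSDN "one larger" rule read from the buffer's side). */
static size_t safe_max_count(size_t buf_chars)
{
    return buf_chars > 0 ? buf_chars - 1 : 0;
}

/* Scaled-down copy of the advisory's frame: szBuffer, then saved_ebp, then
   saved_eip. Everything is one wchar16 array, so the overrun stays inside the
   object and is observable without undefined behaviour. The 32-bit registers
   are stored as two 16-bit halves, low half first, as on little-endian x86. */
#define BUF_CHARS 8u                 /* 256 in MFC42u.dll; 8 here */
#define EBP_LO (BUF_CHARS)
#define EIP_LO (BUF_CHARS + 2)

/* Perform the modelled call with the given nMaxCount against an over-long
   label and return the value the saved EBP slot holds afterwards. */
static uint32_t saved_ebp_after_call(size_t max_count)
{
    wchar16 frame[BUF_CHARS + 4];
    const uint32_t ebp = 0x0012FF88u;   /* constructed sample value */
    const uint32_t eip = 0x7C81776Fu;   /* constructed sample value */
    wchar16 label[BUF_CHARS + 4];       /* constructed label, longer than szBuffer */

    memset(frame, 0, sizeof frame);
    frame[EBP_LO]     = (wchar16)(ebp & 0xFFFFu);
    frame[EBP_LO + 1] = (wchar16)(ebp >> 16);
    frame[EIP_LO]     = (wchar16)(eip & 0xFFFFu);
    frame[EIP_LO + 1] = (wchar16)(eip >> 16);
    for (size_t i = 0; i < BUF_CHARS + 4; i++)
        label[i] = (wchar16)'M';

    /* szBuffer sits at the start of the frame, exactly BUF_CHARS wide */
    model_get_menu_string_w(frame, max_count, label, BUF_CHARS + 4);

    return (uint32_t)frame[EBP_LO] | ((uint32_t)frame[EBP_LO + 1] << 16);
}

int main(void)
{
    printf("bytes for a long label with nMaxCount=0x100: 0x%zx\n",
           bytes_for_long_label(0x100));
    printf("saved EBP after patched call (nMaxCount == buffer count): 0x%08x\n",
           saved_ebp_after_call(BUF_CHARS));
    printf("saved EBP with nMaxCount == buffer count - 1:             0x%08x\n",
           saved_ebp_after_call(safe_max_count(BUF_CHARS)));
    return 0;
}
```

Under this model the patched call zeroes the low word of the saved EBP
(0x0012FF88 becomes 0x00120000), while passing one less than the buffer's
element count, or equivalently declaring szBuffer one element larger, leaves
it intact. The check a maintainer would add is the one safe_max_count()
encodes: whatever count goes into nMaxCount, the destination must hold
nMaxCount + 1 wide characters.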
Workarounds:
* None.
Vendor Contact:
17 March 2007 - Attempted to report this to Microsoft four different times.
After I was told "I've documented your case. If enough people call about
this issue, we will see about fixing the patch" I decided to just release
this information. MS really should make it easier to report bugs!
greg.