BugTraq
RE: security enforcement - new monitor for winnt
Mar 31 2004 06:18AM
Liu Die Yu (liudieyuinchina yahoo com cn)
exploitable buffer overflow when an attacker can supply arbitrary data to CreateFileW.
thanks for pointing it out.
i'll fix it and make winblox open-source later tonight (many other guys suggested I do this
too).
you can surely find more when you have the source code. please publish all of them - we must fix them all
asap, before operational use.
best wishes,
die
--- Oliver Lavery <olavery (at) pivx (dot) com [email concealed]> wrote:
>
> Liu Die Yu, are you sure you don't want to be calling _snprintf
> here? ;) And since CreateFileW can be called with a 32,767 byte file name,
> I'm not sure what'll happen when you stuff it into a 200 byte buffer when
> it's converted to multi-byte... Call me crazy, but I'd be a little hesitant
> to run this in a production environment (even though it's at version 6.0)
>
> Microsoft doesn't have a monopoly on buggy code with B0fs in it. ;)
>
> This is a good idea though, hooking is neat. I'm not so sure I'd say
> it's unprecedented. Using AppInit_DLLs to load a hook DLL is a pretty common
> trick. Still, a nice hack.
>
> .text:10001AEB ; int __stdcall My_CreateFileW(LPCWSTR lpWideCharStr,int,int,int,int,int,int)
> .text:10001AEB public My_CreateFileW
> .text:10001AEB My_CreateFileW proc near ; DATA XREF: DllMain(x,x,x)+47o
> .text:10001AEB ; DllMain(x,x,x)+75o
> .text:10001AEB
> .text:10001AEB var_CD0 = byte ptr -0CD0h
> .text:10001AEB var_8D0 = dword ptr -8D0h
> .text:10001AEB var_8CC = dword ptr -8CCh
> .text:10001AEB MultiByteStr = byte ptr -8C8h
> .text:10001AEB Text = byte ptr -800h
> .text:10001AEB lpWideCharStr = dword ptr 8
> .text:10001AEB arg_4 = dword ptr 0Ch
> .text:10001AEB arg_8 = dword ptr 10h
> .text:10001AEB arg_C = dword ptr 14h
> .text:10001AEB arg_10 = dword ptr 18h
> .text:10001AEB arg_14 = dword ptr 1Ch
> .text:10001AEB arg_18 = dword ptr 20h
> .text:10001AEB
> .text:10001AEB push ebp
> .text:10001AEC mov ebp, esp
> .text:10001AEE sub esp, 0CD0h
> .text:10001AF4 mov [ebp+var_8D0], 0
> .text:10001AFE call sub_100012EF ; _reg
> .text:10001B03 test eax, eax
> .text:10001B05 jnz loc_10001C42
> .text:10001B0B lea eax, [ebp+var_CD0]
> .text:10001B11 push eax
> .text:10001B12 mov ecx, [ebp+arg_4]
> .text:10001B15 push ecx
> .text:10001B16 call sub_10001383
> .text:10001B1B push 0 ; lpUsedDefaultChar
> .text:10001B1D push 0 ; lpDefaultChar
> .text:10001B1F push 0C8h ; cchMultiByte
> .text:10001B24 lea edx, [ebp+MultiByteStr]
> .text:10001B2A push edx ; lpMultiByteStr
> .text:10001B2B push 0FFFFFFFFh ; cchWideChar
> .text:10001B2D mov eax, [ebp+lpWideCharStr]
> .text:10001B30 push eax ; lpWideCharStr
> .text:10001B31 push 0 ; dwFlags
> .text:10001B33 push 0 ; CodePage
> .text:10001B35 call ds:WideCharToMultiByte
> .text:10001B3B mov [ebp+Text], 0
> .text:10001B42 lea ecx, [ebp+MultiByteStr]
> .text:10001B48 push ecx
> .text:10001B49 lea edx, [ebp+var_CD0]
> .text:10001B4F push edx
> .text:10001B50 call ds:GetCommandLineA
> .text:10001B56 push eax
> .text:10001B57 call sub_100010C9
> .text:10001B5C push eax
> .text:10001B5D push offset aCreatefileSSSS ; "CreateFile:%s > %s ==> %s --> %s"
> .text:10001B62 lea eax, [ebp+Text]
> .text:10001B68 push eax
> .text:10001B69 call _sprintf
> .text:10001B6E add esp, 18h
> .text:10001B71 mov [ebp+var_8D0], 0
> .text:10001B7B jmp short loc_10001B8C
>
> Cheers,
> ~x
>
>
> > -----Original Message-----
> > From: Liu Die Yu [mailto:liudieyuinchina (at) yahoo.com (dot) cn [email concealed]]
> > Sent: March 29, 2004 11:35 PM
> > To: bugtraq (at) securityfocus (dot) com [email concealed]
> > Subject: security enforcement - new monitor for winnt
> >
> > i want to stop ie:
> >
> > writing EXE/CAB/LNK ... files,
> >
> > calling MSHTA.EXE to parse remote web pages,
> >
> > accessing files outside "favorites" and cache ("content.ie5").
> >
> > i want to stop WSCRIPT.EXE from parsing files inside TEMP and cache.
> >
> > i want to stop the system from running executable files located in
> > TEMP and cache.
> >
> > afaik, i can stop ie 0day exploits by doing these things.
> >
> > so, i made this:
> >
> > http://umbrella.name/winblox/
> >
> > of course, free. and you can define your own rules easily (assuming you guys
> > know a bit about regular expressions).
> >
> > it's a totally new idea (afaik). so, not for operational use.
> >
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html
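Oliver's listing shows the two defects in one routine: the WideCharToMultiByte result is never checked (a name longer than the 0C8h-byte MultiByteStr buffer leaves it unterminated), and sprintf then formats that plus GetCommandLineA output into the fixed Text buffer. The following is an added example of the hardened form of that log-line builder, not winblox code: it builds off Windows, so a small stand-in replaces WideCharToMultiByte, the mapping of the four %s fields to values is assumed, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define NAME_BUF 200   /* 0C8h: size of MultiByteStr in the listing */
#define TEXT_BUF 2048  /* 800h: size of Text, the sprintf target */

/* Portable stand-in for WideCharToMultiByte(CP_ACP,0,src,-1,dst,cb,0,0):
   returns bytes written including the NUL, or 0 when dst is too small, in
   which case dst is left partially filled and UNTERMINATED (as the real API
   does on ERROR_INSUFFICIENT_BUFFER); the listing never checks this. */
static int narrow(const wchar_t *src, char *dst, int cb) {
    int need = (int)wcslen(src) + 1, i;
    for (i = 0; i < need && i < cb; i++) dst[i] = (char)src[i];
    return need <= cb ? need : 0;
}

/* Hardened builder: checks the conversion, bounds the format with snprintf
   (_snprintf on MSVC may omit the NUL, hence the explicit terminator).
   Which value fills which %s is assumed. Returns 1 if the whole line fit. */
int build_log_safe(const wchar_t *wname, const char *mode, const char *cmd,
                   const char *verdict, char text[TEXT_BUF]) {
    char name[NAME_BUF];
    if (narrow(wname, name, NAME_BUF) == 0)
        strcpy(name, "<name too long>");   /* never pass an unterminated buffer on */
    int n = snprintf(text, TEXT_BUF, "CreateFile:%s > %s ==> %s --> %s",
                     verdict, cmd, mode, name);
    text[TEXT_BUF - 1] = 0;
    return n >= 0 && n < TEXT_BUF;
}

/* Constructed inputs: a short name fits and formats exactly. */
int demo_short_fits(void) {
    char text[TEXT_BUF];
    return build_log_safe(L"C:\\temp\\x.exe", "GENERIC_WRITE", "iexplore.exe",
                          "DENY", text) &&
           strcmp(text, "CreateFile:DENY > iexplore.exe ==> GENERIC_WRITE "
                        "--> C:\\temp\\x.exe") == 0;
}

/* A 300-char name and a 4000-byte command line, both longer than the
   buffers above, are reported as truncated; text stays inside TEXT_BUF. */
int demo_long_truncates(void) {
    wchar_t wname[301]; char cmd[4001], text[TEXT_BUF]; int i;
    for (i = 0; i < 300; i++) wname[i] = L'A';
    wname[300] = 0;
    memset(cmd, 'B', 4000); cmd[4000] = 0;
    return !build_log_safe(wname, "GENERIC_READ", cmd, "ALLOW", text) &&
           strlen(text) == (size_t)(TEXT_BUF - 1);
}
```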