Microsoft Reader <= 2.1.1.3143 Integer Overflow



EDB-ID: 17162 CVE: N/A OSVDB-ID: 72686
Author: Luigi Auriemma Published: 2011-04-12 Verified: Not Verified
Exploit Code:   Download Vulnerable App:   N/A

Rating

(0.0)
Prev Home Next
Source: http://aluigi.org/adv/msreader_3-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              <= 2.6.1.7169 (Origami version)
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          integer overflow
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Microsoft Reader is a software needed to read and catalog the ebooks in
LIT format and the Audible audio books bought via internet, indeed the
homepage acts also as online store for these protected contents.


#######################################################################

======
2) Bug
======


Heap overflow caused by controlled memmove:

  0107100D  /$ 55             PUSH EBP
  0107100E  |. 8BEC           MOV EBP,ESP
  01071010  |. 83EC 38        SUB ESP,38
  01071013  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
  01071016  |. 53             PUSH EBX
  01071017  |. 8B5D 14        MOV EBX,DWORD PTR SS:[EBP+14]
  0107101A  |. 56             PUSH ESI
  0107101B  |. 8B40 20        MOV EAX,DWORD PTR DS:[EAX+20]
  0107101E  |. 57             PUSH EDI
  0107101F  |. 3B58 2C        CMP EBX,DWORD PTR DS:[EAX+2C]
  01071022  |. 72 07          JB SHORT msreader.0107102B
  01071024  |. 33C0           XOR EAX,EAX
  01071026  |. E9 38020000    JMP msreader.01071263
  0107102B  |> 8BF3           MOV ESI,EBX
  0107102D  |. 8B40 20        MOV EAX,DWORD PTR DS:[EAX+20]     ; 0x00002000
  01071030  |. C1E6 05        SHL ESI,5
  01071033  |. 0375 10        ADD ESI,DWORD PTR SS:[EBP+10]
  01071036  |. 83E8 10        SUB EAX,10                        ; 0x00001ff0
  01071039  |. 8945 F0        MOV DWORD PTR SS:[EBP-10],EAX
  0107103C  |. 8B7E 08        MOV EDI,DWORD PTR DS:[ESI+8]
  0107103F  |. 8B4E 14        MOV ECX,DWORD PTR DS:[ESI+14]
  01071042  |. 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
  01071045  |. 8B57 04        MOV EDX,DWORD PTR DS:[EDI+4]
  01071048  |. 8955 EC        MOV DWORD PTR SS:[EBP-14],EDX
  0107104B  |. 8D5439 10      LEA EDX,DWORD PTR DS:[ECX+EDI+10]
  0107104F  |. 8955 FC        MOV DWORD PTR SS:[EBP-4],EDX
  01071052  |. 33D2           XOR EDX,EDX
  01071054  |. 3BDA           CMP EBX,EDX
  01071056  |. 8B5D 0C        MOV EBX,DWORD PTR SS:[EBP+C]
  01071059  |. 8955 F8        MOV DWORD PTR SS:[EBP-8],EDX
  0107105C  |. 75 2D          JNZ SHORT msreader.0107108B
  0107105E  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
  01071061  |. 8345 FC 20     ADD DWORD PTR SS:[EBP-4],20
  01071065  |. 83E8 20        SUB EAX,20                        ; 0x00001fd0
  01071068  |. 3951 38        CMP DWORD PTR DS:[ECX+38],EDX
  0107106B  |. 8945 F0        MOV DWORD PTR SS:[EBP-10],EAX
  0107106E  |. 74 2E          JE SHORT msreader.0107109E
  01071070  |. FF73 0C        PUSH DWORD PTR DS:[EBX+C]
  01071073  |. 8D45 E4        LEA EAX,DWORD PTR SS:[EBP-1C]
  01071076  |. 50             PUSH EAX
  01071077  |. E8 E7450100    CALL msreader.01085663
  0107107C  |. 59             POP ECX
  0107107D  |. 59             POP ECX
  0107107E  |. 8D4D E4        LEA ECX,DWORD PTR SS:[EBP-1C]
  01071081  |. 2BC1           SUB EAX,ECX
  01071083  |. 8945 F8        MOV DWORD PTR SS:[EBP-8],EAX
  01071086  |. 8B45 F0        MOV EAX,DWORD PTR SS:[EBP-10]
  01071089  |. EB 13          JMP SHORT msreader.0107109E
  0107108B  |> 3955 18        CMP DWORD PTR SS:[EBP+18],EDX
  0107108E  |. 74 0E          JE SHORT msreader.0107109E
  01071090  |. 8B56 1C        MOV EDX,DWORD PTR DS:[ESI+1C]
  01071093  |. 0356 18        ADD EDX,DWORD PTR DS:[ESI+18]
  01071096  |. 03CA           ADD ECX,EDX
  01071098  |. 0155 FC        ADD DWORD PTR SS:[EBP-4],EDX
  0107109B  |. 894D F4        MOV DWORD PTR SS:[EBP-C],ECX
  0107109E  |> 8B4B 0C        MOV ECX,DWORD PTR DS:[EBX+C]
  010710A1  |. 034B 08        ADD ECX,DWORD PTR DS:[EBX+8]
  010710A4  |. 034D F8        ADD ECX,DWORD PTR SS:[EBP-8]
  010710A7  |. 3B4D EC        CMP ECX,DWORD PTR SS:[EBP-14]
  010710AA  |. 894D 0C        MOV DWORD PTR SS:[EBP+C],ECX
  010710AD  |. 0F87 61010000  JA msreader.01071214
  010710B3  |. 2B45 EC        SUB EAX,DWORD PTR SS:[EBP-14]     ; substract AOLL size
  010710B6  |. 2B45 F4        SUB EAX,DWORD PTR SS:[EBP-C]      ; substract the size at the end of the chunk
  010710B9 >|. 74 24          JE SHORT msreader.010710DF
  010710BB  |. 50             PUSH EAX
  010710BC  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
  010710BF  |. 03C8           ADD ECX,EAX
  010710C1  |. 50             PUSH EAX
  010710C2  |. 51             PUSH ECX
  010710C3  |. E8 103C0200    CALL <JMP.&MSVCRT.memmove>        ; memmove

So through the controlling of the 32bit value after the AOLL tag and/or
the 16bit one at the end of the chunk (offset 0x23ba of the provided
PoC) is possible to exploit the integer overflow for performing the
memmove of an arbitrary amount of data.

In the proof-of-concept I have set the amount of bytes to move to
0xffffffff for a quick and easy demonstration.

Modified bytes in the proof-of-concept:
000003DC   2B       6A  ; little endian 32bit value
000003DD   17       18
from offset 0xb6e till 0x23b0 I have replaced the original data with a
sequence of 'A's.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/msreader_3.zip
http://www.exploit-db.com/sploits/17162.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################