Microsoft Fax - Cover Page Editor 5.2.3790.3959 Double-Free Memory Corruption

EDB-ID:

16024

CVE:

N/A




Platform:

Windows

Date:

2011-01-24


Source: http://aluigi.org/adv/fxscover_1-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Fax Cover Page Editor
              http://windows.microsoft.com/en-US/windows-vista/Create-or-edit-a-fax-cover-page
Versions:     <= 5.2.3790.3959
Platforms:    Windows
Bug:          double free
Exploitation: local
Date:         19 Jan 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Fax Cover Page Editor is a program for the viewing and editing of
various formats of fax cover files.


#######################################################################

======
2) Bug
======


fxscover.exe is available on Windows after the installation of the Fax
Service.

The various "Text" elements have a 16bit field that seems used to index
them and by default it has a negative value like 0x8001.
By using a positive value major than 0 and lower than the total number
of elements is possible to cause a problem during the freeing of the
allocated object.

The provided proof-of-concept demonstrates the possibility of executing
code immediately after the acknoledgement of the initial message box
when is called FXSCOVER!CDrawDoc::Remove by
FXSCOVER!CDrawDoc::DeleteContents.

Modifications:
00005098   FE       CC  // code execution starts from here
000093F5   01       04  // 16bit in little endian
000093F6   80       00

Alternatively is also possible to exploit the bug when the program gets
closed or another file is opened by modifying the 16 bit at offset
0x94a5 instead of the one at 0x93f5, so that the file will be
considered valid.


#######################################################################

===========
3) The Code
===========

DoS:
http://aluigi.org/poc/fxscover_1.cov
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/16024-fxscover_1.cov

Bind Shell:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/fxscover_1_bind28876.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################