Flag: Tornado! Hurricane!

Blogs >> pedram's Blog

Created: Thursday, October 5 2006 23:58.55 CDT Modified: Tuesday, October 10 2006 17:27.11 CDT
Printer Friendly ...
Owning Computer Associates BrightStor through Mailslots
Author: pedram # Views: 2872

Recall from blog/2006-07-11 and TSRT-06-02 that any code relying on the implicit message size limitation of Second-class Mailslots could be exposing a vulnerability. I mentioned that the rare usage of Mailslots will severely mitigate the impact of this new "class" of vulnerability. The fact that no Mailslot bugs have emerged since the initial disclosure is evidence that my assumption was true.

The one 3rd party exposure I have personally come across was just disclosed today: CA BrightStor Discovery Service Mailslot Buffer Overflow Vulnerability. The exposed Mailslot name is 'CheyenneDS' and a no explicit MaxMessageSize is supplied in the call to CreateMailslot, an attacker can cause an exploitable stack-based buffer overflow. Here is the creation of the Mailslot:


casdscsvc.exe -> Asbrdcst.dll
    20C14E8C push 0                ; lpSecurityAttributes
    20C14E8E push 0                ; lReadTimeout
    20C14E90 push 0                ; nMaxMessageSize
    20C14E92 push offset Name      ; "\\\\.\\mailslot\\CheyenneDS"
    20C14E97 stosb
    20C14E98 call ds:CreateMailslotA
    20C14E9E cmp eax, INVALID_HANDLE_VALUE
    20C14EA1 mov mailslot_handle, eax


Later the mailslot handle is read from into a 4k buffer. The read data is also passed to a routine which calls vsprintf into a 1k buffer.


casdscsvc.exe -> Asbrdcst.dll
    20C15024 mov eax, mailslot_handle
    20C15029 lea edx, [esp+1044h+Buffer_4k]
    20C1502D push ecx                        ; nNumberOfBytesToRead
    20C1502E push edx                        ; lpBuffer
    20C1502F push eax                        ; hFile
    20C15030 call edi ; ReadFile
    20C15032 test eax, eax
    20C15034 jz  short read_failed
    20C15036 lea ecx, [esp+3Dh]
    20C1503A push ecx                        ; char
    20C1503B push offset str_ReadmailslotS   ; "ReadMailSlot: %s\n"
    20C15040 call not_interesting_call_to_vsnprtinf
    20C15045 add esp, 8
    20C15048 lea edx, [esp+3Dh]
    20C1504C push edx                        ; va_list
    20C1504D push offset str_ReadmailslotS_0 ; "ReadMailSlot: %s"
    20C15052 push 0                          ; for_debug_log
    20C15054 call vsprintf_into_1024_stack_buf_and_debug_log


One would imagine that at least one other instance of a Mailslot handling bug must exist elsewhere. Anyone?




Add New Comment
Comment:









There are 31,320 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit