OpenRCE

About Articles Book Store Distributed RCE Downloads Event Calendar Forums Live Discussion Reference Library RSS Feeds Search Users What's New

Customize Theme

Flag: Tornado! Hurricane!

Created: Thursday, October 5 2006 23:58.55 CDT Modified: Tuesday, October 10 2006 17:27.11 CDT

Printer Friendly ...

Owning Computer Associates BrightStor through Mailslots

Author: pedram

# Views: 2865

Recall from blog/2006-07-11 and TSRT-06-02 that any code relying on the implicit message size limitation of Second-class Mailslots could be exposing a vulnerability. I mentioned that the rare usage of Mailslots will severely mitigate the impact of this new "class" of vulnerability. The fact that no Mailslot bugs have emerged since the initial disclosure is evidence that my assumption was true.

The one 3rd party exposure I have personally come across was just disclosed today: CA BrightStor Discovery Service Mailslot Buffer Overflow Vulnerability. The exposed Mailslot name is 'CheyenneDS' and a no explicit MaxMessageSize is supplied in the call to CreateMailslot, an attacker can cause an exploitable stack-based buffer overflow. Here is the creation of the Mailslot:



casdscsvc.exe -> Asbrdcst.dll

    20C14E8C push 0                ; lpSecurityAttributes

    20C14E8E push 0                ; lReadTimeout

    20C14E90 push 0                ; nMaxMessageSize

    20C14E92 push offset Name      ; "\\\\.\\mailslot\\CheyenneDS"

    20C14E97 stosb

    20C14E98 call ds:CreateMailslotA

    20C14E9E cmp eax, INVALID_HANDLE_VALUE

    20C14EA1 mov mailslot_handle, eax

Later the mailslot handle is read from into a 4k buffer. The read data is also passed to a routine which calls vsprintf into a 1k buffer.



casdscsvc.exe -> Asbrdcst.dll

    20C15024 mov eax, mailslot_handle

    20C15029 lea edx, [esp+1044h+Buffer_4k]

    20C1502D push ecx                        ; nNumberOfBytesToRead

    20C1502E push edx                        ; lpBuffer

    20C1502F push eax                        ; hFile

    20C15030 call edi ; ReadFile

    20C15032 test eax, eax

    20C15034 jz  short read_failed

    20C15036 lea ecx, [esp+3Dh]

    20C1503A push ecx                        ; char

    20C1503B push offset str_ReadmailslotS   ; "ReadMailSlot: %s\n"

    20C15040 call not_interesting_call_to_vsnprtinf

    20C15045 add esp, 8

    20C15048 lea edx, [esp+3Dh]

    20C1504C push edx                        ; va_list

    20C1504D push offset str_ReadmailslotS_0 ; "ReadMailSlot: %s"

    20C15052 push 0                          ; for_debug_log

    20C15054 call vsprintf_into_1024_stack_buf_and_debug_log

One would imagine that at least one other instance of a Mailslot handling bug must exist elsewhere. Anyone?

There are 31,320 total registered users.

Recently Created Topics
[help] Unpacking VMP...	Mar/12
Reverse Engineering ...	Jul/06
hi!	Jul/01
let 'IDAPython' impo...	Sep/24
set 'IDAPython' as t...	Sep/24
GuessType return une...	Sep/20
About retrieving the...	Sep/07
How to find specific...	Aug/15
How to get data depe...	Jul/07
Identify RVA data in...	May/06

Recent Forum Posts
Finding the procedur...	rolEYder
Question about debbu...	rolEYder
Identify RVA data in...	sohlow
let 'IDAPython' impo...	sohlow
How to find specific...	hackgreti
Problem with ollydbg	sh3dow
How can I write olly...	sh3dow
New LoadMAP plugin v...	mefisto...
Intel pin in loaded ...	djnemo
OOP_RE tool available?	Bl4ckm4n

Recent Blog Entries
	halsten	Mar/14
Breaking IonCUBE VM
	oleavr	Oct/24
Anatomy of a code tracer
	hasherezade	Sep/24
IAT Patcher - new tool for ...
	oleavr	Aug/27
CryptoShark: code tracer ba...
	oleavr	Jun/25
Build a debugger in 5 minutes
More ...

Recent Blog Comments
	nieo on:	Mar/22
IAT Patcher - new tool for ...
	djnemo on:	Nov/17
Kernel debugger vs user mod...
	acel on:	Nov/14
Kernel debugger vs user mod...
	pedram on:	Dec/21
frida.github.io: scriptable...
	capadleman on:	Jun/19
Using NtCreateThreadEx for ...
More ...

Imagery

SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit