Microsoft Reader 2.1.1.3143 - Integer Overflow (1)

EDB-ID:

17160

CVE:

N/A
Platform:

Windows

Date:

2011-04-12


Source: http://aluigi.org/adv/msreader_1-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              the Origami 2.6.1.7169 version doesn't seem vulnerable
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          integer overflow
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Microsoft Reader is software for reading and cataloguing ebooks in the
LIT format and Audible audio books bought via the internet; its homepage
also acts as an online store for this protected content.


#######################################################################

======
2) Bug
======


The software is affected by an integer overflow during the handling of
the number-of-pieces field of the initial ITLS header, located at offset
0x10:

  0108306E  |> 8B7B 68        MOV EDI,DWORD PTR DS:[EBX+68]
  01083071 >|. 8BF7           MOV ESI,EDI
  01083073  |. C1E6 04        SHL ESI,4
  01083076  |. 837D 08 00     CMP DWORD PTR SS:[EBP+8],0
  0108307A  |. 7C 78          JL SHORT MSReader.010830F4
  0108307C  |. 8BC7           MOV EAX,EDI
  0108307E  |. C1E0 04        SHL EAX,4
  01083081  |. 50             PUSH EAX
  01083082  |. E8 A1870000    CALL MSReader.0108B828        ; LocalAlloc
  01083087  |. 85C0           TEST EAX,EAX
  01083089  |. 59             POP ECX
  0108308A  |. 74 06          JE SHORT MSReader.01083092
  0108308C  |. 4F             DEC EDI
  0108308D  |. 897D 08        MOV DWORD PTR SS:[EBP+8],EDI
  01083090  |. EB 02          JMP SHORT MSReader.01083094
  01083092  |> 33C0           XOR EAX,EAX
  01083094  |> 8943 44        MOV DWORD PTR DS:[EBX+44],EAX
  01083097  |. 8B43 68        MOV EAX,DWORD PTR DS:[EBX+68]
  0108309A  |. C1E0 02        SHL EAX,2
  0108309D  |. 50             PUSH EAX
  0108309E  |. E8 85870000    CALL MSReader.0108B828        ; LocalAlloc
  010830A3  |. 837B 44 00     CMP DWORD PTR DS:[EBX+44],0
  010830A7  |. 59             POP ECX
  010830A8  |. 8943 48        MOV DWORD PTR DS:[EBX+48],EAX
  010830AB  |. 74 40          JE SHORT MSReader.010830ED
  010830AD  |. 85C0           TEST EAX,EAX
  010830AF  |. 74 3C          JE SHORT MSReader.010830ED
  010830B1  |. 8B4B 68        MOV ECX,DWORD PTR DS:[EBX+68]
  010830B4  |. C1E1 02        SHL ECX,2
  010830B7  |. 51             PUSH ECX
  010830B8  |. 6A 00          PUSH 0
  010830BA  |. 50             PUSH EAX
  010830BB  |. E8 0D6DFEFF    CALL MSReader.01069DCD        ; memset
  010830C0  |. 6A 28          PUSH 28
  010830C2  |. 8B43 3C        MOV EAX,DWORD PTR DS:[EBX+3C]
  010830C5  |. 59             POP ECX
  010830C6  |. 8D55 FC        LEA EDX,DWORD PTR SS:[EBP-4]
  010830C9  |. 8B38           MOV EDI,DWORD PTR DS:[EAX]
  010830CB  |. 52             PUSH EDX
  010830CC  |. 56             PUSH ESI
  010830CD  |. 33D2           XOR EDX,EDX
  010830CF  |. FF73 44        PUSH DWORD PTR DS:[EBX+44]
  010830D2  |. 52             PUSH EDX
  010830D3  |. 51             PUSH ECX
  010830D4  |. 50             PUSH EAX
  010830D5  |. FF57 0C        CALL DWORD PTR DS:[EDI+C]     ; ReadFile
  ...
  01082CD8 >|. 8B5E 68        MOV EBX,DWORD PTR DS:[ESI+68]
  01082CDB  |> 8BC3           /MOV EAX,EBX
  01082CDD  |. 4B             |DEC EBX
  01082CDE  |. 85C0           |TEST EAX,EAX
  01082CE0  |. 74 1C          |JE SHORT MSReader.01082CFE
  01082CE2  |. 8B46 48        |MOV EAX,DWORD PTR DS:[ESI+48]
  01082CE5  |. 8B3C98         |MOV EDI,DWORD PTR DS:[EAX+EBX*4]
  01082CE8  |. 3BFD           |CMP EDI,EBP
  01082CEA  |.^74 EF          |JE SHORT MSReader.01082CDB
  01082CEC  |> 8B07           |/MOV EAX,DWORD PTR DS:[EDI]
  01082CEE  |. 57             ||PUSH EDI
  01082CEF  |. FF50 08        ||CALL DWORD PTR DS:[EAX+8]   ; exploitation
  ...
  010832D0  |> 8B4E 48        MOV ECX,DWORD PTR DS:[ESI+48]
  010832D3  |. 8BD8           MOV EBX,EAX
  010832D5  |. C1E3 02        SHL EBX,2
  010832D8  |. 8B3C19         MOV EDI,DWORD PTR DS:[ECX+EBX]
  010832DB  |. 85FF           TEST EDI,EDI
  010832DD  |. 74 0F          JE SHORT MSReader.010832EE
  010832DF  |. 8B07           MOV EAX,DWORD PTR DS:[EDI]
  010832E1  |. 57             PUSH EDI
  010832E2  |. FF50 04        CALL DWORD PTR DS:[EAX+4]     ; exploitation
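
The following C program is an added illustration and is not part of the
advisory or of Luigi Auriemma's proof-of-concept. It models the size
arithmetic the disassembly performs on the pieces count read from header
offset 0x10 (SHL ESI,4 for the piece buffer, SHL EAX,2 for the pointer
table) next to the overflow check that would reject such a header before
any allocation. The header length of 0x18 bytes, the little-endian field
encoding, the "ITLS" magic bytes and the two sample headers are
assumptions constructed for the example; only the two offsets and the
two shift amounts come from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header offsets named in the advisory; the minimum length is an assumption. */
#define ITLS_PIECES_OFFSET    0x10
#define ITLS_BLOCKSIZE_OFFSET 0x14
#define ITLS_HEADER_MIN_LEN   0x18
/* Per-entry sizes implied by the shifts in the disassembly. */
#define PIECE_ENTRY_BYTES 16   /* SHL ESI,4: buffer later filled by ReadFile */
#define PTR_ENTRY_BYTES   4    /* SHL EAX,2: pointer table stored at [EBX+48] */

enum itls_verdict { ITLS_OK = 0, ITLS_TOO_SHORT = 1, ITLS_OVERFLOW = 2 };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The arithmetic the vulnerable code performs: a 32-bit shift that wraps
 * silently, so a huge count turns into a tiny LocalAlloc request. */
uint32_t piece_buffer_bytes_unchecked(uint32_t pieces)
{
    return pieces << 4;
}

/* Hardened form: fail when count * entry_bytes does not fit in 32 bits. */
bool mul_u32_checked(uint32_t count, uint32_t entry_bytes, uint32_t *out)
{
    if (entry_bytes != 0 && count > UINT32_MAX / entry_bytes)
        return false;
    *out = count * entry_bytes;
    return true;
}

/* Does an allocation of alloc_bytes really hold 'count' entries? After a
 * wrap it does not, yet the loops at 01082CDB and 010832D0 still index
 * 'count' entries and call through the pointers they find. */
bool allocation_covers_count(uint32_t alloc_bytes, uint32_t count,
                             uint32_t entry_bytes)
{
    return alloc_bytes / entry_bytes >= count;
}

/* Validate both derived sizes before anything is allocated. */
enum itls_verdict check_itls_header(const uint8_t *hdr, size_t len)
{
    uint32_t pieces, piece_bytes, table_bytes;
    if (len < ITLS_HEADER_MIN_LEN)
        return ITLS_TOO_SHORT;
    pieces = read_le32(hdr + ITLS_PIECES_OFFSET);
    if (!mul_u32_checked(pieces, PIECE_ENTRY_BYTES, &piece_bytes) ||
        !mul_u32_checked(pieces, PTR_ENTRY_BYTES, &table_bytes))
        return ITLS_OVERFLOW;
    return ITLS_OK;
}

/* Constructed sample headers (not taken from real LIT files): the magic
 * bytes are assumed, and only the fields at 0x10 and 0x14 matter here. */
const uint8_t sane_header[ITLS_HEADER_MIN_LEN] = {
    'I','T','L','S', 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x02,0x00,0x00,0x00,   /* pieces = 2 */
    0x98,0x00,0x00,0x00    /* secondary data block size = 0x98 */
};
const uint8_t wrapping_header[ITLS_HEADER_MIN_LEN] = {
    'I','T','L','S', 0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x01,0x00,0x00,0x10,   /* pieces = 0x10000001: << 4 wraps to 0x10 */
    0x98,0x00,0x00,0x00
};

int main(void)
{
    uint32_t pieces = read_le32(wrapping_header + ITLS_PIECES_OFFSET);
    uint32_t bytes  = piece_buffer_bytes_unchecked(pieces);
    printf("pieces=0x%08x unchecked alloc=0x%x bytes, holds %u entries\n",
           pieces, bytes, bytes / PIECE_ENTRY_BYTES);
    printf("sane header verdict=%d, wrapping header verdict=%d\n",
           check_itls_header(sane_header, sizeof sane_header),
           check_itls_header(wrapping_header, sizeof wrapping_header));
    return 0;
}
```

With the wrapping header the unchecked computation asks LocalAlloc for
16 bytes (one entry) while the count remains 0x10000001, which is exactly
the mismatch the two indexing loops in the disassembly then walk into;
the checked variant refuses the header before the allocation is made.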

There are some things to consider for exploiting the vulnerability.
A minimal heap spray can be performed in memory because the pieces (the
number involved in the integer overflow) or the secondary data block,
whose size is specified at offset 0x14, get loaded correctly.
So the exploit must be tuned to have a chance of EAX (or another
register, since there is a second location where exploitation is
possible) pointing to our code.

I have provided two examples, written from scratch, that show the usage
of the first field (number of pieces) and the second field
(0200000098000000...) for loading data.
This simple technique can also serve as a help for exploiting the other
vulnerabilities reported in this software.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/msreader_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17160.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################