
Re: strcpy bug

From: Dave Korn <davek_throwaway(at)hotmail.com>
Date: Thu Jun 05 2003 - 00:00:39 EDT

----- Original Message -----
From: "xenophi1e" <oliver.lavery@sympatico.ca>
To: <vuln-dev@securityfocus.com>
Sent: Sunday, June 01, 2003 1:23 AM
Subject: strcpy bug

> Noticed this while looking for something else. EIP is smacked with a 268

The windows "Search for files and folders" utility will search binaries and can often find the linkage names of functions and dlls they call. None showed up when I searched my w2ksp2 \winnt\system32 folder. The following files link against lz32.dll:

fontext.dll - calls LZOpenFileW
setupapi.dll - ditto
setupdll.dll
t2embed.dll - calls LZOpenFileA
version.dll - LZCreateFileW
iis.dll - LZOpenFileW

let's just see if the unicode version is equally lousy....

LZ32!LZOpenFileW:
759b15be 55 push ebp
759b15bf 8bec mov ebp,esp
759b15c1 81ec14010000 sub esp,0x114
759b15c7 8b4508 mov eax,[ebp+0x8]
759b15ca 50 push eax
759b15cb 8945fc mov [ebp-0x4],eax
759b15ce ff1580109b75 call dword ptr [LZ32!_imp__wcslen (759b1080)]
759b15d4 d1e0 shl eax,1
kd> u
LZ32!LZOpenFileW+18:
759b15d6 668945f8 mov [ebp-0x8],ax
759b15da 8b45f8 mov eax,[ebp-0x8]
759b15dd 83c002 add eax,0x2
759b15e0 59 pop ecx
759b15e1 668945fa mov [ebp-0x6],ax
759b15e5 8d85ecfeffff lea eax,[ebp-0x114]
759b15eb 8945f4 mov [ebp-0xc],eax
759b15ee 8d45f8 lea eax,[ebp-0x8]
kd> u
LZ32!LZOpenFileW+33:
759b15f1 6a00 push 0x0
759b15f3 50 push eax
759b15f4 8d45f0 lea eax,[ebp-0x10]
759b15f7 66c745f20401 mov word ptr [ebp-0xe],0x104
759b15fd 50 push eax
759b15fe ff1578109b75 call dword ptr [LZ32!_imp__RtlUnicodeStringToAnsiString (759b1078)]
759b1604 85c0 test eax,eax
759b1606 7d05 jge LZ32!LZOpenFileW+0x4f (759b160d)
kd> u
LZ32!LZOpenFileW+4a:
759b1608 6afb push 0xfb
759b160a 58 pop eax
759b160b eb12 jmp LZ32!LZOpenFileW+0x61 (759b161f)
759b160d ff7510 push dword ptr [ebp+0x10]
759b1610 8d85ecfeffff lea eax,[ebp-0x114]
759b1616 ff750c push dword ptr [ebp+0xc]
759b1619 50 push eax
759b161a e807ffffff call LZ32!LZOpenFileA (759b1526)

Bah. That 0x104 in the size field of the result string from the RtlUnicodeStringToAnsiString call not only protects the stack frame, it also stops us feeding too long a string through the W version to the A version. D'oh.

However, t2embed.dll looks more promising perhaps, since it is linked by mshtml.dll. Hmmmmm. A quick browse through the visible strings with PE view shows it to be something font related, so my guess is that it's the true-type embedded font dll. Now, perhaps an LZ-compressed true-type font file with a very long name.... ??


So I guess the answer to your question is "Potentially, IE, OE, MSHta.exe and anything else that uses the IE browser engine." Font-face style tag perhaps?

       DaveK

--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card!  
http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #
Master of Many Meowing Minions
Holder of the exhalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E  6484 C441 CEC7 D2BD
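The bounds check that the LZOpenFileW listing above relies on, written out as an added example (not part of the original post and not Microsoft's code): the 16-bit counted strings, the 0x104 MaximumLength, the negative-status test and the -5 return (`push 0xfb / pop eax` sign-extends the byte to -5) are read off the disassembly, while the function names are hypothetical, the converter assumes one byte per code unit instead of a real code-page conversion, and the A-side stand-in checks the length before copying rather than reproducing the strcpy the thread is about.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the check in the LZOpenFileW listing; not Microsoft's
 * code.  Constants come from the disassembly, names are hypothetical, and
 * conversion is modelled as one byte per 16-bit code unit (ASCII-range names). */
#define LZ_ANSI_MAX  0x104   /* MaximumLength from "mov word ptr [ebp-0xe],0x104" */
#define LZ_ERR_FAIL  (-5)    /* "push 0xfb / pop eax": imm8 0xfb sign-extends to -5 */
#define MODEL_STATUS_BUFFER_OVERFLOW ((int32_t)0x80000005) /* sign bit set */

/* Same layout as the NT counted strings: 16-bit byte counts plus a pointer. */
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } wide_string;
typedef struct { uint16_t Length, MaximumLength; char *Buffer; } ansi_string;

static size_t wlen16(const uint16_t *s)      /* wcslen over 16-bit code units */
{
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* Prologue of LZOpenFileW: Length = wcslen*2, stored with "mov [ebp-0x8],ax"
 * so it is truncated to 16 bits; MaximumLength = Length + 2. */
static wide_string init_wide(const uint16_t *s)
{
    wide_string w;
    w.Length = (uint16_t)(wlen16(s) * 2);
    w.MaximumLength = (uint16_t)(w.Length + 2);
    w.Buffer = s;
    return w;
}

/* Model of RtlUnicodeStringToAnsiString with a caller-owned destination: if the
 * converted name plus terminator does not fit in dst->MaximumLength nothing is
 * written and a negative status is returned, which is what the listing's
 * "test eax,eax / jge" pair branches on. */
static int32_t to_ansi_bounded(ansi_string *dst, const wide_string *src)
{
    size_t chars = src->Length / 2;
    if (chars + 1 > dst->MaximumLength)
        return MODEL_STATUS_BUFFER_OVERFLOW;
    for (size_t i = 0; i < chars; i++)
        dst->Buffer[i] = (char)(src->Buffer[i] & 0x7f);
    dst->Buffer[chars] = '\0';
    dst->Length = (uint16_t)chars;
    return 0;
}

/* Hardened stand-in for the A entry point: the length is checked before the
 * name goes into the fixed stack buffer, so an oversized name is refused. */
static int lz_open_file_a_checked(const char *name)
{
    char path[LZ_ANSI_MAX];
    size_t n = strlen(name);
    if (n >= sizeof path)
        return LZ_ERR_FAIL;
    memcpy(path, name, n + 1);
    return 0;                 /* a real implementation would open path here */
}

/* The W entry point as the listing reads: convert into a 0x104-byte stack
 * buffer, fail with -5 if that does not fit, otherwise call the A version. */
static int lz_open_file_w_model(const uint16_t *name)
{
    char stack_buf[LZ_ANSI_MAX];
    ansi_string a = { 0, LZ_ANSI_MAX, stack_buf };
    wide_string w = init_wide(name);
    if (to_ansi_bounded(&a, &w) < 0)
        return LZ_ERR_FAIL;
    return lz_open_file_a_checked(a.Buffer);
}

/* Constructed inputs: a name of n 'A's fed to each entry point. */
static uint16_t g_wide[70000];
static char     g_narrow[70000];

static int probe_w(size_t n)
{
    for (size_t i = 0; i < n; i++) g_wide[i] = 'A';
    g_wide[n] = 0;
    return lz_open_file_w_model(g_wide);
}

static int probe_a(size_t n)
{
    memset(g_narrow, 'A', n);
    g_narrow[n] = '\0';
    return lz_open_file_a_checked(g_narrow);
}

int main(void)
{
    printf("259 chars via W: %d (fits with terminator)\n", probe_w(259));
    printf("260 chars via W: %d (rejected, -5)\n", probe_w(260));
    printf("260 chars via A: %d (rejected by the checked A version)\n", probe_a(260));
    /* The 16-bit Length wraps at 32768 code units; the conversion still stays
     * inside the buffer, the name just comes out empty. */
    printf("32768 chars via W: %d (Length wrapped to 0)\n", probe_w(32768));
    return 0;
}
```

The point of the model is the order of operations: the converter compares the required size against the destination's MaximumLength before touching the buffer, and the caller treats any negative status as failure, so the W path can never hand the A path a name longer than 0x103 bytes plus terminator. The A-side stand-in applies the same discipline directly to a narrow name, which is the check the thread's strcpy lacks.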

Received on Thu Jun 5 14:37:06 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT