Bugtraq mailing list archives

Re: More vulnerabilities in FP

From: dullien () GMX DE (Thomas Dullien)
Date: Fri, 21 Apr 2000 10:01:10 +0200

On Wed, 19 Apr 2000 08:08:25 -0400, The Cyberiad wrote:

> I confirmed the 742-A's caused a page fault in KERNEL32.DLL
> at 0167:bff87ede under FP 3.0.2.1105, installed with PWS
> under Windows 98 (PWS.EXE Version 4.02.0690). However,
> this length did not force A's into the EIP. Instead the stack pointer
> is corrupted, now pointing to invalid memory (which caused the page
> fault). The relationship of the corrupted stack pointer to the input
> overflow data is unclear (it's not 0x41414141) so I'll have to do
> some more reverse engineering; I did try longer strings with the
> same result.

I do not have access to a copy of frontpage, but I downloaded 
htimage.exe (7.952 bytes) from some webserver with incorrect permissions set.
I could _not_ reproduce a crash in which EIP is taken. A rough look
at the disassembled code revealed that the crash happens like this:

If the fopen() call to the specified file fails, the program will create an
error message on the stack in a static buffer of 1000 bytes length.
The error message is:
"Picture config file no found, tried the following:"
Then, the program uses strcat() to append the PATH_TRANSLATED
and PATH_INFO environment variables (the data passed to the program)
to the error message on the stack. You can see that this will smash
the stack. Now comes the problem:
This overflow occurs within main(), and before main() ret's anywhere,
an Error-Output function is called which just printf()'s the error message
and then calls exit(). I don't know if this is exploitable at all.

On the other hand, I don't claim this is a correct analysis. As I said, all
I have is a single htimage.exe I downloaded from somewhere, and I
tried to get the overflow to work.
Shoddy coding in the file nonetheless.... strcat'ing user input onto the
stack :-o

Concerning the crash on 9x, might be that some important things for
the cleanup are on the stack... I didn't test under 9x, but under NT SP5,
so it might be that 9x doesn't like the overwriting of the stack.

Thomas Dullien
dullien () gmx de
Win32 Security Consultant ;-> Hire me !
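Added illustration, not code from htimage.exe or from anyone in this thread (nobody here has its source): the message-building step the post describes, written with the bounds check the post says is missing. The 1000-byte fixed buffer and the strcat-of-PATH_TRANSLATED-and-PATH_INFO pattern come from the post; the function names, the exact message text, and the two explicit parameters standing in for the CGI environment variables are assumptions made here so the code can be run offline on constructed input.

```c
/* Added example, not htimage.exe code. Demonstrates the post's
 * "fixed 1000-byte stack buffer + strcat of request data" pattern in a
 * bounded form that truncates instead of writing past the buffer. */
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 1000   /* buffer size stated in the post */

/* Bounded append: copies as much of src as fits, always NUL-terminates.
 * Returns 0 if everything fit, -1 if output had to be truncated.
 * strcat(dst, src) has no such check: with long input it keeps writing
 * past the end of dst, which is the defect the post describes. */
static int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    size_t room = dstsz - used - 1;     /* bytes left before the NUL */
    size_t n = strlen(src);
    if (n <= room) {
        memcpy(dst + used, src, n + 1);
        return 0;
    }
    memcpy(dst + used, src, room);
    dst[used + room] = '\0';
    return -1;
}

/* Builds the "config file not found" message into a caller-supplied
 * buffer. path_translated / path_info stand in for the CGI environment
 * variables of the same name (assumed parameters; the real program reads
 * them with getenv()). Returns 0 when complete, -1 when truncated. */
int build_error_message(char *out, size_t outsz,
                        const char *path_translated, const char *path_info)
{
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    int rc = 0;
    /* message text is an assumption, paraphrased from the post */
    rc |= append_bounded(out, outsz,
                         "Picture config file not found, tried the following: ");
    rc |= append_bounded(out, outsz, path_translated ? path_translated : "(unset)");
    rc |= append_bounded(out, outsz, " ");
    rc |= append_bounded(out, outsz, path_info ? path_info : "(unset)");
    return rc ? -1 : 0;
}

/* Short constructed inputs: the whole message fits. */
const char *example_message(void)
{
    static char buf[ERRBUF_SIZE];
    build_error_message(buf, sizeof buf, "/www/img.map", "/x");
    return buf;
}

/* Oversized constructed input (1499 'A's, longer than the buffer):
 * the call must report truncation, leave exactly ERRBUF_SIZE-1 chars,
 * and not touch the word placed directly after the buffer.
 * Returns 1 if all three hold. */
struct guarded { char buf[ERRBUF_SIZE]; unsigned long canary; };

int demo_long_input_is_contained(void)
{
    struct guarded g;
    char longpath[1500];
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';
    g.canary = 0x5a5a5a5aUL;
    int rc = build_error_message(g.buf, sizeof g.buf, longpath, "/x");
    return rc == -1
        && strlen(g.buf) == ERRBUF_SIZE - 1
        && g.canary == 0x5a5a5a5aUL;
}

int main(void)
{
    printf("%s\n", example_message());
    printf("long input contained: %s\n",
           demo_long_input_is_contained() ? "yes" : "no");
    return 0;
}
```

The point of the canary field is only to make the contrast visible: with the bounded append the word after the buffer is untouched no matter how long the input is, whereas the strcat() version has nothing that stops it at byte 1000. Truncating the diagnostic is harmless here because the message is printed and the program exits, as the post describes.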
