#######################################################################

                             Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              the Origami 2.6.1.7169 version doesn't seem vulnerable
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          integer overflow
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Microsoft Reader is software for reading and cataloguing ebooks in LIT
format and Audible audio books bought online; its homepage also acts as
an online store for this protected content.


#######################################################################

======
2) Bug
======


The software is affected by an integer overflow in the handling of the
number of pieces (offset 0x10) of the initial ITLS header:

0108306E |>  8B7B 68        MOV EDI,DWORD PTR DS:[EBX+68]
01083071 >|. 8BF7           MOV ESI,EDI
01083073 |.  C1E6 04        SHL ESI,4
01083076 |.  837D 08 00     CMP DWORD PTR SS:[EBP+8],0
0108307A |.  7C 78          JL SHORT MSReader.010830F4
0108307C |.  8BC7           MOV EAX,EDI
0108307E |.  C1E0 04        SHL EAX,4
01083081 |.  50             PUSH EAX
01083082 |.  E8 A1870000    CALL MSReader.0108B828          ; LocalAlloc
01083087 |.  85C0           TEST EAX,EAX
01083089 |.  59             POP ECX
0108308A |.  74 06          JE SHORT MSReader.01083092
0108308C |.  4F             DEC EDI
0108308D |.  897D 08        MOV DWORD PTR SS:[EBP+8],EDI
01083090 |.  EB 02          JMP SHORT MSReader.01083094
01083092 |>  33C0           XOR EAX,EAX
01083094 |>  8943 44        MOV DWORD PTR DS:[EBX+44],EAX
01083097 |.  8B43 68        MOV EAX,DWORD PTR DS:[EBX+68]
0108309A |.  C1E0 02        SHL EAX,2
0108309D |.  50             PUSH EAX
0108309E |.  E8 85870000    CALL MSReader.0108B828          ; LocalAlloc
010830A3 |.  837B 44 00     CMP DWORD PTR DS:[EBX+44],0
010830A7 |.  59             POP ECX
010830A8 |.  8943 48        MOV DWORD PTR DS:[EBX+48],EAX
010830AB |.  74 40          JE SHORT MSReader.010830ED
010830AD |.  85C0           TEST EAX,EAX
010830AF |.  74 3C          JE SHORT MSReader.010830ED
010830B1 |.  8B4B 68        MOV ECX,DWORD PTR DS:[EBX+68]
010830B4 |.  C1E1 02        SHL ECX,2
010830B7 |.  51             PUSH ECX
010830B8 |.  6A 00          PUSH 0
010830BA |.  50             PUSH EAX
010830BB |.  E8 0D6DFEFF    CALL MSReader.01069DCD          ; memset
010830C0 |.  6A 28          PUSH 28
010830C2 |.  8B43 3C        MOV EAX,DWORD PTR DS:[EBX+3C]
010830C5 |.  59             POP ECX
010830C6 |.  8D55 FC        LEA EDX,DWORD PTR SS:[EBP-4]
010830C9 |.  8B38           MOV EDI,DWORD PTR DS:[EAX]
010830CB |.  52             PUSH EDX
010830CC |.  56             PUSH ESI
010830CD |.  33D2           XOR EDX,EDX
010830CF |.  FF73 44        PUSH DWORD PTR DS:[EBX+44]
010830D2 |.  52             PUSH EDX
010830D3 |.  51             PUSH ECX
010830D4 |.  50             PUSH EAX
010830D5 |.  FF57 0C        CALL DWORD PTR DS:[EDI+C]       ; ReadFile
...
01082CD8 >|. 8B5E 68        MOV EBX,DWORD PTR DS:[ESI+68]
01082CDB |>  8BC3           /MOV EAX,EBX
01082CDD |.  4B             |DEC EBX
01082CDE |.  85C0           |TEST EAX,EAX
01082CE0 |.  74 1C          |JE SHORT MSReader.01082CFE
01082CE2 |.  8B46 48        |MOV EAX,DWORD PTR DS:[ESI+48]
01082CE5 |.  8B3C98         |MOV EDI,DWORD PTR DS:[EAX+EBX*4]
01082CE8 |.  3BFD           |CMP EDI,EBP
01082CEA |.^74 EF           |JE SHORT MSReader.01082CDB
01082CEC |>  8B07           |/MOV EAX,DWORD PTR DS:[EDI]
01082CEE |.  57             ||PUSH EDI
01082CEF |.  FF50 08        ||CALL DWORD PTR DS:[EAX+8]     ; exploitation
...
010832D0 |>  8B4E 48        MOV ECX,DWORD PTR DS:[ESI+48]
010832D3 |.  8BD8           MOV EBX,EAX
010832D5 |.  C1E3 02        SHL EBX,2
010832D8 |.  8B3C19         MOV EDI,DWORD PTR DS:[ECX+EBX]
010832DB |.  85FF           TEST EDI,EDI
010832DD |.  74 0F          JE SHORT MSReader.010832EE
010832DF |.  8B07           MOV EAX,DWORD PTR DS:[EDI]
010832E1 |.  57             PUSH EDI
010832E2 |.  FF50 04        CALL DWORD PTR DS:[EAX+4]       ; exploitation

To exploit the vulnerability there are some things to consider.
A minimal heap spray can be performed on the memory because the pieces
(the number involved in the integer overflow) or the secondary data
block with the size specified at offset 0x14 get loaded correctly.
So it's necessary to tune the exploit to have a chance of EAX (or
another register, because there is also another location for the
exploitation) pointing to our code.

I have provided two examples written from scratch that show the usage
of the first (number of pieces) and second field (0200000098000000...)
for loading data.
This simple technique can also help in exploiting the other
vulnerabilities reported in this software.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/msreader_1.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
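
Added example, not part of the original advisory and not Microsoft
Reader code: the listing in section 2 takes the piece count, shifts it
left (SHL 4, SHL 2) and passes the result to LocalAlloc with no range
check. The C sketch below shows how that 32-bit size wraps and one way
to validate the count first; the function names, the file_size bound
and the sample count are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ENTRY_SIZE 16u /* bytes per piece entry: the SHL 4 in the listing */

/* Size as the listing computes it: a 32-bit shift that drops the high bits. */
uint32_t wrapped_size(uint32_t count, unsigned shift) {
    return count << shift;
}

/* Checked size: 0 means "reject". A zero count is refused too (a policy
   choice of this sketch), so 0 is never a valid result. */
uint32_t checked_size(uint32_t count, uint32_t elem, uint32_t file_size) {
    if (count == 0 || count > UINT32_MAX / elem)
        return 0;                    /* product would not fit in 32 bits */
    if (count * elem > file_size)
        return 0;                    /* table cannot be larger than the file */
    return count * elem;
}

/* Hypothetical container for the two tables the listing allocates. */
typedef struct { uint32_t count; void *entries; void **slots; } piece_tables;

/* Allocate both tables only after the count has been validated. */
piece_tables *alloc_piece_tables(uint32_t count, uint32_t file_size) {
    uint32_t entry_bytes = checked_size(count, ENTRY_SIZE, file_size);
    if (entry_bytes == 0)
        return NULL;
    piece_tables *t = calloc(1, sizeof *t);
    if (t == NULL)
        return NULL;
    t->count = count;
    t->entries = malloc(entry_bytes);
    /* Pointer slots (4 bytes each on the 32-bit target, the SHL 2);
       calloc checks count * size itself and zeroes them like the memset. */
    t->slots = calloc(count, sizeof *t->slots);
    if (t->entries == NULL || t->slots == NULL) {
        free(t->entries); free(t->slots); free(t);
        return NULL;
    }
    return t;
}

int main(void) {
    uint32_t bad = 0x10000001u; /* constructed value, not from a real file */
    printf("wrapped: %u bytes for %u pieces\n",
           (unsigned)wrapped_size(bad, 4), (unsigned)bad);
    printf("checked: %u\n", (unsigned)checked_size(bad, ENTRY_SIZE, 4096u));
    return 0;
}
```

The later loops in the listing walk the slot table using the original
count, which is why the count itself has to be validated and not only
the allocation result.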