Microsoft Visual Basic Buffer Overflow May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1010175
SecurityTracker URL: http://securitytracker.com/id/1010175
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 17 2004
Impact: Execution of arbitrary code via local system, User access via local system
Exploit Included: Yes
Version(s): 6.0 version 8176

Description:
A buffer overflow vulnerability was reported in Microsoft Visual Basic. A local user may be able to gain elevated privileges in certain cases [but that was not confirmed in the report].
Dr_insane reported that the Visual Basic design time environment contains a buffer overflow in a print statement, potentially affecting various Microsoft applications such as Microsoft Office and Microsoft Internet Explorer.
It is reported that a Command1_Click() event handler that prints the contents of a text box holding about 170,000 characters can trigger the flaw.
Some demonstration exploit steps are provided in the Source Message and in the original advisory.
The original advisory is available at:
http://members.lycos.co.uk/r34ct/main/ms-vb/MS-vb.txt

Impact:
A remote user can create a Visual Basic application to trigger a buffer overflow and crash. The report indicates but does not confirm that it may be possible to execute arbitrary code to gain elevated privileges [presumably by having a target user trigger the flaw].

Solution:
No solution was available at the time of this entry.

Vendor URL: www.microsoft.com/technet/security/

Cause:
Boundary error

Underlying OS:
Windows (Any)

Message History:
None.

Source Message Contents

Date: Mon, 17 May 2004 14:27:54 -0400
Subject: http://members.lycos.co.uk/r34ct/main/ms-vb/MS-vb.txt

http://members.lycos.co.uk/r34ct/main/ms-vb/MS-vb.txt
Visual Basic 6.0 version 8176 Print statement buffer overrun
Release date:
17-5-2004
Severity:
Medium
Vendor:
Microsoft
Systems affected:
Windows 9x
Windows 2000
Windows XP
Windows 2003
Description:
A buffer overrun exists in the Visual Basic design time environment that may allow a user to elevate his privileges. This vulnerability may affect Microsoft Office series and other Microsoft applications such as Internet Explorer.
Technical Description:
Perform the following steps to crash Visual Basic:
1. Open Visual Basic and create a new project (project1)
2. Insert a textbox and a commandbutton
3. In the Command1_Click() event insert the following code:
print text1.text
4. Compile and run your program
5. Insert about 170,000 characters in your textbox and press the commandbutton
At this point your program will generate an "Out of stack space" error message and will crash. Try to compile and run it again and VB will crash. A second error message will be generated:
The instruction at "0x004a2e43" referenced memory at "0x00030274". The memory could not be "read".
004A2E29 sub ecx,eax
004A2E2B mov eax,esp
004A2E2D test dword ptr [ecx],eax
004A2E2F mov esp,ecx
004A2E31 mov ecx,dword ptr [eax]
004A2E33 mov eax,dword ptr [eax+4]
004A2E36 push eax
004A2E37 ret
004A2E38 sub ecx,1000h
004A2E3E sub eax,1000h
004A2E43 test dword ptr [ecx],eax
004A2E45 cmp eax,1000h
004A2E4A jae 004A2E38
004A2E4C jmp 004A2E29
004A2E4E push ebp
004A2E4F mov ebp,esp
004A2E51 sub esp,104h
004A2E57 mov ecx,dword ptr ds:[59F700h]
004A2E5D push esi
004A2E5E test ecx,ecx
004A2E60 je 004A2E7E
004A2E62 mov eax,[0059F710]
004A2E67 test eax,eax
004A2E69 je 004A2EB9
004A2E6B push dword ptr [ebp+14h]
004A2E6E push dword ptr [ebp+10h]
004A2E71 push dword ptr [ebp+0Ch]
004A2E74 push dword ptr [ebp+8]
004A2E77 call eax
004A2E79 pop esi
004A2E7A leave
Credit:
dr_insane
http://members.lycos.co.uk/r34ct/
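Added illustration, not code from the advisory or from Microsoft: the listing above, which steps ECX down 0x1000 bytes at a time and touches each page, is the idiom compilers emit to probe the stack for a large stack allocation, so the "Out of stack space" error reads as stack exhaustion driven by the input length. Assuming a Print-like routine that copies the text onto the stack (an assumption; emit_text_unsafe, emit_text_safe, STACK_COPY_MAX and demo_safe are names made up here), the C below puts that pattern beside a bounded version that caps the stack copy and falls back to the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <alloca.h>

#define STACK_COPY_MAX 4096   /* largest copy allowed on the stack (assumed policy) */

/* Same shape as the reported flaw: the input length alone sizes a stack
 * allocation. The compiler's stack probe touches each new 0x1000-byte page
 * (the loop in the listing above); ~170,000 bytes walks off a small stack. */
size_t emit_text_unsafe(const char *text, size_t len, FILE *out)
{
    char *buf = alloca(len + 1);
    memcpy(buf, text, len);
    buf[len] = '\0';
    return fwrite(buf, 1, len, out);
}

/* Hardened form: a fixed stack buffer for short text, heap for anything
 * larger, and allocation failure reported as 0 bytes instead of a fault. */
size_t emit_text_safe(const char *text, size_t len, FILE *out)
{
    char stack_buf[STACK_COPY_MAX];
    char *buf = stack_buf;
    if (len + 1 > sizeof stack_buf) {
        buf = malloc(len + 1);
        if (buf == NULL) return 0;
    }
    memcpy(buf, text, len);
    buf[len] = '\0';
    size_t written = fwrite(buf, 1, len, out);
    if (buf != stack_buf)
        free(buf);
    return written;
}

/* Constructed input: len copies of 'A', like the advisory's 170,000-character text box. */
size_t demo_safe(size_t len)
{
    char *text = malloc(len + 1);
    FILE *out = tmpfile();
    size_t written = 0;
    if (text != NULL && out != NULL) {
        memset(text, 'A', len);
        written = emit_text_safe(text, len, out);
    }
    if (out != NULL) fclose(out);
    free(text);
    return written;
}
```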