<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7652.24">
<TITLE>Re: Windows Oday release</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>-----Original Message-----<BR>
From: Thomas Lim &lt;thomas@coseinc.com&gt;<BR>
To: full-disclosure@lists.grok.org.uk &lt;full-disclosure@lists.grok.org.uk&gt;; bugtraq@securityfocus.com &lt;bugtraq@securityfocus.com&gt;; dailydave@lists.immunitysec.com &lt;dailydave@lists.immunitysec.com&gt;<BR>
Sent: Tue Jun 12 14:58:24 2007<BR>
Subject: Windows Oday release<BR>
<BR>
dear all<BR>
<BR>
SChannel Off-By-One Heap Corruption<BR>
===================================<BR>
<BR>
Discovery Date:<BR>
28th August 2006<BR>
<BR>
Date reported to Microsoft:<BR>
19th March 2007<BR>
<BR>
Summary:<BR>
The Secure Channel (SChannel) library on WinXP-SP1/SP2 is vulnerable to an off-by-one heap buffer overwrite. The SChannel library implements the PCT/TLS/SSL protocols exported via the Security Service Provider Interface (SSPI). It is one of several Security Service Providers loaded in and supported by the privileged Local Security Authority (Lsass.exe) process.<BR>
<BR>
In SChannel's implementation of the client-side SSLv3 handshake protocol, specifically in the processing of the server-key-exchange SSL handshake record, there are insufficient checks for a malformed server-sent digital signature with its length field set to 0. This results in an allocation of a 0-length heap buffer (with a valid heap address). A reverse memory copy is then performed to copy in the digital signature, by decrementing the 0-length by 1. This results in an integer underflow, causing the heap-buffer pointer to decrement before its start address, ultimately leading to an overwrite of exactly one byte of user-controlled value into the heap control block. Depending on the robustness of the application in question, this may lead to an unrecoverable heap corruption condition, causing the application to terminate. In the case of Lsass.exe on WinXP-SP2, we can crash it locally after several iterations, from a less-privileged user, causing a system reboot. Vulnerable code also exists in WinXP-SP1, although it does not cause an unrecoverable heap corruption in Lsass.exe.<BR>
<BR>
Vendor Affected:<BR>
Microsoft<BR>
<BR>
<BR>
Systems Affected:<BR>
========<BR>
WinXP-SP2 (DOS/Reboot)<BR>
WinXP-SP1 (minimal impact)<BR>
<BR>
<BR>
Exploitation:<BR>
=============<BR>
1) For local machine reboot via normal user account, on WinXP-SP2<BR>
OR<BR>
For remote machine reboot by enticing user to visit HTTPS site via IE,<BR>
on WinXP-SP2 (but over 2000 iterations required)<BR>
<BR>
<BR>
POC (crash-test/reboot):<BR>
========================<BR>
1) Run sctest.exe from a normal user account, on client machine<BR>
running WinXP-SP2.<BR>
<BR>
2) sctest.exe will attempt to use SChannel's SSL implementation to<BR>
parse pre-generated malformed SSL handshake records, over<BR>
several iterations, causing multiple off-by-one overwrites with<BR>
0xFF byte, within the Lsass.exe process.<BR>
<BR>
3) Attach Debugger to Lsass.exe to see crash. The system will notify<BR>
the user and perform a 60sec. reboot count-down, after detecting<BR>
the Lsass.exe crash.<BR>
<BR>
** Lsass.exe crash-test can also be done by forcing/enticing Internet Explorer to access an HTTPS site serving out the same malformed SSL handshake records (as shown in source code below). However, over 2000 iterations are needed (IE needs to access the HTTPS site over 2000 times) before Lsass.exe heap corruption occurs.<BR>
<BR>
<BR>
Vuln Analysis:<BR>
==============<BR>
(Based on schannel.dll/v5.1.2600.2180/WinXP-SP2)<BR>
The vulnerability exists in the schannel.dll component, which implements the SSPI-compliant PCT/TLS/SSL protocol handling. For more information on SSPI and how it relates to LSA, refer to<BR>
1) <A HREF="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/authentication_packages.asp">http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/authentication_packages.asp</A><BR>
2) <A HREF="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/sspi.asp">http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/sspi.asp</A><BR>
<BR>
Essentially, in the case of SSPI authentication libraries like schannel, kerberos and msv1_0 (ntlm), data is exchanged between less-privileged user applications requiring authentication and Lsass.exe, with LSA providing the authentication back-end support. Both LSA and the less-privileged application communicate indirectly via the SSPI interface. Specifically, in SSL authentication, untrusted SSL record packets are passed from the less-privileged application to the privileged LSA. While extensive efforts are made in LSA to validate the SSL records, on WinXP's version of schannel an off-by-one vulnerability exists in the parsing of the less-common and less-used SSL server-key-exchange record. The vulnerability can hence be triggered via less-privileged client applications utilizing schannel's client-side SSL protocol implementation. This includes Internet Explorer, whenever the user uses IE to browse an HTTPS site.<BR>
<BR>
The vulnerable code exists in the _ReverseMemCopy() function and is<BR>
reachable from Ssl3ParseServerKeyExchange():<BR>
(via SPProcessHandshake()->PkcsGenerateClientExchangeValue())<BR>
<BR>
; On WinXP-SP1, the code below is located at 0x767FF976 (no symbols available)<BR>
Ssl3ParseServerKeyExchange()<BR>
...<BR>
.text:767FFFC8 movzx ebx, byte ptr [esi] ; MSB-byte of malformed signature length field<BR>
.text:767FFFCB movzx eax, byte ptr [esi+1] ; LSB-byte of malformed signature length field<BR>
.text:767FFFCF shl ebx, 8<BR>
.text:767FFFD2 add ebx, eax<BR>
.text:767FFFD4 push ebx ; size=0<BR>
.text:767FFFD5 call _SPExternalAlloc@4 ; HeapAlloc will return a valid 0-length heap buffer address<BR>
.text:767FFFDA test eax, eax<BR>
.text:767FFFDC mov [ebp+pbSignature], eax<BR>
.text:767FFFDF jz loc_768000B9<BR>
.text:767FFFE5 push ebx ; size=0<BR>
.text:767FFFE6 lea ecx, [esi+2] ; address of the signature data in our malformed record, containing 0xFF,0x41,0x41...<BR>
.text:767FFFE9 push ecx<BR>
.text:767FFFEA push eax ; 0-length heap buffer<BR>
.text:767FFFEB call _ReverseMemCopy@12<BR>
<BR>
_ReverseMemCopy()<BR>
.text:767FF46F mov edi, edi<BR>
.text:767FF471 push ebp<BR>
.text:767FF472 mov ebp, esp<BR>
.text:767FF474 mov eax, [ebp+arg_8]<BR>
.text:767FF477 mov ecx, [ebp+arg_4]<BR>
.text:767FF47A push esi<BR>
.text:767FF47B mov esi, [ebp+arg_0]<BR>
.text:767FF47E lea eax, [esi+eax-1] ; EAX=0, so ESI (which points to the 0-length heap buffer) is decremented to before the start of the heap buffer<BR>
.text:767FF482 mov dl, [ecx]<BR>
.text:767FF484 mov [eax], dl ; Off-by-one overwrite with 0xFF from our signature data<BR>
.text:767FF486 dec eax<BR>
.text:767FF487 inc ecx<BR>
.text:767FF488 cmp eax, esi<BR>
.text:767FF48A jnb short loc_767FF482 ; Just one-byte overwrite!<BR>
.text:767FF48C pop esi<BR>
.text:767FF48D pop ebp<BR>
.text:767FF48E retn 0Ch<BR>
<BR>
<BR>
Discovered by:<BR>
Steven<BR>
Security Researcher<BR>
Vulnerability Research Lab<BR>
COSEINC<BR>
<BR>
--<BR>
Thank you<BR>
Thomas Lim<BR>
COSEINC Private Limited<BR>
<BR>
-----BEGIN PGP PUBLIC KEY BLOCK-----<BR>
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com<BR>
<BR>
mQGiBEQM9cARBADvlIe8Ck5/u2EtX3ikd/eKjI7uZKyIFHNLxEYBB1AaHmEvYCPi<BR>
VpvNr7ArKjbqlEpdsl6c9gQUY8vir5Lfk/p6siCD1aIYfCdPa64gKJQ66UVIUy7a<BR>
hIlE8sJ86mcbvVGzA4f1LjwPUPwymeKEQeDJyRLlRnPkxWzaoiZqHuEa/QCg/2/t<BR>
IAlQdVT7Q+ss51/NcL87RoEEANcf+ChnlH6vhXLSwnH1iXUMBbGA6t2F0/q29ROR<BR>
lsMoUQW5hvjuOw+4yDzGzmBDQUYbN0GI7pNOBs7UwerGOInTGCFD6nan0JpONT51<BR>
bp5sfF93PNH12I1qVFf+h/qdX4me2mhyKfSNvc0qQMydwfsCJ3vBbEWTF7CqWZFO<BR>
VadVA/9uJTKjJ7ZnN1enBBGUhLl6bA9estqH6lyP69B6Y1tGahDSqVyDe9Q9zs0T<BR>
XDcM6aS+PRnybzX9gfgPfSYtDzX3AU6C7N2XgSK5DnjVZVr2Tdd/2ttM7ApvzaeV<BR>
+ifO/nLGIQ38ik7mKlul5vlXsISShzHpUIdswuQtMp0R2sa+6bQfVGhvbWFzIExp<BR>
bSA8dGhvbWFzQGNvc2VpbmMuY29tPokAXQQQEQIAHQUCRAz1wAcLCQgHAwIKAhkB<BR>
BRsDAAAABR4BAAAAAAoJELxffA89J0fkz+cAn3cklzVq/VYiD9wgH0J2ULsuTbMl<BR>
AJ9NMdYJHBlunYjbPJIcRgGwhAkY4LkCDQREDPXAEAgA9kJXtwh/CBdyorrWqULz<BR>
Bej5UxE5T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xkhkn4DIO9ZekX1KHT<BR>
UPj1WV/cdlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq<BR>
01uejaClcjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O<BR>
9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/POGxKUAYEY18hKcK<BR>
ctaGxAMZyAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlLIhkmuquiXsNV6TIL<BR>
OwACAggAwTip4JFx4LCDazFSyTG7qzIlZonEf3QTHNH4jP15CLvVFxjaHE8g2EgL<BR>
pt2+E6XDg7IGuZ2iXS9gwHkyLKzGR4bwpanAHyMZZbcQOglPHUkxuJZW+AjfcfOD<BR>
5jB+cUOtxk97ca/z9Fz+2qS8Q3sz2QSkHcZgBBxTS07cvd2P60ecVECBKG+dgxGw<BR>
X13e5hgw2tzFRMqnty66lKXYEIUj4ZSl70UPAmy5xUaU4EahLURN29f3zM+EPy72<BR>
374v28ud28yO59iyRqoUGiHr3c87wumrDtjwm8qKIkWHsi+7AiES29nCqtm4zN45<BR>
3yXkalvQ/O97ZJSinzZb851ToowyFIkATAQYEQIADAUCRAz1wAUbDAAAAAAKCRC8<BR>
X3wPPSdH5MLbAKCIYtkvUPIoxm15I4UlvCIZjT8hdACdEWiQKWdlwZCJTePk4CF9<BR>
swkS3cQ=<BR>
=Q3SR<BR>
-----END PGP PUBLIC KEY BLOCK-----<BR>
<BR>
</FONT>
</P>
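<P>The following is an added example, not code from the advisory, from COSEINC or from schannel.dll. It models the bug class the listing above describes in plain C: a signature length field of 0 passes the length check, a 0-byte buffer is obtained (a valid pointer, as with HeapAlloc), and a reversing copy computes its first destination as dst + len - 1, which lands one byte in front of the buffer. The record layout (2-byte big-endian length followed by signature bytes), the fixed arena with a simulated 8-byte control block in front of the allocation, and the constructed sample records are assumptions made for the example. The copy loop mirrors the listing's lea/mov/dec/cmp/jnb sequence but is run over arena indices, so the stray write is observed in the simulated control block rather than performed as a real out-of-bounds access. The hardened parser beside it shows the missing check: reject an empty signature and one that claims more bytes than the record carries.</P>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not schannel's code) of the zero-length signature bug. */

#define HDR_SIZE   8      /* simulated heap control block in front of the buffer (assumption) */
#define ARENA_SIZE 64
#define HDR_FILL   0xAA   /* known fill so corruption of the control block is detectable */

typedef struct { uint8_t mem[ARENA_SIZE]; } arena_t;

/* Constructed sample records: [len_hi][len_lo][signature bytes...] */
static const uint8_t kBadRecord[]  = { 0x00, 0x00, 0xFF, 0x41, 0x41 }; /* length 0, then 0xFF,0x41,0x41 */
static const uint8_t kGoodRecord[] = { 0x00, 0x03, 0x01, 0x02, 0x03 }; /* length 3, three bytes present */

static void arena_init(arena_t *a) { memset(a->mem, HDR_FILL, ARENA_SIZE); }

/* Like HeapAlloc, hands back a valid pointer even when len == 0. */
static uint8_t *arena_alloc(arena_t *a, size_t len) {
    if (len > ARENA_SIZE - HDR_SIZE) return NULL;
    return a->mem + HDR_SIZE;
}

/* 1 if the simulated control block still holds its fill pattern, 0 if it was written. */
static int header_intact(const arena_t *a) {
    for (size_t i = 0; i < HDR_SIZE; i++)
        if (a->mem[i] != HDR_FILL) return 0;
    return 1;
}

/*
 * Model of the reversing copy in the listing: start at dst + len - 1, store one
 * byte, step down, and continue while the cursor has not gone below dst
 * (the unsigned cmp/jnb loop). With len == 0 the first store is at dst - 1.
 * Offsets are kept as signed arena indices so the model never leaves the arena.
 * Returns the number of bytes written.
 */
static int reverse_copy_model(arena_t *a, uint8_t *dst, const uint8_t *src, size_t len) {
    ptrdiff_t start = dst - a->mem;
    ptrdiff_t idx = start + (ptrdiff_t)len - 1;     /* lea eax, [esi+eax-1] */
    int writes = 0;
    do {
        if (idx < 0 || idx >= ARENA_SIZE) break;    /* model guard only */
        a->mem[idx] = *src++;                       /* mov dl,[ecx] ; mov [eax],dl ; inc ecx */
        writes++;
        idx--;                                      /* dec eax */
    } while (idx >= start);                         /* cmp eax, esi ; jnb */
    return writes;
}

static size_t read_len16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Vulnerable model: bounds the length against the record, but accepts length 0. */
static int parse_sig_vulnerable(arena_t *a, const uint8_t *rec, size_t rec_len, uint8_t **out) {
    if (rec_len < 2) return -1;
    size_t sig_len = read_len16(rec);
    if (sig_len > rec_len - 2) return -1;
    uint8_t *buf = arena_alloc(a, sig_len);        /* 0-length request still succeeds */
    if (buf == NULL) return -1;
    reverse_copy_model(a, buf, rec + 2, sig_len);   /* len 0 -> one byte lands in the header */
    *out = buf;
    return (int)sig_len;
}

/* Hardened: an empty signature is malformed and is rejected before any allocation. */
static int parse_sig_hardened(arena_t *a, const uint8_t *rec, size_t rec_len, uint8_t **out) {
    if (rec_len < 2) return -1;
    size_t sig_len = read_len16(rec);
    if (sig_len == 0 || sig_len > rec_len - 2) return -1;
    uint8_t *buf = arena_alloc(a, sig_len);
    if (buf == NULL) return -1;
    reverse_copy_model(a, buf, rec + 2, sig_len);
    *out = buf;
    return (int)sig_len;
}

int main(void) {
    arena_t a;
    uint8_t *sig = NULL;

    arena_init(&a);
    int rc = parse_sig_vulnerable(&a, kBadRecord, sizeof kBadRecord, &sig);
    printf("vulnerable, bad record : rc=%d header_intact=%d mem[%d]=0x%02X\n",
           rc, header_intact(&a), HDR_SIZE - 1, a.mem[HDR_SIZE - 1]);

    arena_init(&a);
    rc = parse_sig_hardened(&a, kBadRecord, sizeof kBadRecord, &sig);
    printf("hardened,   bad record : rc=%d header_intact=%d\n", rc, header_intact(&a));

    rc = parse_sig_hardened(&a, kGoodRecord, sizeof kGoodRecord, &sig);
    printf("hardened,  good record : rc=%d sig=%02X %02X %02X header_intact=%d\n",
           rc, sig[0], sig[1], sig[2], header_intact(&a));
    return 0;
}
```

<P>The vulnerable path returns 0 (a "successful" parse) while the last byte of the simulated control block now reads 0xFF, which is the one-byte corruption the advisory reports; the hardened path returns -1 for the same record and leaves the control block untouched, and still copies a well-formed signature correctly (reversed, as the copy routine intends).</P>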
</BODY>
</HTML>