Thursday, 10 September 2015

CVE-2015-2483

CVE-2015-2483 Information Disclosure Vulnerability

Vendor: https://technet.microsoft.com/library/security/dn903755.aspx
CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2483

Sunday, 26 January 2014

CVE-2010-0017 Technical Analysis


In this report I analyze the procedure behind CVE-2010-0017, a vulnerability in Microsoft's implementation of the SMB protocol. It is not a secret one, so you can find more details on the Internet.
Leave a comment if you have any ideas. SHARING IS ENCOURAGED.

Overview

By sending a malformed "Negotiate Protocol Response" packet, a malicious SMB server can make the SMB client overflow a kernel pool allocation. Successful exploitation can result in remote code execution. The attacker must first convince the client to send a "Negotiate Protocol Request" to the attacker's server, i.e. to open an SMB connection to it.

Technical Details

0x01 Critical Parameter

From prior knowledge we know that when an SMB server receives a "Negotiate Protocol Request" packet, it sends back a response carrying parameters such as
"Word Count", "Dialect Index", ..., "Max Buffer Size", etc.
The parameter "Max Buffer Size" is defined on MSDN here
(http://msdn.microsoft.com/en-us/library/cc246326.aspx). It is the size of the largest SMB message the server can send or receive, and it therefore bounds the size of the messages a client may send to the server. The size is measured from the beginning of the SMB header to the end of the packet.

0x02 Procedure

In this part I show how this parameter triggers the vulnerability.
Let's take a look at the stack trace at the moment the client crashes:

Figure 1. Stack Trace
As it shows, the bug check was raised inside rdbss!_RxFreePool, from which we infer that the pool has been corrupted.
So the entire process is as follows:
The client first reads "MaxBufferSize" from the response packet sent by the server, then adds 0x80 to that value and uses the result as the size of a paged pool allocation.

Figure 2. Memory Allocation

Figure 3. Runtime Parameters

When the allocation succeeded, the start address of the allocated pool block was returned in EAX, as shown below:
Figure 4. Returned Address
Let’s take a look at the pool allocated.

Figure 5.Pool information
Once the allocation was done, the following instructions zeroed the memory, taking MaxBufferSize from [ESI+138h] as the length.

Figure 6.Initialize the memory
When execution reached 0xb2c73258, the instruction there caused the overflow.


Figure 7. Overflow
We use !pool to inspect this chunk:

Figure 8. Pool Information
It is obvious that the instruction at 0xb2c7325c overwrote the size field in the header of the next pool block, which caused a bug check when the program later called mrxsmb!_RxFreePool to free the corrupted block.


Figure 9. Bug Check
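To make the sequence above concrete, here is an added C example; it is not code from the original post or from Microsoft. It parses MaxBufferSize out of a constructed SMB_COM_NEGOTIATE response laid out as MS-CIFS specifies for the NT LM 0.12 dialect, then replays the allocation pattern against a toy pool whose chunk headers are validated when a block is freed, which is the point at which the real pool check produced the bug check. The write of CLIENT_STATE_LEN bytes into the MaxBufferSize + 0x80 buffer is an assumed model of the overflowing instruction, not the actual mrxsmb code, and the sanity bounds in the hardened variant are likewise assumptions made for the example.

```c
/* Added example (not from the original post or Microsoft). Parses MaxBufferSize
 * from an SMB_COM_NEGOTIATE response (MS-CIFS, NT LM 0.12 dialect) and models
 * the allocation pattern described above with a toy pool. The fixed-size write
 * into the MaxBufferSize + 0x80 buffer is an ASSUMED model of the overflow. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SMB_HDR_LEN 32u          /* fixed SMB header, begins 0xFF 'S' 'M' 'B' */
#define NEG_WORDCOUNT 17u        /* parameter words in an NT LM 0.12 negotiate response */
#define CLIENT_STATE_LEN 0x200u  /* ASSUMED length of what the client writes into the buffer */

/* Parameter block after the header: WordCount(1) DialectIndex(2) SecurityMode(1)
 * MaxMpxCount(2) MaxNumberVcs(2) MaxBufferSize(4) ... so MaxBufferSize is at +8.
 * Returns 1 and stores the value, 0 if the packet is malformed. */
int parse_negotiate_max_buffer(const uint8_t *pkt, size_t len, uint32_t *max_buf)
{
    if (len < SMB_HDR_LEN + 1 + NEG_WORDCOUNT * 2 + 2) return 0;    /* header + words + ByteCount */
    if (memcmp(pkt, "\xffSMB", 4) != 0 || pkt[4] != 0x72) return 0; /* 0x72 = SMB_COM_NEGOTIATE */
    const uint8_t *p = pkt + SMB_HDR_LEN;
    if (p[0] != NEG_WORDCOUNT) return 0;
    *max_buf = (uint32_t)p[8] | (uint32_t)p[9] << 8 | (uint32_t)p[10] << 16 | (uint32_t)p[11] << 24;
    return 1;
}

/* Constructed response (not a capture): header, WordCount=17, MaxBufferSize=0x10,
 * every other field zero, ByteCount=0. */
static const uint8_t SAMPLE_RESPONSE[SMB_HDR_LEN + 1 + NEG_WORDCOUNT * 2 + 2] = {
    0xff, 'S', 'M', 'B', 0x72, [SMB_HDR_LEN] = NEG_WORDCOUNT, [SMB_HDR_LEN + 8] = 0x10,
};
uint32_t parse_sample_max_buffer(void)   /* UINT32_MAX if the sample fails to parse */
{
    uint32_t v;
    return parse_negotiate_max_buffer(SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE, &v) ? v : UINT32_MAX;
}

/* Toy pool: chunks back to back, each behind a header with a magic and a size,
 * standing in for the POOL_HEADER the write-up inspects with !pool. */
#define POOL_MAGIC 0x504F4F4Cu
struct pool_hdr { uint32_t magic; uint32_t size; };
static uint8_t g_pool[0x4000];
static size_t g_pool_used;

static void *pool_alloc(size_t size)
{
    size_t avail = sizeof g_pool - g_pool_used;
    if (avail < sizeof(struct pool_hdr) || size > avail - sizeof(struct pool_hdr)) return NULL;
    struct pool_hdr *h = (struct pool_hdr *)(g_pool + g_pool_used);
    h->magic = POOL_MAGIC; h->size = (uint32_t)size;
    g_pool_used += sizeof *h + size;
    return h + 1;
}

/* Free-time check that turned the corruption into a bug check: 1 if the header
 * of the following chunk is intact, 0 if it has been overwritten. */
static int pool_free_check(const uint8_t *p)
{
    const struct pool_hdr *h = (const struct pool_hdr *)p - 1;
    size_t next = (size_t)(p - g_pool) + h->size;
    if (next + sizeof *h > g_pool_used) return 1;          /* no chunk after this one */
    return ((const struct pool_hdr *)(g_pool + next))->magic == POOL_MAGIC;
}

/* Vulnerable model: buffer sized from the server-controlled value, then a write of
 * CLIENT_STATE_LEN bytes never bounded by that size. 1 = pool intact, 0 = the
 * neighbouring header was clobbered (the state that bug-checks on free). */
int smb_client_negotiate_vuln(uint32_t max_buf)
{
    g_pool_used = 0;
    uint8_t *buf = pool_alloc((size_t)max_buf + 0x80);     /* Figure 2: MaxBufferSize + 0x80 */
    if (!buf || !pool_alloc(0x40)) return -1;               /* a neighbouring chunk */
    memset(buf, 0, max_buf);                                /* Figure 6: zero-fill MaxBufferSize bytes */
    memset(buf, 0x41, CLIENT_STATE_LEN);                    /* Figure 7: the overflowing write */
    return pool_free_check(buf);                            /* Figure 9: checked when freed */
}

/* Hardened model: refuse a MaxBufferSize that cannot hold what will be written
 * (bounds ASSUMED for the example) and size every write by the real allocation. */
int smb_client_negotiate_fixed(uint32_t max_buf)
{
    if (max_buf < CLIENT_STATE_LEN || max_buf > 0x100000u) return -2;
    g_pool_used = 0;
    size_t alloc_len = (size_t)max_buf + 0x80;
    uint8_t *buf = pool_alloc(alloc_len);
    if (!buf || !pool_alloc(0x40)) return -1;
    memset(buf, 0, alloc_len);
    memset(buf, 0x41, CLIENT_STATE_LEN);                    /* <= alloc_len by the check above */
    return pool_free_check(buf);
}

int main(void)
{
    printf("sample MaxBufferSize = 0x%x\n", parse_sample_max_buffer());
    printf("vuln : 0x10 -> %d, 0x1104 -> %d\n", smb_client_negotiate_vuln(0x10), smb_client_negotiate_vuln(0x1104));
    printf("fixed: 0x10 -> %d, 0x1104 -> %d\n", smb_client_negotiate_fixed(0x10), smb_client_negotiate_fixed(0x1104));
    return 0;
}
```

With MaxBufferSize = 0x10 the vulnerable path allocates 0x90 bytes and the write runs into the neighbouring header, so the free-time check fails; with a plausible value such as 0x1104 it passes. The hardened path rejects the small value before allocating anything and sizes every write by the allocation it actually made, which is the property the client was missing.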

0x03 Version Information


Figure 10. Version




Saturday, 7 September 2013

Peach Pits of GIF Model

I've been studying Peach 3 these days. Below is my first Peach Pit, for GIF. There are several differences between version 3 and version 2; when writing this pit, I found that one of the most obvious changes is that there is no 'when' attribute in version 3, so 'Choice' or 'constraint' has to be used instead. Here is my pit. Sorry for the sparse annotation; ask me if you have any questions or doubts :)
<?xml version="1.0" encoding="UTF-8"?>
<!--  
    Author:@Puzzor Weibo;@Puzzorsj twitter
    Date:2013.09.07
    Type:GIF
-->
<Peach xmlns="http://peachfuzzer.com/2012/Peach"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://peachfuzzer.com/2012/Peach file:/C:/Peach/peach.xsd">
    <Import import="math"/>
    <!-- Several Templates to ref-->
    <DataModel name="LogicalScreenDescriptorTemplate">
        <Number size="16" name="Width"></Number>
        <Number size="16" name="Height"></Number>
        <Number size="1" name="GlobalColor"/>
        <Number size="3" name="ColorResolution"/>
        <Number size="1" name="SortFlag"/>
        <Number size="3" name="SizeofGlobalColorTable" />
        <Number size="8" name="BackgroundColorIndex"></Number>
        <Number size="8" name="PixelAspectRatio"></Number>
    </DataModel>  
    <DataModel name="ImageDescriptorTemplate">
        <Blob name="ImageSeparator" length="1" value="2c" valueType="hex" mutable="false" token="true"></Blob>
        <Number size="16" name="ImageLeftPosition"/>
        <Number size="16" name="ImageTopPosition"/>
        <Number size="16" name="ImageWidth"/>
        <Number size="16" name="ImageHeight"/>
        <Number size="1" name="LocalColorTableFlag"/>
        <Number size="1" name="InterlaceFlag"/>
        <Number size="1" name="SortFlag"/>
        <Number size="2" name="Reserved"/>
        <Number size="3" name="SizeOfLocalColorTable"/>
    </DataModel>
    <DataModel name="DataSubBlocksTemplate">
        <Choice name="ChoiceOfDataSubBlocksSize" minOccurs="0">
            <Block>
                <Block name="DataSubBlocksWithSizeNotZero" >
                    <Number size="8" name="BlockSize" signed="false" constraint="int(element.DefaultValue) != 0">
                        <Relation type="size" of="DataValues"/>
                    </Number>
                    <Blob name="DataValues"/>
                </Block>
            </Block>
        </Choice>
        <Blob name="BlockTerminator" length="1" valueType="hex" value="00" mutable="false" token="true"/>
    </DataModel>
    <DataModel name="ExtensionHeaderTemplate">
        <Blob length="1" name="ExtensionIntroducer" value="21" valueType="hex" mutable="false" token="true"/>
        <Blob length="1" name="ExtensionLabel" valueType="hex" mutable="false" token="true"/>
    </DataModel>
    <!-- ################   Template   ################# -->
    <DataModel name="GIFHeader" mutable="false" minOccurs="1" maxOccurs="1">
        <String length="3" value="GIF" mutable="false" token="true"/>
        <Blob name="strVersion" length="3"/>
    </DataModel>
    <DataModel name="LogicalScreenDescriptorModel">
        <Choice name="GlobalColorChoice">
            <Block name="ChoiceOfGlobalColorT">
                <Block name="LogicalScreenDescriptorREF" ref="LogicalScreenDescriptorTemplate">
                    <!-- token="true" so the Choice can tell the two branches apart when cracking the sample -->
                    <Number size="1" name="GlobalColor" value="1" token="true"/>
                    <Number size="3" name="SizeofGlobalColorTable">
                        <Relation type="size" of="GlobalColorTableBlob" expressionGet="int(pow(2,(size+1)))*3" expressionSet="int(math.log(size/3,2))-1"/>
                    </Number>
                    <Blob name="GlobalColorTableBlob" maxOccurs="1"/>
                </Block>
            </Block>
            <Block name="ChoiceOfGlobalColorF" ref="LogicalScreenDescriptorTemplate">
                <Number size="1" name="GlobalColor" value="0" token="true"></Number>
            </Block>
        </Choice>  
    </DataModel>
    <DataModel name="ImageData">
        <Number size="8" name="LZWMinimumCodeSize"/>
        <Block name="ImageData" ref="DataSubBlocksTemplate"></Block>
    </DataModel>
    <DataModel name="ImageDescriptor">
        <Choice name="ImageDescriptorLocalColorTableChoice">
            <Block name="IDLocalColorTableT" ref="ImageDescriptorTemplate">
                <Number size="1" name="LocalColorTableFlag" value="1" token="true"></Number>
                <Number size="3" name="SizeOfLocalColorTable">
                    <Relation type="size" of="LocalColorTableBlob" expressionGet="int(pow(2,(size+1)))*3" expressionSet="int(math.log(size/3,2))-1"/>
                </Number>
                <Blob name="LocalColorTableBlob"/>
            </Block>
            <Block name="IDLocalColorTableF" ref="ImageDescriptorTemplate">
                <Number size="1" name="LocalColorTableFlag" value="0" token="true"></Number>
            </Block>
        </Choice>
        <Block ref="ImageData"/>
    </DataModel>
    <DataModel name="GraphicControlExtension">
        <Block name="ExtensionHeader" ref="ExtensionHeaderTemplate">
            <Blob name="ExtensionLabel" length="1" valueType="hex" value="F9" mutable="false" token="true"></Blob>
        </Block>
        <Block name="GraphicControlSubBlock">
            <Number size="8" name="BlockSize"></Number>
            <Flags name="PackedFields" size="8">
                <Flag name="Reserved" position="5" size="3"/>
                <Flag name="DisposalMethod" position="2" size="3"/>
                <Flag name="UserInputFlag" position="1" size="1"/>
                <Flag name="TransparentColorFlag" position="0" size="1"/>
            </Flags>
            <Number size="16" name="DelayTime"/>
            <Number size="8" name="TransparentColorIndex"/>
        </Block>
        <Blob name="BlockTerminator" length="1" valueType="hex" value="00" mutable="false" token="true"></Blob>
    </DataModel>
    <DataModel name="PlainTextExtension">
        <Block name="ExtensionHeader" ref="ExtensionHeaderTemplate">
            <Blob name="ExtensionLabel" value="01" length="1" valueType="hex" token="true" mutable="false"></Blob>
        </Block>
        <Block name="PlainText">
            <Number size="8" name="BlockSize"></Number>
            <Number size="16" name="TextGridLeftPosition"></Number>
            <Number size="16" name="TextGridTopPosition"></Number>
            <Number size="16" name="TextGridWidth"></Number>
            <Number size="16" name="TextGridHeight"></Number>
            <Number size="8" name="CharacterCellWidth"></Number>
            <Number size="8" name="CharacterCellHeight"></Number>
            <Number size="8" name="TextForegroundColorIndex"></Number>
            <Number size="8" name="TextBackgroundColorIndex"></Number>
        </Block>
        <Block name="DataSubBlocks" ref="DataSubBlocksTemplate"></Block>
    </DataModel>
    <DataModel name="CommentExtension">
        <Block name="ExtensionHeader" ref="ExtensionHeaderTemplate">
            <Blob name="ExtensionLabel" valueType="hex" value="FE" length="1" token="true" mutable="false"/>
        </Block>
        <Block name="DataSubBlocks" ref="DataSubBlocksTemplate"/>
    </DataModel>
    <DataModel name="ApplicationExtension">
        <Block name="ExtensionHeader" ref="ExtensionHeaderTemplate">
            <Blob name="ExtensionLabel" valueType="hex" value="FF" length="1" token="true" mutable="false"/>
        </Block>
        <Block name="ApplicationExtensionBlock">
            <Number size="8" name="BlockSize"></Number>
            <Blob name="ApplicationIdentifier" length="8"></Blob>
            <Blob name="ApplicationAuthenticationCode" length="3"></Blob>
        </Block>
        <Block name="DataSubBlocks" ref="DataSubBlocksTemplate" />
    </DataModel>
    <!-- Catch-all for extension labels not modelled above. The label carries no
         value and no token, so this last Choice branch accepts any other label
         (a fixed F9 here would only duplicate GraphicControlExtension). -->
    <DataModel name="UndefinedData">
        <Block name="ExtensionHeader" ref="ExtensionHeaderTemplate">
            <Blob name="ExtensionLabel" length="1" valueType="hex"/>
        </Block>
        <Block name="DataSubBlocks" ref="DataSubBlocksTemplate"/>
    </DataModel>
    <DataModel name="GIFTrailer">
        <Blob name="GIFTrailer" value="3B" valueType="hex" mutable="false" length="1" token="true"></Blob>
    </DataModel>
    <DataModel name ="Data">
        <Choice minOccurs="1">
            <Block ref="ImageDescriptor"/>
            <Block ref="GraphicControlExtension"/>
            <Block ref="CommentExtension"/>
            <Block ref="PlainTextExtension"/>
            <Block ref="ApplicationExtension"/>
            <Block ref="UndefinedData"/>
        </Choice>
    </DataModel>
    <DataModel name="GIF" >
        <Block ref="GIFHeader"></Block>
        <Block ref="LogicalScreenDescriptorModel"></Block>
        <Block ref="Data"></Block>
        <Block ref="GIFTrailer"></Block>
    </DataModel>
    <StateModel name="TheState" initialState="Initial">
        <State name="Initial">
            <Action type="output">
                <DataModel ref="GIF"/>
                <Data fileName="sample.gif"/>
            </Action>
            <Action type="close"/>
        </State>
    </StateModel>
    <Test name="Default">
        <StateModel ref="TheState"/>
        <Publisher class="File">
            <Param name="FileName" value="fuzzed.gif"/>
        </Publisher>
        <Logger class="Filesystem">
            <Param name="Path" value="logs" />
        </Logger>
    </Test>
</Peach>
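As an added example (not part of the original post, and not Peach code), the following C walker reads the same structure the pit models, enforcing at each length field the bound the pit's relations express: a colour table is 3 * 2^(N+1) bytes, every data sub-block is exactly as long as its size byte claims, and any extension label is followed by sub-blocks up to the 0x00 terminator. The sample GIF bytes and the single-byte mutations are constructed for the example; reading a real fuzzed.gif into the buffer instead shows which structural rule a mutated case violates before it reaches a decoder.

```c
/* Added example (not from the original post or from Peach): a bounds-checked walk
 * over the GIF structure the pit models, for triaging fuzzer output or checking
 * that generated files honour the pit's length relations. Sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum gif_status { GIF_OK = 0, GIF_BAD_HEADER, GIF_TRUNCATED, GIF_BAD_BLOCK, GIF_NO_TRAILER };
struct gif_summary { int images, extensions, color_table_bytes, sub_blocks; };

/* Colour table length from the low three bits of a packed byte: 3 * 2^(N+1),
 * the relation the pit writes as expressionGet="int(pow(2,(size+1)))*3". */
size_t color_table_len(uint8_t packed) { return 3u * (1u << ((packed & 0x07) + 1)); }

/* Consume data sub-blocks up to the 0x00 terminator. A size byte claiming more
 * bytes than remain is exactly what a fuzzer produces; it is rejected, not read. */
static enum gif_status walk_sub_blocks(const uint8_t *p, size_t len, size_t *off, int *count)
{
    for (;;) {
        if (*off >= len) return GIF_TRUNCATED;
        uint8_t sz = p[(*off)++];
        if (sz == 0) return GIF_OK;                           /* BlockTerminator */
        if (len - *off < sz) return GIF_TRUNCATED;
        *off += sz;
        (*count)++;
    }
}

static enum gif_status skip_color_table(const uint8_t *p, size_t len, size_t *off, uint8_t packed, int *bytes)
{
    size_t n = color_table_len(packed);
    (void)p;
    if (len - *off < n) return GIF_TRUNCATED;
    *off += n; *bytes += (int)n;
    return GIF_OK;
}

enum gif_status gif_walk(const uint8_t *p, size_t len, struct gif_summary *s)
{
    memset(s, 0, sizeof *s);
    if (len < 13 || memcmp(p, "GIF", 3) != 0) return GIF_BAD_HEADER;
    size_t off = 13;                                          /* Header (6) + Logical Screen Descriptor (7) */
    enum gif_status st;
    if ((p[10] & 0x80) && (st = skip_color_table(p, len, &off, p[10], &s->color_table_bytes)) != GIF_OK) return st;
    for (;;) {
        if (off >= len) return GIF_NO_TRAILER;
        switch (p[off++]) {
        case 0x3B: return GIF_OK;                             /* GIFTrailer */
        case 0x2C:                                            /* ImageDescriptor: 9 bytes, packed byte last */
            if (len - off < 9) return GIF_TRUNCATED;
            off += 9;
            if ((p[off - 1] & 0x80) && (st = skip_color_table(p, len, &off, p[off - 1], &s->color_table_bytes)) != GIF_OK) return st;
            if (off >= len) return GIF_TRUNCATED;
            off++;                                            /* LZWMinimumCodeSize */
            if ((st = walk_sub_blocks(p, len, &off, &s->sub_blocks)) != GIF_OK) return st;
            s->images++;
            break;
        case 0x21:                                            /* extension: label byte, then sub-blocks */
            if (off >= len) return GIF_TRUNCATED;
            off++;                                            /* F9/FE/01/FF, or any undefined label */
            if ((st = walk_sub_blocks(p, len, &off, &s->sub_blocks)) != GIF_OK) return st;
            s->extensions++;
            break;
        default: return GIF_BAD_BLOCK;
        }
    }
}

/* Constructed sample: a minimal 1x1 GIF. Header, LSD with a 2-entry global colour
 * table (packed 0x80), graphic control extension, image descriptor, one 2-byte
 * LZW sub-block, trailer. 43 bytes. */
static const uint8_t SAMPLE_GIF[] = {
    'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00, 0x80, 0x00, 0x00,
    0x00,0x00,0x00, 0xff,0xff,0xff,
    0x21,0xf9, 0x04, 0x01,0x00,0x00,0x00, 0x00,
    0x2c, 0x00,0x00,0x00,0x00, 0x01,0x00, 0x01,0x00, 0x00,
    0x02, 0x02,0x44,0x01, 0x00,
    0x3b,
};

int sample_gif_walk(struct gif_summary *s) { return gif_walk(SAMPLE_GIF, sizeof SAMPLE_GIF, s); }

/* Re-walk after a single-byte mutation of the kind a fuzzer makes. */
int mutated_gif_walk(size_t off, uint8_t val)
{
    uint8_t buf[sizeof SAMPLE_GIF];
    struct gif_summary s;
    memcpy(buf, SAMPLE_GIF, sizeof buf);
    if (off < sizeof buf) buf[off] = val;
    return gif_walk(buf, sizeof buf, &s);
}

int main(void)
{
    struct gif_summary s;
    int st = sample_gif_walk(&s);
    printf("sample: status %d, images %d, extensions %d, colour table bytes %d, sub-blocks %d\n",
           st, s.images, s.extensions, s.color_table_bytes, s.sub_blocks);
    printf("sub-block size 0xff -> %d, colour table size 7 -> %d\n", mutated_gif_walk(38, 0xff), mutated_gif_walk(10, 0x87));
    return 0;
}
```

The two mutations in main target the fields the pit's relations control: the sub-block size byte (offset 38) and the SizeofGlobalColorTable bits (offset 10). Both make the file claim more bytes than it contains, and both are rejected as GIF_TRUNCATED rather than read past the buffer, which is the check a decoder must make and the one the fuzzer is trying to find missing.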