Skypher » PoC

Ultra-Edit buffer overflow in GNU Aspell

SkyLined — Fri, 16 Jul 2010 08:26:23 +0000

While looking at logs from my fuzzers, I found a bug in UltraEdit that triggered when I loaded a file with a long string of alphabetic characters. A bit of debugging indicated that UltraEdit was using a version of GNU Aspell that had a buffer overflow when handling long words. UltraEdit has been using Aspell since version 11^[1]. I’ve not looked at exploitability, but the application seems to detect the overflow and terminate cleanly, so they may be saved by mitigations. IDM, the creators of UltraEdit, have since released a new version that fixes the issue.

Case history: http://code.google.com/p/skylined/issues/detail?id=2

Apple QuickTime memory corruption when loading BMP file

SkyLined — Mon, 12 Apr 2010 11:53:01 +0000

From http://support.apple.com/kb/HT4104:
CVE-ID: CVE-2010-0536

Impact: Opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in the handling of BMP images. Opening a maliciously crafted BMP image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of BMP images.

More details here:
http://code.google.com/p/skylined/issues/detail?id=11

MSIE 9 regular expression related crashes

SkyLined — Mon, 12 Apr 2010 11:32:07 +0000

The following code snippets will crash MSIE 9 platform review. Because this is not a stable release, but a preview of a product in development, it is expected to have a few bugs here and there – so don’t go browsing the web with it .

More details here: http://code.google.com/p/skylined/issues/detail?id=13

Internet Exploiter 2 – bypassing DEP

SkyLined — Mon, 01 Mar 2010 15:22:53 +0000

In 2005 I released Internet Exploiter 2, which helped make heap spraying popular in browser exploits. The exploit I released would not work if you had DEP turned on for MSIE. However, I also created a version of the exploit that used ret-into-libc to bypass DEP, which I never released until today.

I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms. 32-bits does not provide sufficient address space to randomize memory to the point where guessing addresses becomes impractical, considering heap spraying can allow an attacker to allocate memory across a considerable chunk of the address space and in a highly predictable location. The code in this exploit shows how to abuse this to perform a ret-into-libc attack when you can predict or, through information leakage, determine the location of modules (exe, dll) in the process’ memory.

The source code, which has inline documentation, can be found here.

***UPDATE*** It appears that some people need a little more detail to figure out what is going on:

this exploit targets a bug that was already fixed in MSIE 6.0 in 2005,

This exploit does not defeat ASLR, it only shows how to defeat DEP if ASLR is disabled or if you can bypass it.

ALPHA3 released

SkyLined — Sun, 10 Jan 2010 13:33:53 +0000

I realized that if I would wait until I had fully documented everything in ALPHA3, it would probably never get released. So, without further ado, documentation or explanations:

It has been developed and tested on Windows, but it should not be to hard to get it to run on other platforms. If you are having difficulty on other platforms and manage to create patches to fix this, please let me know and/or become a commiter to the project!

PS. My appologees for my lack of 1337 Python coding skills to whomever gets to port it to Metasploit – I did this project in Python while I was learning the language

MS09-014: EMBED element memory corruption

SkyLined — Sun, 19 Apr 2009 13:05:21 +0000

Microsoft has just released a fix for an issue I reported to them on December 4th, 2008. A simple repro can be found here.
Though I did not investigate the issue, it appears to be similar to MS05-20: it is triggered by having JavaScript running in one window create and delete EMBED elements with existing mime-types in another window in rapid succession. Because each window is running in its own thread in MSIE, the code must be thread-safe for two windows to interact correctly. This issues appears to be a re-entrancy problem that causes one thread to access data after that data was freed by another thread.

MSIE screen[""] NULL ptr DoS details

SkyLined — Wed, 07 Jan 2009 14:00:09 +0000

MSIE can be made to crash with a NULL ptr Read AV by executing a very small piece of JavaScript. This affects MSIE 6.0, 7.0 and 8.0 beta2. It should be fixed in 8.0 rc1.

The following HTML triggers the issue:

I am amazed that a bug that is so simple to trigger has apparently gone unnoticed for years.

Repro here.
List of software vulnerabilities here.

Safari arguments integer overflow PoC (CVE-2008-2303)

SkyLined — Mon, 05 Jan 2009 20:03:12 +0000

CVE-2008-2303 covers an integer overflow in the handling of indices in the “arguments” array in Apple Safari that affects iPhone, iPod and PC (Mac and Windows). It was fixed in Safari 3.2 for iPhone and iPod in July and for PC in November.
More details here.
Repro here.

I have also created proof of concept code that shows potential exploitability and demonstrates how to use heap-spraying in Safari. AFAIK this is the first use of heap spraying in Safari, but I may be wrong. Heap spraying in Safari is not that different from other browsers, just backwards The code can be found here.