Microsoft Agent Heap Overflow Vulnerability

COSEINC Alert
http://www.coseinc.com/alert.html

Vendor:
Microsoft

Systems Affected:
Windows 2000 All Service Packs
Windows XP All Service Packs

Overview:
Microsoft Agent is a software technology that enables an enriched form of
user interaction that makes learning to use a computer easier. With the
software service, developers can enhance the user interface of their
applications and Web pages with interactive personalities in the form of
animated characters.

This feature is preinstalled on Win2k/XP and allows loading of remote
character data via HTTP through Internet Explorer. Microsoft actually
utilizes a custom compression algorithm to compress the character data file
(.acf) which we presume is to speed up the distribution over network.

A security researcher of COSEINC Vulnerability Research Lab has discovered
that Microsoft Agent has a heap overflow vulnerability. This vulnerability
is triggered when Microsoft Agent parses the malformed character file in its
uncompressed state in memory, by having an overly large value in a length
field. This will lead to an integer overflow during the allocation of
buffer. Subsequently, when data is copied to the buffer, the heap overflow
will occur. The result is possible remote code execution.

Technical Details:
The vulnerability exists in the ReadWideString function in agentdpv.dll:

711a2cc4     mov     eax,[ebp+0xc]
711a2cc7     cmp     eax,ebx
711a2cc9     jz      agentdpv!ReadWideStringW+0x6b (711a2d0e)
711a2ccb     lea     eax,[eax+eax+0x2]
711a2ccf     push    eax
711a2cd0     call    agentdpv!operator new (711aaa6c)

The .acf format when uncompressed in memory, stores strings with their
lengths prepended to them. To trigger the vulnerability, a large value
7FFFFFFF can be set in the length field of a string before compression takes
place to create a malformed .acf file (This can be done using the Microsoft-
supplied Agent Character Editor and editing the memory contents when
creating the .acf file). When Microsoft Agent parses the .acf file, this
length is read after uncompressing the file in memory:

711a2cc4     mov     eax,[ebp+0xc] ; length of string

An integer overflow occurs presumably during the calculation of the size of
the memory to allocate for a widestring using the supplied length, resulting
in an allocation of 0 bytes:

711a2ccb     lea     eax,[eax+eax+0x2]
711a2ccf     push    eax
711a2cd0     call    agentdpv!operator new (711aaa6c)

Sometime after, the string will be read from memory allocated earlier and
copied to the buffer leading to the overflow and corrupting the heap.

711a2ce8     push    ebx
711a2ce9     add     edx,edx
711a2ceb     push    edx
711a2cec     push    eax
711a2ced     push    edi
711a2cee     call    dword ptr [ecx+0xc]{ole32!CMemStm::Read (771e7a1f)}

Notes:
The string has been earlier written (together with other data) to a
temporary buffer as a result of the uncompressing procedure. The 2nd DWORD
in the .acf file specifies the total size of the file in its uncompressed
state and is used internally to allocate the required memory for the
temporary buffer.

The number of bytes to copy from this temporary buffer is apparently
determined by subtracting from the total size, the size of previous data
chunks and does not utilize the supplied string length.

Hence, the amount of overflow can be controlled by simply using a string of
the desired length. This is why the large length of 7FFFFFFF does not result
in continuous copying leading to access violation (usually in the case of an
integer overflow). Consequently, an arbitrary 4-byte overwrite will occur
resulting in possible code execution.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/ms06-068.mspx

Credit:
This vulnerability was discovered by Willow, a Windows security researcher
of the COSEINC Vulnerability Research Lab (VRL).

Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
no warranties, implied or express, with regard to this information. In no
event shall the author or the company be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or spread of
this information. Any use of this information is at the user's own risk.