-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Microsoft Jet DB engine vulnerabilities Classification: =============== Level: low-med-[HIGH]-crit ID: HEXVIEW*2005*03*31*1 URL: http://www.hexview.com/docs/20050331-1.txt Overview: ========= Microsoft Jet database is a lightweight database widely used by MS Office applications. msjet40.dll is the main component of the Microsoft Jet database engine which evaluates and carries out requests for data. The library handles reading and writing of the data for Microsoft Access databases. HexView noticed multiple occurrences where file data was not validated or improperly validated leading to system crashes, null pointer memory access conditions, and arbitrary code execution. This advisory is focused on just one vulnerability that we confirmed to be exploitable. Affected products: ================== All tests were performed using the latest avaliable msjet40.dll library (version 4.00.8618.0). We did not test earlier versions, but it should be assumed that all earlier releases of the library are also vulnerable. Please note that MS JetDB OLE Provider (msjetoledb40.dll) is not affected by this problem. Only software products that utilize msjet40.dll are affected, including Microsoft Access. Cause and Effect: ================= Sufficient data validation is not performed when msjet40.dll parses the database file. As a result, it is possible to modify database file to cause a code of attacker's choice to be launched when MS Jet database is opened. Demonstration: ============== Below is a fragment of an empty *.mdb file. Note the sequence of 0x77 characters on line #3. When msjet40.dll parses this part of the file, it triggers an exception. 000023B0: 00 00 04 00-49 00 64 00-18 00 50 00-61 00 72 00 ....I.d...P.a.r. 000023C0: 65 00 6E 00-74 00 49 00-64 00 4E 00-61 00 6D 00 e.n.t.I.d.N.a.m. 000023D0: 65 00 77 77-77 77 00 00-05 06 00 00-08 00 02 06 e.wwww.......... 000023E0: 00 00 03 06-00 00 0D 00-08 06 00 00-09 06 00 00 ................ 000023F0: 10 00 0E 06-00 00 0F 06-00 00 0F 00-0C 06 00 00 ................ Explanation: ============ Below is a code fragment from msjet40.dll that is responsible for the crash. Atacker directly controls the value of AX. The value goes through a signed expansion that is used to access 32-bit pointer to the variable that stores the address of a call table. movsx eax, ax mov ecx, [edi+eax*4+0B0h] mov edx, [ecx] call dword ptr [edx+10h] The accessible memory range contains portions of original file, which makes possible to load instruction pointer with the value pointing to malicious code embedded in the document. The issue is trivial to exploit and the exploit is very portable as the attacker does not need to know absolute code addresses. Vendor Status: ============== Microsoft was notified on March 30, 2005. Message acknowledged by an automated reply. No human response received. About HexView: ============== HexView contributes to online security-related lists for almost a decade. The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms, network applications, and embedded devices. We also offer a variety of consulting services. For more information visit http://www.hexview.com Distribution: ============= This document may be freely distributed through any channels as long as the contents are kept unmodified. Commercial use of the information in the document is not allowed without written permission from HexView signed by our pgp key. Please direct all questions to vtalk@hexview.com HexView Disclosure Policy: ========================== HexView notifies vendors with publicly available contact e-mail addresses 24 hours before disclosing any information to the public. If we are unable to find vendor's e-mail address or if no human reply is received within 24 hours, HexView will publish vulnerability notification including all technical details unless the issue is rated as "critical". If vendor does not reply within 72 hours, HexView may disclose all details for critical vulnerabilities as well. HexView will publish all details of low-rated vulnerabilities 24 hours after vendor notification unless there are considerable factors not to do so. For vulnerabilities rated "high" and "critical": If vendor replies within the above mentioned time period, HexView will announce the vulnerability, but will not disclose the details required to reproduce it. HexView will also specify the date when a full disclosure containing all the details will be published. The time period between the announcement and full disclosure is 30 days unless there is an agreement with vendor and appropriate justification for extension. If vendor resolves the issue earlier than 30 days after announcement, HexView may publish full disclosure earlier providing that vendor's patch is available to the public. HexView reserves the right to publish any detail of any vulnerability at any time. Feedback and comments: ====================== Feedback and questions about this disclosure are welcome at vtalk@hexview.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFCTG+cDPV1+KQrDqQRAsgKAKCi4tIPn8PooReYStHq3KEYdzgW8wCgiNaP Trdxg5c6kCkoLlyYeodIhPU= =rglE -----END PGP SIGNATURE-----