Microsoft Video ActiveX Control 0day Technical Details
* By Cody Pierce
* Thu 09 Jul 2009 18:09pm
As reports came out regarding the new Microsoft 0day[1] in msvidctl.dll I started to take interest, as information about the specifics of the vulnerability were nonexistent. I was curious about the origin of the issue, what is required to trigger it, whether it is only present in the MPEG2TuneRequest interface, and what other CLSIDs may be affected (besides the 40+ they kill in their advisory). When dealing with 0day we must be aware of very specific details of a vulnerability so we can properly protect ourselves.
Grabbing a copy of the exploit from one of the many sites publicly reporting the issue I narrowed down the needed html to trigger the vulnerability.
var myObject=document.createElement('object');
myObject.data='logo.gif';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
Everything else in the exploit is unrelated to the actual vulnerability. The heap fill is for exploitation, and the height and width properties are unnecessary. This can also be written using a single line of html.
Let's take a look at what the data property is since it appears to be responsible for triggering the vulnerability. From the w3c HTML 4.0 documentation[2].
The data property is used to specify a URL to the object's persistent data. In the exploit it is named "logo.gif", but in reality it can be named anything, and does not follow any particular file format. Instead, it contains data the object can reference upon instantiation. This feature exists so programmers can save and restore data to an object across uses. The contents of this file follow.
0000h 00 03 00 00 11 20 34 00 00 00 00 00 00 00 00 00
0010h 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0020h 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030h 00 00 00 00 00 00 FF FF FF FF 0C 0C 0C 0C 00
We can infer, before we even run the exploit, that the problem is in the handling of this data. We can verify this by running the PoC with a debugger attached to Internet Explorer.
(7ec.2e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=018a8de8 ebp=018a8e08 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
+0xc0c0c0b:
0c0c0c0c ?? ???
0:005> !exchain
018a91dc: +c0c0c0b (0c0c0c0c)
Invalid exception stack at ffffffff
0:005> dc 018a91dc L2
018a91dc ffffffff 0c0c0c0c ........
Looking again at the data we supply to the myObject.data property we can deduce that the bytes from offset 0x36 are used to overwrite an exception chain entry, allowing for code execution. But is this a stack overflow? Short answer kind of, but not like you may be thinking.
The vulnerability lies in the ATL template interface IPersistStreamInit[3], specifically the Load method. Without going into excruciating detail the class allows a developer to use persistent storage in their COM object. By implementing this interface the COM object can save and load persistent data passed by URL to the