regsvr32.exe commandline overflow

[warl0ck7]

1.What is it ?

The windows regsvr32.exe, used for registering ActiveX,COM etc
components has a commandline stack overflow.On passing a large string
on the commandline the program causes an access viation.For ex. on
issuing the command

c:\>regsvr32.exe (About 1200 A's).dll

A messagebox pops up saying LoadLibrary("AAAAAAAAAAAAAA......AAA") failed
after which an access violation occcurs on a Windows 2000 Pro SP0.

2.Systems Affected

The problem is confirmed on the follwing systems:
1.Windows 2000 Professional SP0
2.Windows XP Professional SP0
3.Windows XP Professional SP1

3. The problem

The problem is in a routine in regsvr32.exe which displays the
MessageBox saying "LoadLibrary failed for (THE INPUT FILE NAME) File
name or extension is too long".The buffer with the file name overwrites
the stack completely.

4. Expoitable ?

The problem is completely exploitable in Windows 2000 Professional but is
difficult on Windows XP due to unicode storage of the string,the instruction
pointer is compelety overwritten.The only problem would be the annoying
message box which first pops up before an access violation occurs.

[Tiger Shark]

This would only be a remote exploit insofar as command line access would be a pre-requisite on the target machine for this to even be possible.... right? Or is there a devious way of issuing a regsvr32 command that I am having a brain dump on?

[SirDice]

Somehow this looks vaguely familiar but I cannot seem to find the old post.

Have the same question though (never got answered):

What will I gain if I overflow regsvr32?

[Nokia]

If you could manage to get netcat installed on a tgt machine, connect to it that way, FTP a peice of code succeptable to a buffer overflow, get a cmd prompt up via nc, run the regsvr32 exploit , that overflows and your code is ran instead! Voilla!

Its not quite a simple as that i know, but in a nut shell that is what you could gain from it!

[SirDice]

Why? If you can ftp a piece of susceptible code you might aswell ftp your malware.

There's no privilege elevation involved here.
Buffer overflows are "A Bad Thing(tm)" but there's no security risk from this overflow.

[Nokia]

There's a security risk from ANY overflow.

If you can cause something to execute a peice of code, surley thats a security risk?

There's no privilege elevation involved here.

What says the code you ftp'd cant make an account with admin privilages??

If you have the code you can use any buffer overflow to execute it, providing you know where it is in memory- thats the security risk.

[SirDice]

Originally posted here by Nokia
If you can cause something to execute a peice of code, surley thats a security risk?

Not really. It depends alot on other things.

1st: As said there's no privilege elevation involved here. Everything that gets executed would have the same privileges as the user executing it. So why not execute your code directly?

2nd: If you've restricted what kind of executables a user can run you may have something to execute code of your choice. BUT no (regular) user should have a need for regsvr32 so why permit it?

What says the code you ftp'd cant make an account with admin privilages??

Because the (regular) user running the exploit doesn't gain any extra privileges (i.e. isn't allowed to create accounts) this would be impossible. Unless the code contains something to elevate the privileges but then again you could run that directly so why overflow?

[Nokia]

Not really. It depends alot on other things.

1st: As said there's no privilege elevation involved here. Everything that gets executed would have the same privileges as the user executing it. So why not execute your code directly?

No, it depends on the privilage of the application running that overflowed to execute the code. The code executed will have the same privilage. Thats the whole idea of a buffer overflow.

If you executed your code directly, then you would have the same privilage as the user logged on


regsvr32 = a Command line application that is used to register dynamic-link libraries and ActiveX controls in the registry.


When this System Process executes if you make it execute a peice of code you have stored on the tgt machine instead, at that specific moment in time windows will think it is executing a system task- therefore you wouldnt need to elevate your privilages as what ever code you have executed will have the same rights a regsvr32.

But hey look, it changes the registry, so any security measures in place will notice something changing the registry but will then see its a system process called regsvr32, even if it throws a warning up to who ever is at the console(which it more than likley wont) they will see the name of it and if they dont know it, they would more than likley google it, find it is a system process and proberbly allow it!

And whaddya ya know, you could have installed anything, changed anything in the registry even though the machine in question has got firewalls, ids's etc etc.

Maybe reading this could explain it better?

[mohaughn]

regsvr32 runs in the context of the account that initiated the command.. It does not run as localsystem, which is what you are implying by saying it is a system process.. It's not a system process... lsass.exe, svchost.exe, winlogin.exe those are system processes... One of the main reasons you need administrative access to install many different types of applications is because a regular user invoking regsvr32 does not have the proper permissions to make changes to all registry keys.. so regsvr32 would fail, which is why the install bombs when it checks permissions.

In order to use a buffer overflow to do something that you otherwise would not have permissions to do, you must overflow a process that is running at a higher level of permissions... regsvr32 isn't a process that runs at an administrative level if invoked by a normal user, so no, there is no privilege elevation possible here... regsvr32 itself doesn't have any permissions, it's just an application.. Even though it is a system application, it doesn't run as the localsystem account..

But hey look, it changes the registry, so any security measures in place will notice something changing the registry but will then see its a system process called regsvr32, even if it throws a warning up to who ever is at the console(which it more than likley wont) they will see the name of it and if they dont know it, they would more than likley google it, find it is a system process and proberbly allow it!

It's not a system process.. It is a system application.. And regsvr32 would only be running if something is being installed. If the people watching your security monitoring know that nothing should be installed because there are no change controls at that time, red flags should be set off.. However, if they were to investigate the security context under which regsvr32 was running, they would find which user account is running that process, because, as I said regsvr32 does not run under the context of localsystem(which is equivalent to administrative access...)

What says the code you ftp'd cant make an account with admin privilages??

If you have the code you can use any buffer overflow to execute it, providing you know where it is in memory- thats the security risk.

If you can just run any piece of code and get administrative access why do you even need a buffer overflow? You are already logged into the system, and you can run any command, so just run it.. In order to create an administrative account with a buffer overflow you need to overflow a process that is running with administrative or localsystem privileges. Buffer overflows are only a security risk if they can be overflowed remotely, or if you are overflowing an administrative process. If you have to login to the system to be able to overflow the application, and the application is running as the account that you logged in as, what good did that overflow do?

[jinxy]

No, i do not no that much about what am talking about here but:

There's a security risk from ANY overflow.

The above has got to be true from a logical stand point. Perhaps a system crash could be caused to unexpected results.

Even if you can not execute some shell code.