SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Microsoft Visual Basic
Vendors:   Microsoft
Microsoft Visual Basic Buffer Overflow May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1010175
SecurityTracker URL:  http://securitytracker.com/id/1010175
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 17 2004
Impact:   Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): 6.0 version 8176
Description:   A buffer overflow vulnerability was reported in Microsoft Visual Basic. A local user may be able to gain elevated privileges in certain cases [but that was not confirmed in the report].

Dr_insane reported that the Visual Basic design time environment contains a buffer overflow in a print statement, potentially affecting various Microsoft applications such as Microsoft Office and Microsoft Internet Explorer.

It is reported that a Command1_Click() event to print a text box with about 170,000 characters can trigger the flaw.

Some demonstration exploit steps are provided in the Source Message and in the original advisory.

The original advisory is available at:

http://members.lycos.co.uk/r34ct/main/ms-vb/MS-vb.txt

Impact:   A remote user can create a Visual Basic application to trigger a buffer overflow and crash. The report indicates but does not confirm that it may be possible to execute arbitrary code to gain elevated privileges [presumably by having a target user trigger the flaw].
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  http://members.lycos.co.uk/r34ct/main/ms-vb/MS-vb.txt


http://members.lycos.co.uk/r34ct/main/ms-vb/MS-vb.txt

Visual Basic 6.0 version 8176 Print statement buffer overrun

Release date:
17-5-2004


Severity:
Medium

Vendor:
Microsoft

Systems affected:
Windows 9x
Windows 2000
Windows XP
Windows 2003


Description:
A buffer overrun exists in the Visual Basic design-time environment that may allow a user to elevate his privileges. This vulnerability may affect the Microsoft Office series and other Microsoft applications such as Internet Explorer.


Technical Description:
Perform the following steps to crash Visual Basic:
1. Open Visual Basic and create a new project (project1)
2. Insert a textbox and a commandbutton
3. In the Command1_Click() event insert the following code:
    print text1.text
4. Compile and run your program
5. Insert about 170,000 characters in your textbox and press the commandbutton

At this point your program will generate an "Out of stack space" error message and will crash. Try to compile and run it again and VB will crash. A second error message will be generated:

The instruction at "0x004a2e43" referenced memory at "0x00030274". The memory could not be "read".

004A2E29   sub         ecx,eax
004A2E2B   mov         eax,esp
004A2E2D   test        dword ptr [ecx],eax
004A2E2F   mov         esp,ecx
004A2E31   mov         ecx,dword ptr [eax]
004A2E33   mov         eax,dword ptr [eax+4]
004A2E36   push        eax
004A2E37   ret
004A2E38   sub         ecx,1000h
004A2E3E   sub         eax,1000h
004A2E43   test        dword ptr [ecx],eax
004A2E45   cmp         eax,1000h
004A2E4A   jae         004A2E38
004A2E4C   jmp         004A2E29
004A2E4E   push        ebp
004A2E4F   mov         ebp,esp
004A2E51   sub         esp,104h
004A2E57   mov         ecx,dword ptr ds:[59F700h]
004A2E5D   push        esi
004A2E5E   test        ecx,ecx
004A2E60   je          004A2E7E
004A2E62   mov         eax,[0059F710]
004A2E67   test        eax,eax
004A2E69   je          004A2EB9
004A2E6B   push        dword ptr [ebp+14h]
004A2E6E   push        dword ptr [ebp+10h]
004A2E71   push        dword ptr [ebp+0Ch]
004A2E74   push        dword ptr [ebp+8]
004A2E77   call        eax
004A2E79   pop         esi
004A2E7A   leave



Credit:
dr_insane
http://members.lycos.co.uk/r34ct/


Copyright 2019, SecurityGlobal.net LLC