SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Microsoft Visual Studio Vendors:   Microsoft
Visual Studio Buffer Overflow in '.dbp' and '.sln' Files Let Remote Users Cause Arbitrary Code to Be Executed
SecurityTracker Alert ID:  1015721
SecurityTracker URL:  http://securitytracker.com/id/1015721
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 4 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 6.0 SP6
Description:   Kozan reported a vulnerability in Visual Studio. A remote user can cause arbitrary code to be executed on the target system.

The software does not properly validate the contents of database project files (.dbp) and solution files (.sln). A remote user can create a specially crafted project file or solution file that, when opened by the target user, will trigger a stack overflow and execute arbitrary code. The code will run with the privileges of the target user.

A demonstration exploit is available at:

http://www.spyinstructors.com/kozan/poc/vuln.dbp

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Visual Studio 6.0 Buffer Overflow Vulnerability

Visual Studio 6.0 Buffer Overflow Vulnerability

Bug Discovered by Kozan
Credits to ATmaCA
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com

Affected Vendor:

Microsoft (www.microsoft.com)


Affected Products:

Microsoft Visual Studio 6.0 (with latest Service Pack 6)
Microsoft Development Environment 6.0 (SP6) (Microsoft Visual InterDev 6.0)


Vulnerability Details:

A Buffer Overflow Vulnerability is exists for the following file formats
of affected product.


Visual Studio Database Project File (.dbp)
Visual Studio Solution (.sln)



The vulnerability is caused due to a boundary error within the handling of
a ".dbp" file (.sln files are also affected) that contains an overly long
string in the "DataProject" field. This can be exploited to cause a
stack-based buffer overflow and allows arbitrary code execution when a
malicious ".dbp" file is opened.
A specially crafted project file can overwrite a stack based buffer
allowing for fully EIP register control and code execution and compromise
user's system.



An example .dbp file:

# Microsoft Developer Studio Project File - Database Project
Begin DataProject = "ProjectName"
End


Carriage return and line feed (0x0d and 0x0a) characters and some others
(0x00 ...) can not be used in project name variable.


An example .dbp file which overwrites EIP register:

# Microsoft Developer Studio Project File - Database Project
Begin DataProject =
"Project1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXXXX
AAAA123456AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
End

The lenght must be 384 bytes long. Otherwise other registers will be
overwriten differently and exploitation method will be chanced. So 384
bytes long length is the most suitable way.

In this example when file is opened:

XXXX (0x58585858) characters will overwrite EIP.
And 123456AAAA... (3132333435364141... in hex) bytes will be on ESP.

So an attacker could create a malicious .dbp project file which includes a
payload which on ESP and EIP should point to this shellcode with a loaded
moduls jmp esp or call esp opcodes.


PoC:

The local path length of the dbp file changes the arragement of malformed
data. So, exploit has to re-align the data for total path length.

Copy the following file as c:\deneme\Project1.dbp

http://www.spyinstructors.com/kozan/poc/vuln.dbp
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC