AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution tested against: Microsoft Windows Vista sp2 Microsoft Windows Server 2003 r2 sp2 Mozilla Firefox 14.0.1 download url: http://client.web.aol.com/toolbarfiles/Prod/downloads/downloadupdater/dnupdatersetup.exe (this was the update for a previous vulnerability, see ZDI-12-098) see also the installer aol_toolbar_pricecheck.exe url: http://toolbar.aol.com/download_files/download-helper.html?brand=aol&a=111&ncid=txtlnkusdown00000043 vulnerability: the mentioned product installs a Firefox plugin: File: npdnupdater2.dll Version: 1.3.0.0 Name: npdnupdater2 Path: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll Mime type: applicatiotn/x-vend.aol.dnupdater2.1 Extension: ocp By embedding this plugin inside an html page is possible to trigger a buffer overflow vulnerability through the 'SRC' parameter. Example crash: EAX 00000000 ECX 01101470 EDX 01135208 ASCII "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" EBX 00000000 ESP 0013F618 EBP 0013F634 ESI 00000002 EDI 0013F668 EIP 61616161 C 1 ES 0023 32bit 0(FFFFFFFF) P 1 CS 001B 32bit 0(FFFFFFFF) A 1 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 1 FS 003B 32bit 7FFDD000(4000) T 0 GS 0000 NULL D 0 O 0 LastErr 00000000 ERROR_SUCCESS EFL 00000297 (NO,B,NE,BE,S,PE,L,LE) ST0 empty 0.0 ST1 empty 0.0 ST2 empty 0.0 ST3 empty 0.0 ST4 empty 0.0 ST5 empty 0.0 ST6 empty 8.0000000000000000000 ST7 empty 0.2500000000000000000 CONST 1/4. 3 2 1 0 E S P U O Z D I FST 0120 Cond 0 0 0 1 Err 0 0 1 0 0 0 0 0 (LT) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 Last cmnd 001B:10571FBD xul.10571FBD XMM0 00000000 00000000 00000000 00000000 XMM1 61616161 61616161 61616161 61616161 XMM2 61616161 61616161 61616161 61616161 XMM3 61616161 61616161 61616161 61616161 XMM4 61616161 61616161 61616161 61616161 XMM5 61616161 61616161 61616161 61616161 XMM6 61616161 61616161 61616161 61616161 XMM7 61616161 61616161 61616161 61616161 P U O Z D I MXCSR 00001F80 FZ 0 DZ 0 Err 0 0 0 0 0 0 Rnd NEAR Mask 1 1 1 1 1 1 EIP is overwritten, also EDX points to user-supplied code (this can be done by setting an overlong fake parameter, see poc). As attachment, proof of concept code. a copy loop [*] is involved in overwriting a certain memory region. The subsequent code can be used to call inside this memory region [**]. See npdnupdater2.dll: CPU Disasm Address Hex dump Command Comments 01A91C10 /$ 55 PUSH EBP ; npdnupdater2.01A91C10(guessed Arg1) 01A91C11 |. 56 PUSH ESI 01A91C12 |. 8BE9 MOV EBP,ECX 01A91C14 |. 57 PUSH EDI 01A91C15 |. 8B7C24 10 MOV EDI,DWORD PTR SS:[ARG.1] 01A91C19 |. C745 00 9CA2A MOV DWORD PTR SS:[EBP],OFFSET 01A9A29C 01A91C20 |. 8B07 MOV EAX,DWORD PTR DS:[EDI] 01A91C22 |. 33F6 XOR ESI,ESI 01A91C24 |. 8945 04 MOV DWORD PTR SS:[EBP+4],EAX 01A91C27 |. C645 08 00 MOV BYTE PTR SS:[EBP+8],0 01A91C2B |. C745 10 00000 MOV DWORD PTR SS:[EBP+10],0 01A91C32 |. 66:3977 0A CMP WORD PTR DS:[EDI+0A],SI 01A91C36 |. 7E 3E JLE SHORT 01A91C76 01A91C38 |. EB 06 JMP SHORT 01A91C40 01A91C3A | 8D9B 00000000 LEA EBX,[EBX] 01A91C40 |> 8B4F 0C /MOV ECX,DWORD PTR DS:[EDI+0C] 01A91C43 |. 8B14B1 |MOV EDX,DWORD PTR DS:[ESI*4+ECX] 01A91C46 |. 68 D4A2A901 |PUSH OFFSET 01A9A2D4 ; /Arg2 = ASCII "SRC" 01A91C4B |. 52 |PUSH EDX ; |Arg1 01A91C4C |. E8 E06F0000 |CALL 01A98C31 <------------- ; \npdnupdater2.01A98C31 01A91C51 |. 83C4 08 |ADD ESP,8 01A91C54 |. 85C0 |TEST EAX,EAX 01A91C56 |. 75 15 |JNE SHORT 01A91C6D 01A91C58 |. 8B47 10 |MOV EAX,DWORD PTR DS:[EDI+10] 01A91C5B |. 8B0CB0 |MOV ECX,DWORD PTR DS:[ESI*4+EAX] 01A91C5E |. BA 38CCA901 |MOV EDX,OFFSET 01A9CC38 ; ASCII "aaaa..." 01A91C63 |> 8A01 |/MOV AL,BYTE PTR DS:[ECX] <----------------- [*] 01A91C65 |. 41 ||INC ECX 01A91C66 |. 8802 ||MOV BYTE PTR DS:[EDX],AL 01A91C68 |. 42 ||INC EDX 01A91C69 |. 84C0 ||TEST AL,AL 01A91C6B |.^ 75 F6 |\JNE SHORT 01A91C63 01A91C6D |> 0FBF4F 0A |MOVSX ECX,WORD PTR DS:[EDI+0A] 01A91C71 |. 46 |INC ESI 01A91C72 |. 3BF1 |CMP ESI,ECX 01A91C74 |.^ 7C CA \JL SHORT 01A91C40 01A91C76 |> 5F POP EDI 01A91C77 |. 5E POP ESI 01A91C78 |. 8BC5 MOV EAX,EBP 01A91C7A |. 5D POP EBP 01A91C7B \. C2 0400 RETN 4 01A91C7E CC INT3 01A91C7F CC INT3 01A91C80 /. 8B4424 04 MOV EAX,DWORD PTR SS:[ARG.1] 01A91C84 |. 85C0 TEST EAX,EAX 01A91C86 |. 56 PUSH ESI 01A91C87 |. 8BF1 MOV ESI,ECX 01A91C89 |. 74 09 JE SHORT 01A91C94 01A91C8B |. 8B00 MOV EAX,DWORD PTR DS:[EAX] 01A91C8D |. 85C0 TEST EAX,EAX 01A91C8F |. 8946 0C MOV DWORD PTR DS:[ESI+0C],EAX 01A91C92 |. 75 06 JNE SHORT 01A91C9A 01A91C94 |> 32C0 XOR AL,AL 01A91C96 |. 5E POP ESI 01A91C97 |. C2 0400 RETN 4 01A91C9A |> 57 PUSH EDI 01A91C9B |. 8B3D 0CA1A901 MOV EDI,DWORD PTR DS:[<&USER32.SetWindow 01A91CA1 |. 68 501BA901 PUSH 01A91B50 ; /NewValue = npdnupdater2.1A91B50 01A91CA6 |. 6A FC PUSH -4 ; |Index = GWL_WNDPROC 01A91CA8 |. 50 PUSH EAX ; |hWnd 01A91CA9 |. FFD7 CALL EDI ; \USER32.SetWindowLongA 01A91CAB |. 56 PUSH ESI 01A91CAC |. A3 3CDCA901 MOV DWORD PTR DS:[1A9DC3C],EAX 01A91CB1 |. 8B46 0C MOV EAX,DWORD PTR DS:[ESI+0C] 01A91CB4 |. 6A EB PUSH -15 01A91CB6 |. 50 PUSH EAX 01A91CB7 |. FFD7 CALL EDI 01A91CB9 |. B0 01 MOV AL,1 01A91CBB |. 5F POP EDI 01A91CBC |. 8846 08 MOV BYTE PTR DS:[ESI+8],AL 01A91CBF |. 5E POP ESI 01A91CC0 \. C2 0400 RETN 4 .. 01A98C31 /$ 55 PUSH EBP ; npdnupdater2.01A98C31(guessed Arg1,Arg2) 01A98C32 |. 8BEC MOV EBP,ESP 01A98C34 |. 51 PUSH ECX 01A98C35 |. 53 PUSH EBX 01A98C36 |. E8 C9BDFFFF CALL 01A94A04 ; [npdnupdater2.01A94A04 .. .. CPU Disasm Address Hex dump Command Comments 01A94A04 /$ 53 PUSH EBX ; npdnupdater2.01A94A04(guessed void) 01A94A05 |. 56 PUSH ESI 01A94A06 |. FF15 14A0A901 CALL DWORD PTR DS:[<&KERNEL32.GetLastErr ; [NTDLL.RtlGetLastWin32Error 01A94A0C |. FF35 9CC1A901 PUSH DWORD PTR DS:[1A9C19C] 01A94A12 |. 8BD8 MOV EBX,EAX 01A94A14 |. FF15 BCDDA901 CALL DWORD PTR DS:[1A9DDBC] <------------------------------------- [**] boom! .. .. 01A9DDBC 61 POPAD <--------------boom!! 01A9DDBD 61 POPAD 01A9DDBE 61 POPAD 01A9DDBF 61 POPAD 01A9DDC0 61 POPAD 01A9DDC1 61 POPAD 01A9DDC2 61 POPAD 01A9DDC3 61 POPAD 01A9DDC4 61 POPAD .. poc: http://retrogod.altervista.org/9sg_aol_dnu_src_poc.htm rgod PROOF OF CONCEPT: