Trend Micro SSAPI Long Path Buffer Overflow Vulnerability

This is my most recently discovered vulnerability. It’s a vulnerability in a Trend Micro product. Read the iDefense advisory.

I had developed a PoC for W2K SP4; however, a PoC for WinXP is hard to develop because I couldn’t find a call esp, or similar instruction, with a Unicode address format.

This is the technical analysis of the vulnerability:

ADVANCED DESCRIPTION

According to MSDN, you cannot use the file functions (CreateFile, GetFileAttributes, etc.)
with a path longer than MAX_PATH unless you prefix it with \\?\.
Paths longer than 256 characters cause the Spyware Service (PcScnSrv) to crash.
Code execution is not possible.

The affected component is vstlib32.dll. A call to wcscpy_s is made, but there isn’t an exception
handler defined for when an invalid parameter is found, so the service calls Dr. Watson:

.text:67105510 sub_67105510 proc near ; CODE XREF: sub_67105790+A8p
.text:67105510 ; sub_67105790+11Cp
.text:67105510
.text:67105510 var_628 = word ptr -628h
.text:67105510 szLongPath = word ptr -61Ch
.text:67105510 var_414 = word ptr -414h
.text:67105510 var_20E = word ptr -20Eh
.text:67105510 szShortPath = word ptr -20Ch
.text:67105510 var_4 = dword ptr -4
.text:67105510 arg_0 = dword ptr 4
.text:67105510 sub esp, 620h
.text:67105516 mov eax, dword_6711C138
.text:6710551B xor eax, esp
.text:6710551D mov [esp+620h+var_4], eax
.text:67105524 push esi
.text:67105525 mov esi, [esp+624h+arg_0]
.text:6710552C push edi
.text:6710552D push esi
.text:6710552E mov edi, ecx
.text:67105530 call sub_67104110
.text:67105535 test eax, eax
.text:67105537 push esi ; strDestination
.text:67105538 jz loc_67105673

[…]

.text:67105673 loc_67105673: ; CODE XREF: sub_67105510+28j
.text:67105673 lea eax, [esp+62Ch+var_414]
.text:6710567A push 104h ; MAX_PATH
.text:6710567F push eax ; strSource
.text:67105680 call _wcscpy_s ; the invalid parameter error inside wcscpy_s invokes
; Dr. Watson. There isn’t an exception handler
; defined (with _set_invalid_parameter_handler), so
; the process crashes

According to MSDN:
“If strDestination or strSource is a null pointer, or if the destination string is too small, the invalid parameter handler
is invoked as described in Parameter Validation.”

Invalid Parameter Handler Routine
“The behavior of the C Runtime when an invalid parameter is found is to call the currently assigned invalid parameter handler.
The default invalid parameter invokes Watson crash reporting, which causes the application to crash and asks the user if they
want to load the crash dump to Microsoft for analysis. In Debug mode, an invalid parameter also results in a failed assertion.
This behavior can be changed by using the function _set_invalid_parameter_handler to set the invalid parameter handler to your
own function”

An invalid parameter handler would have to be set with _set_invalid_parameter_handler, so the program wouldn’t have
to invoke Dr. Watson.
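As an added illustration (not the advisory's or the vendor's code), the following C shows the two layers a fix would need: a bounded copy that rejects an over-long path before it ever reaches a MAX_PATH-sized destination, and, on the MSVC CRT only, a logging handler installed with _set_invalid_parameter_handler so any remaining misuse returns an error code instead of invoking Dr. Watson. The 260-element destination (0x104, as pushed before the wcscpy_s call above) and the 'A'-filled test paths are assumptions constructed for the demo.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

#ifndef MAX_PATH
#define MAX_PATH 260            /* 0x104, the size pushed before wcscpy_s above */
#endif

/* Bounded copy: 0 on success, EINVAL on a null argument, ERANGE when src
 * (plus its terminator) does not fit in dst. An over-long path is rejected
 * here, so the CRT invalid-parameter path (and Dr. Watson) is never reached. */
int copy_path_checked(wchar_t *dst, size_t dst_count, const wchar_t *src)
{
    if (dst == NULL || src == NULL || dst_count == 0)
        return EINVAL;
    size_t len = 0;
    while (len < dst_count && src[len] != L'\0')   /* never scan past dst_count */
        len++;
    if (len >= dst_count) {                         /* no room for the L'\0' */
        dst[0] = L'\0';
        return ERANGE;
    }
    wmemcpy(dst, src, len + 1);
    return 0;
}

/* Constructed input for the demo: a path of n 'A' characters, no real file. */
int try_path_of_length(size_t n)
{
    wchar_t src[1024], dst[MAX_PATH];
    if (n >= sizeof src / sizeof src[0])
        return EINVAL;
    wmemset(src, L'A', n);
    src[n] = L'\0';
    return copy_path_checked(dst, MAX_PATH, src);
}

#ifdef _MSC_VER
/* Second layer, MSVC CRT only: log instead of invoking Watson crash reporting;
 * wcscpy_s then returns ERANGE/EINVAL. Release builds pass NULL for expr/func/file. */
static void __cdecl log_invalid_parameter(const wchar_t *expr, const wchar_t *func,
                                          const wchar_t *file, unsigned line, uintptr_t reserved)
{
    (void)expr; (void)file; (void)line; (void)reserved;
    fwprintf(stderr, L"CRT invalid parameter in %ls\n", func ? func : L"<unknown>");
}
void install_invalid_parameter_handler(void) { _set_invalid_parameter_handler(log_invalid_parameter); }
#endif
```

On a non-MSVC toolchain only the bounded copy is compiled; the handler block needs the MSVC CRT that the affected service links against.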
