####################################################################### Luigi Auriemma Application: Microsoft Fax Cover Page Editor http://windows.microsoft.com/en-US/windows-vista/Create-or-edit-a-fax-cover-page Versions: <= 5.2.3790.3959 Platforms: Windows Bug: double free Exploitation: local Date: 19 Jan 2011 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Fax Cover Page Editor is a program for viewing and editing various formats of fax cover files. ####################################################################### ====== 2) Bug ====== fxscover.exe is available on Windows after the installation of the Fax Service. The various "Text" elements have a 16bit field that seems used to index them and by default it has a negative value like 0x8001. By using a positive value major than 0 and lower than the total number of elements is possible to cause a problem during the freeing of the allocated object. The provided proof-of-concept demonstrates the possibility of executing code immediately after the acknoledgement of the initial message box when is called FXSCOVER!CDrawDoc::Remove by FXSCOVER!CDrawDoc::DeleteContents. Modifications: 00005098 FE CC // code execution starts from here 000093F5 01 04 // 16bit in little endian 000093F6 80 00 Alternatively is also possible to exploit the bug when the program gets closed or another file is opened by modifying the 16 bit at offset 0x94a5 instead of the one at 0x93f5, so that the file will be considered valid. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/fxscover_1.zip ####################################################################### ====== 4) Fix ====== No fix. #######################################################################