Application: Microsoft Reader
http://www.microsoft.com/reader
Versions: <= 2.1.1.3143 (PC version)
the Origami 2.6.1.7169 version doesn't seem vulnerable
the non-PC versions have not been tested
Platforms: Windows, Windows Mobile, Tablet PC and UMPC devices
Bug: writing of NULL byte in arbitrary location
Date: 11 Apr 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
Microsoft Reader is the software needed to read and catalog ebooks in
LIT format and Audible audio books bought online; its homepage also acts
as an online store for this protected content.
The first allocation must succeed, otherwise the subsequent read
operations fail (for example a memcpy to address 0x00000000).
Note that it is not possible to exploit the visible integer overflow
caused by malloc(size + 1), because the function that reads the data
then goes into an endless loop instead.
The provided proof-of-concept first allocates 0x44000000 bytes, which
should succeed without problems, and then tries to allocate the second
size, which MUST fail so that the size value can be used as an arbitrary
memory offset.
Modified bytes in the proof-of-concept (file offset, original byte, new byte):
000000BD 00 43 ; first size, needed to steal memory from the next allocation
000000BE 00 FF
000000BF 00 FF
000000C0 0A FF
000000C1 00 61 ; second size, will try to write 0x00 at address 0x61616161
000000C2 00 61
000000C3 00 61
000000C4 16 61
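The allocation pattern the advisory describes, as an added illustration in C that is not code from the advisory or from Microsoft Reader: a length-prefixed field read with malloc(size + 1), an unchecked result and a NUL terminator stored at buf[size], next to a hardened reader. The vulnerable function's exact shape is an assumption, since Reader's code is not shown here; the hardened version rejects both proof-of-concept sizes before allocating anything, refuses a length that would wrap size + 1, and treats a NULL from malloc as a parse error rather than a base address.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a length-prefixed string field (assumed shape,
 * not Microsoft Reader's code). `size` comes from the file; `in` is what
 * remains of the file image after the length field. */

/* Vulnerable shape: size + 1 can wrap to 0, and a failed malloc returns
 * NULL, after which buf[size] = 0 stores one NUL byte at address `size`. */
static char *read_string_unchecked(const uint8_t *in, size_t in_len, uint32_t size)
{
    char *buf = malloc(size + 1);          /* 0xFFFFFFFF wraps to malloc(0) */
    if (size <= in_len)                    /* keeps this demo's copy in bounds */
        memcpy(buf, in, size);             /* buf may already be NULL here */
    buf[size] = '\0';                      /* the NUL write the advisory describes */
    return buf;
}

typedef enum { RS_OK = 0, RS_ERR_SIZE, RS_ERR_TRUNCATED, RS_ERR_ALLOC } rs_status;

/* Hardened shape: reject a length that would wrap or that exceeds the data
 * present, then treat allocation failure as a parse error, not as a pointer. */
static rs_status read_string_checked(const uint8_t *in, size_t in_len,
                                     uint32_t size, char **out)
{
    *out = NULL;
    if (size == UINT32_MAX)        return RS_ERR_SIZE;       /* size + 1 would wrap */
    if ((size_t)size > in_len)     return RS_ERR_TRUNCATED;  /* length exceeds the data */
    char *buf = malloc((size_t)size + 1);
    if (buf == NULL)               return RS_ERR_ALLOC;      /* never index a NULL base */
    memcpy(buf, in, size);
    buf[size] = '\0';
    *out = buf;
    return RS_OK;
}

static const uint8_t sample[] = { 'L', 'I', 'T', '!' };   /* constructed input */

/* Runs the hardened reader on the sample with a declared length of `size`. */
static rs_status try_size(uint32_t size)
{
    char *s = NULL;
    rs_status st = read_string_checked(sample, sizeof sample, size, &s);
    free(s);
    return st;
}
```

With the sample above, try_size(3) succeeds while the two sizes from the proof-of-concept (0x43FFFFFF + 1 and 0x61616161) are refused as truncated before any allocation happens.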