year3000.txt
Posted Feb 13, 2007
Authored by 3APA3A | Site SecurityVulns.com

Microsoft Visual C++ version 8.0 suffers from a denial of service condition.

tags | advisory, denial of service
advisories | CVE-2007-0842
SHA-256 | f7fe00818ea85c70a2896433664c42f3b88ce3298aa19b8e8bdf63471623ff38

Title: Microsoft Visual C++ 8.0 standard library time functions
invalid assertion DoS (Problem 3000).
Product: Visual Studio 2005
Vendor: Microsoft
Vulnerability class: Denial of Service
Remote: application dependent; a remote vector is possible
CVE: CVE-2007-0842
Author: 3APA3A, http://SecurityVulns.com/
Advisory URL: http://SecurityVulns.com/advisories/year3000.asp

Intro:

Since Microsoft Visual Studio 5.0, the Visual C++ compiler defaults the
time_t type to a 64-bit integer and the time functions to their 64-bit
variants.

Vulnerability:

64-bit versions of time functions:

localtime()
localtime_s()

gmtime()
gmtime_s()

ctime()
ctime_s()
wctime()
wctime_s()

fstat()

and possibly others

behave incorrectly for a time_t argument larger than or equal to
_MAX__TIME64_T (representing January 1, 3000 00:00:00). According to the
MSDN documentation, the time functions must indicate an error by returning
a NULL pointer or EINVAL (depending on the function class) and must not
invoke any invalid parameter handler. Instead, the time functions call an
invalid parameter assert()-like macro, terminating the calling application
and creating a denial of service condition for it.

An example is in the localtime_s function (loctim64.c):


/*
* Check for illegal __time64_t value
*/
_VALIDATE_RETURN_ERRCODE_NOEXC( (*ptime >= 0), EINVAL);
_VALIDATE_RETURN_ERRCODE( (*ptime <= _MAX__TIME64_T), EINVAL);

The last line triggers the assertion; this is wrong:
_VALIDATE_RETURN_ERRCODE_NOEXC must be used for both the negative and the
oversized value. The corrected code is:

/*
* Check for illegal __time64_t value
*/
_VALIDATE_RETURN_ERRCODE_NOEXC( (*ptime >= 0), EINVAL);
_VALIDATE_RETURN_ERRCODE_NOEXC( (*ptime <= _MAX__TIME64_T), EINVAL);

Both static and dynamic (MSVCR80.DLL) versions of C library are
vulnerable.


Who is vulnerable?

Any application compiled with the Microsoft Visual C++ 8.0 compiler, with
either static or dynamic libraries, is vulnerable if it uses one of the
named functions with user-controlled data.

Possible attack vectors:

1. Network protocols and applications where a time_t value is used and/or
transmitted as 8 octets (64 bits) in seconds or milliseconds and can be
later than January 1, 3000. Example: various SQL databases.

2. Windows applications where time_t is the result of a conversion from
FILETIME or SYSTEMTIME structures. E.g. the GetFileTime/SetFileTime
functions can be used to get/set an NTFS file time to values later than
January 1, 3000. You can try to exploit different applications by using
this very simple trick. This is also true for Java and JavaScript
timestamps.

3. Applications where time_t is calculated from user input plus some
offset (e.g. timezone conversions for the date December 29, 2999 23:01
GMT-01:00). Examples: e-mail messages, HTTP requests, etc.

Example of vulnerable application:

/*

D:\>cl localtime_s.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 14.00.50727.42 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

localtime_s.c
Microsoft (R) Incremental Linker Version 8.00.50727.42
Copyright (C) Microsoft Corporation. All rights reserved.

/out:localtime_s.exe
localtime_s.obj

D:\>localtime_s.exe

(Dr.Watson comes, expected result: "Invalid value")
*/

#include <time.h>
#include <stdio.h>
#include <errno.h>  /* localtime_s() returns an errno_t; <error.h> is not an MSVC header */

int main(){
    struct tm tm;
    /* Far beyond _MAX__TIME64_T: localtime_s() should return EINVAL,
       but the VC++ 8.0 CRT raises the invalid parameter assertion instead */
    time_t t = 0x3a3a3a3a3a3a3a3a;

    if(localtime_s(&tm, &t) != 0) {
        printf("Invalid value\n");
    }
    else {
        printf("OK\n");
    }
    return 0;
}


Workarounds:

Developers can use one of these workarounds:

1. Define _USE_32BIT_TIME_T to use the 32-bit functions (not available on
64-bit platforms).
2. Explicitly check that the 'time' argument of the named functions is
below _MAX__TIME64_T. It should be noted that this workaround is not
reliable, because it does not cover the vector where time_t is calculated
as a result of time arithmetic.
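Workaround 2 written out as code (an added example, not part of the advisory): a range check on the 64-bit value, plus overflow-safe offset arithmetic that validates the result of "user input + offset", which is the case the advisory says the plain check misses. SAFE_TIME64_LIMIT is derived here from the advisory's description of _MAX__TIME64_T (00:00:00 January 1, 3000), not copied from the CRT header, and the wrapper calls the standard gmtime() so it builds with any C compiler; on MSVC substitute the header constant and localtime_s()/gmtime_s().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Seconds from the Unix epoch to 00:00:00 January 1, 3000 UTC: 1030 years, 250 of
   them leap. Assumed bound derived from the advisory's text, not the CRT header. */
#define SAFE_TIME64_LIMIT ((int64_t)(1030 * 365 + 250) * 86400)

/* 0 if t is in the range the 64-bit CRT time functions accept, else EINVAL
   (the error MSDN says the *_s variants should report instead of asserting). */
int time64_check(int64_t t)
{
    return (t < 0 || t >= SAFE_TIME64_LIMIT) ? EINVAL : 0;
}

/* Adds an offset (timezone shift, lease length, ...) and validates the RESULT
   with overflow-safe arithmetic: an in-range input can leave the range after
   the addition, which is why a check on the raw input alone is not reliable. */
int time64_add_checked(int64_t base, int64_t offset, int64_t *out)
{
    if ((offset > 0 && base > INT64_MAX - offset) ||
        (offset < 0 && base < INT64_MIN - offset))
        return EINVAL;                      /* the addition would wrap */
    *out = base + offset;
    return time64_check(*out);
}

/* Guard around gmtime(): the range check runs before the library sees the
   value, so a bad input yields EINVAL instead of an invalid-parameter assert. */
int safe_gmtime(int64_t t, struct tm *out)
{
    time_t tt = (time_t)t;
    struct tm *res = (time64_check(t) == 0) ? gmtime(&tt) : NULL;
    if (res == NULL) return EINVAL;
    *out = *res;
    return 0;
}

int main(void)
{
    struct tm tm;
    int64_t sum;
    /* The advisory's crashing constant, then an offset that pushes an
       in-range value past the limit: both are refused with EINVAL, no crash. */
    printf("%d %d %d\n", time64_check(0x3a3a3a3a3a3a3a3aLL),
           safe_gmtime(SAFE_TIME64_LIMIT - 1, &tm),
           time64_add_checked(SAFE_TIME64_LIMIT - 3600, 7200, &sum));
    return 0;
}
```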

Exploitation:

A test application that sets a file date to 27.09.14896, 3touch.c, is
available from http://SecurityVulns.com/news/MICROSOFT/Time/Assert.html.

An application compiled with MSVC 8.0, e.g. the MSDN sample fstat.c,
crashes on an attempt to fstat() this file.

It may also be used to get interesting results with the "dir" command
(which shows "Invalid argument") if FILETIME is changed to 0x7FFFFF00, but
this seems to be a different issue.

Vendor:

23.08.2006 Initial vendor notification through secure@microsoft.com
25.08.2006 Second vendor notification
25.08.2006 Initial vendor reply
30.08.2006 Vendor asks for additional details
31.08.2006 Additional details with an example of a crashing application
are sent to the vendor
12.09.2006 Additional details are sent again because of no response
11.10.2006 Vendor response:

"We believe this is not a security vulnerability but in fact a
deliberate security feature to mitigate problems with invalid data
propagating through the system".
