Microsoft Visual C++标准库时间函数拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1191721 漏洞类型 资源管理错误
发布时间 2007-02-13 更新时间 2007-02-13
CVE编号 CVE-2007-0842 CNNVD-ID CNNVD-200702-245
漏洞平台 N/A CVSS评分 5.0
|漏洞来源
https://www.securityfocus.com/bid/86602
https://cxsecurity.com/issue/WLB-2007020041
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-245
|漏洞详情
MicrosoftVisualC++是基于Windows平台的C++编译器。MicrosoftVisualC++标准库时间函数实现上存在漏洞,攻击者可能利用此漏洞导致相关的应用程序崩溃。在64位版本的时间函数中,如:localtime()localtime_s()gmtime()gmtime_s()ctime()ctime_s()wctime()wctime_s()fstat()如果time_t参数大于等于_MAX__TIME64_T(代表3000年1月1日00:00:00)的话,就可能出现异常行为。根据MSDN文档,时间函数必须通过返回空指针或EINVAL指示错误,具体取决于函数类,但不应该调用任何无效的参数处理程序。实际上时间函数调用了无效的类似于assert()的宏,导致所调用的应用程序拒绝服务。localtime_s函数(loctim64.c)中的示例:/**Checkforillegal__time64_tvalue*/_VALIDATE_RETURN_ERRCODE_NOEXC((*ptime>=0),EINVAL);_VALIDATE_RETURN_ERRCODE((*ptime<=_MAX__TIME64_T),EINVAL);最后的字符串初始化了断言,对于负数和超大的值都必须使用无效的VALIDATE_RETURN_ERRCODE_NOEXC。有效代码为:/**Checkforillegal__time64_tvalue*/_VALIDATE_RETURN_ERRCODE_NOEXC((*ptime>=0),EINVAL);_VALIDATE_RETURN_ERRCODE_NOEXC((*ptime<=_MAX__TIME64_T),EINVAL);如果使用了任何上述函数的话,使用MicrosoftVisualC++8.0编译器动态或静态函数库所编译的应用程序都受这个漏洞影响。
|漏洞EXP
Title:        Microsoft Visual C++ 8.0 standard library time functions
              invalid assertion DoS (Problem 3000).
Product:      Visual Studio 2005
Vendor:       Microsoft
Vulnerability
class:        Denial of Service
Remote:       application dependant, remote vector is possible
CVE:          CVE-2007-0842
Author:       3APA3A, http://SecurityVulns.com/
Advisory URL: http://SecurityVulns.com/advisories/year3000.asp

Intro:

Since  Microsoft  Visual Studio 5.0, Visual C++ compiler defaults time_t
type to 64 bit integer and time functions to their 64-bit variants.

Vulnerability:

64-bit versions of time  functions:

localtime()
localtime_s()

gmtime()
gmtime_s()

ctime()
ctime_s()
wctime()
wctime_s()

fstat()

and  may  be others

incorrectly  behave  for  a  time_t  argument  larger  than  or equal to
_MAX__TIME64_T  (representing  January,  1  3000 00:00:00). According to
MSDN documentation, time functions must indicate error by returning NULL
pointer  or EINVAL (depending on function class) and must not invoke any
invalid   parameter   handler.  Instead,  time  function  calls  invalid
parameter  assert()-like  macro,  terminating  calling  application  and
creating Denial of Service condition for calling application.

An example is within localtime_s function (loctim64.c):

/*
         * Check for illegal __time64_t value
         */
        _VALIDATE_RETURN_ERRCODE_NOEXC( (*ptime >= 0), EINVAL);
        _VALIDATE_RETURN_ERRCODE( (*ptime <= _MAX__TIME64_T), EINVAL);

Last       string       initiates      assertion,      it's      invalid
_VALIDATE_RETURN_ERRCODE_NOEXC  must  be  used  for  both  negative  and
oversized value. Valid code is:

/*
         * Check for illegal __time64_t value
         */
        _VALIDATE_RETURN_ERRCODE_NOEXC( (*ptime >= 0), EINVAL);
        _VALIDATE_RETURN_ERRCODE_NOEXC( (*ptime <= _MAX__TIME64_T), EINVAL);

Both  static  and  dynamic  (MSVCR80.DLL)  versions  of  C  library  are
vulnerable.

Who is vulnerable?

Any  application  compiled  with  Microsoft Visual C++ 8.0 compiler with
either  static  or  dynamic  libraries  is vulnerable, if it uses one of
named  functions  with user-controlled data.

Possible attack vectors:

1.  Network protocols and applications where time_t value is used and/or
transmitted  as  8-octets (64 bit) in seconds or milliseconds and can be
behind January, 1, 3000. Example: different SQL databases.

2.  Windows  applications  where  time_t  is  result  of conversion from
FILETIME   or   SYSTEMTIME  structures.  E.  g.  GetFileTime/SetFileTime
functions  can  be  used  to  get/set  NTFS  file  time to values behind
January, 1, 3000. You can try to exploit different applications by using
this  very  simple  trick.  This  is  also  true for Java and JavaScript
timestamps.

3.  Application where date_t is calculated as a result from user input +
some  offset (e.g. timezone conversions for date December, 29 2999 23:01
GMT-01:00). An example: e-mail messages, HTTP requests, etc.

Example of vulnerable application:

/*

D:>cl localtime_s.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 14.00.50727.42 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

localtime_s.c
Microsoft (R) Incremental Linker Version 8.00.50727.42
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:localtime_s.exe
localtime_s.obj

D:>localtime_s.exe

(Dr.Watson comes, expected result: "Invalid value")
*/

#include <time.h>
#include <stdio.h>
#include <error.h>

int main(){
        struct tm tm;
        time_t t = 0x3a3a3a3a3a3a3a3a;

if(localtime_s(&tm, &t) != 0) {
                printf("Invalid valuen");
        }
        else {
                printf("OKn");
        }
        return 0;
}

Workarounds:

Developer can use one if this workarounds:

1.  Define  _USE_32BIT_TIME_T  to use 32-bit functions (not available on
    64-bit platforms).
2.  Explicitly  check  'time'  argument  of  named functions to be below
    _MAX__TIME64_T.  It  should  be  noted,  that this workaround is not
    reliable,   because   it  doesn't  covers the vector where time_t is
    calculated as a result of time arithmetics.

Exploitation:

Test  application  to set file date to 27.09.14896 3touch.c is available
from http://SecurityVulns.com/news/MICROSOFT/Time/Assert.html.

Application compiled with MSVC 8.0, e.g. MSDN sample fstat.c, crashes on
attempt to fstat() this file.

It may also be used to get interesting results with "dir" command (shows
"Invalid  argument")  if FILETIME is changed to 0x7FFFFF00, but it seems
to be different issue.

Vendor:

23.08.2006    Initial vendor notification through secure (at) microsoft (dot) com [email concealed]
25.08.2006    Second vendor notification
25.08.2006    Initial vendor reply
30.08.2006    Vendor asks for additional details
31.08.2006    Additional  details  with example of crashing application
              are sent to vendor
12.09.2006    Additional details are sent again because of no response
11.10.2006    Vendor response:

"We  believe  this  is  not  a  security  vulnerability  but  in  fact a
deliberate  security  feature  to  mitigate  problems  with invalid data
propagating through the system".
|受影响的产品
Microsoft Visual Studio 2005 Microsoft Visual C++ 8.0
|参考资料

来源:XF
名称:visualstudio-time-dos(32454)
链接:http://xforce.iss.net/xforce/xfdb/32454
来源:BUGTRAQ
名称:20070212SecurityVulns.com:MicrosoftVisualC++8.0standardlibrarytimefunctionsinvalidassertionDoS(Problem3000).
链接:http://www.securityfocus.com/archive/1/archive/1/459847/100/0/threaded
来源:SREASON
名称:2237
链接:http://securityreason.com/securityalert/2237
来源:OSVDB
名称:33626
链接:http://osvdb.org/33626
来源:MISC
链接:http://msdn2.microsoft.com/en-us/library/a442x3ye%28VS.80%29.aspx