Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16037
HistoryFeb 13, 2007 - 12:00 a.m.

SecurityVulns.com: Microsoft Visual C++ 8.0 standard library time functions invalid assertion DoS (Problem 3000).

2007-02-1300:00:00
vulners.com
56

Title: Microsoft Visual C++ 8.0 standard library time functions
invalid assertion DoS (Problem 3000).
Product: Visual Studio 2005
Vendor: Microsoft
Vulnerability
class: Denial of Service
Remote: application dependant, remote vector is possible
CVE: CVE-2007-0842
Author: 3APA3A, http://SecurityVulns.com/
Advisory URL: http://SecurityVulns.com/advisories/year3000.asp

Intro:

Since Microsoft Visual Studio 5.0 Visual C compiler defaults time_t type
to 64 bit integer and time functions to their 64-bit variants.

Vulnerability:

64-bit versions of time functions:

localtime()
localtime_s()

gmtime()
gmtime_s()

ctime()
ctime_s()
wctime()
wctime_s()

and may be others

incorrectly behave for a time_t argument larger than or equal to
_MAX__TIME64_T (representing January, 1 3000 00:00:00). According to
MSDN documentation, time functions must indicate error by returning NULL
pointer or EINVAL (depending on function class) and must not invoke any
invalid parameter handler. Instead, time function calls invalid
parameter assert()-like macro, terminating calling application and
creating Denial of Service condition.

An example is within localtime_s function (loctim64.c):

    /*
     * Check for illegal __time64_t value
     */
    _VALIDATE_RETURN_ERRCODE_NOEXC( (*ptime >= 0), EINVAL);
    _VALIDATE_RETURN_ERRCODE( (*ptime <= _MAX__TIME64_T), EINVAL);

Last string initiates assertion, it's invalid
_VALIDATE_RETURN_ERRCODE_NOEXC must be used for both negative and
oversized value. Valid code is:

    /*
     * Check for illegal __time64_t value
     */
    _VALIDATE_RETURN_ERRCODE_NOEXC( (*ptime >= 0), EINVAL);
    _VALIDATE_RETURN_ERRCODE_NOEXC( (*ptime <= _MAX__TIME64_T), EINVAL);

Both static and dynamic (MSVCR80.DLL) versions of C library are
vulnerable.

Who is vulnerable?

Any application compiled with Microsoft Visual C++ 8.0 compiler with
either static or dynamic libraries is vulnerable, if it uses one of
named functions with user-controlled data.

Possible attack vectors:

  1. Network protocols and applications where time_t value is used and/or
    transmitted as 8-octets (64 bit) in seconds or milliseconds and can be
    behind January, 1, 3000. Example: different SQL databases.

  2. Windows applications where time_t is result of conversion from
    FILETIME or SYSTEMTIME structures. E. g. GetFileTime/SetFileTime
    functions can be used to get/set NTFS file time to values behind
    January, 1, 3000. You can try to exploit different applications by using
    this very simple trick. This is also true for Java and JavaScript
    timestamps.

BTW: it seems there is additional problem with FILETIME, if you set file
time to 0x7FFFFF00 even dir commands sometimes fails to work ("Invalid
parameter" then this file is first in directory list).

  1. Application where date_t is calculated as a result from user input +
    some offset (e.g. timezone conversions for date December, 29 2999 23:01
    GMT-01:00). An example: e-mail messages, HTTP requests, etc.

Example of vulnerable application:

/*

D:\>cl localtime_s.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 14.00.50727.42 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

localtime_s.c
Microsoft (R) Incremental Linker Version 8.00.50727.42
Copyright (C) Microsoft Corporation. All rights reserved.

/out:localtime_s.exe
localtime_s.obj

D:\>localtime_s.exe

(Dr.Watson comes, expected result: "Invalid value")
*/

#include <time.h>
#include <stdio.h>
#include <error.h>

int main(){
struct tm tm;
time_t t = 0x3a3a3a3a3a3a3a3a;

    if&#40;localtime_s&#40;&amp;tm, &amp;t&#41; != 0&#41; {
            printf&#40;&quot;Invalid value&#92;n&quot;&#41;;
    }
    else {
            printf&#40;&quot;OK&#92;n&quot;&#41;;
    }
    return 0;

}

Developer can use one if this workarounds:

  1. Define _USE_32BIT_TIME_T to use 32-bit functions (not available on
    64-bit platforms).
  2. Explicitly check 'time' argument of named functions to be below
    _MAX__TIME64_T. It should be noted, that this workaround is not
    reliable, because it doesn't covers the vector where time_t is
    calculated as a result of time arithmetics.

Exploitation:

Test application which sets file date to 27.09.14896 is available from
http://SecurityVulns.com/news/MICROSOFT/Time/Assert.html

Vendor:

23.08.2006 Initial vendor notification through [email protected]
25.08.2006 Second vendor notification
25.08.2006 Initial vendor reply
30.08.2006 Vendor asks for additional details
31.08.2006 Additional details with example of crashing application
are sent to vendor
12.09.2006 Additional details are sent again because of no response
11.10.2006 Vendor response:

"We believe this is not a security vulnerability but in fact a
deliberate security feature to mitigate problems with invalid data
propagating through the system".

Related for SECURITYVULNS:DOC:16037