CVE-2014-1824 – A New Windows Fuzzing Target

November 26, 2014

As time progresses, due to constant fuzzing and auditing, many common Microsoft products are becoming reasonably hard targets to fuzz and find interesting crashes in. There are two solutions to this: write a better fuzzer (http://lcamtuf.coredump.cx/afl/) or pick a less audited target. In a search for less audited attack surface, we are brought to MS14-038, Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689).

Before we start attacking this application, we would like to understand the vulnerability addressed by MS14-038. Windows Journal is a tablet component shipped with Windows Vista forward, meant for taking notes and such. It has a file association of ‘.jnt’. The bulletin doesn’t give too much information, but reveals the problem is some kind of parsing issue. The patch seems to address issues in NBDoc.dll, so let’s look at the bindiff of the pre- and post-patch versions.

[Figure: bindiff of changed functions]

The diff is ugly: many functions have changed and a few have been added or removed. So where do we go from here? Looking at the individual changes, we come across a few fixes that look security related, but after numerous dead-ends, one is more attractive than the rest: sub_2ECE0B90. A high level view of this function is seen below.

[Figure: high-level view of sub_2ECE0B90]

This function is somewhat big and has quite a few changes, but is interesting for a couple of reasons. First, apart from some structural changes, there are several calls to memcpy in the unpatched function. Only one of these has been converted to a memcpy_s in the patched function, the count of which is now passed in as an argument to the function.

[Figure: memcpy converted to memcpy_s in the patched function]

Secondly, the function looks like it contains some kind of magic value at the top. In the very first basic block, further processing is determined by a call to strncmp, searching for the string “PTC+MSHM”. Perhaps this could be a useful marker for which to search.

[Figure: strncmp against “PTC+MSHM” in the first basic block]

Assuming that this string is in fact a marker for a path to the vulnerable function, we perform a quick Google search.

[Figure: search results for PTC+MSHM]

After digging around on archive-ro.com, we end up with a link to a journal file. Popping this guy open in a hex editor, we get dozens of hits for PTC+MSHM on a free text search.

[Figure: PTC+MSHM hits in the hex editor]

We now proceed dynamically, attempting to trigger a breakpoint in the affected function. We set one in the first block of the function of the unpatched DLL, near the call to strncmp on “PTC+MSHM”. Upon hitting it the first time, the str1 argument looks like this:

[Figure: str1 argument at the first breakpoint hit]

Grabbing all the bytes up till the second occurrence of 0f61 and flipping the endianness, we get two hits in our hex editor, one at offset 0x04df and one at offset 0x2bcb.

[Figure: hex editor hits at 0x04df and 0x2bcb]

The second hit is different from the dump, lacking the next word 0b70. So it looks like we are handling the blob at offset 0x04df in the file during the first function call. Continuing on, we set a breakpoint above the memcpy of interest, at the top of the block. After some stepping we get to this situation:

[Figure: second breakpoint hit, above the memcpy]

Well, that 0x0b70 looks familiar… Furthermore, it appears to be pushed as the size parameter to the memcpy. Let's modify the initial file, changing 700B to FFFF.

[Figure: the size field in the file]

Restarting the application and opening our modified file, we receive an access violation.

[Figure: access violation]

So as hoped, we crash in the memcpy and have exercised the vulnerable code. More than this particular vulnerability we are trying to isolate, this crash seems like it may be more indicative of less audited code than, say, MS Word. With visions of unbounded memcpy’s in our eyes, we fired a dumb fuzzer at the current version of Journal -- and as expected it fell over pretty quickly and in several unique ways -- we encourage you to do the same.
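The two halves of the analysis above, the marker search and the memcpy whose size comes straight from the file, can be put side by side in a small parser. The C below is an added example written for this post; it is not BeyondTrust's code and not Windows Journal's. It assumes a toy record layout (the "PTC+MSHM" marker, a little-endian 16-bit length, then the payload) that is not the real .jnt format; only the marker and the idea of a file-controlled copy size come from the analysis, and the function names, the `rec_status` values and the `SAMPLE` blob are constructed for illustration. `validate_record` performs the two checks an unbounded memcpy has no way to make, `copy_record` copies only after they pass (the property memcpy_s gives the patched function), and `count_oversized_records` scans a blob for records whose declared length cannot be satisfied, which is how an edit like 700B to FFFF shows up in a triage pass.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy record layout assumed by this example (NOT the real .jnt format):
 *   8 bytes  ASCII marker "PTC+MSHM"
 *   2 bytes  little-endian payload length
 *   N bytes  payload                                                       */
#define MARKER     "PTC+MSHM"
#define MARKER_LEN 8
#define HDR_LEN    (MARKER_LEN + 2)

typedef enum { REC_OK = 0, REC_BAD_MARKER, REC_TRUNCATED, REC_TOO_LARGE } rec_status;

static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Offset of the next marker at or after 'start', or -1 if none.
 * The programmatic version of the free-text search in the hex editor. */
long find_marker(const uint8_t *buf, size_t len, size_t start)
{
    for (size_t i = start; i + MARKER_LEN <= len; i++)
        if (memcmp(buf + i, MARKER, MARKER_LEN) == 0)
            return (long)i;
    return -1;
}

/* Validate the record at 'off' without copying. The length field must fit
 * in the file and must fit in the destination; an unbounded memcpy driven
 * by a file-supplied size checks neither. */
rec_status validate_record(const uint8_t *buf, size_t len, size_t off,
                           size_t dst_cap, size_t *payload_len)
{
    if (off > len || len - off < HDR_LEN)
        return REC_TRUNCATED;                 /* header does not fit */
    if (memcmp(buf + off, MARKER, MARKER_LEN) != 0)
        return REC_BAD_MARKER;
    size_t n = read_le16(buf + off + MARKER_LEN);
    if (n > len - off - HDR_LEN)
        return REC_TRUNCATED;                 /* claims bytes the file lacks */
    if (n > dst_cap)
        return REC_TOO_LARGE;                 /* the size-vs-destination check memcpy_s adds */
    *payload_len = n;
    return REC_OK;
}

/* Copy one record's payload into dst, but only after validation passes. */
rec_status copy_record(const uint8_t *buf, size_t len, size_t off,
                       uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    size_t n;
    rec_status st = validate_record(buf, len, off, dst_cap, &n);
    if (st != REC_OK)
        return st;
    memcpy(dst, buf + off + HDR_LEN, n);
    *out_len = n;
    return REC_OK;
}

/* Triage helper: count records whose declared length fails validation
 * for a destination of dst_cap bytes. */
int count_oversized_records(const uint8_t *buf, size_t len, size_t dst_cap)
{
    int bad = 0;
    for (long off = find_marker(buf, len, 0); off >= 0;
         off = find_marker(buf, len, (size_t)off + MARKER_LEN)) {
        size_t n;
        if (validate_record(buf, len, (size_t)off, dst_cap, &n) != REC_OK)
            bad++;
    }
    return bad;
}

/* Constructed sample blob (not a real journal file): three records. */
const uint8_t SAMPLE[] = {
    /* offset 0:  marker, length 4, payload "abcd" */
    'P','T','C','+','M','S','H','M', 0x04, 0x00, 'a','b','c','d',
    /* offset 14: marker, length 16, 16 payload bytes */
    'P','T','C','+','M','S','H','M', 0x10, 0x00,
    0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
    /* offset 40: marker, length 0xFFFF, no payload (a 700B -> FFFF style edit) */
    'P','T','C','+','M','S','H','M', 0xFF, 0xFF,
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

uint8_t scratch[64];   /* destination buffer shared by main() and callers */
size_t  scratch_n;

int main(void)
{
    for (long off = find_marker(SAMPLE, SAMPLE_LEN, 0); off >= 0;
         off = find_marker(SAMPLE, SAMPLE_LEN, (size_t)off + MARKER_LEN)) {
        rec_status st = copy_record(SAMPLE, SAMPLE_LEN, (size_t)off,
                                    scratch, sizeof scratch, &scratch_n);
        printf("record at 0x%04lx: %s\n", off, st == REC_OK ? "ok" : "rejected");
    }
    return 0;
}
```

Run against the sample, the first record copies cleanly, the second is accepted for a 64-byte destination but rejected for an 8-byte one, and the third is rejected because its 0xFFFF length exceeds the bytes left in the file. The point of the split between `validate_record` and `copy_record` is that the copy size is decided by the destination's known capacity, not by a word read from the file.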

Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.
