HexView Security Advisory 2005-03-31.1

Posted Apr 14, 2005
Authored by HexView | Site hexview.com

The Microsoft Jet DB engine suffers from various vulnerabilities that can lead to arbitrary code execution.

tags | advisory, arbitrary, vulnerability, code execution
SHA-256 | 3bc0f27920edbf12b249e0d3cf0e4a6040fae500fdb40a7f3ea4fcffacf8d45c

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft Jet DB engine vulnerabilities

Classification:
===============
Level: low-med-[HIGH]-crit
ID: HEXVIEW*2005*03*31*1
URL: http://www.hexview.com/docs/20050331-1.txt

Overview:
=========
Microsoft Jet is a lightweight database engine widely used by MS Office
applications. msjet40.dll is the main component of the engine: it evaluates
and carries out requests for data, and handles reading and writing of Microsoft
Access database files. HexView found multiple places where file data is either
not validated or validated improperly, leading to crashes, null pointer
dereferences, and arbitrary code execution. This advisory focuses on the single
vulnerability that we confirmed to be exploitable.

Affected products:
==================
All tests were performed against the latest available msjet40.dll library
(version 4.00.8618.0). We did not test earlier versions, but it should be
assumed that all earlier releases of the library are also vulnerable. Please
note that the MS Jet OLE DB provider (msjetoledb40.dll) is not affected by this
problem. Only software products that load msjet40.dll are affected, including
Microsoft Access.

Cause and Effect:
=================
msjet40.dll does not sufficiently validate the data it parses from the database
file. As a result, a modified database file can cause code of the attacker's
choice to run when the file is opened by the Jet engine.

Demonstration:
==============
Below is a fragment of an empty *.mdb file. Note the sequence of 0x77 bytes on
line #3 (offset 23D0h), immediately after the length-prefixed UTF-16 string
"ParentIdName". When msjet40.dll parses this part of the file, it raises an
exception.

000023B0: 00 00 04 00-49 00 64 00-18 00 50 00-61 00 72 00 ....I.d...P.a.r.
000023C0: 65 00 6E 00-74 00 49 00-64 00 4E 00-61 00 6D 00 e.n.t.I.d.N.a.m.
000023D0: 65 00 77 77-77 77 00 00-05 06 00 00-08 00 02 06 e.wwww..........
000023E0: 00 00 03 06-00 00 0D 00-08 06 00 00-09 06 00 00 ................
000023F0: 10 00 0E 06-00 00 0F 06-00 00 0F 00-0C 06 00 00 ................

Explanation:
============
Below is the code fragment from msjet40.dll that is responsible for the crash.
The attacker directly controls the value of AX. That value is sign-extended and
used, without any bounds check, as an index into a table of 32-bit pointers at
edi+0B0h; the selected pointer refers to an object whose first dword is the
address of a call table, through which the engine then makes an indirect call.

movsx eax, ax                  ; sign-extend the attacker-controlled 16-bit value
mov   ecx, [edi+eax*4+0B0h]    ; unchecked lookup in the pointer table at edi+0B0h
mov   edx, [ecx]               ; first dword of the selected object: its call table
call  dword ptr [edx+10h]      ; indirect call through slot 4 of that table

Because the index is a signed 16-bit value scaled by four, the lookup can reach
roughly 128 KB on either side of the table, and that range contains portions of
the original file. This makes it possible to load the instruction pointer with
a value pointing at malicious code embedded in the document. The issue is
trivial to exploit, and the exploit is very portable, since the attacker does
not need to know absolute code addresses.
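The dispatch sequence above, modelled as an added example in C. This is not
HexView's code and not the real msjet40.dll data structures: a flat byte array
stands in for the process address space, a hypothetical engine object ("edi")
with a 16-entry pointer table at offset 0B0h sits at an assumed address, and a
copy of the crafted file is assumed to be mapped at a known lower address (the
names OBJ_BASE, FILE_BASE, TABLE_SLOTS, resolve_target_vulnerable and
resolve_target_hardened are all assumptions). The vulnerable routine follows
the four instructions literally; the hardened routine treats the file field as
an unsigned count and checks it against the allocated table before any pointer
is touched. Index 0x7777 corresponds to the 77 77 bytes in the demonstration
dump (a read far outside the object, hence the exception), while the crafted
index walks the entry-to-call-table chain through bytes that came from the
file, which is the primitive the advisory describes.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flat model of the process address space (not real msjet40 data). */
#define MEM_SIZE    0x10000u
#define OBJ_BASE    0x8000u   /* hypothetical engine object, the "edi" of the advisory */
#define TABLE_OFF   0xB0u     /* pointer table at edi+0B0h, as in the disassembly   */
#define TABLE_SLOTS 16u       /* assumed number of legitimately allocated entries    */
#define FILE_BASE   0x1000u   /* assumed address where the .mdb bytes are mapped     */
static uint8_t mem[MEM_SIZE];

/* Little-endian 32-bit accessors; a load outside the model is a fault (-1). */
static int read32(uint32_t addr, uint32_t *out)
{
    if (addr > MEM_SIZE - 4u) return -1;
    *out = (uint32_t)mem[addr] | ((uint32_t)mem[addr + 1] << 8)
         | ((uint32_t)mem[addr + 2] << 16) | ((uint32_t)mem[addr + 3] << 24);
    return 0;
}
static void write32(uint32_t addr, uint32_t v)
{
    mem[addr] = (uint8_t)v;             mem[addr + 1] = (uint8_t)(v >> 8);
    mem[addr + 2] = (uint8_t)(v >> 16); mem[addr + 3] = (uint8_t)(v >> 24);
}

/* Vulnerable dispatch, one step per instruction of the advisory's fragment:
 *   movsx eax, ax                 ; sign-extend the 16-bit value from the file
 *   mov   ecx, [edi+eax*4+0B0h]   ; unchecked table lookup
 *   mov   edx, [ecx]              ; object's first dword = its call table
 *   call  dword ptr [edx+10h]     ; indirect call through slot 4
 * Returns 0 with the resolved call target, or -1 if a load faults. */
int resolve_target_vulnerable(uint16_t ax, uint32_t *target)
{
    int32_t  eax  = (int16_t)ax;                                /* movsx */
    uint32_t slot = OBJ_BASE + TABLE_OFF + (uint32_t)eax * 4u;  /* wraps mod 2^32 like the CPU */
    uint32_t ecx, edx;
    if (read32(slot, &ecx)) return -1;
    if (read32(ecx, &edx))  return -1;
    return read32(edx + 0x10u, target);
}

/* Hardened dispatch: the file field is a count, so compare it unsigned against
 * the number of entries actually allocated. This rejects both over-long and
 * "negative" (>= 0x8000) values before any pointer is dereferenced, and a null
 * entry is refused rather than followed. */
int resolve_target_hardened(uint16_t ax, uint32_t *target)
{
    if (ax >= TABLE_SLOTS) return -2;                 /* index outside the table */
    uint32_t slot = OBJ_BASE + TABLE_OFF + (uint32_t)ax * 4u;
    uint32_t ecx, edx;
    if (read32(slot, &ecx)) return -1;
    if (ecx == 0)           return -3;                /* empty slot, not a crash */
    if (read32(ecx, &edx))  return -1;
    return read32(edx + 0x10u, target);
}

/* Constructed scenario: one legitimate entry in slot 0, and a crafted file
 * carrying its own entry -> call table -> payload chain. */
void setup_memory(void)
{
    memset(mem, 0, sizeof mem);
    write32(OBJ_BASE + TABLE_OFF, 0x8200u);                  /* slot 0 -> legitimate object  */
    write32(0x8200u, 0x8300u);                               /* object -> its call table     */
    write32(0x8300u + 0x10u, 0x8400u);                       /* slot 4 -> legitimate handler */

    write32(FILE_BASE + 0x100u, FILE_BASE + 0x200u);         /* fake table entry in the file */
    write32(FILE_BASE + 0x200u, FILE_BASE + 0x300u);         /* fake object -> fake table    */
    write32(FILE_BASE + 0x300u + 0x10u, FILE_BASE + 0x400u); /* slot 4 -> payload            */
    memset(mem + FILE_BASE + 0x400u, 0xCC, 16);              /* payload stand-in (int3)      */
}

/* The 16-bit value an attacker stores in the file so that edi+eax*4+0B0h lands
 * on the fake entry at FILE_BASE+0x100: eax = (0x1100 - 0x80B0) / 4 = -0x1BEC,
 * which is 0xE414 when truncated to 16 bits. */
uint16_t attacker_index(void)
{
    int32_t eax = (int32_t)(FILE_BASE + 0x100u) - (int32_t)(OBJ_BASE + TABLE_OFF);
    return (uint16_t)(eax / 4);
}

int main(void)
{
    uint32_t t = 0;
    setup_memory();
    if (resolve_target_vulnerable(0, &t) == 0)
        printf("index 0x0000 -> call %#x (legitimate handler)\n", (unsigned)t);
    printf("index 0x7777 -> %s\n",
           resolve_target_vulnerable(0x7777, &t) ? "fault (the PoC's exception)" : "ok");
    uint16_t ax = attacker_index();
    if (resolve_target_vulnerable(ax, &t) == 0)
        printf("index %#x -> call %#x (bytes supplied by the file)\n", (unsigned)ax, (unsigned)t);
    printf("hardened: index %#x -> rc %d\n", (unsigned)ax, resolve_target_hardened(ax, &t));
    return 0;
}
```

The model deliberately gives the attacker a known mapping address for the file,
which is the one thing the advisory says a real exploit does not need; the point
of the example is the sign-extended, unchecked index and the pointer chain that
runs entirely through file-supplied bytes, not the address discovery.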

Vendor Status:
==============
Microsoft was notified on March 30, 2005. Message acknowledged by an
automated reply. No human response received.

About HexView:
==============
HexView has contributed to online security-related lists for almost a decade.
Our expertise covers the Windows, Linux, Sun and MacOS platforms, network
applications, and embedded devices. We also offer a variety of consulting
services. For more information visit http://www.hexview.com

Distribution:
=============
This document may be freely distributed through any channels as long as
the contents are kept unmodified. Commercial use of the information in
the document is not allowed without written permission from HexView
signed by our pgp key. Please direct all questions to vtalk@hexview.com

HexView Disclosure Policy:
==========================
HexView notifies vendors with publicly available contact e-mail addresses
24 hours before disclosing any information to the public. If we are unable
to find the vendor's e-mail address, or if no human reply is received within
24 hours, HexView will publish the vulnerability notification, including all
technical details, unless the issue is rated "critical". If the vendor does not
reply within 72 hours, HexView may disclose all details of critical
vulnerabilities as well. HexView will publish all details of low-rated
vulnerabilities 24 hours after vendor notification unless there are
considerable factors not to do so.

For vulnerabilities rated "high" and "critical":
If the vendor replies within the above-mentioned time period, HexView will
announce the vulnerability but will not disclose the details required to
reproduce it. HexView will also specify the date when a full disclosure
containing all the details will be published. The time period between the
announcement and full disclosure is 30 days unless there is an agreement with
the vendor and appropriate justification for an extension. If the vendor
resolves the issue earlier than 30 days after the announcement, HexView may
publish the full disclosure earlier, provided that the vendor's patch is
available to the public.

HexView reserves the right to publish any detail of any vulnerability at
any time.

Feedback and comments:
======================
Feedback and questions about this disclosure are welcome at vtalk@hexview.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCTG+cDPV1+KQrDqQRAsgKAKCi4tIPn8PooReYStHq3KEYdzgW8wCgiNaP
Trdxg5c6kCkoLlyYeodIhPU=
=rglE
-----END PGP SIGNATURE-----