Analysis of the MS14-068 Kerberos Key Distribution Center vulnerability

About MS14-068: "The Kerberos vulnerability is in KDCSVC.DLL, so what about the server side?!"
A reader from overseas poked me with that, so I did some additional analysis.
First, version 1 as distributed in MS10-014:

        lea eax,[ebp-1Ch]
        push eax
        push [ebp+10h]
        call jmp_cryptdll.dll!CDLocateCheckSum   ; look up the CHECKSUM_FUNCTION for the signature type
        mov ebx,eax
        test ebx,ebx
        jl L63A8D507
        mov eax,[ebp-1Ch]
        cmp dword ptr [eax+04h],00000014h        ; only the checksum size (<= 0x14) is checked
        jbe L63A924D4_
        mov ebx,C000000Dh                        ; STATUS_INVALID_PARAMETER
        jmp L63A8D513
    L63A924D4_:
        mov ecx,[eax+20h]
        test ecx,ecx
        jnz L63A924DE
        lea ecx,[ebp-20h]
        push ecx
        push 00000011h                           ; key usage 0x11
        push [esi+04h]
        push [esi+08h]
        call [eax+1Ch]
Fixed version 1:

        lea eax,[ebp-1Ch]
        push eax
        push [ebp+10h]
        call jmp_cryptdll.dll!CDLocateCheckSum
        mov ebx,eax
        test ebx,ebx
        jl L63A8D514
        mov eax,[ebp-1Ch]
        cmp dword ptr [eax],FFFFFF76h            ; new: checksum type must be FFFFFF76h (-138, HMAC-MD5)
        jz L63A924F8
        jmp L63A92515
    L63A924F8:
        cmp dword ptr [eax+04h],00000014h
        jbe L63A92508
        mov ebx,C000000Dh                        ; STATUS_INVALID_PARAMETER
        jmp L63A8D520
    L63A92508:
        test dword ptr [eax+08h],00000002h       ; new: attribute bit 2 must be set
        jnz L63A8D4A5
    L63A92515:
        mov ebx,80080342h
        jmp L63A8D520
    L63A8D4A5:
        mov ecx,[eax+20h]
        test ecx,ecx
        jnz L63A9251F
        mov eax,[eax+1Ch]
        test eax,eax
        jz L63A9254A
        lea ecx,[ebp-20h]
        push ecx
        push 00000011h                           ; key usage 0x11
        push [esi+04h]
        push [esi+08h]
        call eax
Version 2 as distributed in MS10-014:

        call jmp_cryptdll.dll!CDLocateCheckSum
        test eax,eax
        jl L63A91D3F
        mov edx,[ebp-48h]
        jmp L63A893C2_
    L63A89282:
        push SSZ63A89298_Pac_was_modified___server_checks
        jmp L63A91DD7
    L63A8928C:
        mov dword ptr [ebp-44h],0000003Ch
        jmp L63A91DE9
    SSZ63A89298_Pac_was_modified___server_checks:
        db 'Pac was modified - server checksum doesn',27h,'t match',0Ah,0
    L63A893C2_:
        cmp dword ptr [edx+04h],00000014h        ; only the checksum size is checked
        ja L63A91D7C
Fixed version 2:

        call jmp_cryptdll.dll!CDLocateCheckSum
        test eax,eax
        jl L63A91D5B
        mov edx,[ebp-48h]
        cmp dword ptr [edx],FFFFFF76h            ; new: checksum type must be FFFFFF76h (-138, HMAC-MD5)
        jnz L63A91DA0
        jmp L63A893C2
    L63A89379:
        push SSZ63A89390_Pac_was_modified___server_checks
        jmp L63A91DFB
    L63A89383:
        mov dword ptr [ebp-44h],0000003Ch
        jmp L63A91E0D
    SSZ63A89390_Pac_was_modified___server_checks:
        db 'Pac was modified - server checksum doesn',27h,'t match',0Ah,0
    L63A893C2:
        cmp dword ptr [edx+04h],00000014h
        ja L63A91DA0
Version 3 as distributed in MS10-014:

        cmp eax,ebx
        mov [ebp-00000098h],eax
        jnz L63A8C324
        test byte ptr [ebp-000000D2h],01h
        jz L63A8EC15
        mov dword ptr [ebp-000000D8h],00000010h
    L63A8BBB2:
Fixed version 3:

        cmp eax,ebx
        mov [ebp-00000098h],eax
        jnz L63A8B729
        test byte ptr [ebp-000000D2h],01h
        jz L63A8EC1D
        mov dword ptr [ebp-000000D8h],00000010h
        jmp L63A8EC1D
    L63A8B73B:
        test byte ptr [edi],08h
        jz L63A8B759
        push [edi+54h]
        lea eax,[ebp-00000100h]
Version 4 as distributed in MS10-014:

    L63A91D4B:
        mov eax,[ebp-48h]
        mov ecx,[eax+20h]
        test ecx,ecx
        jz L63A91D69
        lea eax,[ebp-4Ch]
        push eax
        push 00000011h                           ; key usage 0x11
        lea eax,[ebp-40h]
        push eax
        push [esi+04h]
        push [esi+08h]
        call ecx
        jmp L63A91D78
Fixed version 4:

    L63A91D67:
        mov ecx,[ebp-48h]
        cmp dword ptr [ecx],FFFFFF76h            ; new: checksum type must be FFFFFF76h (-138, HMAC-MD5)
        jnz L63A91DA0
        mov eax,[ecx+20h]
        test eax,eax
        jz L63A91D8D
        lea ecx,[ebp-4Ch]
        push ecx
        push 00000011h                           ; key usage 0x11
        lea ecx,[ebp-40h]
        push ecx
        push [esi+04h]
        push [esi+08h]
        call eax
        jmp L63A91D9C
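What the listings have in common: both the old and the fixed builds hand the signature type found in the PAC to CDLocateCheckSum and then call the returned checksum routine with key usage 0x11. Before the fix the only test on the returned CHECKSUM_FUNCTION is that its size is at most 0x14 bytes, so whichever checksum type the PAC names gets used. The fix adds a comparison of the type field against FFFFFF76h (-138, the keyed HMAC-MD5 checksum) and, in version 1, also requires attribute bit 2 on the table entry. The Python below is an added example, not code from the original post: it re-implements the keyed RC4-HMAC checksum of RFC 4757 section 4 and models the two server-side policies as a small verifier. The table layout (type at +0, size at +4, attributes at +8), the reading of attribute bit 0x2 as "keyed", the names given to the 80080342h and 3Ch error values, and the sample key and PAC bytes are assumptions or constructed data; the checksum type numbers are the standard Kerberos ones.

```python
"""Model of the KDC's server-checksum check on a PAC, before and after MS14-068.

Added example (not from the original post). Layout of cryptdll's CHECKSUM_FUNCTION
(type @+0, size @+4, attributes @+8) and the meaning of attribute bit 0x2 are
assumptions taken from the offsets the disassembly tests.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

KERB_CHECKSUM_HMAC_MD5 = -138        # 0xFFFFFF76, the value the patched code compares at [eax]
KERB_CHECKSUM_RSA_MD5 = 7            # standard unkeyed Kerberos checksum type
KEY_USAGE_PAC_SERVER_CHECKSUM = 17   # 0x11, pushed as key usage before the checksum init call
CSUM_KEYED = 0x2                     # assumed meaning of the bit tested by "test [eax+08h],2"
STATUS_INVALID_PARAMETER = 0xC000000D
CHECKSUM_TYPE_REJECTED = 0x80080342  # value loaded at L63A92515 (name assumed)
PAC_MODIFIED = 0x3C                  # value stored beside "Pac was modified" (name assumed)


@dataclass(frozen=True)
class ChecksumFunction:
    csum_type: int    # +0
    size: int         # +4
    attributes: int   # +8


# Constructed stand-in for the checksum table CDLocateCheckSum searches.
CHECKSUM_TABLE: Dict[int, ChecksumFunction] = {
    KERB_CHECKSUM_RSA_MD5: ChecksumFunction(KERB_CHECKSUM_RSA_MD5, 16, 0),
    KERB_CHECKSUM_HMAC_MD5: ChecksumFunction(KERB_CHECKSUM_HMAC_MD5, 16, CSUM_KEYED),
}


def locate_checksum(csum_type: int) -> Optional[ChecksumFunction]:
    """Python stand-in for CDLocateCheckSum: None models the failing (jl) path."""
    return CHECKSUM_TABLE.get(csum_type)


def rc4_hmac_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """Keyed checksum from RFC 4757 section 4: HMAC-MD5(Ksign, MD5(T || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def compute_signature(csum_type: int, key: bytes, data: bytes) -> bytes:
    """Compute the PAC server signature for the given checksum type."""
    if csum_type == KERB_CHECKSUM_HMAC_MD5:
        return rc4_hmac_checksum(key, KEY_USAGE_PAC_SERVER_CHECKSUM, data)
    if csum_type == KERB_CHECKSUM_RSA_MD5:
        return hashlib.md5(data).digest()  # unkeyed: the key plays no part
    raise ValueError(f"unsupported checksum type {csum_type}")


def verify_pac_signature(csum_type: int, signature: bytes, key: bytes,
                         data: bytes, patched: bool) -> int:
    """Return 0 on success, otherwise the error value the listings load.

    patched=False follows the MS10-014 listings (size check only);
    patched=True adds the FFFFFF76h type check and the attribute-bit check.
    """
    func = locate_checksum(csum_type)
    if func is None:
        return CHECKSUM_TYPE_REJECTED              # CDLocateCheckSum failed
    if patched and func.csum_type != KERB_CHECKSUM_HMAC_MD5:
        return CHECKSUM_TYPE_REJECTED              # cmp dword ptr [eax],FFFFFF76h
    if func.size > 0x14:
        return STATUS_INVALID_PARAMETER            # cmp dword ptr [eax+04h],14h
    if patched and not (func.attributes & CSUM_KEYED):
        return CHECKSUM_TYPE_REJECTED              # test dword ptr [eax+08h],2
    expected = compute_signature(csum_type, key, data)
    if not hmac.compare_digest(expected, signature):
        return PAC_MODIFIED                        # "server checksum doesn't match"
    return 0


def demo() -> Dict[str, int]:
    """Run the verifier over constructed input under both policies."""
    key = b"constructed-server-key-0123456789"                      # constructed
    pac = b"constructed PAC body: user=alice groups=513"             # constructed
    keyed_sig = compute_signature(KERB_CHECKSUM_HMAC_MD5, key, pac)
    unkeyed_sig = compute_signature(KERB_CHECKSUM_RSA_MD5, b"", pac)
    return {
        "keyed_before": verify_pac_signature(KERB_CHECKSUM_HMAC_MD5, keyed_sig, key, pac, False),
        "keyed_after": verify_pac_signature(KERB_CHECKSUM_HMAC_MD5, keyed_sig, key, pac, True),
        "unkeyed_before": verify_pac_signature(KERB_CHECKSUM_RSA_MD5, unkeyed_sig, key, pac, False),
        "unkeyed_after": verify_pac_signature(KERB_CHECKSUM_RSA_MD5, unkeyed_sig, key, pac, True),
        "tampered_after": verify_pac_signature(KERB_CHECKSUM_HMAC_MD5, keyed_sig, key, pac + b"!", True),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:15s} -> {status:#x}")
```

The point the table makes: the unkeyed RSA-MD5 entry passes the old size-only check just as well as the keyed entry does, because both are 16 bytes, and it is the type and attribute checks in the fixed build that reject it. A tampered PAC body under the fixed policy falls through to the checksum comparison and is reported as modified, which is the path the "Pac was modified" string in version 2 belongs to.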
It was simpler than I expected ・ω・
The real problem is the compatibility of these functions on Windows 2000.