Patch Analysis of MS011-002 - CVE-2011-0027

As per the MS bulletin MS011-002 (CVE-2011-0027), a remote code execution vulnerability exists in the way that Microsoft Data Access Components validates memory allocation. This vulnerability could allow code execution if a user visited a specially crafted Web page. I decided to investigate how the vulnerability has been fixed. This study gave us a better understanding of the vulnerability, which in turn led to the development of a higher quality signature for our customers. I took a vulnerable Windows XP machine and applied the patch issued by Microsoft.

When I performed binary diffing between the patched and the unpatched versions of msado15.dll, it can be observed that two functions have changed.

When I investigated the patched function, shown on the left, it can be observed that a call to the function ULongLongToULong has been added in order to prevent an integer overflow. ULongLongToULong takes the input [ebp+lcid] and checks that the 64-bit value fits in a 32-bit ULONG before it is used. The parameter [ebp+lcid] is later passed to HeapAlloc, which was the vulnerable call, so an oversized value is now rejected instead of being truncated into an undersized allocation. AlertLogic customers are protected against the vulnerability.

Acknowledgement

I would like to express my gratitude and thanks to Johnathan for his feedback.
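To illustrate the class of fix described above, the following C program (an added example written for this article, not code from msado15.dll or from Microsoft) contrasts an allocation size that is silently truncated from 64 to 32 bits with one guarded by a check equivalent to ULongLongToULong. The check is re-implemented here for portability, so the allocation sizes and element sizes are constructed sample values and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Portable re-implementation of the check ULongLongToULong (intsafe.h on
 * Windows) performs: succeed only if the 64-bit value fits in a 32-bit ULONG.
 * This is an assumption for illustration, not the Windows function itself. */
typedef uint32_t ULONG;
typedef uint64_t ULONGLONG;
#define S_OK 0
#define INTSAFE_E_ARITHMETIC_OVERFLOW ((int32_t)0x80070216)

int32_t ulonglong_to_ulong(ULONGLONG in, ULONG *out)
{
    if (in > 0xFFFFFFFFULL) {
        *out = 0xFFFFFFFFUL;              /* error sentinel, as intsafe does */
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    }
    *out = (ULONG)in;
    return S_OK;
}

/* Unpatched pattern: the 64-bit product is truncated to the 32-bit size
 * handed to the allocator, so a large count yields a tiny buffer. */
ULONG unchecked_alloc_size(ULONG count, ULONG elem_size)
{
    ULONGLONG bytes = (ULONGLONG)count * elem_size;
    return (ULONG)bytes;                  /* truncation: this is the defect */
}

/* Patched pattern: compute in 64 bits and refuse anything that does not fit,
 * instead of passing a wrapped size on to the allocator (HeapAlloc there). */
int32_t checked_alloc_size(ULONG count, ULONG elem_size, ULONG *size_out)
{
    ULONGLONG bytes = (ULONGLONG)count * elem_size;
    return ulonglong_to_ulong(bytes, size_out);
}

int main(void)
{
    ULONG size = 0;
    /* Constructed sample: 0x40000001 elements of 4 bytes = 0x100000004 bytes. */
    printf("unchecked size: %lu\n", (unsigned long)unchecked_alloc_size(0x40000001UL, 4));
    if (checked_alloc_size(0x40000001UL, 4, &size) != S_OK)
        printf("checked: rejected, no allocation made\n");
    else
        free(malloc(size));               /* stands in for HeapAlloc */
    return 0;
}
```

The unchecked path reports a size of 4 bytes for a request that actually needs over 4 GiB, which is exactly the kind of undersized buffer the ULongLongToULong guard now prevents.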