Source: http://aluigi.org/adv/msreader_4-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Microsoft Reader
              http://www.microsoft.com/reader
Versions:     <= 2.1.1.3143 (PC version)
              <= 2.6.1.7169 (Origami version)
              the non-PC versions have not been tested
Platforms:    Windows, Windows Mobile, Tablet PC and UMPC devices
Bug:          array overflow
Date:         11 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Microsoft Reader is a software needed to read and catalog the ebooks in
LIT format and the Audible audio books bought via internet, indeed the
homepage acts also as online store for these protected contents.


#######################################################################

======
2) Bug
======


Array overflow in the AOLL chunk caused by the usage of more sections
than those available:

  0107F59B  |. 8B43 14        MOV EAX,DWORD PTR DS:[EBX+14] ; our number
  0107F59E  |. 8BF1           MOV ESI,ECX
  0107F5A0  |. 8BF8           MOV EDI,EAX
  0107F5A2  |. 8B8E A4000000  MOV ECX,DWORD PTR DS:[ESI+A4]
  0107F5A8  |. C1E7 02        SHL EDI,2
  0107F5AB  |. 833C39 00      CMP DWORD PTR DS:[ECX+EDI],0  ; check the array, must be != 0
  0107F5AF     75 0C          JNZ SHORT msreader.0107F5BD
  0107F5B1  |. 50             PUSH EAX
  0107F5B2  |. 8BCE           MOV ECX,ESI
  0107F5B4  |. E8 36F5FFFF    CALL msreader.0107EAEF        ; alternative memory corruption
  0107F5B9  |. 85C0           TEST EAX,EAX
  0107F5BB  |. 7C 34          JL SHORT msreader.0107F5F1
  0107F5BD  |> 8B86 A4000000  MOV EAX,DWORD PTR DS:[ESI+A4]
  0107F5C3  |. 8B3C38         MOV EDI,DWORD PTR DS:[EAX+EDI]
  0107F5C6  |. 8D43 20        LEA EAX,DWORD PTR DS:[EBX+20]
  0107F5C9  |. 57             PUSH EDI
  0107F5CA  |. 50             PUSH EAX
  0107F5CB  |. E8 EAC9FEFF    CALL msreader.0106BFBA
  ...
  0106BFBA  /$ 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]
  0106BFBE  |. FF70 04        PUSH DWORD PTR DS:[EAX+4]     ; must point to our data
  0106BFC1  |. FF7424 08      PUSH DWORD PTR SS:[ESP+8]
  0106BFC5  |. E8 36E8FFFF    CALL msreader.0106A800
  ...
  0106A800  /$ 56             PUSH ESI
  0106A801  |. 8B7424 0C      MOV ESI,DWORD PTR SS:[ESP+C]
  0106A805  |> 85F6           /TEST ESI,ESI
  0106A807  |. 74 21          |JE SHORT msreader.0106A82A   ; must be a valid memory address
  0106A809  |. FF76 20        |PUSH DWORD PTR DS:[ESI+20]
  0106A80C  |. FF7424 0C      |PUSH DWORD PTR SS:[ESP+C]
  0106A810  |. E8 75180100    |CALL msreader.0107C08A
  0106A815  |. 59             |POP ECX
  0106A816  |. 85C0           |TEST EAX,EAX
  0106A818  |. 59             |POP ECX
  0106A819  |. 74 05          |JE SHORT msreader.0106A820   ; EAX must be 0
  0106A81B  |. 8B76 10        |MOV ESI,DWORD PTR DS:[ESI+10]
  0106A81E  |.^EB E5          \JMP SHORT msreader.0106A805
  0106A820  |> 8B06           MOV EAX,DWORD PTR DS:[ESI]
  0106A822  |. 56             PUSH ESI
  0106A823  |. FF50 04        CALL DWORD PTR DS:[EAX+4]     ; code execution

Modified bytes in the proof-of-concept:
00000744   03       0A  ; dynamic 64bit number, any value >= 4 (for this PoC) exploits the bug


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/msreader_4.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17163.zip

#######################################################################

======
4) Fix
======


No fix.


#######################################################################