Publish-It 3.6d - Buffer Overflow Vulnerability

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
 
Publish-It Buffer Overflow Vulnerability
 
 
1. *Advisory Information*
 
Title: Publish-It Buffer Overflow Vulnerability
Advisory ID: CORE-2014-0001
Advisory URL:
http://www.coresecurity.com/advisories/publish-it-buffer-overflow-vulnerability
Date published: 2014-02-05
Date of last update: 2014-02-05
Vendors contacted: Poster Software
Release mode: User release
 
 
2. *Vulnerability Information*
 
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-0980
 
 
3. *Vulnerability Description*
 
Publish-It [1] is prone to a (client side) security vulnerability when
processing .PUI files. This vulnerability could be exploited by a remote
attacker to execute arbitrary code on the target machine, by enticing
the user of Publish-It to open a specially crafted .PUI file.
  
 
4. *Vulnerable Packages*
 
 . Publish-It v3.6d for Win XP.
 . Publish-It v3.6d for Win 7.
 . Other versions are probably affected too, but they were not checked.
 
  
5. *Vendor Information, Solutions and Workarounds*
 
There was no official answer from vendor after several attempts to
report this vulnerability (see [Sec. 8]). As mitigation action, given
that this is a client-side vulnerability, avoid to open untrusted .PUI
files. Contact vendor for further information.
  
  
6. *Credits*
 
This vulnerability was discovered and researched by Daniel Kazimirow
from Core Exploit Writers Team.
 
 
7. *Technical Description / Proof of Concept Code*
 
Below is shown the result of opening the Proof of concept file [2] on
Windows XP SP3 (EN).
     
/-----
EAX 04040404
ECX 00000325
EDX FFFFFF99
EBX 77F15B70 GDI32.SelectObject
ESP 0012F5D4
EBP 77F161C1 GDI32.GetStockObject
ESI 0103A1E8
EDI A50107D3
EIP 04040404
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 1  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty -??? FFFF 00000001 00010002
ST1 empty -??? FFFF 00000043 004F007A
ST2 empty -??? FFFF 7590A3E7 FDBDC8F2
ST3 empty -??? FFFF 00000043 0050007B
ST4 empty 1.0000000000000000000
ST5 empty -9.2233720368547758080e+18
-----/
 
The arbitrary value 0x04040404 is stored in the EIP register where our
shellcode starts (just a software breakpoint 0xCC):
  
/-----
04040404    CC              INT3
04040405    CC              INT3
04040406    CC              INT3
04040407    CC              INT3
04040408    CC              INT3
04040409    CC              INT3
0404040A    CC              INT3
0404040B    CC              INT3
...
-----/
 
As a result, the normal execution flow can be altered in order to
execute arbitrary code.
 
 
8. *Report Timeline*
 
. 2013-12-20:
Core Security Technologies attempts to contact vendor. Publication date
is set for Jan 21st, 2014.
      
. 2014-01-06:
Core attempts to contact vendor.
       
. 2014-01-15:
Core asks for confirmation of the initial contact e-mail.
      
. 2014-01-15:
Vendor sends an e-mail with a single word: "Confirmed".
       
. 2014-01-16:
Core sends a technical description and asks for an estimated release
date. No reply received.
       
. 2014-01-21:
First release date missed.
     
. 2014-01-27:
Core attempts to contact vendor. No reply received.
       
. 2014-02-05:
After one month and a half trying to contact vendor the only reply from
them was the word "Confirmed" and the advisory CORE-2014-0001 is
published as 'User release'.

#  0day.today [2018-01-06]  #