Message-Id: <20110928145833.7cb8cddc.aluigi@autistici.org>
Date: Wed, 28 Sep 2011 14:58:33 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: Vulnerabilities in EViews 7.2

#######################################################################

                             Luigi Auriemma

Application:  EViews
              http://www.eviews.com
Versions:     <= 7.0.0.1 (aka 7.2)
Platforms:    Windows
Bugs:         A] memory corruption
              B] heap overflow
Exploitation: file
Date:         19 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


EViews is a software for econometric and statistical analysis.

From vendor's website:
"Estimation, forecasting, statistical analysis, graphics, simulation,
data management, all in a powerful, graphical object-oriented
interface."


#######################################################################

=======
2) Bugs
=======

--------------------
A] memory corruption
--------------------

The program uses a particular function for allocating memory for the
arrays used in the WF1 files.
In short, if the reallocation fails it's possible to write a memory
pointer and a NULL in the expected last two positions of the
"supposedly" reallocated array, with the possibility of corrupting
memory zones almost arbitrarily:

  00B1A2B0  /$ 56                PUSH ESI                       ; value + 0x32
  00B1A2B1  |. 57                PUSH EDI
  00B1A2B2  |. 8B7C24 0C         MOV EDI,DWORD PTR SS:[ESP+C]
  00B1A2B6  |. 8BF1              MOV ESI,ECX
  00B1A2B8  |. 56                PUSH ESI
  00B1A2B9  |. 8D04BD 00000000   LEA EAX,DWORD PTR DS:[EDI*4]   ; value * 4 (unexploitable)
  00B1A2C0  |. 50                PUSH EAX
  00B1A2C1  |. B9 38F8E600       MOV ECX,EViews7.00E6F838
  00B1A2C6  |. E8 4527F7FF       CALL EViews7.00A8CA10          ; allocation
  ...
  00A8BB41  |. 897C39 FC         MOV DWORD PTR DS:[ECX+EDI-4],EDI   ; write4
  00A8BB45  |. C70439 00000000   MOV DWORD PTR DS:[ECX+EDI],0       ; write4


----------------
B] heap overflow
----------------

Heap overflow/corruption (no additional analysis) during the handling
of the PRG files:

  00B90BF4  |. 8B1496         MOV EDX,DWORD PTR DS:[ESI+EDX*4]
  00B90BF7  |. EB 07          JMP SHORT EViews7.00B90C00    ; EDX is controlled
  00B90BF9  |> 397A 04        /CMP DWORD PTR DS:[EDX+4],EDI ; EDI is usually zero
  00B90BFC  |. 74 0E          |JE SHORT EViews7.00B90C0C
  00B90BFE  |. 8B12           |MOV EDX,DWORD PTR DS:[EDX]
  00B90C00  |> 85D2            TEST EDX,EDX
  00B90C02  |.^75 F5          \JNZ SHORT EViews7.00B90BF9
  00B90C04  |. 33C0           XOR EAX,EAX
  00B90C06  |> 5F             POP EDI
  00B90C07  |> 5E             POP ESI
  00B90C08  |. 5D             POP EBP
  00B90C09  |. C2 0400        RETN 4
  00B90C0C  |> 8B42 08        MOV EAX,DWORD PTR DS:[EDX+8]  ; get the new value
  00B90C0F  \.^EB F5          JMP SHORT EViews7.00B90C06
  ...
  00B295D8  |. E8 EF750600    CALL EViews7.00B90BCC         ; the above function
  00B295DD  |. 85C0           TEST EAX,EAX
  00B295DF  |. 74 14          JE SHORT EViews7.00B295F5
  00B295E1  |. 8378 4C 00     CMP DWORD PTR DS:[EAX+4C],0
  00B295E5  |. 74 0E          JE SHORT EViews7.00B295F5
  00B295E7  |. 8B48 4C        MOV ECX,DWORD PTR DS:[EAX+4C]
  00B295EA  |. 8B01           MOV EAX,DWORD PTR DS:[ECX]
  00B295EC  |. 6A 00          PUSH 0
  00B295EE  |. 56             PUSH ESI
  00B295EF  |. FF90 9C000000  CALL DWORD PTR DS:[EAX+9C]    ; code execution

The only "obstacle" to the exploitation could be EDI handled at address
00B90BF9, because sometimes it's zero and other times it's a different
value, but my proof-of-concept and analysis are absolutely far from
being optimized, so there are for sure ways to control it better and
bypass the comparison.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/eviews_1.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
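The following is an added illustration of the bug class described under A] (an array-growth routine whose two trailing stores, the new element pointer and the NULL terminator, happen whether or not the reallocation succeeded) beside a hardened version. It is example code written for this page, not the advisory author's proof-of-concept and not EViews code; the `ptr_array` container, the `realloc_fn` hook used to force an allocation failure deterministically, and the function names are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Allocator hook (constructed for this example) so the failure path can
 * be exercised without actually exhausting memory. */
typedef void *(*realloc_fn)(void *ptr, size_t size);

static void *failing_realloc(void *ptr, size_t size) {
    (void)ptr; (void)size;
    return NULL;                      /* simulate out-of-memory */
}

/* NULL-terminated array of element pointers with 'count' live entries.
 * Hypothetical layout; not the layout used by the WF1 parser. */
typedef struct {
    void **items;
    size_t count;
} ptr_array;

/* Vulnerable pattern, modelled on the advisory's description: the
 * realloc result is never checked, and the two trailing stores (element
 * pointer, then NULL terminator) are performed regardless. On failure
 * 'p' is NULL, so both stores go to NULL + offset, while the old block
 * is neither freed nor kept track of. */
void append_unchecked(ptr_array *a, void *elem, realloc_fn rf) {
    size_t n = a->count + 1;
    void **p = rf(a->items, (n + 1) * sizeof(void *));
    p[n - 1] = elem;                  /* cf. MOV [ECX+EDI-4],EDI */
    p[n]     = NULL;                  /* cf. MOV [ECX+EDI],0     */
    a->items = p;
    a->count = n;
}

/* Hardened version: guard the size arithmetic, check the realloc result
 * before touching the new block, keep the old array intact on failure,
 * and report the error so the caller can stop parsing the file. */
int append_checked(ptr_array *a, void *elem, realloc_fn rf) {
    size_t n = a->count + 1;
    if (n > SIZE_MAX / sizeof(void *) - 1)
        return -1;                    /* (n + 1) * sizeof would overflow */
    void **p = rf(a->items, (n + 1) * sizeof(void *));
    if (p == NULL)
        return -1;                    /* a->items is still valid and owned */
    p[n - 1] = elem;
    p[n]     = NULL;
    a->items = p;
    a->count = n;
    return 0;
}

/* Exercises both variants. Returns 1 when the hardened append grows the
 * array on success and leaves it untouched when the allocator fails. */
int demo(void) {
    ptr_array a = { NULL, 0 };
    int x = 1, y = 2;
    int ok = 1;

    if (append_checked(&a, &x, realloc) != 0) return 0;
    ok &= (a.count == 1 && a.items[0] == &x && a.items[1] == NULL);

    /* Forced failure: old contents and terminator must survive. */
    if (append_checked(&a, &y, failing_realloc) != -1) ok = 0;
    ok &= (a.count == 1 && a.items[0] == &x && a.items[1] == NULL);

    /* The unchecked variant is only ever called here with a working
     * allocator; with failing_realloc it would dereference NULL. */
    append_unchecked(&a, &y, realloc);
    ok &= (a.count == 2 && a.items[1] == &y && a.items[2] == NULL);

    free(a.items);
    return ok;
}

int main(void) {
    printf("hardened append behaves correctly: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The defensive point is the one the advisory's disassembly illustrates: once a file-controlled element count drives the reallocation size, the only thing standing between an allocation failure and out-of-bounds stores is a NULL check on the returned pointer, plus a guard on the size multiplication that feeds it.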
