lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20110929112651.5ae58175.aluigi@autistici.org>
Date: Thu, 29 Sep 2011 11:26:51 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: Arbitrary memory corruption in NCSS 07.1.21

#######################################################################

                             Luigi Auriemma

Application:  NCSS (aka NCSS 2007)
              http://www.ncss.com/ncss.html
Versions:     <= 07.1.21
Platforms:    Windows
Bug:          array overflow with write2
Exploitation: file
Date:         28 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From vendor's homepage:
"NCSS has specialized in providing statistical analysis software to
researchers, businesses, and academic institutions."


#######################################################################

======
2) Bug
======


Through the S0 files it's possible to exploit various array overflow
vulnerabilities for writing the word 0xfffd in an arbitrary zone of the
memory.
The following is one of these bugs, from VCF132.dll:

  1D044E91  |. 0FB750 06       ||MOVZX EDX,WORD PTR DS:[EAX+6]  ; EDX controlled
  1D044E95  |. 8B0491          ||MOV EAX,DWORD PTR DS:[ECX+EDX*4]
  1D044E98  |. 8BCB            ||MOV ECX,EBX
  1D044E9A  |. 66:C740 04 FDFF ||MOV WORD PTR DS:[EAX+4],0FFFD  ; write2

For the other array overflows it's enough to search the 0xfffd constant
and all the operations like the above one.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ncss_1.s0

the 16bit value for EDX is located at offset 0x8bd.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ