[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5305023B.8030300@rcesecurity.com>
Date: Wed, 19 Feb 2014 20:12:59 +0100
From: Julien Ahrens <info@...security.com>
To: full-disclosure@...ts.grok.org.uk, moderators@...db.org,
bugtraq@...urityfocus.com
Subject: VideoCharge Studio v2.12.3.685 cc.dll CHTTPResponse::GetHttpResponse()
Buffer Overflow Remote Code Execution
RCE Security Advisory
http://www.rcesecurity.com
1. ADVISORY INFORMATION
-----------------------
Product: VideoCharge Studio
Vendor URL: www.videocharge.com
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2014-02-08
Date published: 2014-02-19
CVSSv2 Score: 7,6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVE: -
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
--------------------
VideoCharge Studio v2.12.3.685 (latest)
and other older versions may be affected too.
4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in the
latest version of VideoCharge Studio v2.12.3.685.
The application sends several HTTP GET requests to www.videocharge.com
in different situations like checking for available updates or during
the license activation process. The HTTP responses of the website are
parsed using the following function from cc.dll:
static int __cdecl CHTTPResponse::GetHttpResponse(char const *,char
const *,char *)
This function reads the contents of the response page using an
InternetReadFile() call with dwNumberOfBytesToRead set to 745 bytes.
Afterwards the application uses an insecure strcpy() call to further
process the received data:
1016D827 CALL cc.1020ACF0 ; strcpy()
Although 745 bytes are enough to trigger the buffer overflow, the
application additionally does not perform a validation of the
Content-Length value of the HTTP response and executes the
InternetReadFile() call a second time if the Content-Length value is
greater than 745 with the dwNumberOfBytesToRead argument set to
[Content-Length - 745] to make sure all bytes from the response are
read, and uses the same strcpy() call to further process the received
data, resulting in huge amounts of memory, that can be controlled by an
attacker. This leads to a stack-based buffer overflow with an
overwritten SEH chain, resulting in remote code execution.
This vulnerability is only exploitable in a MITM scenario, therefor an
attacker needs to spoof the DNS record of www.videocharge.com to
redirect the traffic. Successful exploits can allow remote attackers to
execute arbitrary code with the privileges of the user running the
application. Failed exploits will result in a denial-of-service condition.
5. PROOF-OF-CONCEPT (DEBUG)
---------------------------
Registers:
EAX 00000000
ECX CCCCCCCC
EDX 7733B4AD ntdll.7733B4AD
EBX 00000000
ESP 00186F74
EBP 00186F94
ESI 00000000
EDI 00000000
EIP CCCCCCCC
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Stackview:
00186F74 7733B499 RETURN to ntdll.7733B499
00186F78 0018705C
00186F7C 0018781C
00186F80 001870AC
00186F84 00187030
00186F88 0018781C Pointer to next SEH record
00186F8C 7733B4AD SE handler
[...]
00187818 CCCCCCCC
0018781C CCCCCCCC Pointer to next SEH record
00187820 CCCCCCCC SE handler
00187824 CCCCCCCC
Vulnerable code part:
1016D7CA LEA EAX,DWORD PTR SS:[EBP-34] ;
lpdwNumberOfBytesRead
1016D7CD PUSH EAX ; /Arg4
1016D7CE MOV ECX,DWORD PTR SS:[EBP-30] ;
|dwNumberOfBytesToRead
1016D7D1 PUSH ECX ; |Arg3
1016D7D2 MOV EDX,DWORD PTR SS:[EBP-14] ; |lpBuffer
1016D7D5 PUSH EDX ; |Arg2
1016D7D6 MOV EAX,DWORD PTR SS:[EBP-1C] ; |hFile
1016D7D9 PUSH EAX ; |Arg1
1016D7DA CALL DWORD PTR DS:[<&WININET.InternetRea>; \InternetReadFile
1016D7E0 TEST EAX,EAX
1016D7E2 JNZ SHORT cc.1016D7FB
1016D7E4 MOV DWORD PTR SS:[EBP-44],2
1016D7EB PUSH cc.10281838 ; /Arg2 = 10281838
1016D7F0 LEA ECX,DWORD PTR SS:[EBP-44] ; |
1016D7F3 PUSH ECX ; |Arg1
1016D7F4 CALL cc.1020A824 ; \cc.1020A824
1016D7F9 JMP SHORT cc.1016D82F
1016D7FB CMP DWORD PTR SS:[EBP-34],0
1016D7FF JNZ SHORT cc.1016D816
1016D801 MOV DWORD PTR SS:[EBP-48],0
1016D808 PUSH cc.10281838 ; /Arg2 = 10281838
1016D80D LEA EDX,DWORD PTR SS:[EBP-48] ; |
1016D810 PUSH EDX ; |Arg1
1016D811 CALL cc.1020A824 ; \cc.1020A824
1016D816 MOV EAX,DWORD PTR SS:[EBP-14]
1016D819 ADD EAX,DWORD PTR SS:[EBP-34]
1016D81C MOV BYTE PTR DS:[EAX],0
1016D81F MOV ECX,DWORD PTR SS:[EBP-14]
1016D822 PUSH ECX
1016D823 MOV EDX,DWORD PTR SS:[EBP+10]
1016D826 PUSH EDX
1016D827 CALL cc.1020ACF0 ; strcpy()
6. SOLUTION
-----------
None
7. REPORT TIMELINE
------------------
2014-02-19: Full Disclosure
8. REFERENCES
-------------
http://www.rcesecurity.com/2014/02/videocharge-studio-v2-12-3-685-gethttpresponse-remote-code-execution
Powered by blists - more mailing lists