[<prev] [next>] [day] [month] [year] [list]
Message-ID: <543DA14C.9020409@vulnerability-lab.com>
Date: Wed, 15 Oct 2014 00:18:52 +0200
From: Vulnerability Lab <research@...nerability-lab.com>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com
Subject: PayPal Inc #90 PDF Mailer - Buffer Overflow Vulnerability
Document Title:
===============
PayPal Inc #90 PDF Mailer - Buffer Overflow Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=940
http://www.vulnerability-lab.com/get_content.php?id=1274
Release Date:
=============
2014-10-02
Vulnerability Laboratory ID (VL-ID):
====================================
940
Common Vulnerability Scoring System:
====================================
5.1
Product & Service Introduction:
===============================
Mit der neuen Software PayPal ExpressRechnung können Sie ganz bequem Dokumente wie zum Beispiel Rechnungen aus
Office-Anwendungen oder kaufmännischer Software um eine bequeme Bezahlfunktion erweitern.
Die PayPal-Funktionalität ermöglicht Ihren Kunden die direkte Zahlung aus dem PDF und jetzt auch aus der
papiergebundenen Rechnung. Der Express-Kauf-Button und ein QR-Code machen es möglich – Fehlerteufel durch lästiges
Abtippen der Bankverbindung gehören damit der Vergangenheit an. Und das Beste: Sie erhalten schnell Ihr Geld!*
Dadurch stellt PayPal ExpressRechnung eine Ergänzung Ihres bisherigen Zahlungsportfolios dar. Insbesondere
Zahlungen, die heute außerhalb des Online-Shops stattfinden (z.B. bei telefonischen Bestellungen), können so
zeitsparender und mit mehr Sicherheit abgewickelt werden. Es müssen keine sensiblen Bank- oder Kreditkartendaten
am Telefon übermittelt werden.
(Copy of the Homepage: https://www.paypal.com/webapps/mpp/paypal-express-rechnung )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local buffer overflow software vulnerability in the official PayPal PDFMailer v6.0.2900.5512 software.
Vulnerability Disclosure Timeline:
==================================
2014-10-02: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
PayPal Inc
Product: PayPals PDFMailer (gotomaxx) 6.0.2900.5512
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local buffer overflow software vulnerability is detected in the official Paypal Inc PDFMailer v6.0.2900.5512 software app.
The vulnerability typus allows local attacker to overflow the paypal pdfmailer software process to gain higher access privileges.
The local buffer overflow vulnerability is located in the drucker name (printer name) input field. The local attackers are able to
include large unicode strings to overflow the installation software core process. The attacker is also able to overwrite (overflow)
registers of the affected process to local execute unauthorized codes.
Exploitation of the vulnerability requires a restricted system user account with physical access and no user interaction.
Successful exploitation of the vulnerability results in system compromise by buffer overflow and a basic code execution.
Vulnerable Service(s):
[+] PayPal Inc - PDFMailer
Vulnerable Module(s):
[+] Installation - Core
Vulnerable Input(s):
[+] Drucker Name (Printer Name)
Proof of Concept (PoC):
=======================
The local buffer overflow vulnerability can be exploited by local attacker with a restricted system user account without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
1. Download the Paypal PDF Mailer https://www.paypal.com/webapps/mpp/paypal-express-rechnung
2. Install the software and click to accept the license questions and pass the beautiful paypal girl :)
3. Now, the installation ask for a path and wants to configure the printer name with the installation process
4. We include to the vulnerable drucker name (printer name) input a unicode string (1024 bytes) and press the install (ok|continue) button
Note: Attach a debugger like windbg, ida, ollydbg or immunity to the process
5. The software is installing the components, libs and modules ...
Note: Now, the installation is at the end processing to load the drucker name (printer name) of the input field setup ago
8. The software crashs with a classic and unique BEX (Buffer Overflow) error exception
9. The attacker is able to overwrite registers of the software process to escalate with system privileges to execute local codes
10. Successful reproduce of the local vulnerability!
--- Debug Logs ---
ModLoad: 009f0000 00ac9000 SetupAssistant.exe
(1960.1480): Break instruction exception - code 80000003 (first chance)
eax=7efd7000 ebx=00000000 ecx=00000000 edx=774ff85a esi=00000000 edi=00000000
eip=41414141 esp=0049ff5c ebp=0049ff88 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
7747000c cc int 3
7747000d c3 ret
7747000e 90 nop
7747000f 90 nop
77470010 8b4c2404 mov ecx,dword ptr [esp+4]
77470014 f6410406 test byte ptr [ecx+4],6
77470018 7405 je ntdll!DbgBreakPoint+0x13 (7747001f)
7747001a e8811d0100 call ntdll!NtTestAlert (77481da0)
0:002> a
7747000c
Reference(s): (Video)
http://www.youtube.com/watch?v=IXhwfZV6x0M
Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a limit char restriction of the drucker (printer) name input field in the paypal pdfmailer software.
Security Risk:
==============
The security risk of the local buffer overflow software vulnerability in the pdf mailer software is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@...nerability-lab.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@...nerability-lab.com - research@...nerability-lab.com - admin@...lution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@...nerability-lab.com or research@...nerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@...nerability-lab.com
Powered by blists - more mailing lists