Message-ID: <5288F2C9.8020701@rcesecurity.com>
Date: Sun, 17 Nov 2013 17:46:01 +0100
From: Julien Ahrens <info@...security.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [CVE-2013-6356] Avira Secure Backup v1.0.0.1 Multiple Registry Key Value Parsing Local Buffer Overflow Vulnerability
From a technical point of view, it's a vulnerability because you can
gain control of EIP.
The reason why a victim would probably import an arbitrary .reg file is
the same as why he would use a .wav file from an untrusted source, which
exploits a flaw in the installed .wav converter. If you can convince
(social-engineer) your victim, because of a lack of knowledge, this
scenario would work.
But I was thinking about another attack scenario: Imagine that you
already have access to the victim's computer - then you could use this flaw
to place a backdoor-shellcode (e.g. a reverse shell) into the registry,
which is executed every time the application starts - by default: on
startup. Since the application does not validate the values from the
registry (and does not remove them either), you've got some kind of
persistent code execution.
Regards.
On 17.11.2013 16:12, Jann Horn wrote:
> On Sat, Nov 16, 2013 at 03:23:07PM +0100, Julien Ahrens wrote:
>> A buffer overflow vulnerability has been identified in Avira Secure
>> Backup v1.0.0.1 Build 3616.
>> An attacker needs to force the victim to import an arbitrary .reg file
>> in order to exploit the vulnerability.
> Could you please elaborate on why this is a "vulnerability"? If I can convince
> someone to import random registry files, can't I just add some autorun entry
> or whatever?
>