lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <53136238.3040606@rcesecurity.com>
Date: Sun, 02 Mar 2014 17:54:16 +0100
From: Julien Ahrens <info@...security.com>
To: full-disclosure@...ts.grok.org.uk, OSVDB Mods <moderators@...db.org>, 
 bugtraq@...urityfocus.com
Subject: [CVE-2014-2206] GetGo Download Manager HTTP
 Response Header Buffer Overflow Remote Code Execution

RCE Security Advisory
http://www.rcesecurity.com
 
 
1. ADVISORY INFORMATION
-----------------------
Product:        GetGo Download Manager
Vendor URL:     www.getgosoft.com
Type:           Stack-based Buffer Overflow [CWE-121]
Date found:     2014-02-20
Date published: 2014-03-02
CVSSv2 Score:   10,0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE:            CVE-2014-2206
 
 
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
 
 
3. VERSIONS AFFECTED
--------------------
GetGo Download Manager v4.9.0.1982 (latest)
GetGo Download Manager v4.8.2.1346
GetGo Download Manager v4.4.5.502
and other older versions may be affected too.
 
 
4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in the
GetGo Download Manager.
 
When a website is requested for download, the application reads the HTTP
Response Header values of the target page and copies the retrieved
values to a temporary buffer, which is set to a fixed size of 4097
bytes, but this size is not used by the application to limit the input
to the buffer. Instead it fills the buffer byte by byte until the
terminating sequence "\r\n" is found. Therefore the application writes
outside the expected memory boundaries if the HTTP Response Header is
greater than 4097 bytes.
 
This leads to a stack-based buffer overflow with an overwritten SEH
chain or return points, resulting in remote code execution. Successful
exploits can allow remote attackers to execute arbitrary code with the
privileges of the user running the application. Failed exploits will
result in a denial-of-service condition.
 
 
5. PROOF-OF-CONCEPT (DEBUG)
---------------------------
Registers:
EAX 00000000
ECX CCCCCCCC
EDX 76F2B4AD ntdll.76F2B4AD
EBX 00000000
ESP 0474BD5C
EBP 0474BD7C
ESI 00000000
EDI 00000000
EIP CCCCCCCC
C 0  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 1  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EF94000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
 
 
Stack:
ESP-8    > 00286D30
ESP-4    > FFFFFFFE
ESP ==>  > 76F2B499  RETURN to ntdll.76F2B499
ESP+4    > 0474BE44
ESP+8    > 0474D3A8
[...]
ESP+1648 > CCCCCCCC
ESP+164C > CCCCCCCC  Pointer to next SEH record
ESP+1650 > CCCCCCCC  SE handler
ESP+1654 > CCCCCCCC
 
 
6. VULNERABLE CODE PART
-----------------------
// GetGoDM.exe
004A4CE1  PUSH ECX                          ; /Arg3
004A4CE2  PUSH 1001                         ; |Arg2 = 00001001
004A4CE7  LEA EDX,DWORD PTR SS:[EBP-1024]   ; |
004A4CED  PUSH EDX                          ; |Arg1
004A4CEE  MOV ECX,DWORD PTR SS:[EBP-1064]   ; |
004A4CF4  CALL GetGoDM.004A3A70             ; \GetGoDM.004A3A70
 
 
004A3A70  PUSH EBP
004A3A71  MOV EBP,ESP
004A3A73  PUSH -1
004A3A75  PUSH GetGoDM.00644153
004A3A7A  MOV EAX,DWORD PTR FS:[0]
004A3A80  PUSH EAX
004A3A81  SUB ESP,1C
004A3A84  MOV EAX,DWORD PTR DS:[6E6FB8]
004A3A89  XOR EAX,EBP
004A3A8B  PUSH EAX
004A3A8C  LEA EAX,DWORD PTR SS:[EBP-C]
004A3A8F  MOV DWORD PTR FS:[0],EAX
004A3A95  MOV DWORD PTR SS:[EBP-28],ECX
004A3A98  MOV DWORD PTR SS:[EBP-14],0
004A3A9F  MOV EAX,DWORD PTR SS:[EBP+C]
004A3AA2  PUSH EAX
004A3AA3  PUSH 0
004A3AA5  MOV ECX,DWORD PTR SS:[EBP+8]
004A3AA8  PUSH ECX
004A3AA9  CALL GetGoDM.004EA0A0
004A3AAE  ADD ESP,0C
004A3AB1  MOV DWORD PTR SS:[EBP-18],1
004A3AB8  MOV DWORD PTR SS:[EBP-10],1
004A3ABF  MOV DWORD PTR SS:[EBP-20],0
004A3AC6  PUSH GetGoDM.0066D7F6             ; /Arg1 = 0066D7F6
004A3ACB  LEA ECX,DWORD PTR SS:[EBP-1C]     ; |
004A3ACE  CALL GetGoDM.004090A0             ; \GetGoDM.004090A0
004A3AD3  MOV DWORD PTR SS:[EBP-4],0
004A3ADA  /MOV EDX,1
004A3ADF  |TEST EDX,EDX
004A3AE1  |JE SHORT GetGoDM.004A3B5A
004A3AE3  |MOV EAX,DWORD PTR SS:[EBP+10]
004A3AE6  |PUSH EAX                         ; /Arg3
004A3AE7  |PUSH 1                           ; |Arg2 = 00000001
004A3AE9  |MOV ECX,DWORD PTR SS:[EBP-10]    ; |
004A3AEC  |MOV EDX,DWORD PTR SS:[EBP+8]     ; |
004A3AEF  |LEA EAX,DWORD PTR DS:[EDX+ECX-1] ; |
004A3AF3  |PUSH EAX                         ; |Arg1
004A3AF4  |MOV ECX,DWORD PTR SS:[EBP-28]    ; |
004A3AF7  |ADD ECX,0C                       ; |
004A3AFA  |CALL GetGoDM.0049DF80            ; \GetGoDM.0049DF80
004A3AFF  |MOV DWORD PTR SS:[EBP-18],EAX
004A3B02  |CMP DWORD PTR SS:[EBP-18],0
004A3B06  |JNZ SHORT GetGoDM.004A3B11
004A3B08  |MOV DWORD PTR SS:[EBP-14],0
004A3B0F  |JMP SHORT GetGoDM.004A3B5A
004A3B11  |MOV ECX,DWORD PTR SS:[EBP+8]
004A3B14  |ADD ECX,DWORD PTR SS:[EBP-10]
004A3B17  |MOV BYTE PTR DS:[ECX],0
004A3B1A  |MOV EDX,DWORD PTR SS:[EBP+8]
004A3B1D  |PUSH EDX                         ; /Arg1
004A3B1E  |LEA ECX,DWORD PTR SS:[EBP-1C]    ; |
004A3B21  |CALL GetGoDM.004497C0            ; \GetGoDM.004497C0
004A3B26  |PUSH 0                           ; /Arg2 = 00000000
004A3B28  |PUSH GetGoDM.0066D7F8            ; |Arg1 = 0066D7F8 ASCII ""
004A3B2D  |LEA ECX,DWORD PTR SS:[EBP-1C]    ; |
004A3B30  |CALL GetGoDM.00409560            ; \GetGoDM.00409560
004A3B35  |MOV DWORD PTR SS:[EBP-20],EAX
004A3B38  |CMP DWORD PTR SS:[EBP-20],-1
004A3B3C  |JE SHORT GetGoDM.004A3B4F
004A3B3E  |MOV EAX,DWORD PTR SS:[EBP+8]
004A3B41  |ADD EAX,DWORD PTR SS:[EBP-20]
004A3B44  |MOV BYTE PTR DS:[EAX],0
004A3B47  |MOV ECX,DWORD PTR SS:[EBP-20]
004A3B4A  |MOV DWORD PTR SS:[EBP-14],ECX
004A3B4D  |JMP SHORT GetGoDM.004A3B5A
004A3B4F  |MOV EDX,DWORD PTR SS:[EBP-10]
004A3B52  |ADD EDX,1
004A3B55  |MOV DWORD PTR SS:[EBP-10],EDX
004A3B58  \JMP SHORT GetGoDM.004A3ADA
004A3B5A  MOV EAX,DWORD PTR SS:[EBP-14]
004A3B5D  MOV DWORD PTR SS:[EBP-24],EAX
004A3B60  MOV DWORD PTR SS:[EBP-4],-1
004A3B67  LEA ECX,DWORD PTR SS:[EBP-1C]
004A3B6A  CALL GetGoDM.004091E0
004A3B6F  MOV EAX,DWORD PTR SS:[EBP-24]
004A3B72  MOV ECX,DWORD PTR SS:[EBP-C]
004A3B75  MOV DWORD PTR FS:[0],ECX
004A3B7C  POP ECX
004A3B7D  MOV ESP,EBP
004A3B7F  POP EBP
004A3B80  RETN 0C
 
 
7. SOLUTION
-----------
None
 
 
8. REPORT TIMELINE
------------------
2014-02-23: Discovery of the vulnerability
2014-02-23: Vendor Notification #1
2014-02-26: MITRE assigns CVE-2014-2206
2014-03-01: Project is dead
2014-03-02: Full Disclosure
 
 
9 . REFERENCES
--------------
http://www.rcesecurity.com/2014/03/cve-2014-2206-getgo-download-manager-http-response-header-buffer-overflow-remote-code-execution

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ