195 lines
No EOL
6.2 KiB
Text
195 lines
No EOL
6.2 KiB
Text
Core Security - Corelabs Advisory
|
|
http://corelabs.coresecurity.com/
|
|
|
|
Artweaver Buffer Overflow Vulnerability
|
|
|
|
|
|
1. *Advisory Information*
|
|
|
|
Title: Artweaver Buffer Overflow Vulnerability
|
|
Advisory ID: CORE-2013-0701
|
|
Advisory URL:
|
|
http://www.coresecurity.com/advisories/artweaver-buffer-overflow-vulnerability
|
|
Date published: 2013-07-22
|
|
Date of last update: 2013-07-22
|
|
Vendors contacted: Artweaver
|
|
Release mode: Coordinated release
|
|
|
|
|
|
2. *Vulnerability Information*
|
|
|
|
Class: Buffer overflow [CWE-119]
|
|
Impact: Code execution
|
|
Remotely Exploitable: Yes
|
|
Locally Exploitable: No
|
|
CVE Name: CVE-2013-2576
|
|
|
|
|
|
3. *Vulnerability Description*
|
|
|
|
Artweaver [1], [2] is prone to a security vulnerability when processing
|
|
AWD files. This vulnerability could be exploited by a remote attacker to
|
|
execute arbitrary code on the target machine by enticing Artweaver users
|
|
to open a specially crafted file.
|
|
|
|
|
|
4. *Vulnerable Packages*
|
|
|
|
. Artweaver v3.1.5.
|
|
. Older versions are probably affected too, but they were not checked.
|
|
|
|
|
|
5. *Non-Vulnerable Packages*
|
|
|
|
. Artweaver v3.1.6.
|
|
. Artweaver v4.0.
|
|
|
|
|
|
6. *Vendor Information, Solutions and Workarounds*
|
|
|
|
Vendor notifies that Artweaver v3.1.6 and v4.0 are available and fix the
|
|
reported vulnerability. Vendor encourages all Artweaver users to update
|
|
to the latest version:
|
|
|
|
1. http://www.artweaver.de/en/help/68
|
|
2. Artweaver Plus - http://www.artweaver.de/en/help/80
|
|
3. Artweaver Free - http://www.artweaver.de/en/help/81
|
|
|
|
|
|
7. *Credits*
|
|
|
|
This vulnerability was discovered and researched by Daniel Kazimirow
|
|
from Core Exploit Writers Team. The publication of this advisory was
|
|
coordinated by Fernando Miranda from Core Advisories Team.
|
|
|
|
|
|
8. *Technical Description / Proof of Concept Code*
|
|
|
|
Below is shown the result of opening the maliciously crafted file
|
|
'CORE-2013-0701-artweaver-poc-28ab190b137f3.AWD'[3], which means the
|
|
normal execution flow can be altered in order to execute arbitrary code.
|
|
|
|
/-----
|
|
004F3265 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
|
|
004F3268 8B40 28 MOV EAX,DWORD PTR DS:[EAX+28]
|
|
004F326B 8B10 MOV EDX,DWORD PTR DS:[EAX]
|
|
004F326D FF12 CALL DWORD PTR DS:[EDX] ;
|
|
<--- crash
|
|
|
|
DS:[45454545]=???
|
|
|
|
EAX 030F9C48 ASCII
|
|
"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
|
|
ECX 019983F0
|
|
EDX 45454545
|
|
EBX 019983F0
|
|
ESP 0012FB7C
|
|
EBP 0012FB90
|
|
ESI 00000000
|
|
EDI 00000013
|
|
EIP 004F326D Artweave.004F326D
|
|
C 0 ES 0023 32bit 0(FFFFFFFF)
|
|
P 1 CS 001B 32bit 0(FFFFFFFF)
|
|
A 0 SS 0023 32bit 0(FFFFFFFF)
|
|
Z 0 DS 0023 32bit 0(FFFFFFFF)
|
|
S 0 FS 003B 32bit 7FFDF000(FFF)
|
|
T 0 GS 0000 NULL
|
|
D 0
|
|
O 0 LastErr ERROR_SUCCESS (00000000)
|
|
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
|
|
ST0 empty -??? FFFF 00005FEE 0F0566FB
|
|
ST1 empty -??? FFFF 00000000 0F05070D
|
|
ST2 empty -??? FFFF 00000000 00060010
|
|
ST3 empty -??? FFFF 00000000 002C006F
|
|
ST4 empty -NAN FFFF 8F669BF5 EFE5EDFD
|
|
ST5 empty 6.0925232094539560960e+16
|
|
ST6 empty -7.8331661972355807100e+18
|
|
ST7 empty 5.8691123250627328000e+16
|
|
3 2 1 0 E S P U O Z D I
|
|
FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)
|
|
FCW 1372 Prec NEAR,64 Mask 1 1 0 0 1 0
|
|
-----/
|
|
|
|
|
|
9. *Report Timeline*
|
|
. 2013-07-04:
|
|
Core Security Technologies notifies the Artweaver team of the
|
|
vulnerability.
|
|
|
|
. 2013-07-05:
|
|
Vendor asks for a report with technical information.
|
|
|
|
. 2013-07-05:
|
|
Technical details sent to Artweaver team. Core notifies that the
|
|
publication date is scheduled for the end of July.
|
|
|
|
. 2013-07-06:
|
|
Vendor reproduces the buffer overrun and notifies that they are looking
|
|
for the cause of the problem.
|
|
|
|
. 2013-07-10:
|
|
Vendor notifies that this vulnerability will be fixed with the next
|
|
Artweaver update v3.1.6, scheduled for July 20th.
|
|
|
|
. 2013-07-10:
|
|
Core re-schedules the advisory publication for Monday 22nd.
|
|
|
|
. 2013-07-20:
|
|
Vendor notifies patched versions were released and aditional information
|
|
for Artweaver users. [Sec. 6]
|
|
|
|
. 2013-07-22:
|
|
Advisory CORE-2013-0701 released.
|
|
|
|
|
|
10. *References*
|
|
|
|
[1] http://www.artweaver.de.
|
|
[2] http://www.b-e-soft.com/products#artweaver.
|
|
[3]
|
|
http://www.coresecurity.com/system/files/attachments/2013/07/CORE-2013-0701-artweaver-poc-28ab190b137f3.zip
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/27047.zip
|
|
|
|
11. *About CoreLabs*
|
|
|
|
CoreLabs, the research center of Core Security Technologies, is charged
|
|
with anticipating the future needs and requirements for information
|
|
security technologies. We conduct our research in several important
|
|
areas of computer security including system vulnerabilities, cyber
|
|
attack planning and simulation, source code auditing, and cryptography.
|
|
Our results include problem formalization, identification of
|
|
vulnerabilities, novel solutions and prototypes for new technologies.
|
|
CoreLabs regularly publishes security advisories, technical papers,
|
|
project information and shared software tools for public use at:
|
|
http://corelabs.coresecurity.com.
|
|
|
|
|
|
12. *About Core Security Technologies*
|
|
|
|
Core Security Technologies enables organizations to get ahead of threats
|
|
with security test and measurement solutions that continuously identify
|
|
and demonstrate real-world exposures to their most critical assets. Our
|
|
customers can gain real visibility into their security standing, real
|
|
validation of their security controls, and real metrics to more
|
|
effectively secure their organizations.
|
|
|
|
Core Security's software solutions build on over a decade of trusted
|
|
research and leading-edge threat expertise from the company's Security
|
|
Consulting Services, CoreLabs and Engineering groups. Core Security
|
|
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
|
|
http://www.coresecurity.com.
|
|
|
|
|
|
13. *Disclaimer*
|
|
|
|
The contents of this advisory are copyright (c) 2013 Core Security
|
|
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
|
|
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
|
|
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
|
|
|
|
|
|
14. *PGP/GPG Keys*
|
|
|
|
This advisory has been signed with the GPG key of Core Security
|
|
Technologies advisories team, which is available for download at
|
|
http://www.coresecurity.com/files/attachments/core_security_advisories.asc. |