ed0e1e4d44
1979 changes to exploits/shellcodes Couchdb 1.5.0 - 'uuids' Denial of Service Apache CouchDB 1.5.0 - 'uuids' Denial of Service Beyond Remote 2.2.5.3 - Denial of Service (PoC) udisks2 2.8.0 - Denial of Service (PoC) Termite 3.4 - Denial of Service (PoC) SoftX FTP Client 3.3 - Denial of Service (PoC) Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection Silverstripe CMS 3.0.2 - Multiple Vulnerabilities SilverStripe CMS 3.0.2 - Multiple Vulnerabilities Silverstripe CMS 2.4 - File Renaming Security Bypass SilverStripe CMS 2.4 - File Renaming Security Bypass Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload Silverstripe CMS 2.4.x - 'BackURL' Open Redirection SilverStripe CMS 2.4.x - 'BackURL' Open Redirection Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure Silverstripe CMS - Multiple HTML Injection Vulnerabilities SilverStripe CMS - Multiple HTML Injection Vulnerabilities Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation Monstra CMS before 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (2) Monstra CMS < 3.0.4 - Cross-Site Scripting Monstra CMS < 3.0.4 - Cross-Site Scripting (1) Navigate CMS 2.8 - Cross-Site Scripting Collectric CMU 1.0 - 'lang' SQL injection Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection LG SuperSign EZ CMS 2.5 - Remote Code Execution MyBB Visual Editor 1.8.18 - Cross-Site Scripting Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection RICOH Aficio MP 301 Printer - Cross-Site Scripting Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection RICOH MP C6003 Printer - Cross-Site Scripting Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes) Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
211 lines
No EOL
6.8 KiB
Text
211 lines
No EOL
6.8 KiB
Text
Core Security - Corelabs Advisory
|
|
http://corelabs.coresecurity.com/
|
|
|
|
IcoFX Buffer Overflow Vulnerability
|
|
|
|
PoC: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/30208.zip
|
|
|
|
1. *Advisory Information*
|
|
|
|
Title: IcoFX Buffer Overflow Vulnerability
|
|
Advisory ID: CORE-2013-1107
|
|
Advisory URL:
|
|
http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability
|
|
Date published: 2013-12-10
|
|
Date of last update: 2013-12-10
|
|
Vendors contacted: IcoFX Software
|
|
Release mode: User release
|
|
|
|
|
|
2. *Vulnerability Information*
|
|
|
|
Class: Buffer overflow [CWE-119]
|
|
Impact: Code execution
|
|
Remotely Exploitable: No
|
|
Locally Exploitable: Yes
|
|
CVE Name: CVE-2013-4988
|
|
|
|
|
|
3. *Vulnerability Description*
|
|
|
|
IcoFX [1] is prone to a (client side) security vulnerability when
|
|
processing .ICO files. This vulnerability could be exploited by a remote
|
|
attacker to execute arbitrary code on the target machine, by enticing
|
|
the user of IcoFX to open a specially crafted icon file.
|
|
|
|
|
|
4. *Vulnerable Packages*
|
|
|
|
. IcoFX v2.5.0.0 for Windows.
|
|
. Other versions are probably affected too, but they were not checked.
|
|
|
|
|
|
5. *Vendor Information, Solutions and Workarounds*
|
|
|
|
There was no official answer from vendor after several attempts to
|
|
report this vulnerability (see [Sec. 8]). As mitigation action, given
|
|
that this is a client-side vulnerability, avoid to open untrusted ICO
|
|
files. Contact vendor for further information.
|
|
|
|
|
|
6. *Credits*
|
|
|
|
This vulnerability was discovered and researched by Marcos Accossatto
|
|
from Core Exploit Writers Team. The publication of this advisory was
|
|
coordinated by Fernando Miranda from Core Advisories Team.
|
|
|
|
|
|
7. *Technical Description / Proof of Concept Code*
|
|
|
|
Below is shown the result of opening the maliciously crafted file
|
|
'CORE-2013-1107-icofx-poc.ico'[2] on Windows XP SP3 (EN).
|
|
|
|
The vulnerable function is located in 0x80D9F8. By loading the PoC, the
|
|
loop [0x80DA74, 0x80DA93] fills the buffer and overwrite the Exception
|
|
Handler:
|
|
|
|
/-----
|
|
0080DA74 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
|
|
0080DA77 03C0 ADD EAX,EAX
|
|
0080DA79 8D94C5 8CF9FFFF LEA EDX,DWORD PTR SS:[EBP+EAX*8-674]
|
|
0080DA80 B9 10000000 MOV ECX,10 ;
|
|
Will copy 16 bytes from file to buffer
|
|
0080DA85 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
|
|
0080DA88 8B18 MOV EBX,DWORD PTR DS:[EAX]
|
|
0080DA8A FF53 0C CALL DWORD PTR DS:[EBX+C]
|
|
0080DA8D FF45 E8 INC DWORD PTR SS:[EBP-18] ;
|
|
Index, will be overwritten with our value in the penultimate loop turn
|
|
0080DA90 FF4D DC DEC DWORD PTR SS:[EBP-24] ;
|
|
Counter, will be overwritten with our value in the penultimate loop turn
|
|
0080DA93 75 DF JNZ SHORT 0080DA74
|
|
0080DA95 0FBF45 F0 MOVSX EAX,WORD PTR SS:[EBP-10]
|
|
-----/
|
|
|
|
At the 'MOVSX' of 0x80DA95, the CPU registers are as follows:
|
|
|
|
|
|
/-----
|
|
EAX 00000010
|
|
ECX 7C80189C kernel32.7C80189C
|
|
EDX 00000010
|
|
EBX 004617F4 IcoFX2.004617F4
|
|
ESP 0012F380
|
|
EBP 0012FA08
|
|
ESI 005B2CBC IcoFX2.005B2CBC
|
|
EDI 02555C80
|
|
EIP 0080DA95 IcoFX2.0080DA95
|
|
C 1 ES 0023 32bit 0(FFFFFFFF)
|
|
P 1 CS 001B 32bit 0(FFFFFFFF)
|
|
A 0 SS 0023 32bit 0(FFFFFFFF)
|
|
Z 1 DS 0023 32bit 0(FFFFFFFF)
|
|
S 0 FS 003B 32bit 7FFDF000(FFF)
|
|
T 0 GS 0000 NULL
|
|
D 0
|
|
O 0 LastErr ERROR_SUCCESS (00000000)
|
|
EFL 00200247 (NO,B,E,BE,NS,PE,GE,LE)
|
|
ST0 empty -??? FFFF 00F300F3 00F300F3
|
|
ST1 empty -??? FFFF 00FE00FE 00FE00FE
|
|
ST2 empty -??? FFFF 00000009 00220065
|
|
ST3 empty -??? FFFF 0000000A 00240069
|
|
ST4 empty 1.2948274137727088000e+16
|
|
ST5 empty 2.5896178900861029000e+16
|
|
ST6 empty 3.2651492439228483000e+16
|
|
ST7 empty 3.1244147623526446000e+16
|
|
3 2 1 0 E S P U O Z D I
|
|
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
|
|
FCW 1272 Prec NEAR,53 Mask 1 1 0 0 1 0
|
|
-----/
|
|
|
|
And the stack Exception Handler is overwritten (shellcode starts in
|
|
0x12F3A4):
|
|
|
|
|
|
/-----
|
|
0012F380 0012FA10 Pointer to next SEH record
|
|
0012F384 42424242 SE handler
|
|
0012F388 41414141
|
|
0012F38C 41414141
|
|
0012F390 41414141
|
|
0012F394 000502A8
|
|
0012F398 7E4188A6 USER32.GetWindowLongW
|
|
0012F39C 00000000
|
|
0012F3A0 0012F3D8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...
|
|
0012F3A4 41414141
|
|
-----/
|
|
|
|
As a result, the normal execution flow can be altered in order to
|
|
execute arbitrary code.
|
|
|
|
|
|
8. *Report Timeline*
|
|
|
|
. 2013-11-11:
|
|
Core Security Technologies attempts to contact the IcoFX team; no reply
|
|
received. Publication date is set for Dec 3rd, 2013.
|
|
|
|
. 2013-11-14:
|
|
Core attempts to contact vendor.
|
|
|
|
. 2013-11-26:
|
|
Core attempts to contact vendor.
|
|
|
|
. 2013-12-03:
|
|
Core attempts to contact vendor.
|
|
|
|
. 2013-12-03:
|
|
First release date missed.
|
|
|
|
. 2013-12-10:
|
|
Advisory CORE-2013-1107 published.
|
|
|
|
|
|
9. *References*
|
|
|
|
[1] http://icofx.ro/.
|
|
[2]
|
|
http://www.coresecurity.com/system/files/attachments/2013/12/CORE-2013-1107-icofx-poc.zip
|
|
|
|
|
|
10. *About CoreLabs*
|
|
|
|
CoreLabs, the research center of Core Security Technologies, is charged
|
|
with anticipating the future needs and requirements for information
|
|
security technologies. We conduct our research in several important
|
|
areas of computer security including system vulnerabilities, cyber
|
|
attack planning and simulation, source code auditing, and cryptography.
|
|
Our results include problem formalization, identification of
|
|
vulnerabilities, novel solutions and prototypes for new technologies.
|
|
CoreLabs regularly publishes security advisories, technical papers,
|
|
project information and shared software tools for public use at:
|
|
http://corelabs.coresecurity.com.
|
|
|
|
|
|
11. *About Core Security Technologies*
|
|
|
|
Core Security Technologies enables organizations to get ahead of threats
|
|
with security test and measurement solutions that continuously identify
|
|
and demonstrate real-world exposures to their most critical assets. Our
|
|
customers can gain real visibility into their security standing, real
|
|
validation of their security controls, and real metrics to more
|
|
effectively secure their organizations.
|
|
|
|
Core Security's software solutions build on over a decade of trusted
|
|
research and leading-edge threat expertise from the company's Security
|
|
Consulting Services, CoreLabs and Engineering groups. Core Security
|
|
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
|
|
http://www.coresecurity.com.
|
|
|
|
|
|
12. *Disclaimer*
|
|
|
|
The contents of this advisory are copyright (c) 2013 Core Security
|
|
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
|
|
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
|
|
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
|
|
|
|
|
|
13. *PGP/GPG Keys*
|
|
|
|
This advisory has been signed with the GPG key of Core Security
|
|
Technologies advisories team, which is available for download at
|
|
http://www.coresecurity.com/files/attachments/core_security_advisories.asc. |