211 lines
No EOL
6.6 KiB
Text
211 lines
No EOL
6.6 KiB
Text
Core Security - Corelabs Advisory
|
|
http://corelabs.coresecurity.com/
|
|
|
|
IcoFX Buffer Overflow Vulnerability
|
|
|
|
PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30208.zip
|
|
|
|
1. *Advisory Information*
|
|
|
|
Title: IcoFX Buffer Overflow Vulnerability
|
|
Advisory ID: CORE-2013-1107
|
|
Advisory URL:
|
|
http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability
|
|
Date published: 2013-12-10
|
|
Date of last update: 2013-12-10
|
|
Vendors contacted: IcoFX Software
|
|
Release mode: User release
|
|
|
|
|
|
2. *Vulnerability Information*
|
|
|
|
Class: Buffer overflow [CWE-119]
|
|
Impact: Code execution
|
|
Remotely Exploitable: No
|
|
Locally Exploitable: Yes
|
|
CVE Name: CVE-2013-4988
|
|
|
|
|
|
3. *Vulnerability Description*
|
|
|
|
IcoFX [1] is prone to a (client side) security vulnerability when
|
|
processing .ICO files. This vulnerability could be exploited by a remote
|
|
attacker to execute arbitrary code on the target machine, by enticing
|
|
the user of IcoFX to open a specially crafted icon file.
|
|
|
|
|
|
4. *Vulnerable Packages*
|
|
|
|
. IcoFX v2.5.0.0 for Windows.
|
|
. Other versions are probably affected too, but they were not checked.
|
|
|
|
|
|
5. *Vendor Information, Solutions and Workarounds*
|
|
|
|
There was no official answer from vendor after several attempts to
|
|
report this vulnerability (see [Sec. 8]). As mitigation action, given
|
|
that this is a client-side vulnerability, avoid to open untrusted ICO
|
|
files. Contact vendor for further information.
|
|
|
|
|
|
6. *Credits*
|
|
|
|
This vulnerability was discovered and researched by Marcos Accossatto
|
|
from Core Exploit Writers Team. The publication of this advisory was
|
|
coordinated by Fernando Miranda from Core Advisories Team.
|
|
|
|
|
|
7. *Technical Description / Proof of Concept Code*
|
|
|
|
Below is shown the result of opening the maliciously crafted file
|
|
'CORE-2013-1107-icofx-poc.ico'[2] on Windows XP SP3 (EN).
|
|
|
|
The vulnerable function is located in 0x80D9F8. By loading the PoC, the
|
|
loop [0x80DA74, 0x80DA93] fills the buffer and overwrite the Exception
|
|
Handler:
|
|
|
|
/-----
|
|
0080DA74 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
|
|
0080DA77 03C0 ADD EAX,EAX
|
|
0080DA79 8D94C5 8CF9FFFF LEA EDX,DWORD PTR SS:[EBP+EAX*8-674]
|
|
0080DA80 B9 10000000 MOV ECX,10 ;
|
|
Will copy 16 bytes from file to buffer
|
|
0080DA85 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
|
|
0080DA88 8B18 MOV EBX,DWORD PTR DS:[EAX]
|
|
0080DA8A FF53 0C CALL DWORD PTR DS:[EBX+C]
|
|
0080DA8D FF45 E8 INC DWORD PTR SS:[EBP-18] ;
|
|
Index, will be overwritten with our value in the penultimate loop turn
|
|
0080DA90 FF4D DC DEC DWORD PTR SS:[EBP-24] ;
|
|
Counter, will be overwritten with our value in the penultimate loop turn
|
|
0080DA93 75 DF JNZ SHORT 0080DA74
|
|
0080DA95 0FBF45 F0 MOVSX EAX,WORD PTR SS:[EBP-10]
|
|
-----/
|
|
|
|
At the 'MOVSX' of 0x80DA95, the CPU registers are as follows:
|
|
|
|
|
|
/-----
|
|
EAX 00000010
|
|
ECX 7C80189C kernel32.7C80189C
|
|
EDX 00000010
|
|
EBX 004617F4 IcoFX2.004617F4
|
|
ESP 0012F380
|
|
EBP 0012FA08
|
|
ESI 005B2CBC IcoFX2.005B2CBC
|
|
EDI 02555C80
|
|
EIP 0080DA95 IcoFX2.0080DA95
|
|
C 1 ES 0023 32bit 0(FFFFFFFF)
|
|
P 1 CS 001B 32bit 0(FFFFFFFF)
|
|
A 0 SS 0023 32bit 0(FFFFFFFF)
|
|
Z 1 DS 0023 32bit 0(FFFFFFFF)
|
|
S 0 FS 003B 32bit 7FFDF000(FFF)
|
|
T 0 GS 0000 NULL
|
|
D 0
|
|
O 0 LastErr ERROR_SUCCESS (00000000)
|
|
EFL 00200247 (NO,B,E,BE,NS,PE,GE,LE)
|
|
ST0 empty -??? FFFF 00F300F3 00F300F3
|
|
ST1 empty -??? FFFF 00FE00FE 00FE00FE
|
|
ST2 empty -??? FFFF 00000009 00220065
|
|
ST3 empty -??? FFFF 0000000A 00240069
|
|
ST4 empty 1.2948274137727088000e+16
|
|
ST5 empty 2.5896178900861029000e+16
|
|
ST6 empty 3.2651492439228483000e+16
|
|
ST7 empty 3.1244147623526446000e+16
|
|
3 2 1 0 E S P U O Z D I
|
|
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
|
|
FCW 1272 Prec NEAR,53 Mask 1 1 0 0 1 0
|
|
-----/
|
|
|
|
And the stack Exception Handler is overwritten (shellcode starts in
|
|
0x12F3A4):
|
|
|
|
|
|
/-----
|
|
0012F380 0012FA10 Pointer to next SEH record
|
|
0012F384 42424242 SE handler
|
|
0012F388 41414141
|
|
0012F38C 41414141
|
|
0012F390 41414141
|
|
0012F394 000502A8
|
|
0012F398 7E4188A6 USER32.GetWindowLongW
|
|
0012F39C 00000000
|
|
0012F3A0 0012F3D8 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...
|
|
0012F3A4 41414141
|
|
-----/
|
|
|
|
As a result, the normal execution flow can be altered in order to
|
|
execute arbitrary code.
|
|
|
|
|
|
8. *Report Timeline*
|
|
|
|
. 2013-11-11:
|
|
Core Security Technologies attempts to contact the IcoFX team; no reply
|
|
received. Publication date is set for Dec 3rd, 2013.
|
|
|
|
. 2013-11-14:
|
|
Core attempts to contact vendor.
|
|
|
|
. 2013-11-26:
|
|
Core attempts to contact vendor.
|
|
|
|
. 2013-12-03:
|
|
Core attempts to contact vendor.
|
|
|
|
. 2013-12-03:
|
|
First release date missed.
|
|
|
|
. 2013-12-10:
|
|
Advisory CORE-2013-1107 published.
|
|
|
|
|
|
9. *References*
|
|
|
|
[1] http://icofx.ro/.
|
|
[2]
|
|
http://www.coresecurity.com/system/files/attachments/2013/12/CORE-2013-1107-icofx-poc.zip
|
|
|
|
|
|
10. *About CoreLabs*
|
|
|
|
CoreLabs, the research center of Core Security Technologies, is charged
|
|
with anticipating the future needs and requirements for information
|
|
security technologies. We conduct our research in several important
|
|
areas of computer security including system vulnerabilities, cyber
|
|
attack planning and simulation, source code auditing, and cryptography.
|
|
Our results include problem formalization, identification of
|
|
vulnerabilities, novel solutions and prototypes for new technologies.
|
|
CoreLabs regularly publishes security advisories, technical papers,
|
|
project information and shared software tools for public use at:
|
|
http://corelabs.coresecurity.com.
|
|
|
|
|
|
11. *About Core Security Technologies*
|
|
|
|
Core Security Technologies enables organizations to get ahead of threats
|
|
with security test and measurement solutions that continuously identify
|
|
and demonstrate real-world exposures to their most critical assets. Our
|
|
customers can gain real visibility into their security standing, real
|
|
validation of their security controls, and real metrics to more
|
|
effectively secure their organizations.
|
|
|
|
Core Security's software solutions build on over a decade of trusted
|
|
research and leading-edge threat expertise from the company's Security
|
|
Consulting Services, CoreLabs and Engineering groups. Core Security
|
|
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
|
|
http://www.coresecurity.com.
|
|
|
|
|
|
12. *Disclaimer*
|
|
|
|
The contents of this advisory are copyright (c) 2013 Core Security
|
|
Technologies and (c) 2013 CoreLabs, and are licensed under a Creative
|
|
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
|
|
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
|
|
|
|
|
|
13. *PGP/GPG Keys*
|
|
|
|
This advisory has been signed with the GPG key of Core Security
|
|
Technologies advisories team, which is available for download at
|
|
http://www.coresecurity.com/files/attachments/core_security_advisories.asc. |