Inshell Security. Responsible Disclosure. Security Awareness.

[IA30] Photodex ProShow Producer v5.0.3256 EncFileStream() Local Buffer Overflow Vulnerability

1. Advisory information
Vendor URL: www.photodex.com
Date found: 2012-06-06
Date published: 2012-07-02
Severity: (high-critical)
CVSSv2 Score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVE: N/A
Bugtraq: N/A
Secunia: N/A
Others: N/A

2. Credits
This vulnerability was discovered and researched by Julien Ahrens (MrTuxracer) from Inshell Security.
The publication of this advisory was coordinated by Julien Ahrens.

3. Vulnerability Information
Systems affected: Windows
Versions affected: v5.0.3256 (verified)
Category: Local Vulnerabilities
Impact: Local Buffer Overflow [CWE-120]
Auth.-Level: None

4. Vulnerability Description
A Local Buffer Overflow Vulnerability has been found in Photodex ProShow Producer v5.0.3256.

On startup, the application loads the contents of the "load" file from its application directory. The application does not validate the length of the string read from the "load" file before copying it into a fixed-size buffer, which leads to a stack-based buffer overflow.

To trigger the issue, an attacker needs to get the victim to place a crafted "load" file into the application directory.
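The pattern described above, as an added illustration that is not Photodex's code: an unchecked copy from file contents into a fixed-size stack buffer, beside a hardened loader that validates the length first and a bounded file reader that treats an oversize "load" file as an error. The buffer size, function names and result codes are assumptions made for this example; the sample input (a run of "A" bytes) is constructed.

```c
#include <stdio.h>
#include <string.h>

#define LOAD_BUF_SIZE 64   /* assumed size of the fixed stack buffer */

enum load_result { LOAD_OK = 0, LOAD_TOO_LONG = 1, LOAD_BAD_INPUT = 2, LOAD_IO_ERROR = 3 };

/* Vulnerable pattern (shown for contrast only): the length is trusted and never
 * compared against the destination, so data longer than LOAD_BUF_SIZE overwrites
 * whatever sits above buf on the stack. This is CWE-120. */
void load_unchecked(const char *data, size_t len)
{
    char buf[LOAD_BUF_SIZE];
    memcpy(buf, data, len);  /* no bounds check */
    buf[len] = '\0';         /* also out of bounds once len >= LOAD_BUF_SIZE */
    (void)buf;
}

/* Hardened copy: refuse anything that does not fit together with its terminator,
 * and report that to the caller instead of silently truncating. */
enum load_result load_checked(const char *data, size_t len, char *out, size_t out_size)
{
    if (data == NULL || out == NULL || out_size == 0)
        return LOAD_BAD_INPUT;
    if (len >= out_size)     /* need len + 1 bytes for the NUL */
        return LOAD_TOO_LONG;
    memcpy(out, data, len);
    out[len] = '\0';
    return LOAD_OK;
}

/* Bounded read of a "load"-style file: read at most out_size - 1 bytes and treat
 * any byte left over as an oversize file rather than accepting a partial read. */
enum load_result read_load_stream(FILE *fp, char *out, size_t out_size)
{
    size_t n;
    if (fp == NULL || out == NULL || out_size == 0)
        return LOAD_BAD_INPUT;
    n = fread(out, 1, out_size - 1, fp);
    if (ferror(fp))
        return LOAD_IO_ERROR;
    if (n == out_size - 1 && fgetc(fp) != EOF)
        return LOAD_TOO_LONG;    /* file continues past what the buffer can hold */
    out[n] = '\0';
    return LOAD_OK;
}

/* Helpers with constructed input so the behaviour can be checked without a real file. */
enum load_result demo_copy(size_t len)
{
    char data[512];
    char buf[LOAD_BUF_SIZE];
    if (len > sizeof data)
        return LOAD_BAD_INPUT;
    memset(data, 'A', sizeof data);   /* constructed: a run of 'A' bytes */
    return load_checked(data, len, buf, sizeof buf);
}

enum load_result demo_stream(size_t len)
{
    char buf[LOAD_BUF_SIZE];
    enum load_result r;
    size_t i;
    FILE *fp = tmpfile();             /* stands in for the "load" file */
    if (fp == NULL)
        return LOAD_IO_ERROR;
    for (i = 0; i < len; i++)
        fputc('A', fp);
    rewind(fp);
    r = read_load_stream(fp, buf, sizeof buf);
    fclose(fp);
    return r;
}

int main(void)
{
    printf("copy 63 bytes: %d, copy 64 bytes: %d\n", demo_copy(63), demo_copy(64));
    printf("file 63 bytes: %d, file 200 bytes: %d\n", demo_stream(63), demo_stream(200));
    return 0;
}
```

The boundary matters: with a 64-byte buffer, 63 bytes plus the terminator is the largest input that fits, and 64 bytes is already an overflow in the unchecked version, which is why `load_checked` tests `len >= out_size` rather than `len > out_size`.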

5. Technical Details
Stack:
0012FFA4 41414141 AAAA
0012FFA8 41414141 AAAA
0012FFAC 41414141 AAAA
0012FFB0 41414141 AAAA Pointer to next SEH record
0012FFB4 42424242 BBBB SE handler
0012FFB8 43434343 CCCC
0012FFBC 43434343 CCCC
0012FFC0 43434343 CCCC

Registers:
EAX 00000000
ECX 42424242
EDX 7C9132BC ntdll.7C9132BC
EBX 00000000
ESP 0012D52C
EBP 0012D54C
ESI 00000000
EDI 00000000
EIP 42424242
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)

Vulnerable code:
7C9132A6 FFD1 CALL ECX
7C9132A8 64:8B25 00000000 MOV ESP,DWORD PTR FS:[0]
7C9132AF 64:8F05 00000000 POP DWORD PTR FS:[0]
7C9132B6 8BE5 MOV ESP,EBP
7C9132B8 5D POP EBP
7C9132B9 C2 1400 RETN 14
7C9132BC 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
7C9132C0 F741 04 06000000 TEST DWORD PTR DS:[ECX+4],6
7C9132C7 B8 01000000 MOV EAX,1
7C9132CC 75 12 JNZ SHORT ntdll.7C9132E0

CALL-Stack:
0012d528 7c9132a8 0x42424242
0012d54c 7c91327a ntdll!ExecuteHandler2+0x26
0012d5fc 7c91e48a ntdll!ExecuteHandler+0x24
0012d5fc 1021f363 ntdll!KiUserExceptionDispatcher+0xe
0012d904 10021f08 if!EncFileStream+0x17a63
0012d908 0012d93c if!IFSaveDefaultEnv+0x2a28
0012d90c 0161cfc0 0x12d93c
0012d93c 41414141 0x161cfc0
0012d940 41414141 0x41414141
0012d944 41414141 0x41414141
0012d948 41414141 0x41414141

Debug:
ModLoad: 00400000 00439000 agdsps.ent
ModLoad: 7c910000 7c9c9000 ntdll.dll
ModLoad: 7c800000 7c908000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 7e360000 7e3f1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77ef0000 77f39000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77da0000 77e4a000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e50000 77ee3000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fc0000 77fd1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 71a30000 71a3a000 C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 71a10000 71a27000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 77be0000 77c38000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 71a00000 71a08000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 77bd0000 77bd8000 C:\WINDOWS\system32\VERSION.dll
(d08.d04): Break instruction exception - code 80000003 (first chance)
eax=00241eb4 ebx=7ffd4000 ecx=00000003 edx=00000008 esi=00241f48 edi=00241eb4
eip=7c91120e esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c91120e cc int 3
0:000> g
ModLoad: 76330000 7634d000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 10000000 106f1000 C:\Programme\Photodex\ProShow Producer\if.dnt
ModLoad: 76350000 7639a000 C:\WINDOWS\system32\comdlg32.dll
ModLoad: 5d450000 5d4ea000 C:\WINDOWS\system32\COMCTL32.dll
ModLoad: 7e670000 7ee91000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77f40000 77fb6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 76af0000 76b1e000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 71a80000 71a92000 C:\WINDOWS\system32\MPR.dll
ModLoad: 774b0000 775ee000 C:\WINDOWS\system32\ole32.dll
ModLoad: 408b0000 40996000 C:\WINDOWS\system32\WININET.dll
ModLoad: 00960000 00969000 C:\WINDOWS\system32\Normaliz.dll
ModLoad: 452e0000 45413000 C:\WINDOWS\system32\urlmon.dll
ModLoad: 770f0000 7717b000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 40f50000 4113b000 C:\WINDOWS\system32\iertutil.dll
ModLoad: 778f0000 779e4000 C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 74a60000 74a67000 C:\WINDOWS\system32\CFGMGR32.dll
ModLoad: 68d90000 68d99000 C:\WINDOWS\system32\HID.DLL
ModLoad: 773a0000 774a3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
ModLoad: 5de80000 5de88000 C:\WINDOWS\system32\rdpsnd.dll
ModLoad: 76300000 76310000 C:\WINDOWS\system32\WINSTA.dll
ModLoad: 597d0000 59825000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 76bb0000 76bbb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 746a0000 746ec000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 75250000 7527e000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 02cc0000 044e9000 C:\Programme\Photodex\ProShow Producer\all.dnt
ModLoad: 75ec0000 75ee1000 C:\WINDOWS\system32\MSVFW32.dll
ModLoad: 73ac0000 73ad7000 C:\WINDOWS\system32\AVIFIL32.dll
ModLoad: 77bb0000 77bc5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 76620000 766d6000 C:\WINDOWS\system32\USERENV.dll
(d08.d04): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Programme\Photodex\ProShow Producer\if.dnt
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Programme\Photodex\ProShow Producer\if.dnt -
eax=0161f6a0 ebx=009e20d4 ecx=00000007 edx=00000000 esi=0161f684 edi=00130000
eip=1021f363 esp=0012d8fc ebp=0012d904 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
if!EncFileStream+0x17a63:
1021f363 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> g
(d08.d04): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=42424242 edx=7c9132bc esi=00000000 edi=00000000
eip=42424242 esp=0012d52c ebp=0012d54c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
42424242 ?? ???

6. Bug proof(s)

7. Proof-of-Concept (Code / Exploit)
8. Vendor Solution / Mitigation
N/A

9. Report Timeline
  • 2012-06-06: Initial notification sent to vendor
  • 2012-06-12: No response, second notification sent to vendor
  • 2012-06-20: No response, third notification sent to vendor
  • 2012-06-20: Vendor response, sent to appropriate departments
  • 2012-07-02: No further response from vendor
  • 2012-07-02: Full Disclosure

Public References:

Every advisory (including its details) is copyrighted by Inshell.net
and is licensed under a Creative Commons Attribution Non-Commercial License.
All data and information provided on this site is for informational purposes only and is provided on an as-is basis.