List: full-disclosure
Subject: [Full-disclosure] Upek Protector Suite QL 2011 - VTP Buffer
From: "research () vulnerability-lab ! com" <research () vulnerability-lab ! com>
Date: 2011-09-26 3:18:04
Message-ID: 4E7FEEEC.3020603 () vulnerability-lab ! com
Title:
======
Upek Protector Suite QL 2011 - Buffer Overflow Vulnerability
Date:
=====
2011-09-26
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=259
VL-ID:
=====
259
Abstract:
=========
The Vulnerability Lab Research Team discovered a Buffer Overflow Vulnerability on the UPEK
Protector Suite QL in combination with the eikon fingerprint scanner device.
Report-Timeline:
================
2011-04-03: Vendor Notification
2011-04-19: Vendor Notification
2011-**-**: Vendor Response/Feedback
2011-**-**: Vendor Fix/Patch
2011-09-24: Public or Non-Public Disclosure
Status:
========
Published
Affected Products:
==================
Upek Protector Suite QL 2011
Upek Protector Suite QL 5.x
Exploitation-Technique:
=======================
Local
Severity:
=========
High
Details:
========
A Buffer Overflow vulnerability is detected on the UPEK Protector Suite QL v5.x & version 2011
in combination with the EikonTouch USB peripheral. The vulnerability allows a local attacker
to crash the EikonTouch USB peripheral device driver/software via a local buffer overflow. The
bug is located in the profile import module of the software when processing specially crafted
(manipulated) .vtp profile files.
Vulnerable Module(s):
[+] .VTP FILE - USERNAME
Note: After the software crash, the device driver of the fingerprint scanner crashes too. All
control center functions then remain unavailable.
Analyse(s):
../FingerprintSensorVersion.txt
../Report.wer
../upeksvr.exe_b0585871d7999ad31630447670a0d1d084e7436_1331e935.wer
../WERC0A1.tmp.appcompat.txt
../WERC1E9.tmp.WERInternalMetadata.xml
../WERC1FA.tmp.WERDataCollectionFailure.txt
../AppCrash_ctlcntrv.exe_f93f6c2a8899fbd4ca04bd90d32dae3d4dbe7_13bce09e
Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../2011_1.png
../2011_2.png
../IMAG0267.jpg
../IMAG0268.jpg
../IMAG0270.jpg
../IMAG0272.jpg
../wrong.png
Video(s):
[+] http://www.vulnerability-lab.com/get_content.php?id=283
Proof of Concept:
=================
This vulnerability can be exploited by a local attacker. For demonstration or reproduce ...
Review: *.vtp
PoC:
../poc.vtp
Solution:
=========
Restrict the username to a maximum length to prevent buffer overflows when processing .vtp
files with large usernames.
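
One way to enforce the restriction described above, as an added example that is not part of the original advisory or the vendor's code. The advisory does not document the .vtp format, so the record layout (2-byte little-endian length followed by the username bytes), the 64-byte limit and all function and type names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 64 /* assumed policy limit, not taken from the product */
enum import_status { IMPORT_OK = 0, IMPORT_TRUNCATED = -1, IMPORT_TOO_LONG = -2, IMPORT_BAD_NAME = -3 };
struct profile { char username[USERNAME_MAX + 1]; };

/* Hypothetical record layout (the real .vtp format is not documented here):
 * 2-byte little-endian username length, followed by that many username bytes. */
int import_username(const uint8_t *rec, size_t rec_len, struct profile *out)
{
    if (rec == NULL || out == NULL || rec_len < 2)
        return IMPORT_TRUNCATED;
    size_t name_len = (size_t)rec[0] | ((size_t)rec[1] << 8);
    /* The declared length must fit inside the bytes actually read from the file. */
    if (name_len > rec_len - 2)
        return IMPORT_TRUNCATED;
    /* Reject instead of truncating: an over-long name marks the file as malformed. */
    if (name_len > USERNAME_MAX)
        return IMPORT_TOO_LONG;
    /* Empty names or embedded NULs would make later string handling disagree with name_len. */
    if (name_len == 0 || memchr(rec + 2, '\0', name_len) != NULL)
        return IMPORT_BAD_NAME;
    memcpy(out->username, rec + 2, name_len);
    out->username[name_len] = '\0';
    return IMPORT_OK;
}

/* Builds a constructed record declaring `declared` bytes but carrying `actual` bytes of 'A'. */
int demo_import(size_t declared, size_t actual)
{
    static uint8_t rec[2 + 4096];
    struct profile p;
    if (actual > 4096) actual = 4096;
    rec[0] = (uint8_t)(declared & 0xff);
    rec[1] = (uint8_t)((declared >> 8) & 0xff);
    memset(rec + 2, 'A', actual);
    int rc = import_username(rec, 2 + actual, &p);
    return rc == IMPORT_OK ? (int)strlen(p.username) : rc;
}

int main(void)
{
    printf("64 bytes: %d, 65 bytes: %d\n", demo_import(64, 64), demo_import(65, 65));
    return 0;
}
```

The import routine checks the declared length against both the bytes available and the destination size before any copy, so an oversized username results in a rejected file rather than a write past the buffer.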
Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as high(-).
Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or
its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. Any modified copy or reproduction, including partially usages, of
this file requires authorization from Vulnerability-Lab. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use
of other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright © 2011|Vulnerability-Lab
--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/