
List:       full-disclosure
Subject:    [Full-disclosure] Upek Protector Suite QL 2011 - VTP Buffer
From:       "research () vulnerability-lab ! com" <research () vulnerability-lab ! com>
Date:       2011-09-26 3:18:04
Message-ID: 4E7FEEEC.3020603 () vulnerability-lab ! com

Title:
======
Upek Protector Suite QL 2011 - Buffer Overflow Vulnerability


Date:
=====
2011-09-26


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=259


VL-ID:
=====
259


Abstract:
=========
The Vulnerability Lab Research Team discovered a Buffer Overflow Vulnerability in the UPEK
Protector Suite QL in combination with the Eikon fingerprint scanner device.


Report-Timeline:
================
2011-04-03:	Vendor Notification
2011-04-19:	Vendor Notification
2011-**-**:	Vendor Response/Feedback
2011-**-**:	Vendor Fix/Patch
2011-09-24:	Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================
Upek Protector Suite QL 2011
Upek Protector Suite QL 5.x


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A buffer overflow vulnerability was detected in the UPEK Protector Suite QL v5.x & version 2011
in combination with the EikonTouch USB peripheral. The vulnerability allows a local attacker
to crash the EikonTouch USB peripheral device driver/software via a local buffer overflow. The
bug is located in the profile import module of the software when processing specially crafted
(manipulated) .vtp profile files.

Vulnerable Module(s): 
								[+] .VTP FILE - USERNAME


Note: After the software crashes, the device driver of the fingerprint reader crashes too. All
control center functions then remain unavailable.


Analyse(s):
			../FingerprintSensorVersion.txt
			../Report.wer
			../upeksvr.exe_b0585871d7999ad31630447670a0d1d084e7436_1331e935.wer
			../WERC0A1.tmp.appcompat.txt
			../WERC1E9.tmp.WERInternalMetadata.xml
			../WERC1FA.tmp.WERDataCollectionFailure.txt
			../AppCrash_ctlcntrv.exe_f93f6c2a8899fbd4ca04bd90d32dae3d4dbe7_13bce09e


Picture(s):
			../1.png
			../2.png
			../3.png
			../4.png
			../5.png
			../6.png
			../7.png
			../2011_1.png
			../2011_2.png
			../IMAG0267.jpg
			../IMAG0268.jpg
			../IMAG0270.jpg
			../IMAG0272.jpg
			../wrong.png


Video(s):
			[+] http://www.vulnerability-lab.com/get_content.php?id=283


Proof of Concept:
=================
This vulnerability can be exploited by a local attacker. For demonstration or reproduce ...

Review:  *.vtp

PoC:

				../poc.vtp



Solution:
=========
Restrict the username to a maximum length to prevent buffer overflows when processing .vtp
files with large usernames.
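
Added example (not part of the original advisory and not UPEK code): one way an import routine can enforce the length limit recommended above before copying a username into a fixed buffer. The record layout (2-byte little-endian length followed by the name bytes), the 64-byte limit and all identifiers are assumptions of this example; the advisory does not describe the real .vtp format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERNAME 64  /* assumed limit; the advisory does not state one */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_LONG, PARSE_BAD_CHAR };

/* Hypothetical record layout (NOT the real .vtp format):
 * 2-byte little-endian length, then that many username bytes. */
enum parse_status read_username(const uint8_t *buf, size_t buf_len,
                                char out[MAX_USERNAME + 1])
{
    out[0] = '\0';                       /* caller never sees stale data */
    if (buf_len < 2)
        return PARSE_TRUNCATED;          /* no room for the length field */

    size_t n = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (n > MAX_USERNAME)
        return PARSE_TOO_LONG;           /* reject oversize names outright */
    if (n > buf_len - 2)
        return PARSE_TRUNCATED;          /* declared length exceeds file data */

    /* Extra hardening (an assumption of this example): refuse embedded
     * NUL and control bytes so the stored name equals what was parsed. */
    for (size_t i = 0; i < n; i++)
        if (buf[2 + i] < 0x20 || buf[2 + i] == 0x7f)
            return PARSE_BAD_CHAR;

    memcpy(out, buf + 2, n);             /* n <= MAX_USERNAME, so this fits */
    out[n] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed inputs: a valid record and one declaring 0x0400 bytes. */
    static const uint8_t good[] = { 5, 0, 'a', 'l', 'i', 'c', 'e' };
    static const uint8_t huge[] = { 0x00, 0x04, 'A', 'A', 'A', 'A' };
    char name[MAX_USERNAME + 1];

    printf("good -> %d (%s)\n", read_username(good, sizeof good, name), name);
    printf("huge -> %d\n", read_username(huge, sizeof huge, name));
    return 0;
}
```

The oversize record is rejected rather than truncated, so a malformed profile fails the import instead of being partially loaded.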


Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as high(-).


Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or
its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. Any modified copy or reproduction, including partially usages, of
this file requires authorization from Vulnerability-Lab. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use
of other media, are reserved by Vulnerability-Lab or its suppliers.

    						Copyright © 2011|Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com

