Wiz

###############################################################################

                     - RealPentesting Advisory -

###############################################################################

  Title:                   User Mode Write Access Violation in Wiz 5.0.3
  Severity:                Medium
  History:                 16.Apr.2013 Vulnerability reported
  Authors:                 Josep Pi Rodriguez, Pedro Guillen Nuñez, Miguel Angel de Castro Simon
  Organization:            RealPentesting
  URL:                     http://www.realpentesting.blogspot.com
  Product:                 Wiz
  Version:                 5.0.3
  Vendor:                  Info-Zip
  Vendor URL:              http://www.info-zip.org/
  Platform:                Windows
  Type of vulnerability:   User Mode Write Access Violation
  Issue fixed in version:  (Not fixed)
  CVE Identifier:          CVE-2013-5659

[ DESCRIPTION SOFTWARE ]

From the vendor website:
Info-ZIP is a diverse, Internet-based workgroup of about 20 primary authors and over one hundred beta-testers,
formed in 1990 as a mailing list hosted by Keith Petersen on the original SimTel site at the White Sands Missile Range in New Mexico.

[ VULNERABILITY DETAILS ]

Wiz 5.03 suffers from a write access violation vulnerability.
The memory state after the crash, as shown by WinDbg (register dumps and the output of the !exploitable extension):

eax=00000041 ebx=00003dfc ecx=0012f790 edx=0226b000 esi=01ebd1f1 edi=0012f764
eip=0042aea7 esp=0012f4ec ebp=0012f4ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00000202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x2aea7:
0042aea7 8802            mov     byte ptr [edx],al ds:0023:0226b000=??
rF
fpcw=027F: rn 53 puozdi  fpsw=0000: top=0 cc=0000 -------- fptw=FFFF
fopcode=0000  fpip=0000:00000000  fpdp=0000:00000000
st0=-1.#SNAN0000000000000000e+0000 st1=-1.#SNAN0000000000000000e+0000
st2=-1.#SNAN0000000000000000e+0000 st3=-1.#SNAN0000000000000000e+0000
st4=-1.#SNAN0000000000000000e+0000 st5=-1.#SNAN0000000000000000e+0000
st6=-1.#SNAN0000000000000000e+0000 st7=-1.#SNAN0000000000000000e+0000
image00400000+0x2aea7:
0042aea7 8802            mov     byte ptr [edx],al ds:0023:0226b000=??
rX
xmm0=1.05612e-038 9.09185e-039 1.04694e-038 1.10204e-038
xmm1=8.44895e-039 6.15302e-039 5.32661e-039 1.0653e-038
xmm2=1.06531e-038 9.27554e-039 1.07449e-038 1.01938e-038
xmm3=9.2755e-039 2.93888e-039 1.0102e-038 2.9389e-039
xmm4=1.04694e-038 1.05612e-038 1.01021e-038 1.06531e-038
xmm5=1.04694e-038 1.05612e-038 8.449e-039 1.06531e-038
xmm6=7.98982e-039 1.01939e-038 1.04694e-038 1.06531e-038
xmm7=1.09301e-043 1.10203e-038 4.40818e-039 8.26534e-039
image00400000+0x2aea7:
0042aea7 8802            mov     byte ptr [edx],al ds:0023:0226b000=??

!exchain
0012ffb0: image00400000+2daec (0042daec)
0012ffe0: kernel32!ValidateLocale+2b0 (7c839ad8)
Invalid exception stack at ffffffff
!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x226b000
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x00020e6f
MINOR_HASH:0x24590159
STACK_DEPTH:15
STACK_FRAME:image00400000+0x2aea7
STACK_FRAME:image00400000+0x2af22
STACK_FRAME:image00400000+0x275c2
STACK_FRAME:image00400000+0x5a8a
STACK_FRAME:image00400000+0x5c7f
STACK_FRAME:image00400000+0xfed3
STACK_FRAME:image00400000+0x1b7be
STACK_FRAME:image00400000+0x17876
STACK_FRAME:image00400000+0x10f68
STACK_FRAME:image00400000+0x105a9
STACK_FRAME:image00400000+0xfdd2
STACK_FRAME:image00400000+0xfe72
STACK_FRAME:image00400000+0xce1f
STACK_FRAME:image00400000+0xe21e
STACK_FRAME:kernel32!RegisterWaitForInputIdle+0x49
INSTRUCTION_ADDRESS:0x000000000042aea7
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - User Mode Write AV starting at image00400000+0x000000000002aea7 (Hash=0x00020e6f.0x24590159)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.
!msec.exploitable -m
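As an added triage example (not part of the original advisory or of WinDbg), the following Python parses the KEY:VALUE report that "!exploitable -m" prints above and applies the rule the report itself states: a write access violation whose faulting address is not near NULL is rated exploitable. The sample lines are copied from the advisory's report, and the 64 KiB "near NULL" threshold is an assumption made here.

```python
import re

# Constructed sample in the KEY:VALUE shape printed by "!exploitable -m";
# the values mirror the advisory's report (stack frames truncated).
SAMPLE_OUTPUT = """\
PROCESSOR:X86
CLASS:USER
EXCEPTION_FAULTING_ADDRESS:0x226b000
EXCEPTION_CODE:0xC0000005
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
STACK_FRAME:image00400000+0x2aea7
STACK_FRAME:image00400000+0x2af22
STACK_FRAME:kernel32!RegisterWaitForInputIdle+0x49
INSTRUCTION_ADDRESS:0x000000000042aea7
CLASSIFICATION:EXPLOITABLE
"""

# Assumed threshold: addresses inside the first 64 KiB count as "near NULL".
NEAR_NULL_LIMIT = 0x10000


def parse_exploitable(text):
    """Turn the KEY:VALUE report into a dict; STACK_FRAME repeats, so it becomes a list."""
    report = {"STACK_FRAME": []}
    for line in text.splitlines():
        m = re.match(r"^([A-Z_]+):(.*)$", line.strip())
        if not m:
            continue  # echoed commands, banners and blank lines are skipped
        key, value = m.group(1), m.group(2).strip()
        if key == "STACK_FRAME":
            report[key].append(value)
        else:
            report[key] = value
    return report


def triage(report):
    """Rate the crash with the single rule the report states; everything else
    is left for manual review rather than guessed."""
    addr = int(report.get("EXCEPTION_FAULTING_ADDRESS", "0x0"), 16)
    is_write_av = (report.get("EXCEPTION_TYPE") == "STATUS_ACCESS_VIOLATION"
                   and report.get("EXCEPTION_SUBTYPE") == "WRITE")
    near_null = addr < NEAR_NULL_LIMIT
    rating = "EXPLOITABLE" if is_write_av and not near_null else "NEEDS_MANUAL_REVIEW"
    return {
        "rating": rating,
        "faulting_address": addr,
        "near_null": near_null,
        "top_frame": report["STACK_FRAME"][0] if report["STACK_FRAME"] else None,
        "matches_windbg": rating == report.get("CLASSIFICATION"),
    }
```

Running `triage(parse_exploitable(SAMPLE_OUTPUT))` on the advisory's report reproduces the EXPLOITABLE verdict and names image00400000+0x2aea7 as the faulting frame.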


[ VENDOR COMMUNICATION ]

16/04/2013: vendor contacted
16/04/2013: vendor asked for details
20/04/2013: no response from vendor
29/04/2013: PUBLIC DISCLOSURE
