what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Security Guard CMS QT 4.7.3 Buffer Overflow

Security Guard CMS QT 4.7.3 Buffer Overflow
Posted Oct 3, 2013
Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com

Security Guard CMS QT version 4.7.3 suffers from a local stack buffer overflow vulnerability.

tags | advisory, overflow, local
SHA-256 | e337b29c9abe7f018791eace7e3978986e243436724a2227c3ca3ec164dcbae3

Security Guard CMS QT 4.7.3 Buffer Overflow

Change Mirror Download
Title:
======
Security Guard CMS QT 4.7.3 - Local Stack Buffer Overflow Vulnerability


Date:
=====
2013-09-24


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1085


VL-ID:
=====
1085


Common Vulnerability Scoring System:
====================================
6.1


Introduction:
=============
Secure Guard provides access to multiple DVRs and IP cameras for remote viewing, playback and other miscellaneous
functions in order to assist surveillance personnel. Users can view and control multiple DVRs and IP cameras from
anywhere, all at the same time. Secure Guard is a powerful software thats allows the user to manage and monitor
multiple DVRs and IP Cameras. The interface to the DVRs from the CMS is simple and easy to use, making it easier
for the user to only have to learn one network interface.

(Copy of the Vendor Homepage: http://www.specotech.com/secure-guard.html )



Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local Stack Buffer Overflow Vulnerability in the Security Guard CMS QT v4.7.3 Framework.


Report-Timeline:
================
2013-09-24: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Speco Technologies
Product: Security Guard CMS - Framework 4.7.3


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A local stack buffer overflow vulnerability is detected in the official Security Guard CMS QT v4.7.3 Framework.
The stack buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts
data values in memory addresses adjacent to the allocated buffer.

The vulnerability is located in the `Activating System Lock` module of the software when processing to load
the input of the`Enter Password` value. Local attackers can include 1024 byte (size) uni-code strings to the
`Enter Password` input field as result the software crashs (stack buffer overflow) with the possibility to
overwrite all the registers (ebx,eip ...).

The software does not wait since the password has been saved and directly executes the input when the local
attacker is processing to include the uni-code string. regular the software should only use a temp address
without performing to include/check the input without a save.

The stack buffer overflow software vulnerability can be exploited by local low privileged system user accounts
without user interaction. Successful exploitation of the stack buffer overflow vulnerability results in overruns
of the buffer(s) boundary, data corruption, local escalate of local user privileges with system compromise,
software process manipulation/compromise and overwrites adjacent memory.

Vulnerable Module(s):
[+] Activating System Lock

Vulnerable Input(s):
[+] Enter Password


Proof of Concept:
=================
The local stack buffer overflow vulnerability can be exploited by local attackers with low privileged system user
account and without user interaction. For demonstration or reproduce ...

1. Login to the application with the standard account `admin/manager` role :*
2. Switch to the activating system lock module inside of the software main menu
Note: When the software is processing to load the module it asks for a master preshare for the lock and unlock mode
3. Include manual a 1024byte long uni-code string to the input and split the uni-code in the middle to overwrite the eip register
Note: The application will not wait for the save of the input. In the same secound the input will be done the save/add button need to be clicked.
4. The software crashs and windows drops the following error signatures and message ...
Note: By including a non splitted uni-code message as string the bug only crash the application with a stack buffer overflow.
To overwrite the eip a distinction is required.


--- PoC Crash Signature Reproduce ---
Problemereignisname: APPCRASH
Anwendungsname: SecureGuard.exe
Anwendungsversion: 0.0.0.0
Anwendungszeitstempel: 519f87e9
Fehlermodulname: StackHash_abcc
Fehlermodulversion: 0.0.0.0
Fehlermodulzeitstempel: 00000000
Ausnahmecode: c00000fd
Ausnahmeoffset: 77891234
Betriebsystemversion: 6.1.7601.2.1.0.768.3
Gebietsschema-ID: 1031
Zusatzinformation 1: abcc
Zusatzinformation 2: abcc8f7853b48d9807d6d51eb1fa5df9
Zusatzinformation 3: abcc
Zusatzinformation 4: abcc8f7853b48d9807d6d51eb1fa5df9

5. Result is a local Stack Buffer Overflow ... Successful reproduced!



--- PoC Debug Logs ---
FAULTING_IP:
+6e69
41414141 ?? ???
41414141 ?? ???

EXCEPTION_RECORD: 00288cf0 -- (.exr 0x288cf0)
ExceptionAddress: 00000000
ExceptionCode: 0001003f
ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD: 000001d0
PROCESS_NAME: SecureGuard.exe
FAULTING_MODULE: 77250000 kernel32
DEBUG_FLR_IMAGE_TIMESTAMP: 519f87e9
MODULE_NAME: SecureGuard

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 41414141
WRITE_ADDRESS: 41414141

FOLLOWUP_IP:
SecureGuard+6e69
00406e69 89742408 mov dword ptr [esp+8],esi

FAILED_INSTRUCTION_ADDRESS:
+643b952f025dda48
41414141 ?? ???
41414141 ?? ???

CONTEXT: 0028a798 -- (.cxr 0x28a798)
Unable to get program counter
eax=41414141 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=41414141 esp=41414141 ebp=41414141 iopl=0 nv up di pl zr na po nc
cs=0142 ss=0010 ds=0142 es=0142 fs=0142 gs=0142 efl=41414141
0142:0142 ?? ???
Resetting default scope

BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT_INVALID_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT_INVALID
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT_INVALID
LAST_CONTROL_TRANSFER: from 00000000 to 41414141
UNALIGNED_STACK_POINTER: 41414141

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
00288794 77a7b499 00288880 0028a798 002888d0 0x142
002887b8 77a7b46b 00288880 0028a798 002888d0 ntdll!LdrRemoveLoadAsDataTable+0xd50
00288868 77a30133 00288880 002888d0 00288880 ntdll!LdrRemoveLoadAsDataTable+0xd22
00288bd8 77a7b46b 00288ca0 0028a798 00288cf0 ntdll!KiUserExceptionDispatcher+0xf
00288c88 77a30133 00288ca0 00288cf0 00288ca0 ntdll!LdrRemoveLoadAsDataTable+0xd22
00288ff8 77a7b46b 002890c0 0028a798 00289110 ntdll!KiUserExceptionDispatcher+0xf
002890a8 77a30133 002890c0 00289110 002890c0 ntdll!LdrRemoveLoadAsDataTable+0xd22
00289418 00406e69 002895f8 00289448 0c282e98 ntdll!KiUserExceptionDispatcher+0xf
00289598 00000000 41414141 41414141 41414141 SecureGuard+0x6e69


STACK_COMMAND: .cxr 00289448 ; kb ; ~0s ; kb
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: SecureGuard+6e69
FOLLOWUP_NAME: MachineOwner
BUCKET_ID: WRONG_SYMBOLS
IMAGE_NAME: C:\Program Files (x86)\SpecoTechnologies\SecureGuard\SecureGuard.exe
FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_INVALID_c0000005_C:_Program_Files_(x86)_SpecoTechnologies_SecureGuard_SecureGuard.exe!Unknown

Followup: MachineOwner
---------
0:000> u
00000103 ?? ???
0:000> a
41414141


tcViewWidget::slot_screen_mode(7)
"Connect to site: AAAAAAAAAAAAAAAAAAAAAAAAA"
Socket Error (0): 2
"Connect to site: benjamin337"
Socket Error (0): 2
ModLoad: 6ea10000 6eaa4000 C:\Windows\SysWOW64\MsftEdit.dll
ModLoad: 70410000 70416000 C:\Windows\SysWOW64\IconCodecService.dll
ModLoad: 63fe0000 64218000 C:\Windows\SysWOW64\wpdshext.dll
ModLoad: 746b0000 74840000 C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
ModLoad: 0dbb0000 0dbef000 C:\Windows\SysWOW64\audiodev.dll
ModLoad: 649f0000 64c57000 C:\Windows\SysWOW64\WMVCore.DLL
ModLoad: 0dbf0000 0dc2d000 C:\Windows\SysWOW64\WMASF.DLL
QAccessibleWidget::rect: This implementation does not support subelements! (ID 6 unknown for QMenuBar)
ModLoad: 6ea10000 6eaa4000 C:\Windows\SysWOW64\MsftEdit.dll
QAccessibleWidget::rect: This implementation does not support subelements! (ID 6 unknown for QMenuBar)
QAccessibleWidget::rect: This implementation does not support subelements! (ID 5 unknown for QMenuBar)
"Connect to site: AAAAAAAAAAAAAAAAAAAAAAAAA"
Socket Error (0): 2
"Connect to site: benjamin337"
Socket Error (0): 2
QAccessibleWidget::rect: This implementation does not support subelements! (ID 2 unknown for QMenuBar)
QAccessibleWidget::rect: This implementation does not support subelements! (ID 3 unknown for QMenuBar)
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00289460 ebx=00289448 ecx=0000145f edx=00289454 esi=0c2919f8 edi=00290000
eip=00406c79 esp=002893f8 ebp=00289418 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\SpecoTechnologies\SecureGuard\SecureGuard.exe
SecureGuard+0x6c79:
00406c79 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
0:000> g
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000
eip=41414141 esp=00288fd8 ebp=00288ff8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
41414141 ?? ???
0:000> g
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000
eip=41414141 esp=00288bb8 ebp=00288bd8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
41414141 ?? ???
0:000> g
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=41414141 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000
eip=41414141 esp=00288798 ebp=002887b8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
41414141 ?? ???


Solution:
=========
Set a secure input (1023 byte size) restricted when processing to setup the password for the security guard cms lock mode.


Risk:
=====
The security risk of the local stack buffer overflow software vulnerability is estimated as high(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close