Security Guard CMS QT version 4.7.3 suffers from a local stack buffer overflow vulnerability.
e337b29c9abe7f018791eace7e3978986e243436724a2227c3ca3ec164dcbae3
Title:
======
Security Guard CMS QT 4.7.3 - Local Stack Buffer Overflow Vulnerability
Date:
=====
2013-09-24
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1085
VL-ID:
=====
1085
Common Vulnerability Scoring System:
====================================
6.1
Introduction:
=============
Secure Guard provides access to multiple DVRs and IP cameras for remote viewing, playback and other miscellaneous
functions in order to assist surveillance personnel. Users can view and control multiple DVRs and IP cameras from
anywhere, all at the same time. Secure Guard is a powerful software thats allows the user to manage and monitor
multiple DVRs and IP Cameras. The interface to the DVRs from the CMS is simple and easy to use, making it easier
for the user to only have to learn one network interface.
(Copy of the Vendor Homepage: http://www.specotech.com/secure-guard.html )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local Stack Buffer Overflow Vulnerability in the Security Guard CMS QT v4.7.3 Framework.
Report-Timeline:
================
2013-09-24: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
Speco Technologies
Product: Security Guard CMS - Framework 4.7.3
Exploitation-Technique:
=======================
Local
Severity:
=========
High
Details:
========
A local stack buffer overflow vulnerability is detected in the official Security Guard CMS QT v4.7.3 Framework.
The stack buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts
data values in memory addresses adjacent to the allocated buffer.
The vulnerability is located in the `Activating System Lock` module of the software when processing to load
the input of the`Enter Password` value. Local attackers can include 1024 byte (size) uni-code strings to the
`Enter Password` input field as result the software crashs (stack buffer overflow) with the possibility to
overwrite all the registers (ebx,eip ...).
The software does not wait since the password has been saved and directly executes the input when the local
attacker is processing to include the uni-code string. regular the software should only use a temp address
without performing to include/check the input without a save.
The stack buffer overflow software vulnerability can be exploited by local low privileged system user accounts
without user interaction. Successful exploitation of the stack buffer overflow vulnerability results in overruns
of the buffer(s) boundary, data corruption, local escalate of local user privileges with system compromise,
software process manipulation/compromise and overwrites adjacent memory.
Vulnerable Module(s):
[+] Activating System Lock
Vulnerable Input(s):
[+] Enter Password
Proof of Concept:
=================
The local stack buffer overflow vulnerability can be exploited by local attackers with low privileged system user
account and without user interaction. For demonstration or reproduce ...
1. Login to the application with the standard account `admin/manager` role :*
2. Switch to the activating system lock module inside of the software main menu
Note: When the software is processing to load the module it asks for a master preshare for the lock and unlock mode
3. Include manual a 1024byte long uni-code string to the input and split the uni-code in the middle to overwrite the eip register
Note: The application will not wait for the save of the input. In the same secound the input will be done the save/add button need to be clicked.
4. The software crashs and windows drops the following error signatures and message ...
Note: By including a non splitted uni-code message as string the bug only crash the application with a stack buffer overflow.
To overwrite the eip a distinction is required.
--- PoC Crash Signature Reproduce ---
Problemereignisname: APPCRASH
Anwendungsname: SecureGuard.exe
Anwendungsversion: 0.0.0.0
Anwendungszeitstempel: 519f87e9
Fehlermodulname: StackHash_abcc
Fehlermodulversion: 0.0.0.0
Fehlermodulzeitstempel: 00000000
Ausnahmecode: c00000fd
Ausnahmeoffset: 77891234
Betriebsystemversion: 6.1.7601.2.1.0.768.3
Gebietsschema-ID: 1031
Zusatzinformation 1: abcc
Zusatzinformation 2: abcc8f7853b48d9807d6d51eb1fa5df9
Zusatzinformation 3: abcc
Zusatzinformation 4: abcc8f7853b48d9807d6d51eb1fa5df9
5. Result is a local Stack Buffer Overflow ... Successful reproduced!
--- PoC Debug Logs ---
FAULTING_IP:
+6e69
41414141 ?? ???
41414141 ?? ???
EXCEPTION_RECORD: 00288cf0 -- (.exr 0x288cf0)
ExceptionAddress: 00000000
ExceptionCode: 0001003f
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD: 000001d0
PROCESS_NAME: SecureGuard.exe
FAULTING_MODULE: 77250000 kernel32
DEBUG_FLR_IMAGE_TIMESTAMP: 519f87e9
MODULE_NAME: SecureGuard
ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 41414141
WRITE_ADDRESS: 41414141
FOLLOWUP_IP:
SecureGuard+6e69
00406e69 89742408 mov dword ptr [esp+8],esi
FAILED_INSTRUCTION_ADDRESS:
+643b952f025dda48
41414141 ?? ???
41414141 ?? ???
CONTEXT: 0028a798 -- (.cxr 0x28a798)
Unable to get program counter
eax=41414141 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=41414141 esp=41414141 ebp=41414141 iopl=0 nv up di pl zr na po nc
cs=0142 ss=0010 ds=0142 es=0142 fs=0142 gs=0142 efl=41414141
0142:0142 ?? ???
Resetting default scope
BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT_INVALID_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT_INVALID
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT_INVALID
LAST_CONTROL_TRANSFER: from 00000000 to 41414141
UNALIGNED_STACK_POINTER: 41414141
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
00288794 77a7b499 00288880 0028a798 002888d0 0x142
002887b8 77a7b46b 00288880 0028a798 002888d0 ntdll!LdrRemoveLoadAsDataTable+0xd50
00288868 77a30133 00288880 002888d0 00288880 ntdll!LdrRemoveLoadAsDataTable+0xd22
00288bd8 77a7b46b 00288ca0 0028a798 00288cf0 ntdll!KiUserExceptionDispatcher+0xf
00288c88 77a30133 00288ca0 00288cf0 00288ca0 ntdll!LdrRemoveLoadAsDataTable+0xd22
00288ff8 77a7b46b 002890c0 0028a798 00289110 ntdll!KiUserExceptionDispatcher+0xf
002890a8 77a30133 002890c0 00289110 002890c0 ntdll!LdrRemoveLoadAsDataTable+0xd22
00289418 00406e69 002895f8 00289448 0c282e98 ntdll!KiUserExceptionDispatcher+0xf
00289598 00000000 41414141 41414141 41414141 SecureGuard+0x6e69
STACK_COMMAND: .cxr 00289448 ; kb ; ~0s ; kb
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: SecureGuard+6e69
FOLLOWUP_NAME: MachineOwner
BUCKET_ID: WRONG_SYMBOLS
IMAGE_NAME: C:\Program Files (x86)\SpecoTechnologies\SecureGuard\SecureGuard.exe
FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_INVALID_c0000005_C:_Program_Files_(x86)_SpecoTechnologies_SecureGuard_SecureGuard.exe!Unknown
Followup: MachineOwner
---------
0:000> u
00000103 ?? ???
0:000> a
41414141
tcViewWidget::slot_screen_mode(7)
"Connect to site: AAAAAAAAAAAAAAAAAAAAAAAAA"
Socket Error (0): 2
"Connect to site: benjamin337"
Socket Error (0): 2
ModLoad: 6ea10000 6eaa4000 C:\Windows\SysWOW64\MsftEdit.dll
ModLoad: 70410000 70416000 C:\Windows\SysWOW64\IconCodecService.dll
ModLoad: 63fe0000 64218000 C:\Windows\SysWOW64\wpdshext.dll
ModLoad: 746b0000 74840000 C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
ModLoad: 0dbb0000 0dbef000 C:\Windows\SysWOW64\audiodev.dll
ModLoad: 649f0000 64c57000 C:\Windows\SysWOW64\WMVCore.DLL
ModLoad: 0dbf0000 0dc2d000 C:\Windows\SysWOW64\WMASF.DLL
QAccessibleWidget::rect: This implementation does not support subelements! (ID 6 unknown for QMenuBar)
ModLoad: 6ea10000 6eaa4000 C:\Windows\SysWOW64\MsftEdit.dll
QAccessibleWidget::rect: This implementation does not support subelements! (ID 6 unknown for QMenuBar)
QAccessibleWidget::rect: This implementation does not support subelements! (ID 5 unknown for QMenuBar)
"Connect to site: AAAAAAAAAAAAAAAAAAAAAAAAA"
Socket Error (0): 2
"Connect to site: benjamin337"
Socket Error (0): 2
QAccessibleWidget::rect: This implementation does not support subelements! (ID 2 unknown for QMenuBar)
QAccessibleWidget::rect: This implementation does not support subelements! (ID 3 unknown for QMenuBar)
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00289460 ebx=00289448 ecx=0000145f edx=00289454 esi=0c2919f8 edi=00290000
eip=00406c79 esp=002893f8 ebp=00289418 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\SpecoTechnologies\SecureGuard\SecureGuard.exe
SecureGuard+0x6c79:
00406c79 f3a4 rep movs byte ptr es:[edi],byte ptr [esi]
0:000> g
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000
eip=41414141 esp=00288fd8 ebp=00288ff8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
41414141 ?? ???
0:000> g
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000
eip=41414141 esp=00288bb8 ebp=00288bd8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
41414141 ?? ???
0:000> g
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=41414141 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000
eip=41414141 esp=00288798 ebp=002887b8 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
41414141 ?? ???
Solution:
=========
Set a secure input (1023 byte size) restricted when processing to setup the password for the security guard cms lock mode.
Risk:
=====
The security risk of the local stack buffer overflow software vulnerability is estimated as high(-).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com