exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VideoCharge Studio 2.12.3.685 Stack Buffer Overflow

VideoCharge Studio 2.12.3.685 Stack Buffer Overflow
Posted Feb 20, 2014
Authored by Julien Ahrens | Site rcesecurity.com

VideoCharge Studio version 2.12.3.685 suffers from a stack buffer overflow vulnerability.

tags | exploit, overflow
SHA-256 | 73fd64057ffa4960396c8186ba3b099299420ab0955d8d2a7ad8d4308d44e0eb

VideoCharge Studio 2.12.3.685 Stack Buffer Overflow

Change Mirror Download
RCE Security Advisory
http://www.rcesecurity.com


1. ADVISORY INFORMATION
-----------------------
Product: VideoCharge Studio
Vendor URL: www.videocharge.com
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2014-02-08
Date published: 2014-02-19
CVSSv2 Score: 7,6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVE: -


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
--------------------
VideoCharge Studio v2.12.3.685 (latest)
and other older versions may be affected too.


4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in the
latest version of VideoCharge Studio v2.12.3.685.

The application sends several HTTP GET requests to www.videocharge.com
in different situations like checking for available updates or during
the license activation process. The HTTP responses of the website are
parsed using the following function from cc.dll:

static int __cdecl CHTTPResponse::GetHttpResponse(char const *,char
const *,char *)

This function reads the contents of the response page using an
InternetReadFile() call with dwNumberOfBytesToRead set to 745 bytes.
Afterwards the application uses an insecure strcpy() call to further
process the received data:

1016D827 CALL cc.1020ACF0 ; strcpy()

Although 745 bytes are enough to trigger the buffer overflow, the
application additionally does not perform a validation of the
Content-Length value of the HTTP response and executes the
InternetReadFile() call a second time if the Content-Length value is
greater than 745 with the dwNumberOfBytesToRead argument set to
[Content-Length - 745] to make sure all bytes from the response are
read, and uses the same strcpy() call to further process the received
data, resulting in huge amounts of memory, that can be controlled by an
attacker. This leads to a stack-based buffer overflow with an
overwritten SEH chain, resulting in remote code execution.

This vulnerability is only exploitable in a MITM scenario, therefor an
attacker needs to spoof the DNS record of www.videocharge.com to
redirect the traffic. Successful exploits can allow remote attackers to
execute arbitrary code with the privileges of the user running the
application. Failed exploits will result in a denial-of-service condition.


5. PROOF-OF-CONCEPT (DEBUG)
---------------------------
Registers:
EAX 00000000
ECX CCCCCCCC
EDX 7733B4AD ntdll.7733B4AD
EBX 00000000
ESP 00186F74
EBP 00186F94
ESI 00000000
EDI 00000000
EIP CCCCCCCC
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1


Stackview:
00186F74 7733B499 RETURN to ntdll.7733B499
00186F78 0018705C
00186F7C 0018781C
00186F80 001870AC
00186F84 00187030
00186F88 0018781C Pointer to next SEH record
00186F8C 7733B4AD SE handler
[...]
00187818 CCCCCCCC
0018781C CCCCCCCC Pointer to next SEH record
00187820 CCCCCCCC SE handler
00187824 CCCCCCCC


Vulnerable code part:
1016D7CA LEA EAX,DWORD PTR SS:[EBP-34] ;
lpdwNumberOfBytesRead
1016D7CD PUSH EAX ; /Arg4
1016D7CE MOV ECX,DWORD PTR SS:[EBP-30] ;
|dwNumberOfBytesToRead
1016D7D1 PUSH ECX ; |Arg3
1016D7D2 MOV EDX,DWORD PTR SS:[EBP-14] ; |lpBuffer
1016D7D5 PUSH EDX ; |Arg2
1016D7D6 MOV EAX,DWORD PTR SS:[EBP-1C] ; |hFile
1016D7D9 PUSH EAX ; |Arg1
1016D7DA CALL DWORD PTR DS:[<&WININET.InternetRea>; \InternetReadFile
1016D7E0 TEST EAX,EAX
1016D7E2 JNZ SHORT cc.1016D7FB
1016D7E4 MOV DWORD PTR SS:[EBP-44],2
1016D7EB PUSH cc.10281838 ; /Arg2 = 10281838
1016D7F0 LEA ECX,DWORD PTR SS:[EBP-44] ; |
1016D7F3 PUSH ECX ; |Arg1
1016D7F4 CALL cc.1020A824 ; \cc.1020A824
1016D7F9 JMP SHORT cc.1016D82F
1016D7FB CMP DWORD PTR SS:[EBP-34],0
1016D7FF JNZ SHORT cc.1016D816
1016D801 MOV DWORD PTR SS:[EBP-48],0
1016D808 PUSH cc.10281838 ; /Arg2 = 10281838
1016D80D LEA EDX,DWORD PTR SS:[EBP-48] ; |
1016D810 PUSH EDX ; |Arg1
1016D811 CALL cc.1020A824 ; \cc.1020A824
1016D816 MOV EAX,DWORD PTR SS:[EBP-14]
1016D819 ADD EAX,DWORD PTR SS:[EBP-34]
1016D81C MOV BYTE PTR DS:[EAX],0
1016D81F MOV ECX,DWORD PTR SS:[EBP-14]
1016D822 PUSH ECX
1016D823 MOV EDX,DWORD PTR SS:[EBP+10]
1016D826 PUSH EDX
1016D827 CALL cc.1020ACF0 ; strcpy()


6. SOLUTION
-----------
None


7. REPORT TIMELINE
------------------
2014-02-19: Full Disclosure


8. REFERENCES
-------------
http://www.rcesecurity.com/2014/02/videocharge-studio-v2-12-3-685-gethttpresponse-remote-code-execution


Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close