RCE Security Advisory
http://www.rcesecurity.com
 
 
1. ADVISORY INFORMATION
-----------------------
Product:        VideoCharge Studio
Vendor URL:     www.videocharge.com
Type:           Stack-based Buffer Overflow [CWE-121]
Date found:     2014-02-08
Date published: 2014-02-19
CVSSv2 Score:   7,6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
CVE:            -
 
 
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
 
 
3. VERSIONS AFFECTED
--------------------
VideoCharge Studio v2.12.3.685 (latest)
and other older versions may be affected too.
 
 
4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in the
latest version of VideoCharge Studio v2.12.3.685.
 
The application sends several HTTP GET requests to www.videocharge.com
in different situations like checking for available updates or during
the license activation process. The HTTP responses of the website are
parsed using the following function from cc.dll:
 
static int __cdecl CHTTPResponse::GetHttpResponse(char const *,char
const *,char *)
 
This function reads the contents of the response page using an
InternetReadFile() call with dwNumberOfBytesToRead set to 745 bytes.
Afterwards the application uses an insecure strcpy() call to further
process the received data:
 
1016D827   CALL cc.1020ACF0   ;  strcpy()
 
Although 745 bytes are enough to trigger the buffer overflow, the
application additionally does not perform a validation of the
Content-Length value of the HTTP response and executes the
InternetReadFile() call a second time if the Content-Length value is
greater than 745 with the dwNumberOfBytesToRead argument set to
[Content-Length - 745] to make sure all bytes from the response are
read, and uses the same strcpy() call to further process the received
data, resulting in huge amounts of memory, that can be controlled by an
attacker. This leads to a stack-based buffer overflow with an
overwritten SEH chain, resulting in remote code execution.
 
This vulnerability is only exploitable in a MITM scenario, therefor an
attacker needs to spoof the DNS record of www.videocharge.com to
redirect the traffic. Successful exploits can allow remote attackers to
execute arbitrary code with the privileges of the user running the
application. Failed exploits will result in a denial-of-service condition.
 
 
5. PROOF-OF-CONCEPT (DEBUG)
---------------------------
Registers:
EAX 00000000
ECX CCCCCCCC
EDX 7733B4AD ntdll.7733B4AD
EBX 00000000
ESP 00186F74
EBP 00186F94
ESI 00000000
EDI 00000000
EIP CCCCCCCC
C 0  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 1  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST 4020  Cond 1 0 0 0  Err 0 0 1 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
 
 
Stackview:
00186F74   7733B499  RETURN to ntdll.7733B499
00186F78   0018705C
00186F7C   0018781C
00186F80   001870AC
00186F84   00187030
00186F88   0018781C  Pointer to next SEH record
00186F8C   7733B4AD  SE handler
[...]
00187818   CCCCCCCC
0018781C   CCCCCCCC  Pointer to next SEH record
00187820   CCCCCCCC  SE handler
00187824   CCCCCCCC
 
 
Vulnerable code part:
1016D7CA   LEA EAX,DWORD PTR SS:[EBP-34]            ; 
lpdwNumberOfBytesRead
1016D7CD   PUSH EAX                                 ; /Arg4
1016D7CE   MOV ECX,DWORD PTR SS:[EBP-30]            ;
|dwNumberOfBytesToRead
1016D7D1   PUSH ECX                                 ; |Arg3
1016D7D2   MOV EDX,DWORD PTR SS:[EBP-14]            ; |lpBuffer
1016D7D5   PUSH EDX                                 ; |Arg2
1016D7D6   MOV EAX,DWORD PTR SS:[EBP-1C]            ; |hFile
1016D7D9   PUSH EAX                                 ; |Arg1
1016D7DA   CALL DWORD PTR DS:[<&WININET.InternetRea>; \InternetReadFile
1016D7E0   TEST EAX,EAX
1016D7E2   JNZ SHORT cc.1016D7FB
1016D7E4   MOV DWORD PTR SS:[EBP-44],2
1016D7EB   PUSH cc.10281838                         ; /Arg2 = 10281838
1016D7F0   LEA ECX,DWORD PTR SS:[EBP-44]            ; |
1016D7F3   PUSH ECX                                 ; |Arg1
1016D7F4   CALL cc.1020A824                         ; \cc.1020A824
1016D7F9   JMP SHORT cc.1016D82F
1016D7FB   CMP DWORD PTR SS:[EBP-34],0
1016D7FF   JNZ SHORT cc.1016D816
1016D801   MOV DWORD PTR SS:[EBP-48],0
1016D808   PUSH cc.10281838                         ; /Arg2 = 10281838
1016D80D   LEA EDX,DWORD PTR SS:[EBP-48]            ; |
1016D810   PUSH EDX                                 ; |Arg1
1016D811   CALL cc.1020A824                         ; \cc.1020A824
1016D816   MOV EAX,DWORD PTR SS:[EBP-14]
1016D819   ADD EAX,DWORD PTR SS:[EBP-34]
1016D81C   MOV BYTE PTR DS:[EAX],0
1016D81F   MOV ECX,DWORD PTR SS:[EBP-14]
1016D822   PUSH ECX
1016D823   MOV EDX,DWORD PTR SS:[EBP+10]
1016D826   PUSH EDX
1016D827   CALL cc.1020ACF0                         ;  strcpy()
 
 
6. SOLUTION
-----------
None
 
 
7. REPORT TIMELINE
------------------
2014-02-19: Full Disclosure
 
 
8. REFERENCES
-------------
http://www.rcesecurity.com/2014/02/videocharge-studio-v2-12-3-685-gethttpresponse-remote-code-execution