Title: ====== Security Guard CMS QT 4.7.3 - Local Stack Buffer Overflow Vulnerability Date: ===== 2013-09-24 References: =========== http://www.vulnerability-lab.com/get_content.php?id=1085 VL-ID: ===== 1085 Common Vulnerability Scoring System: ==================================== 6.1 Introduction: ============= Secure Guard provides access to multiple DVRs and IP cameras for remote viewing, playback and other miscellaneous functions in order to assist surveillance personnel. Users can view and control multiple DVRs and IP cameras from anywhere, all at the same time. Secure Guard is a powerful software thats allows the user to manage and monitor multiple DVRs and IP Cameras. The interface to the DVRs from the CMS is simple and easy to use, making it easier for the user to only have to learn one network interface. (Copy of the Vendor Homepage: http://www.specotech.com/secure-guard.html ) Abstract: ========= The Vulnerability Laboratory Research Team discovered a local Stack Buffer Overflow Vulnerability in the Security Guard CMS QT v4.7.3 Framework. Report-Timeline: ================ 2013-09-24: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== Speco Technologies Product: Security Guard CMS - Framework 4.7.3 Exploitation-Technique: ======================= Local Severity: ========= High Details: ======== A local stack buffer overflow vulnerability is detected in the official Security Guard CMS QT v4.7.3 Framework. The stack buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer. The vulnerability is located in the `Activating System Lock` module of the software when processing to load the input of the`Enter Password` value. Local attackers can include 1024 byte (size) uni-code strings to the `Enter Password` input field as result the software crashs (stack buffer overflow) with the possibility to overwrite all the registers (ebx,eip ...). The software does not wait since the password has been saved and directly executes the input when the local attacker is processing to include the uni-code string. regular the software should only use a temp address without performing to include/check the input without a save. The stack buffer overflow software vulnerability can be exploited by local low privileged system user accounts without user interaction. Successful exploitation of the stack buffer overflow vulnerability results in overruns of the buffer(s) boundary, data corruption, local escalate of local user privileges with system compromise, software process manipulation/compromise and overwrites adjacent memory. Vulnerable Module(s): [+] Activating System Lock Vulnerable Input(s): [+] Enter Password Proof of Concept: ================= The local stack buffer overflow vulnerability can be exploited by local attackers with low privileged system user account and without user interaction. For demonstration or reproduce ... 1. Login to the application with the standard account `admin/manager` role :* 2. Switch to the activating system lock module inside of the software main menu Note: When the software is processing to load the module it asks for a master preshare for the lock and unlock mode 3. Include manual a 1024byte long uni-code string to the input and split the uni-code in the middle to overwrite the eip register Note: The application will not wait for the save of the input. In the same secound the input will be done the save/add button need to be clicked. 4. The software crashs and windows drops the following error signatures and message ... Note: By including a non splitted uni-code message as string the bug only crash the application with a stack buffer overflow. To overwrite the eip a distinction is required. --- PoC Crash Signature Reproduce --- Problemereignisname: APPCRASH Anwendungsname: SecureGuard.exe Anwendungsversion: 0.0.0.0 Anwendungszeitstempel: 519f87e9 Fehlermodulname: StackHash_abcc Fehlermodulversion: 0.0.0.0 Fehlermodulzeitstempel: 00000000 Ausnahmecode: c00000fd Ausnahmeoffset: 77891234 Betriebsystemversion: 6.1.7601.2.1.0.768.3 Gebietsschema-ID: 1031 Zusatzinformation 1: abcc Zusatzinformation 2: abcc8f7853b48d9807d6d51eb1fa5df9 Zusatzinformation 3: abcc Zusatzinformation 4: abcc8f7853b48d9807d6d51eb1fa5df9 5. Result is a local Stack Buffer Overflow ... Successful reproduced! --- PoC Debug Logs --- FAULTING_IP: +6e69 41414141 ?? ??? 41414141 ?? ??? EXCEPTION_RECORD: 00288cf0 -- (.exr 0x288cf0) ExceptionAddress: 00000000 ExceptionCode: 0001003f ExceptionFlags: 00000000 NumberParameters: 0 FAULTING_THREAD: 000001d0 PROCESS_NAME: SecureGuard.exe FAULTING_MODULE: 77250000 kernel32 DEBUG_FLR_IMAGE_TIMESTAMP: 519f87e9 MODULE_NAME: SecureGuard ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden. EXCEPTION_PARAMETER1: 00000008 EXCEPTION_PARAMETER2: 41414141 WRITE_ADDRESS: 41414141 FOLLOWUP_IP: SecureGuard+6e69 00406e69 89742408 mov dword ptr [esp+8],esi FAILED_INSTRUCTION_ADDRESS: +643b952f025dda48 41414141 ?? ??? 41414141 ?? ??? CONTEXT: 0028a798 -- (.cxr 0x28a798) Unable to get program counter eax=41414141 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141 eip=41414141 esp=41414141 ebp=41414141 iopl=0 nv up di pl zr na po nc cs=0142 ss=0010 ds=0142 es=0142 fs=0142 gs=0142 efl=41414141 0142:0142 ?? ??? Resetting default scope BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT_INVALID_WRONG_SYMBOLS PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT_INVALID DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT_INVALID LAST_CONTROL_TRANSFER: from 00000000 to 41414141 UNALIGNED_STACK_POINTER: 41414141 STACK_TEXT: WARNING: Frame IP not in any known module. Following frames may be wrong. 00288794 77a7b499 00288880 0028a798 002888d0 0x142 002887b8 77a7b46b 00288880 0028a798 002888d0 ntdll!LdrRemoveLoadAsDataTable+0xd50 00288868 77a30133 00288880 002888d0 00288880 ntdll!LdrRemoveLoadAsDataTable+0xd22 00288bd8 77a7b46b 00288ca0 0028a798 00288cf0 ntdll!KiUserExceptionDispatcher+0xf 00288c88 77a30133 00288ca0 00288cf0 00288ca0 ntdll!LdrRemoveLoadAsDataTable+0xd22 00288ff8 77a7b46b 002890c0 0028a798 00289110 ntdll!KiUserExceptionDispatcher+0xf 002890a8 77a30133 002890c0 00289110 002890c0 ntdll!LdrRemoveLoadAsDataTable+0xd22 00289418 00406e69 002895f8 00289448 0c282e98 ntdll!KiUserExceptionDispatcher+0xf 00289598 00000000 41414141 41414141 41414141 SecureGuard+0x6e69 STACK_COMMAND: .cxr 00289448 ; kb ; ~0s ; kb SYMBOL_STACK_INDEX: 8 SYMBOL_NAME: SecureGuard+6e69 FOLLOWUP_NAME: MachineOwner BUCKET_ID: WRONG_SYMBOLS IMAGE_NAME: C:\Program Files (x86)\SpecoTechnologies\SecureGuard\SecureGuard.exe FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_INVALID_c0000005_C:_Program_Files_(x86)_SpecoTechnologies_SecureGuard_SecureGuard.exe!Unknown Followup: MachineOwner --------- 0:000> u 00000103 ?? ??? 0:000> a 41414141 tcViewWidget::slot_screen_mode(7) "Connect to site: AAAAAAAAAAAAAAAAAAAAAAAAA" Socket Error (0): 2 "Connect to site: benjamin337" Socket Error (0): 2 ModLoad: 6ea10000 6eaa4000 C:\Windows\SysWOW64\MsftEdit.dll ModLoad: 70410000 70416000 C:\Windows\SysWOW64\IconCodecService.dll ModLoad: 63fe0000 64218000 C:\Windows\SysWOW64\wpdshext.dll ModLoad: 746b0000 74840000 C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll ModLoad: 0dbb0000 0dbef000 C:\Windows\SysWOW64\audiodev.dll ModLoad: 649f0000 64c57000 C:\Windows\SysWOW64\WMVCore.DLL ModLoad: 0dbf0000 0dc2d000 C:\Windows\SysWOW64\WMASF.DLL QAccessibleWidget::rect: This implementation does not support subelements! (ID 6 unknown for QMenuBar) ModLoad: 6ea10000 6eaa4000 C:\Windows\SysWOW64\MsftEdit.dll QAccessibleWidget::rect: This implementation does not support subelements! (ID 6 unknown for QMenuBar) QAccessibleWidget::rect: This implementation does not support subelements! (ID 5 unknown for QMenuBar) "Connect to site: AAAAAAAAAAAAAAAAAAAAAAAAA" Socket Error (0): 2 "Connect to site: benjamin337" Socket Error (0): 2 QAccessibleWidget::rect: This implementation does not support subelements! (ID 2 unknown for QMenuBar) QAccessibleWidget::rect: This implementation does not support subelements! (ID 3 unknown for QMenuBar) (fcc.1d0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00289460 ebx=00289448 ecx=0000145f edx=00289454 esi=0c2919f8 edi=00290000 eip=00406c79 esp=002893f8 ebp=00289418 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202 *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\SpecoTechnologies\SecureGuard\SecureGuard.exe SecureGuard+0x6c79: 00406c79 f3a4 rep movs byte ptr es:[edi],byte ptr [esi] 0:000> g (fcc.1d0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000 eip=41414141 esp=00288fd8 ebp=00288ff8 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246 41414141 ?? ??? 0:000> g (fcc.1d0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000 eip=41414141 esp=00288bb8 ebp=00288bd8 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246 41414141 ?? ??? 0:000> g (fcc.1d0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=41414141 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000 eip=41414141 esp=00288798 ebp=002887b8 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246 41414141 ?? ??? Solution: ========= Set a secure input (1023 byte size) restricted when processing to setup the password for the security guard cms lock mode. Risk: ===== The security risk of the local stack buffer overflow software vulnerability is estimated as high(-). Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2013 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com