PIRS2007 local buffer overflow vulnerability

Credit: Edi Strosar
Risk: High
Local: No
Remote: Yes
CWE: CWE-119

CVSS Base Score: 4.9/10
Impact Subscore: 6.9/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

TeamIntell discovered a local buffer overflow vulnerability in PIRS2007 (a data collection of companies and active business subjects in Slovenia). Please see the attached security advisory for details. The vendor has released a patch that solves this issue.

Download link: http://www.pirs.si/slo/index.php?dep_id=29&help_id=60

Edi Strosar (TeamIntell)

Attachment: TISA2007-03-Public.pdf (application/pdf, 26353 bytes)
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070713/b88ea11b/attachment.pdf

Security Advisory TISA2007-03-Public
PIRS 2007 local buffer overflow vulnerability

Release date: 13.7.2007
Severity: Less critical
Impact: Buffer overflow
Status: Official patch available
Software: PIRS 2007 (CD version)
Tested on: Microsoft Windows XP Professional SP2
Vendor: http://www.pirs.si
Disclosed by: Edi Strosar (TeamIntell)

Summary:
Poslovni informator Republike Slovenije (PIRS) 2007 is vulnerable to a local buffer overflow. It might be possible to execute arbitrary code in the context of the currently logged-on user. Direct remote code execution is not possible.

Analysis:
PIRS is a data collection of companies and other active business subjects in Slovenia. The main application pirs32.exe contains a buffer overflow that may allow code execution. Input validation is not performed on the search parameter length, which leads to an overflow condition. Entering >= 528 ASCII characters in any input/search field within the PIRS GUI will cause the application to silently crash.

Proof of concept:
The following string 512*A + 4*B + 8*A + 4*C will overwrite the ECX and EIP registers. EIP is the pointer to the location where the next instruction will be executed. Note: because pirs32.exe silently crashes, the PoC must be reproduced inside a debugger.

Solution:
The vendor has released a patch that limits the maximum search string length to 255 characters.
Download link: http://www.pirs.si/slo/index.php?dep_id=29&help_id=60

Timeline:
24.06.2007 – vulnerability discovered
25.06.2007 – vendor informed
13.07.2007 – patch released
13.07.2007 – public disclosure

Contact:
Maldin d.o.o.
Tržaška cesta 2
1000 Ljubljana - SI
tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@teamintell.com

Disclaimer:
The content of this report is purely informational and meant for educational purposes only. Maldin d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at the user's own risk.
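The advisory describes the classic CWE-119 pattern: a search string copied into a fixed-size buffer with no length check, and a patch that caps the input at 255 characters. The following C program is an added illustration, not code from PIRS or from the advisory's author: it places a hypothetical unchecked handler beside a hardened one that enforces the 255-character limit and uses a bounded copy. The 512-byte buffer size, the function names search_unchecked and search_checked, and the constructed 528-character test input are assumptions chosen to mirror the figures quoted in the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stack buffer size; the advisory's PoC prefix of 512*A suggests a
 * buffer of roughly this size, but the real layout of pirs32.exe is unknown. */
#define SEARCH_BUF      512
/* Limit imposed by the vendor patch, per the advisory. */
#define MAX_SEARCH_LEN  255

/* Vulnerable pattern (hypothetical, modelled on the advisory's analysis):
 * the search term is copied into a fixed stack buffer with no length check.
 * Any term of SEARCH_BUF or more characters overruns the buffer. Only call
 * this with short input; it exists here purely for side-by-side comparison. */
int search_unchecked(const char *term)
{
    char buf[SEARCH_BUF];
    strcpy(buf, term);                  /* CWE-119: unbounded copy */
    return (int)strlen(buf);
}

/* Hardened form: reject any term longer than MAX_SEARCH_LEN before it
 * touches a buffer, then copy with an explicit bound.
 * Returns 0 when the term was accepted and copied into out, -1 if rejected. */
int search_checked(const char *term, char *out, size_t outsz)
{
    /* Look for the terminator only within the allowed window, so an
     * overlong term is rejected without scanning all of it. */
    const char *nul = memchr(term, '\0', MAX_SEARCH_LEN + 1);
    if (nul == NULL)
        return -1;                      /* longer than MAX_SEARCH_LEN */
    size_t n = (size_t)(nul - term);
    if (outsz < n + 1)
        return -1;                      /* destination too small */
    memcpy(out, term, n);
    out[n] = '\0';
    return 0;
}

/* Constructed helper: build a string of len copies of c (e.g. the 528 'A'
 * characters the advisory cites as the crash threshold). Caller frees it. */
char *make_input(size_t len, char c)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, c, len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char out[MAX_SEARCH_LEN + 1];
    char *overlong = make_input(528, 'A');   /* constructed crash-length input */
    if (overlong == NULL)
        return 1;

    printf("528-char term: %s\n",
           search_checked(overlong, out, sizeof out) == 0 ? "accepted" : "rejected");
    printf("'Ljubljana':   %s\n",
           search_checked("Ljubljana", out, sizeof out) == 0 ? "accepted" : "rejected");

    free(overlong);
    return 0;
}
```

The hardened handler fails closed: the overlong term is refused before any copy happens, so the 512-byte buffer size never matters. Checking the length with memchr over a window of MAX_SEARCH_LEN + 1 bytes also means a hostile string is never scanned past the limit, which keeps the validation itself from depending on the attacker-controlled length.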
