Microchip MPLAB IDE Buffer Overflow Vulnerability

2009-05-12 / 2009-05-13
Credit: Bkis
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Microchip MPLAB IDE Buffer Overflow Vulnerability 1. General Information MPLAB IDE is a famous Integrated Development Environment (IDE) of Microchip (www.microchip.com) that provides a single integrated environment to develop applications for Microchip microcontrollers and digital signal controllers. In March 2009, Bkis has just detected a vulnerability in this software. This vulnerability arises from the way MPLAB IDE processes IDE Project files with extension of .mcp. It could lead to a critical buffer overflow error that allows hackers to execute malicious code on users? systems. We have submitted to vendor. Details : http://security.bkis.vn/?p=654 Bkis Advisory : Bkis-08-2009. Initial vendor notification : 15/03/2009 Release Date : 11/05/2009 Update Date : 11/05/2009 Discovered by : Le Duc Anh, Bkis. Attack Type : Buffer Overflow. Security Rating : High. Impact : Code Execution. Affected Software : Microchip MPLAB IDE 8.30 (Prior versions may also be affected). PoC : http://security.bkis.vn/wp-content/uploads/2009/05/mplap_ide_poc.zip 2. Technical Description MCP files are used to store essential information about a MPLAB IDE Project (in plain text). The software has not handled the file format well enough resulting in a critical security issue. Many fields in this file format might create buffer overflow error when set with an overly long value such as: [FILE_INFO], [CAT_FILTERS] ?. In order to exploit, a hacker might create a specially crafted .mcp file and trick users into using it. If successful, hackers can perform local attack, inject viruses, steal sensitive information and even take control of the victim?s system. 3. Solution The vendor hasn?t fixed this vulnerability yet. Therefore, Bkis recommends that users be cautious with MPLAB IDE Project source from untrustworthy sources until the vendor release the patch. Bkis (http://security.bkis.vn)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top