Connection of the HackTalk team recently found a buffer overflow in the Picasa software by Google. Below is the write up. Pentest Information: ==================== Connection has discovered a Buffer Overflow in Picasa 3.5 created by Google. An attacker is able to overflow the EAX register by creating a text slide with a large block of text. Details ======= Tested on OS: Windows XP & Windows Vista Tested with Software: Debugger & Picasa 3.5 Vulnerable Products: Picasa Affected Versions: 3.5 Vulnerability Type: Buffer Overflow Security-Risk: Low Vendor-URL: http://picasa.google.com Preview-URL: Vendor-Status: Uninformed Patch/Fix-Status: Fixed version not released Advisory-Status: Published | 29.09.2009 Advisory-URL: Report-URL: Introduction: ============= Picasa is free photo editing software from Google that makes your pictures look great. Sharing your best photos with friends and family is as easy as pressing a button! ss. (from the vendors homepage: http://picasa.google.com) More Details: ============= Due to the lack of input validation, an attacker is able to overwrite the ECX register and crash the program. Proof of Concept: ================= Open up Picasa and go to the movie creator. Add a new text slide and input 45440 characters. This will cause the program to crash. The following the the register dump from OllyDBG. EAX 04875910 ASCII ?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ECX 0000007D EDX 00000000 EBX 049364D0 ASCII ?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ESP 00129C1C EBP 00129C24 ESI 04939B50 ASCII ?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA EDI 04878F90 ASCII ?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA? EIP 0098C13E Picasa3.0098C13E C 0 ES 0023 32bit 0(FFFFFFFF) P 1 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDF000(FFF) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G) ST0 empty 23.500000000000000000 ST1 empty 19.000000000000000000 ST2 empty 19.000000000000000000 ST3 empty 0.0 ST4 empty 0.0 ST5 empty 1.0000000000000000000 ST6 empty 0.0 ST7 empty 0.0 3 2 1 0 E S P U O Z D I FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 Security Risk: ============== An attacker may crash Picasa by inputting a large block of text into a slide in the slideshow maker function of Picasa. The security risk is estimated as low. Author: ======= The Author & Writer is a part of the HackTalk team. Connection