Wiz 5.0.3 User Mode Write Access Violation

2013.09.03
Risk: High
Local: Yes
Remote: No
CWE: CWE-787


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

##############################################################################
- RealPentesting Advisory -
##############################################################################

Title: User Mode Write Access Violation in Wiz 5.0.3
Severity: Medium
History: 16.Apr.2013 Vulnerability reported
Authors: Josep Pi Rodriguez, Pedro Guillen Nuñez, Miguel Angel de Castro Simon
Organization: RealPentesting
URL: http://www.realpentesting.blogspot.com
Product: Wiz
Version: 5.0.3
Vendor: Info-Zip
Url Vendor: http://www.info-zip.org/
Platform: Windows
Type of vulnerability: User Mode Write Access Violation
Issue fixed in version: (Not fixed)
CVE Identifier: CVE-2013-5659

[ DESCRIPTION SOFTWARE ]

From vendor website:
Info-ZIP is a diverse, Internet-based workgroup of about 20 primary authors and over one hundred beta-testers, formed in 1990 as a mailing list hosted by Keith Petersen on the original SimTel site at the White Sands Missile Range in New Mexico.

[ VULNERABILITY DETAILS ]

Wiz 5.03 suffers from a write access violation vulnerability.
The memory state after the crash, using the output of the exploitable module from WinDbg:

eax=00000041 ebx=00003dfc ecx=0012f790 edx=0226b000 esi=01ebd1f1 edi=0012f764
eip=0042aea7 esp=0012f4ec ebp=0012f4ec iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x2aea7:
0042aea7 8802 mov byte ptr [edx],al ds:0023:0226b000=??

rF
fpcw=027F: rn 53 puozdi fpsw=0000: top=0 cc=0000 -------- fptw=FFFF
fopcode=0000 fpip=0000:00000000 fpdp=0000:00000000
st0=-1.#SNAN0000000000000000e+0000 st1=-1.#SNAN0000000000000000e+0000
st2=-1.#SNAN0000000000000000e+0000 st3=-1.#SNAN0000000000000000e+0000
st4=-1.#SNAN0000000000000000e+0000 st5=-1.#SNAN0000000000000000e+0000
st6=-1.#SNAN0000000000000000e+0000 st7=-1.#SNAN0000000000000000e+0000
image00400000+0x2aea7:
0042aea7 8802 mov byte ptr [edx],al ds:0023:0226b000=??

rX
xmm0=1.05612e-038 9.09185e-039 1.04694e-038 1.10204e-038
xmm1=8.44895e-039 6.15302e-039 5.32661e-039 1.0653e-038
xmm2=1.06531e-038 9.27554e-039 1.07449e-038 1.01938e-038
xmm3=9.2755e-039 2.93888e-039 1.0102e-038 2.9389e-039
xmm4=1.04694e-038 1.05612e-038 1.01021e-038 1.06531e-038
xmm5=1.04694e-038 1.05612e-038 8.449e-039 1.06531e-038
xmm6=7.98982e-039 1.01939e-038 1.04694e-038 1.06531e-038
xmm7=1.09301e-043 1.10203e-038 4.40818e-039 8.26534e-039
image00400000+0x2aea7:
0042aea7 8802 mov byte ptr [edx],al ds:0023:0226b000=??

!exchain
0012ffb0: image00400000+2daec (0042daec)
0012ffe0: kernel32!ValidateLocale+2b0 (7c839ad8)
Invalid exception stack at ffffffff

!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x226b000
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x00020e6f
MINOR_HASH:0x24590159
STACK_DEPTH:15
STACK_FRAME:image00400000+0x2aea7
STACK_FRAME:image00400000+0x2af22
STACK_FRAME:image00400000+0x275c2
STACK_FRAME:image00400000+0x5a8a
STACK_FRAME:image00400000+0x5c7f
STACK_FRAME:image00400000+0xfed3
STACK_FRAME:image00400000+0x1b7be
STACK_FRAME:image00400000+0x17876
STACK_FRAME:image00400000+0x10f68
STACK_FRAME:image00400000+0x105a9
STACK_FRAME:image00400000+0xfdd2
STACK_FRAME:image00400000+0xfe72
STACK_FRAME:image00400000+0xce1f
STACK_FRAME:image00400000+0xe21e
STACK_FRAME:kernel32!RegisterWaitForInputIdle+0x49
INSTRUCTION_ADDRESS:0x000000000042aea7
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - User Mode Write AV starting at image00400000+0x000000000002aea7 (Hash=0x00020e6f.0x24590159)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.

!msec.exploitable -m

[ VENDOR COMMUNICATION ]

16/04/2013: vendor contacted
16/04/2013: vendor asks about details
20/04/2013: No response from vendor.
29/04/2013: PUBLIC DISCLOSURE
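For crash triage, the `!exploitable -m` report above can be parsed into a bucket key and a structured stack. The following is an added example, not part of the RealPentesting advisory; the function names are hypothetical, the sample is a subset of the advisory's report laid out one KEY:VALUE per line, and the reading of `image00400000` as a module loaded at base 0x00400000 is an assumption.

```python
import re

# Subset of the advisory's `!exploitable -m` report (frames omitted for brevity).
SAMPLE = """\
EXCEPTION_FAULTING_ADDRESS:0x226b000
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x00020e6f
MINOR_HASH:0x24590159
STACK_FRAME:image00400000+0x2aea7
STACK_FRAME:image00400000+0x2af22
STACK_FRAME:kernel32!RegisterWaitForInputIdle+0x49
INSTRUCTION_ADDRESS:0x000000000042aea7
CLASSIFICATION:EXPLOITABLE
"""

# module[!symbol]+0xOFFSET, the frame notation used in the report
FRAME_RE = re.compile(r"^(?P<module>[^!+]+)(?:!(?P<symbol>[^+]+))?\+0x(?P<offset>[0-9a-fA-F]+)$")

def parse_report(text):
    """Parse KEY:VALUE lines; STACK_FRAME repeats, so frames go into a list."""
    fields, frames = {}, []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if key == "STACK_FRAME":
            m = FRAME_RE.match(value)
            if m:
                frames.append((m["module"], m["symbol"], int(m["offset"], 16)))
        else:
            fields[key] = value
    return fields, frames

def summarize(text):
    fields, frames = parse_report(text)
    return {
        "bucket": f'{fields["MAJOR_HASH"]}.{fields["MINOR_HASH"]}',  # dedup key
        "classification": fields["CLASSIFICATION"],
        "access": fields["EXCEPTION_SUBTYPE"],
        "fault_addr": int(fields["EXCEPTION_FAULTING_ADDRESS"], 16),
        "ip": int(fields["INSTRUCTION_ADDRESS"], 16),
        "top_frame": frames[0] if frames else None,
    }

def ip_matches_top_frame(text):
    """Assumption: a module shown as image<hex> was loaded at that base address."""
    s = summarize(text)
    m = re.fullmatch(r"image([0-9a-fA-F]{8})", s["top_frame"][0])
    return bool(m) and int(m[1], 16) + s["top_frame"][2] == s["ip"]
```

The bucket string has the same form as the `Hash=` value in the report's BUG_TITLE line, so repeated crashes at this write can be grouped under one entry.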

References:

http://www.realpentesting.blogspot.com

