###############################################################################
- RealPentesting Advisory -
###############################################################################
Title: User Mode Write Access Violation in Wiz 5.0.3
Severity: Medium
History: 16.Apr.2013 Vulnerability reported
Authors: Josep Pi Rodriguez, Pedro Guillen Nuñez, Miguel Angel de Castro Simon
Organization: RealPentesting
URL: http://www.realpentesting.blogspot.com
Product: Wiz
Version: 5.0.3
Vendor: Info-Zip
Vendor URL: http://www.info-zip.org/
Platform: Windows
Type of vulnerability: User Mode Write Access Violation
Issue fixed in version: (Not fixed)
CVE Identifier: CVE-2013-5659
[ SOFTWARE DESCRIPTION ]
From vendor website:
Info-ZIP is a diverse, Internet-based workgroup of about 20 primary authors and over one hundred beta-testers,
formed in 1990 as a mailing list hosted by Keith Petersen on the original SimTel site at the White Sands Missile Range in New Mexico.
[ VULNERABILITY DETAILS ]
Wiz 5.03 suffers from a write access violation vulnerability.
Memory state after the crash, taken from WinDbg with the !exploitable (MSEC) extension loaded:
eax=00000041 ebx=00003dfc ecx=0012f790 edx=0226b000 esi=01ebd1f1 edi=0012f764
eip=0042aea7 esp=0012f4ec ebp=0012f4ec iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x2aea7:
0042aea7 8802 mov byte ptr [edx],al ds:0023:0226b000=??
rF
fpcw=027F: rn 53 puozdi fpsw=0000: top=0 cc=0000 -------- fptw=FFFF
fopcode=0000 fpip=0000:00000000 fpdp=0000:00000000
st0=-1.#SNAN0000000000000000e+0000 st1=-1.#SNAN0000000000000000e+0000
st2=-1.#SNAN0000000000000000e+0000 st3=-1.#SNAN0000000000000000e+0000
st4=-1.#SNAN0000000000000000e+0000 st5=-1.#SNAN0000000000000000e+0000
st6=-1.#SNAN0000000000000000e+0000 st7=-1.#SNAN0000000000000000e+0000
image00400000+0x2aea7:
0042aea7 8802 mov byte ptr [edx],al ds:0023:0226b000=??
rX
xmm0=1.05612e-038 9.09185e-039 1.04694e-038 1.10204e-038
xmm1=8.44895e-039 6.15302e-039 5.32661e-039 1.0653e-038
xmm2=1.06531e-038 9.27554e-039 1.07449e-038 1.01938e-038
xmm3=9.2755e-039 2.93888e-039 1.0102e-038 2.9389e-039
xmm4=1.04694e-038 1.05612e-038 1.01021e-038 1.06531e-038
xmm5=1.04694e-038 1.05612e-038 8.449e-039 1.06531e-038
xmm6=7.98982e-039 1.01939e-038 1.04694e-038 1.06531e-038
xmm7=1.09301e-043 1.10203e-038 4.40818e-039 8.26534e-039
image00400000+0x2aea7:
0042aea7 8802 mov byte ptr [edx],al ds:0023:0226b000=??
!exchain
0012ffb0: image00400000+2daec (0042daec)
0012ffe0: kernel32!ValidateLocale+2b0 (7c839ad8)
Invalid exception stack at ffffffff
!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x226b000
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x00020e6f
MINOR_HASH:0x24590159
STACK_DEPTH:15
STACK_FRAME:image00400000+0x2aea7
STACK_FRAME:image00400000+0x2af22
STACK_FRAME:image00400000+0x275c2
STACK_FRAME:image00400000+0x5a8a
STACK_FRAME:image00400000+0x5c7f
STACK_FRAME:image00400000+0xfed3
STACK_FRAME:image00400000+0x1b7be
STACK_FRAME:image00400000+0x17876
STACK_FRAME:image00400000+0x10f68
STACK_FRAME:image00400000+0x105a9
STACK_FRAME:image00400000+0xfdd2
STACK_FRAME:image00400000+0xfe72
STACK_FRAME:image00400000+0xce1f
STACK_FRAME:image00400000+0xe21e
STACK_FRAME:kernel32!RegisterWaitForInputIdle+0x49
INSTRUCTION_ADDRESS:0x000000000042aea7
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - User Mode Write AV starting at image00400000+0x000000000002aea7 (Hash=0x00020e6f.0x24590159)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.
!msec.exploitable -m
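As an added example that is not part of the advisory, a small Python triage helper that parses the !exploitable -m record above and applies the one rule its EXPLANATION line states, then derives the crash bucket and module offset a defender would use to deduplicate and locate the fault. The 64 KiB near-NULL cut-off and the NEEDS_REVIEW label are assumptions of this example, not values from the tool.

```python
# Constructed sample: the key lines of the !exploitable -m record quoted in the
# advisory above, reduced to the fields the triage below reads.
SAMPLE_OUTPUT = """\
EXCEPTION_FAULTING_ADDRESS:0x226b000
EXCEPTION_CODE:0xC0000005
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x00020e6f
MINOR_HASH:0x24590159
STACK_FRAME:image00400000+0x2aea7
STACK_FRAME:image00400000+0x2af22
STACK_FRAME:kernel32!RegisterWaitForInputIdle+0x49
INSTRUCTION_ADDRESS:0x000000000042aea7
CLASSIFICATION:EXPLOITABLE
"""

NEAR_NULL_LIMIT = 0x10000  # assumed "near NULL" cut-off (first 64 KiB), not the tool's constant

def parse_exploitable(text):
    """Turn the KEY:VALUE lines of !exploitable -m into a dict.
    STACK_FRAME repeats once per frame, so it is collected as a list."""
    record = {"STACK_FRAME": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "STACK_FRAME":
            record["STACK_FRAME"].append(value.strip())
        else:
            record[key.strip()] = value.strip()
    return record

def triage(record):
    """Apply the rule the advisory's EXPLANATION line states: a user-mode write AV
    not near NULL is EXPLOITABLE; anything else goes to a human (assumed label)."""
    if record.get("EXCEPTION_TYPE") != "STATUS_ACCESS_VIOLATION":
        return "NEEDS_REVIEW"
    fault = int(record["EXCEPTION_FAULTING_ADDRESS"], 16)
    if record.get("EXCEPTION_SUBTYPE") == "WRITE" and fault >= NEAR_NULL_LIMIT:
        return "EXPLOITABLE"
    return "NEEDS_REVIEW"

def bucket_id(record):
    """Crash bucket used to deduplicate fuzzer findings: MAJOR_HASH.MINOR_HASH."""
    return f"{record['MAJOR_HASH']}.{record['MINOR_HASH']}"

def module_offset(record, module_base):
    """Offset of the faulting instruction inside the unsymbolised module; it must
    match the first STACK_FRAME (image00400000+0x2aea7 in the dump above)."""
    return int(record["INSTRUCTION_ADDRESS"], 16) - module_base
```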
[ VENDOR COMMUNICATION ]
16/04/2013: vendor contacted
16/04/2013: vendor asks for details
20/04/2013: no response from vendor
29/04/2013: PUBLIC DISCLOSURE