VideoCharge Studio Stack Buffer Overflow

Credit: Julien Ahrens
Risk: High
Local: Yes
Remote: No

RCE Security Advisory 1. ADVISORY INFORMATION ----------------------- Product: VideoCharge Studio Vendor URL: Type: Stack-based Buffer Overflow [CWE-121] Date found: 2014-02-08 Date published: 2014-02-19 CVSSv2 Score: 7,6 (AV:N/AC:H/Au:N/C:C/I:C/A:C) CVE: - 2. CREDITS ---------- This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED -------------------- VideoCharge Studio v2.12.3.685 (latest) and other older versions may be affected too. 4. VULNERABILITY DESCRIPTION ---------------------------- A stack-based buffer overflow vulnerability has been identified in the latest version of VideoCharge Studio v2.12.3.685. The application sends several HTTP GET requests to in different situations like checking for available updates or during the license activation process. The HTTP responses of the website are parsed using the following function from cc.dll: static int __cdecl CHTTPResponse::GetHttpResponse(char const *,char const *,char *) This function reads the contents of the response page using an InternetReadFile() call with dwNumberOfBytesToRead set to 745 bytes. Afterwards the application uses an insecure strcpy() call to further process the received data: 1016D827 CALL cc.1020ACF0 ; strcpy() Although 745 bytes are enough to trigger the buffer overflow, the application additionally does not perform a validation of the Content-Length value of the HTTP response and executes the InternetReadFile() call a second time if the Content-Length value is greater than 745 with the dwNumberOfBytesToRead argument set to [Content-Length - 745] to make sure all bytes from the response are read, and uses the same strcpy() call to further process the received data, resulting in huge amounts of memory, that can be controlled by an attacker. This leads to a stack-based buffer overflow with an overwritten SEH chain, resulting in remote code execution. This vulnerability is only exploitable in a MITM scenario, therefor an attacker needs to spoof the DNS record of to redirect the traffic. Successful exploits can allow remote attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in a denial-of-service condition. 5. PROOF-OF-CONCEPT (DEBUG) --------------------------- Registers: EAX 00000000 ECX CCCCCCCC EDX 7733B4AD ntdll.7733B4AD EBX 00000000 ESP 00186F74 EBP 00186F94 ESI 00000000 EDI 00000000 EIP CCCCCCCC C 0 ES 002B 32bit 0(FFFFFFFF) P 1 CS 0023 32bit 0(FFFFFFFF) A 0 SS 002B 32bit 0(FFFFFFFF) Z 1 DS 002B 32bit 0(FFFFFFFF) S 0 FS 0053 32bit 7EFDD000(FFF) T 0 GS 002B 32bit 0(FFFFFFFF) D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE) ST0 empty g ST1 empty g ST2 empty g ST3 empty g ST4 empty g ST5 empty g ST6 empty g ST7 empty g 3 2 1 0 E S P U O Z D I FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 Stackview: 00186F74 7733B499 RETURN to ntdll.7733B499 00186F78 0018705C 00186F7C 0018781C 00186F80 001870AC 00186F84 00187030 00186F88 0018781C Pointer to next SEH record 00186F8C 7733B4AD SE handler [...] 00187818 CCCCCCCC 0018781C CCCCCCCC Pointer to next SEH record 00187820 CCCCCCCC SE handler 00187824 CCCCCCCC Vulnerable code part: 1016D7CA LEA EAX,DWORD PTR SS:[EBP-34] ; lpdwNumberOfBytesRead 1016D7CD PUSH EAX ; /Arg4 1016D7CE MOV ECX,DWORD PTR SS:[EBP-30] ; |dwNumberOfBytesToRead 1016D7D1 PUSH ECX ; |Arg3 1016D7D2 MOV EDX,DWORD PTR SS:[EBP-14] ; |lpBuffer 1016D7D5 PUSH EDX ; |Arg2 1016D7D6 MOV EAX,DWORD PTR SS:[EBP-1C] ; |hFile 1016D7D9 PUSH EAX ; |Arg1 1016D7DA CALL DWORD PTR DS:[<&WININET.InternetRea>; \InternetReadFile 1016D7E0 TEST EAX,EAX 1016D7E2 JNZ SHORT cc.1016D7FB 1016D7E4 MOV DWORD PTR SS:[EBP-44],2 1016D7EB PUSH cc.10281838 ; /Arg2 = 10281838 1016D7F0 LEA ECX,DWORD PTR SS:[EBP-44] ; | 1016D7F3 PUSH ECX ; |Arg1 1016D7F4 CALL cc.1020A824 ; \cc.1020A824 1016D7F9 JMP SHORT cc.1016D82F 1016D7FB CMP DWORD PTR SS:[EBP-34],0 1016D7FF JNZ SHORT cc.1016D816 1016D801 MOV DWORD PTR SS:[EBP-48],0 1016D808 PUSH cc.10281838 ; /Arg2 = 10281838 1016D80D LEA EDX,DWORD PTR SS:[EBP-48] ; | 1016D810 PUSH EDX ; |Arg1 1016D811 CALL cc.1020A824 ; \cc.1020A824 1016D816 MOV EAX,DWORD PTR SS:[EBP-14] 1016D819 ADD EAX,DWORD PTR SS:[EBP-34] 1016D81C MOV BYTE PTR DS:[EAX],0 1016D81F MOV ECX,DWORD PTR SS:[EBP-14] 1016D822 PUSH ECX 1016D823 MOV EDX,DWORD PTR SS:[EBP+10] 1016D826 PUSH EDX 1016D827 CALL cc.1020ACF0 ; strcpy() 6. SOLUTION ----------- None 7. REPORT TIMELINE ------------------ 2014-02-19: Full Disclosure 8. REFERENCES -------------


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022,


Back to Top