RCE Security Advisory
http://www.rcesecurity.com
1. ADVISORY INFORMATION
-----------------------
Product: GetGo Download Manager
Vendor URL: www.getgosoft.com
Type: Stack-based Buffer Overflow [CWE-121]
Date found: 2014-02-20
Date published: 2014-03-02
CVSSv2 Score: 10,0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE: CVE-2014-2206
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
--------------------
GetGo Download Manager v4.9.0.1982 (latest)
GetGo Download Manager v4.8.2.1346
GetGo Download Manager v4.4.5.502
and other older versions may be affected too.
4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in the
GetGo Download Manager.
When a website is requested for download, the application reads the HTTP
Response Header values of the target page and copies the retrieved
values to a temporary buffer, which is set to a fixed size of 4097
bytes, but this size is not used by the application to limit the input
to the buffer. Instead it fills the buffer byte by byte until the
terminating sequence "\r\n" is found. Therefore the application writes
outside the expected memory boundaries if the HTTP Response Header is
greater than 4097 bytes.
This leads to a stack-based buffer overflow with an overwritten SEH
chain or return points, resulting in remote code execution. Successful
exploits can allow remote attackers to execute arbitrary code with the
privileges of the user running the application. Failed exploits will
result in a denial-of-service condition.
5. PROOF-OF-CONCEPT (DEBUG)
---------------------------
Registers:
EAX 00000000
ECX CCCCCCCC
EDX 76F2B4AD ntdll.76F2B4AD
EBX 00000000
ESP 0474BD5C
EBP 0474BD7C
ESI 00000000
EDI 00000000
EIP CCCCCCCC
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EF94000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Stack:
ESP-8 > 00286D30
ESP-4 > FFFFFFFE
ESP ==> > 76F2B499 RETURN to ntdll.76F2B499
ESP+4 > 0474BE44
ESP+8 > 0474D3A8
[...]
ESP+1648 > CCCCCCCC
ESP+164C > CCCCCCCC Pointer to next SEH record
ESP+1650 > CCCCCCCC SE handler
ESP+1654 > CCCCCCCC
6. VULNERABLE CODE PART
-----------------------
// GetGoDM.exe
004A4CE1 PUSH ECX ; /Arg3
004A4CE2 PUSH 1001 ; |Arg2 = 00001001
004A4CE7 LEA EDX,DWORD PTR SS:[EBP-1024] ; |
004A4CED PUSH EDX ; |Arg1
004A4CEE MOV ECX,DWORD PTR SS:[EBP-1064] ; |
004A4CF4 CALL GetGoDM.004A3A70 ; \GetGoDM.004A3A70
004A3A70 PUSH EBP
004A3A71 MOV EBP,ESP
004A3A73 PUSH -1
004A3A75 PUSH GetGoDM.00644153
004A3A7A MOV EAX,DWORD PTR FS:[0]
004A3A80 PUSH EAX
004A3A81 SUB ESP,1C
004A3A84 MOV EAX,DWORD PTR DS:[6E6FB8]
004A3A89 XOR EAX,EBP
004A3A8B PUSH EAX
004A3A8C LEA EAX,DWORD PTR SS:[EBP-C]
004A3A8F MOV DWORD PTR FS:[0],EAX
004A3A95 MOV DWORD PTR SS:[EBP-28],ECX
004A3A98 MOV DWORD PTR SS:[EBP-14],0
004A3A9F MOV EAX,DWORD PTR SS:[EBP+C]
004A3AA2 PUSH EAX
004A3AA3 PUSH 0
004A3AA5 MOV ECX,DWORD PTR SS:[EBP+8]
004A3AA8 PUSH ECX
004A3AA9 CALL GetGoDM.004EA0A0
004A3AAE ADD ESP,0C
004A3AB1 MOV DWORD PTR SS:[EBP-18],1
004A3AB8 MOV DWORD PTR SS:[EBP-10],1
004A3ABF MOV DWORD PTR SS:[EBP-20],0
004A3AC6 PUSH GetGoDM.0066D7F6 ; /Arg1 = 0066D7F6
004A3ACB LEA ECX,DWORD PTR SS:[EBP-1C] ; |
004A3ACE CALL GetGoDM.004090A0 ; \GetGoDM.004090A0
004A3AD3 MOV DWORD PTR SS:[EBP-4],0
004A3ADA /MOV EDX,1
004A3ADF |TEST EDX,EDX
004A3AE1 |JE SHORT GetGoDM.004A3B5A
004A3AE3 |MOV EAX,DWORD PTR SS:[EBP+10]
004A3AE6 |PUSH EAX ; /Arg3
004A3AE7 |PUSH 1 ; |Arg2 = 00000001
004A3AE9 |MOV ECX,DWORD PTR SS:[EBP-10] ; |
004A3AEC |MOV EDX,DWORD PTR SS:[EBP+8] ; |
004A3AEF |LEA EAX,DWORD PTR DS:[EDX+ECX-1] ; |
004A3AF3 |PUSH EAX ; |Arg1
004A3AF4 |MOV ECX,DWORD PTR SS:[EBP-28] ; |
004A3AF7 |ADD ECX,0C ; |
004A3AFA |CALL GetGoDM.0049DF80 ; \GetGoDM.0049DF80
004A3AFF |MOV DWORD PTR SS:[EBP-18],EAX
004A3B02 |CMP DWORD PTR SS:[EBP-18],0
004A3B06 |JNZ SHORT GetGoDM.004A3B11
004A3B08 |MOV DWORD PTR SS:[EBP-14],0
004A3B0F |JMP SHORT GetGoDM.004A3B5A
004A3B11 |MOV ECX,DWORD PTR SS:[EBP+8]
004A3B14 |ADD ECX,DWORD PTR SS:[EBP-10]
004A3B17 |MOV BYTE PTR DS:[ECX],0
004A3B1A |MOV EDX,DWORD PTR SS:[EBP+8]
004A3B1D |PUSH EDX ; /Arg1
004A3B1E |LEA ECX,DWORD PTR SS:[EBP-1C] ; |
004A3B21 |CALL GetGoDM.004497C0 ; \GetGoDM.004497C0
004A3B26 |PUSH 0 ; /Arg2 = 00000000
004A3B28 |PUSH GetGoDM.0066D7F8 ; |Arg1 = 0066D7F8 ASCII ""
004A3B2D |LEA ECX,DWORD PTR SS:[EBP-1C] ; |
004A3B30 |CALL GetGoDM.00409560 ; \GetGoDM.00409560
004A3B35 |MOV DWORD PTR SS:[EBP-20],EAX
004A3B38 |CMP DWORD PTR SS:[EBP-20],-1
004A3B3C |JE SHORT GetGoDM.004A3B4F
004A3B3E |MOV EAX,DWORD PTR SS:[EBP+8]
004A3B41 |ADD EAX,DWORD PTR SS:[EBP-20]
004A3B44 |MOV BYTE PTR DS:[EAX],0
004A3B47 |MOV ECX,DWORD PTR SS:[EBP-20]
004A3B4A |MOV DWORD PTR SS:[EBP-14],ECX
004A3B4D |JMP SHORT GetGoDM.004A3B5A
004A3B4F |MOV EDX,DWORD PTR SS:[EBP-10]
004A3B52 |ADD EDX,1
004A3B55 |MOV DWORD PTR SS:[EBP-10],EDX
004A3B58 \JMP SHORT GetGoDM.004A3ADA
004A3B5A MOV EAX,DWORD PTR SS:[EBP-14]
004A3B5D MOV DWORD PTR SS:[EBP-24],EAX
004A3B60 MOV DWORD PTR SS:[EBP-4],-1
004A3B67 LEA ECX,DWORD PTR SS:[EBP-1C]
004A3B6A CALL GetGoDM.004091E0
004A3B6F MOV EAX,DWORD PTR SS:[EBP-24]
004A3B72 MOV ECX,DWORD PTR SS:[EBP-C]
004A3B75 MOV DWORD PTR FS:[0],ECX
004A3B7C POP ECX
004A3B7D MOV ESP,EBP
004A3B7F POP EBP
004A3B80 RETN 0C
7. SOLUTION
-----------
None
8. REPORT TIMELINE
------------------
2014-02-23: Discovery of the vulnerability
2014-02-23: Vendor Notification #1
2014-02-26: MITRE assigns CVE-2014-2206
2014-03-01: Project is dead
2014-03-02: Full Disclosure
9 . REFERENCES
--------------
http://www.rcesecurity.com/2014/03/cve-2014-2206-getgo-download-manager-http-response-header-buffer-overflow-remote-code-execution
