GetGo Download Manager 4.x Stack Buffer Overflow

2014.03.04
Credit: RCE
Risk: High
Local: No
Remote: Yes


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

RCE Security Advisory http://www.rcesecurity.com 1. ADVISORY INFORMATION ----------------------- Product: GetGo Download Manager Vendor URL: www.getgosoft.com Type: Stack-based Buffer Overflow [CWE-121] Date found: 2014-02-20 Date published: 2014-03-02 CVSSv2 Score: 10,0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE: CVE-2014-2206 2. CREDITS ---------- This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED -------------------- GetGo Download Manager v4.9.0.1982 (latest) GetGo Download Manager v4.8.2.1346 GetGo Download Manager v4.4.5.502 and other older versions may be affected too. 4. VULNERABILITY DESCRIPTION ---------------------------- A stack-based buffer overflow vulnerability has been identified in the GetGo Download Manager. When a website is requested for download, the application reads the HTTP Response Header values of the target page and copies the retrieved values to a temporary buffer, which is set to a fixed size of 4097 bytes, but this size is not used by the application to limit the input to the buffer. Instead it fills the buffer byte by byte until the terminating sequence "\r\n" is found. Therefore the application writes outside the expected memory boundaries if the HTTP Response Header is greater than 4097 bytes. This leads to a stack-based buffer overflow with an overwritten SEH chain or return points, resulting in remote code execution. Successful exploits can allow remote attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in a denial-of-service condition. 5. PROOF-OF-CONCEPT (DEBUG) --------------------------- Registers: EAX 00000000 ECX CCCCCCCC EDX 76F2B4AD ntdll.76F2B4AD EBX 00000000 ESP 0474BD5C EBP 0474BD7C ESI 00000000 EDI 00000000 EIP CCCCCCCC C 0 ES 002B 32bit 0(FFFFFFFF) P 1 CS 0023 32bit 0(FFFFFFFF) A 0 SS 002B 32bit 0(FFFFFFFF) Z 1 DS 002B 32bit 0(FFFFFFFF) S 0 FS 0053 32bit 7EF94000(FFF) T 0 GS 002B 32bit 0(FFFFFFFF) D 0 O 0 LastErr ERROR_SUCCESS (00000000) EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE) ST0 empty g ST1 empty g ST2 empty g ST3 empty g ST4 empty g ST5 empty g ST6 empty g ST7 empty g 3 2 1 0 E S P U O Z D I FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 Stack: ESP-8 > 00286D30 ESP-4 > FFFFFFFE ESP ==> > 76F2B499 RETURN to ntdll.76F2B499 ESP+4 > 0474BE44 ESP+8 > 0474D3A8 [...] ESP+1648 > CCCCCCCC ESP+164C > CCCCCCCC Pointer to next SEH record ESP+1650 > CCCCCCCC SE handler ESP+1654 > CCCCCCCC 6. VULNERABLE CODE PART ----------------------- // GetGoDM.exe 004A4CE1 PUSH ECX ; /Arg3 004A4CE2 PUSH 1001 ; |Arg2 = 00001001 004A4CE7 LEA EDX,DWORD PTR SS:[EBP-1024] ; | 004A4CED PUSH EDX ; |Arg1 004A4CEE MOV ECX,DWORD PTR SS:[EBP-1064] ; | 004A4CF4 CALL GetGoDM.004A3A70 ; \GetGoDM.004A3A70 004A3A70 PUSH EBP 004A3A71 MOV EBP,ESP 004A3A73 PUSH -1 004A3A75 PUSH GetGoDM.00644153 004A3A7A MOV EAX,DWORD PTR FS:[0] 004A3A80 PUSH EAX 004A3A81 SUB ESP,1C 004A3A84 MOV EAX,DWORD PTR DS:[6E6FB8] 004A3A89 XOR EAX,EBP 004A3A8B PUSH EAX 004A3A8C LEA EAX,DWORD PTR SS:[EBP-C] 004A3A8F MOV DWORD PTR FS:[0],EAX 004A3A95 MOV DWORD PTR SS:[EBP-28],ECX 004A3A98 MOV DWORD PTR SS:[EBP-14],0 004A3A9F MOV EAX,DWORD PTR SS:[EBP+C] 004A3AA2 PUSH EAX 004A3AA3 PUSH 0 004A3AA5 MOV ECX,DWORD PTR SS:[EBP+8] 004A3AA8 PUSH ECX 004A3AA9 CALL GetGoDM.004EA0A0 004A3AAE ADD ESP,0C 004A3AB1 MOV DWORD PTR SS:[EBP-18],1 004A3AB8 MOV DWORD PTR SS:[EBP-10],1 004A3ABF MOV DWORD PTR SS:[EBP-20],0 004A3AC6 PUSH GetGoDM.0066D7F6 ; /Arg1 = 0066D7F6 004A3ACB LEA ECX,DWORD PTR SS:[EBP-1C] ; | 004A3ACE CALL GetGoDM.004090A0 ; \GetGoDM.004090A0 004A3AD3 MOV DWORD PTR SS:[EBP-4],0 004A3ADA /MOV EDX,1 004A3ADF |TEST EDX,EDX 004A3AE1 |JE SHORT GetGoDM.004A3B5A 004A3AE3 |MOV EAX,DWORD PTR SS:[EBP+10] 004A3AE6 |PUSH EAX ; /Arg3 004A3AE7 |PUSH 1 ; |Arg2 = 00000001 004A3AE9 |MOV ECX,DWORD PTR SS:[EBP-10] ; | 004A3AEC |MOV EDX,DWORD PTR SS:[EBP+8] ; | 004A3AEF |LEA EAX,DWORD PTR DS:[EDX+ECX-1] ; | 004A3AF3 |PUSH EAX ; |Arg1 004A3AF4 |MOV ECX,DWORD PTR SS:[EBP-28] ; | 004A3AF7 |ADD ECX,0C ; | 004A3AFA |CALL GetGoDM.0049DF80 ; \GetGoDM.0049DF80 004A3AFF |MOV DWORD PTR SS:[EBP-18],EAX 004A3B02 |CMP DWORD PTR SS:[EBP-18],0 004A3B06 |JNZ SHORT GetGoDM.004A3B11 004A3B08 |MOV DWORD PTR SS:[EBP-14],0 004A3B0F |JMP SHORT GetGoDM.004A3B5A 004A3B11 |MOV ECX,DWORD PTR SS:[EBP+8] 004A3B14 |ADD ECX,DWORD PTR SS:[EBP-10] 004A3B17 |MOV BYTE PTR DS:[ECX],0 004A3B1A |MOV EDX,DWORD PTR SS:[EBP+8] 004A3B1D |PUSH EDX ; /Arg1 004A3B1E |LEA ECX,DWORD PTR SS:[EBP-1C] ; | 004A3B21 |CALL GetGoDM.004497C0 ; \GetGoDM.004497C0 004A3B26 |PUSH 0 ; /Arg2 = 00000000 004A3B28 |PUSH GetGoDM.0066D7F8 ; |Arg1 = 0066D7F8 ASCII "" 004A3B2D |LEA ECX,DWORD PTR SS:[EBP-1C] ; | 004A3B30 |CALL GetGoDM.00409560 ; \GetGoDM.00409560 004A3B35 |MOV DWORD PTR SS:[EBP-20],EAX 004A3B38 |CMP DWORD PTR SS:[EBP-20],-1 004A3B3C |JE SHORT GetGoDM.004A3B4F 004A3B3E |MOV EAX,DWORD PTR SS:[EBP+8] 004A3B41 |ADD EAX,DWORD PTR SS:[EBP-20] 004A3B44 |MOV BYTE PTR DS:[EAX],0 004A3B47 |MOV ECX,DWORD PTR SS:[EBP-20] 004A3B4A |MOV DWORD PTR SS:[EBP-14],ECX 004A3B4D |JMP SHORT GetGoDM.004A3B5A 004A3B4F |MOV EDX,DWORD PTR SS:[EBP-10] 004A3B52 |ADD EDX,1 004A3B55 |MOV DWORD PTR SS:[EBP-10],EDX 004A3B58 \JMP SHORT GetGoDM.004A3ADA 004A3B5A MOV EAX,DWORD PTR SS:[EBP-14] 004A3B5D MOV DWORD PTR SS:[EBP-24],EAX 004A3B60 MOV DWORD PTR SS:[EBP-4],-1 004A3B67 LEA ECX,DWORD PTR SS:[EBP-1C] 004A3B6A CALL GetGoDM.004091E0 004A3B6F MOV EAX,DWORD PTR SS:[EBP-24] 004A3B72 MOV ECX,DWORD PTR SS:[EBP-C] 004A3B75 MOV DWORD PTR FS:[0],ECX 004A3B7C POP ECX 004A3B7D MOV ESP,EBP 004A3B7F POP EBP 004A3B80 RETN 0C 7. SOLUTION ----------- None 8. REPORT TIMELINE ------------------ 2014-02-23: Discovery of the vulnerability 2014-02-23: Vendor Notification #1 2014-02-26: MITRE assigns CVE-2014-2206 2014-03-01: Project is dead 2014-03-02: Full Disclosure 9 . REFERENCES -------------- http://www.rcesecurity.com/2014/03/cve-2014-2206-getgo-download-manager-http-response-header-buffer-overflow-remote-code-execution

References:

http://www.rcesecurity.com/2014/03/cve-2014-2206-getgo-download-manager-http-response-header-buffer-overflow-remote-code-execution


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top