4.4 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
7.3 High
AI Score
Confidence
High
0.093 Low
EPSS
Percentile
94.7%
**Title:**Schneider Vampset Stack and Heap Buffer Overflow
**Advisory ID:**CORE-2015-0007
Advisory URL:<https://www.coresecurity.com/core-labs/advisories/schneider-vampset-stack-and-heap-buffer-overflow>
**Date published:**2015-03-30
**Date of last update:**2015-03-27
**Vendors contacted:**Schneider
**Release mode:**Coordinated release
**Class:**Heap-based Buffer Overflow [CWE-122], Stack-based Buffer Overflow [CWE-121]
**Impact:**Code execution
**Remotely Exploitable:**No
**Locally Exploitable:**Yes
CVE Name:CVE-2014-8390, CVE-2014-8390
User-friendly and free of charge VAMPSET software [1] has been designed for setting parameters and configuring relays, and is suitable for the entire VAMP range of protection relays, VAMP 321 arc flash protection unit and measuring and monitoring units. This indispensable setting and configuration tool allows relay parameters, configurations and recorded data to be exchanged between a computer and a VAMP relay using various communication cables.
VAMPSET handles relay settings as documents, vef-files. Settings of one physical device are considered one document. Documents can be read from the relay and transferred between similar relays. Documents can also be saved to the computer hard drive, and later loaded back to the relay using VAMPSET.
VAMPSET is vulnerable to a Stack-based and Heap-based buffer overflow attack, which can be exploited by attackers to execute arbitrary code, by providing a malicious CFG or DAT file with specific parameters.
Given that this is a client-side vulnerability, affected users should avoid opening untrusted .cfg
or .dat
files. Core Security also recommends to those affected the use third party software such as Sentinel [3] or EMET [2] that could help prevent the exploitation of affected systems to some extent.
The vendor published the following advisory [5] that includes mitigation instructions and a reference to the updated software.
This vulnerability was discovered and researched by Ricardo Narvaja from Core Security Exploit Writing Team. The publication of this advisory was coordinated by JoaquΓn RodrΓguez Varela from Core Security Advisories Team.
[CVE-2014-8390] This vulnerability is caused by a controlled heap buffer overflow when opening specially crafted Comtrade [4] format files.
The problem lays in the following facts. First the software allocs
a fixed size in here:
.text:00494125 push 1A68h ; size_t .text:0049412A call sub_4CC928
Then it goes to a malloc
with 1A68h
size:
.text:004CC92E loc_4CC92E: ; size_t .text:004CC92E push edi .text:004CC92F call _mallloc
And finally here:
004B3483 |> \83C6 0F ADD ESI,0F 004B3486 |. 83E6 F0 AND ESI,FFFFFFF0 004B3489 |. 56 PUSH ESI ; /HeapSize = 1A70 (6768.) 004B348A |. 6A 00 PUSH 0 ; |Flags = 0 004B348C |. FF35 2C605700 PUSH DWORD PTR DS:[57602C] ; |hHeap = 003C0000 004B3492 |. FF15 70224F00 CALL DWORD PTR DS:[<&KERNEL32.HeapAlloc>>; \HeapAlloc
After applying the AND 0f
and FFFFFFF0
the size is 0x1a70
:
0012EF50 003C0000 |hHeap = 003C0000 0012EF54 00000000 |Flags = 0 0012EF58 00001A70 \HeapSize = 1A70 (6768.)
Then it writes in this section without checking the size of what is written. In the PoC it ends up crashing after overflowing the heap section:
00497C03 |. F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWORD PTR D> 00497C05 |. 8BC8 |MOV ECX,EAX 00497C07 |. 83E1 03 |AND ECX,3 00497C0A |. F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:> 00D65F60 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 00D65F70 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 00D65F80 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 00D65F90 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 00D65FA0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 00D65FB0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 00D65FC0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 00D65FD0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 00D65FE0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 00D65FF0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC EAX 00003BC6 ECX 0000082D EDX 00003BC5 EBX 00D64468 ESP 0012ED30 EBP 00EF8290 ASCII "ASCII CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC ESI 00EF9DA0 ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC EDI 00D66000 EIP 00497C03 Vampset.00497C03
Nevertheless, this is a controllable heap overflow, therefore if a smaller amount of characters is used it can provoke code execution.
[CVE-2014-8390] This vulnerability is caused by a controlled stack buffer overflow when opening specially crafted Comtrade [4] format files.
When VAMPSET opens the malformed files the following occurs. It sends a message to LB_GETTEXT
with the length of the string:
0013F6FC 0048E070 /CALL to SendMessageW from Vampset.0048E06E 0013F700 00840B22 |hWnd = 840B22 0013F704 00000189 |Message = LB_GETTEXT 0013F708 00000000 |Index = 0 0013F70C 0013F760 \Buffer = 0013F760
The length of that string is bigger than the destination buffer and therefore overwrites the return address that is located after the buffer:
$ ==> >49 00 4C 00 31 00 4D 00 35 00 4D 00 35 00 4D 00 I.L.1.M.5.M.5.M. $+10 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M. $+20 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M. $+30 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M. $+40 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M. $+50 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M. $+60 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M. $+70 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M. $+80 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M. $+90 >35 00 4D 00 35 00 4D 00 35 00 4D 00 CC CC CC CC 5.M.5.M.5.M.ΓΓΓΓ $+A0 >CC CC CC CC CC CC 38 00 35 00 38 00 31 00 61 00 ΓΓΓΓΓΓ8.5.8.1.a. $+B0 >61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. $+C0 >61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a. $+D0 >61 00 00 00 a... 0048E0BE > \5F POP EDI 0048E0BF . 5E POP ESI 0048E0C0 . 5D POP EBP 0048E0C1 . 5B POP EBX 0048E0C2 . 81C4 C0000000 ADD ESP,0C0 0048E0C8 . C3 RETN
From there it jumps to execution, in this case is deviated to 0x4d0035
:
0013F7E0 004D0035 Vampset.004D0035 0013F7E4 004D0035 Vampset.004D0035 0013F7E8 004D0035 Vampset.004D0035 0013F7EC 004D0035 Vampset.004D0035 0013F7F0 004D0035 Vampset.004D0035 0013F7F4 004D0035 Vampset.004D0035 0013F7F8 004D0035 Vampset.004D0035 004D0035 |. FFD5 CALL EBP ; \ClientToScreen
After this it executes our code in the stack:
0013F7EC 35 004D0035 XOR EAX,35004D00 0013F7F1 004D 00 ADD BYTE PTR SS:[EBP],CL 0013F7F4 35 004D0035 XOR EAX,35004D00 0013F7F9 004D 00 ADD BYTE PTR SS:[EBP],CL 0013F7FC CC INT3 0013F7FD CC INT3 0013F7FE CC INT3 0013F7FF CC INT3 0013F800 CC INT3 0013F801 CC INT3 0013F802 CC INT3 0013F803 CC INT3 0013F804 CC INT3 0013F805 CC INT3 0013F806 3800 CMP BYTE PTR DS:[EAX],AL 0013F808 35 00380031 XOR EAX,31003800 0013F80D 0061 00 ADD BYTE PTR DS:[ECX],AH 0013F810 61 POPAD
[1] <http://www.schneider-electric.com/products/ww/en/2300-ied-user-software/2320-vamp-user-software/62050-vamp-software/>.
[2] <http://support.microsoft.com/kb/2458544>.
[3] <https://github.com/CoreSecurity/sentinel>.
[4] <http://en.wikipedia.org/wiki/Comtrade>.
[5] http://download.schneider-electric.com/files?p_File_Id=768378039&p_File_Name=SEVD-2015-084-01-VAMPSET-Software.pdf.
CoreLabs, the research center of Core Security, A Fortra Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at <https://www.coresecurity.com/core-labs>.
Core Security, a Fortra Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected].
The contents of this advisory are copyright Β© 2015 Core Security and Β© 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security advisories team.