EViews 7.0.0.1 (aka 7.2) - Multiple Vulnerabilities

Published: 21 Sep 2011 00:00:00
Reported by: Luigi Auriemma
Type: exploitdb
Source: www.exploit-db.com

EViews 7.0.0.1 (7.2) - Multiple Vulnerabilities in Windows application for econometric and statistical analysis

Code
#######################################################################

                             Luigi Auriemma

Application:  EViews
              http://www.eviews.com
Versions:     <= 7.0.0.1 (aka 7.2)
Platforms:    Windows
Bugs:         A] memory corruption
              B] heap overflow
Exploitation: remote
Date:         19 Sep 2011
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


EViews is a software package for econometric and statistical analysis.

From vendor's website:
"Estimation, forecasting, statistical analysis, graphics, simulation,
data management, all in a powerful, graphical object-oriented
interface."


#######################################################################

======
2) Bugs
======

--------------------
A] memory corruption
--------------------

The program uses a particular function to allocate memory for the
arrays used in WF1 files.
In short, if the reallocation fails, it is still possible to write a
memory pointer and a NULL into the expected last two positions of the
"supposedly" reallocated array, with the possibility of corrupting
memory zones almost arbitrarily:

  00B1A2B0  /$ 56                PUSH ESI                       ; value + 0x32
  00B1A2B1  |. 57                PUSH EDI
  00B1A2B2  |. 8B7C24 0C         MOV EDI,DWORD PTR SS:[ESP+C]
  00B1A2B6  |. 8BF1              MOV ESI,ECX
  00B1A2B8  |. 56                PUSH ESI
  00B1A2B9  |. 8D04BD 00000000   LEA EAX,DWORD PTR DS:[EDI*4]   ; value * 4 (unexploitable)
  00B1A2C0  |. 50                PUSH EAX
  00B1A2C1  |. B9 38F8E600       MOV ECX,EViews7.00E6F838
  00B1A2C6  |. E8 4527F7FF       CALL EViews7.00A8CA10          ; allocation
  ...
  00A8BB41  |. 897C39 FC         MOV DWORD PTR DS:[ECX+EDI-4],EDI   ; write4
  00A8BB45  |. C70439 00000000   MOV DWORD PTR DS:[ECX+EDI],0       ; write4

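The pattern described above (a reallocation whose result is used without being checked, followed by two writes at the expected end of the array) is modelled in the added example below. This is illustrative code written for this page, not EViews' code or the author's proof-of-concept: the growable pointer array, the `append_*` function names and the swappable allocator hook are assumptions introduced so the failure path can be exercised offline. The vulnerable form is shown beside a hardened form that checks the reallocation and keeps the old buffer intact on failure.

```c
/* Added example: model of the unchecked-realloc pattern from bug A,
 * beside a hardened version. Constructed for illustration; not the
 * EViews code. Names and the allocator hook are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Allocator hook so a test can simulate allocation failure offline.
 * A real parser would call realloc() directly. */
static void *(*grow_realloc)(void *, size_t) = realloc;

/* Allocator that always fails, used to drive the failure path. */
static void *failing_realloc(void *p, size_t n)
{
    (void)p; (void)n;
    return NULL;
}

/* A NULL-terminated growable array of pointers; count = used slots. */
struct ptr_array {
    void **items;
    size_t count;
};

/* VULNERABLE (as the advisory describes it): the reallocation result is
 * not checked. When it fails, the pointer and the NULL terminator are
 * written through a NULL base at offsets derived from the element count,
 * which is the "write4" pair in the disassembly above. Never call this
 * with an allocator that can fail. */
static void append_unchecked(struct ptr_array *a, void *item)
{
    size_t n = a->count + 2;                    /* new item + NULL terminator */
    a->items = grow_realloc(a->items, n * sizeof(void *));
    a->items[a->count] = item;                  /* write 1: the pointer */
    a->items[a->count + 1] = NULL;              /* write 2: the NULL */
    a->count++;
}

/* HARDENED: guard the size computation against overflow, keep the old
 * buffer when reallocation fails, and report the failure to the caller so
 * nothing is written through an invalid base. */
static int append_checked(struct ptr_array *a, void *item)
{
    if (a->count > SIZE_MAX / sizeof(void *) - 2)
        return -1;                              /* size would overflow */
    size_t n = a->count + 2;
    void **grown = grow_realloc(a->items, n * sizeof(void *));
    if (grown == NULL)
        return -1;                              /* old buffer still valid, nothing written */
    a->items = grown;
    a->items[a->count] = item;
    a->items[a->count + 1] = NULL;
    a->count++;
    return 0;
}

/* Failure path with the hardened version: returns 1 when the append is
 * refused and the array is left exactly as it was before the call. */
static int demo_failure_is_contained(void)
{
    struct ptr_array a = { NULL, 0 };
    int x = 42;
    grow_realloc = realloc;                     /* first append succeeds */
    if (append_checked(&a, &x) != 0)
        return 0;
    grow_realloc = failing_realloc;             /* simulate allocation failure */
    int rc = append_checked(&a, &x);
    grow_realloc = realloc;
    int ok = (rc == -1 && a.count == 1 && a.items[0] == &x && a.items[1] == NULL);
    free(a.items);
    return ok;
}

/* Working allocator: both versions place the pointer and the NULL in the
 * last two slots, which is the layout the code expects on success. */
static int demo_layout(void)
{
    struct ptr_array a = { NULL, 0 };
    int x = 1, y = 2;
    grow_realloc = realloc;
    append_unchecked(&a, &x);                   /* safe only because realloc succeeds here */
    if (append_checked(&a, &y) != 0) {
        free(a.items);
        return 0;
    }
    int ok = (a.count == 2 && a.items[0] == &x && a.items[1] == &y && a.items[2] == NULL);
    free(a.items);
    return ok;
}

int main(void)
{
    printf("failure contained: %d\n", demo_failure_is_contained());
    printf("layout on success: %d\n", demo_layout());
    return 0;
}
```

The point of the hardened form is that a failed reallocation changes nothing: the caller gets an error and the previous buffer remains valid and still NULL-terminated, so a malformed input can only make the parse fail rather than steer two writes through an invalid base pointer.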

----------------
B] heap overflow
----------------

Heap overflow/corruption (no further analysis performed) during the
handling of PRG files:

  00B90BF4  |. 8B1496         MOV EDX,DWORD PTR DS:[ESI+EDX*4]
  00B90BF7  |. EB 07          JMP SHORT EViews7.00B90C00    ; EDX is controlled
  00B90BF9  |> 397A 04        /CMP DWORD PTR DS:[EDX+4],EDI ; EDI is usually zero
  00B90BFC  |. 74 0E          |JE SHORT EViews7.00B90C0C
  00B90BFE  |. 8B12           |MOV EDX,DWORD PTR DS:[EDX]
  00B90C00  |> 85D2            TEST EDX,EDX
  00B90C02  |.^75 F5          \JNZ SHORT EViews7.00B90BF9
  00B90C04  |. 33C0           XOR EAX,EAX
  00B90C06  |> 5F             POP EDI
  00B90C07  |> 5E             POP ESI
  00B90C08  |. 5D             POP EBP
  00B90C09  |. C2 0400        RETN 4
  00B90C0C  |> 8B42 08        MOV EAX,DWORD PTR DS:[EDX+8]  ; get the new value
  00B90C0F  \.^EB F5          JMP SHORT EViews7.00B90C06
  ...
  00B295D8  |. E8 EF750600    CALL EViews7.00B90BCC         ; the above function
  00B295DD  |. 85C0           TEST EAX,EAX
  00B295DF  |. 74 14          JE SHORT EViews7.00B295F5
  00B295E1  |. 8378 4C 00     CMP DWORD PTR DS:[EAX+4C],0
  00B295E5  |. 74 0E          JE SHORT EViews7.00B295F5
  00B295E7  |. 8B48 4C        MOV ECX,DWORD PTR DS:[EAX+4C]
  00B295EA  |. 8B01           MOV EAX,DWORD PTR DS:[ECX]
  00B295EC  |. 6A 00          PUSH 0
  00B295EE  |. 56             PUSH ESI
  00B295EF  |. FF90 9C000000  CALL DWORD PTR DS:[EAX+9C]    ; code execution

The only "obstacle" to exploitation could be EDI, handled at address
00B54CE5, because sometimes it's zero and other times it isn't, but my
proof-of-concept and analysis are absolutely far from being optimized,
so there are for sure ways to control it better and bypass the
comparison.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/eviews_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17878.zip

#######################################################################

======
4) Fix
======


No fix.


#######################################################################
