VideoCharge Studio 2.12.3.685 Stack Buffer Overflow

2014-02-20T00:00:00
ID PACKETSTORM:125312
Type packetstorm
Reporter Julien Ahrens
Modified 2014-02-20T00:00:00

Description

                                        
                                            `RCE Security Advisory  
http://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
-----------------------  
Product: VideoCharge Studio  
Vendor URL: www.videocharge.com  
Type: Stack-based Buffer Overflow [CWE-121]  
Date found: 2014-02-08  
Date published: 2014-02-19  
CVSSv2 Score: 7,6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)  
CVE: -  
  
  
2. CREDITS  
----------  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
--------------------  
VideoCharge Studio v2.12.3.685 (latest)  
and other older versions may be affected too.  
  
  
4. VULNERABILITY DESCRIPTION  
----------------------------  
A stack-based buffer overflow vulnerability has been identified in the  
latest version of VideoCharge Studio v2.12.3.685.  
  
The application sends several HTTP GET requests to www.videocharge.com  
in different situations like checking for available updates or during  
the license activation process. The HTTP responses of the website are  
parsed using the following function from cc.dll:  
  
static int __cdecl CHTTPResponse::GetHttpResponse(char const *,char  
const *,char *)  
  
This function reads the contents of the response page using an  
InternetReadFile() call with dwNumberOfBytesToRead set to 745 bytes.  
Afterwards the application uses an insecure strcpy() call to further  
process the received data:  
  
1016D827 CALL cc.1020ACF0 ; strcpy()  
  
Although 745 bytes are enough to trigger the buffer overflow, the  
application additionally does not perform a validation of the  
Content-Length value of the HTTP response and executes the  
InternetReadFile() call a second time if the Content-Length value is  
greater than 745 with the dwNumberOfBytesToRead argument set to  
[Content-Length - 745] to make sure all bytes from the response are  
read, and uses the same strcpy() call to further process the received  
data, resulting in huge amounts of memory, that can be controlled by an  
attacker. This leads to a stack-based buffer overflow with an  
overwritten SEH chain, resulting in remote code execution.  
  
This vulnerability is only exploitable in a MITM scenario, therefor an  
attacker needs to spoof the DNS record of www.videocharge.com to  
redirect the traffic. Successful exploits can allow remote attackers to  
execute arbitrary code with the privileges of the user running the  
application. Failed exploits will result in a denial-of-service condition.  
  
  
5. PROOF-OF-CONCEPT (DEBUG)  
---------------------------  
Registers:  
EAX 00000000  
ECX CCCCCCCC  
EDX 7733B4AD ntdll.7733B4AD  
EBX 00000000  
ESP 00186F74  
EBP 00186F94  
ESI 00000000  
EDI 00000000  
EIP CCCCCCCC  
C 0 ES 002B 32bit 0(FFFFFFFF)  
P 1 CS 0023 32bit 0(FFFFFFFF)  
A 0 SS 002B 32bit 0(FFFFFFFF)  
Z 1 DS 002B 32bit 0(FFFFFFFF)  
S 0 FS 0053 32bit 7EFDD000(FFF)  
T 0 GS 002B 32bit 0(FFFFFFFF)  
D 0  
O 0 LastErr ERROR_SUCCESS (00000000)  
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)  
ST0 empty g  
ST1 empty g  
ST2 empty g  
ST3 empty g  
ST4 empty g  
ST5 empty g  
ST6 empty g  
ST7 empty g  
3 2 1 0 E S P U O Z D I  
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)  
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1  
  
  
Stackview:  
00186F74 7733B499 RETURN to ntdll.7733B499  
00186F78 0018705C  
00186F7C 0018781C  
00186F80 001870AC  
00186F84 00187030  
00186F88 0018781C Pointer to next SEH record  
00186F8C 7733B4AD SE handler  
[...]  
00187818 CCCCCCCC  
0018781C CCCCCCCC Pointer to next SEH record  
00187820 CCCCCCCC SE handler  
00187824 CCCCCCCC  
  
  
Vulnerable code part:  
1016D7CA LEA EAX,DWORD PTR SS:[EBP-34] ;   
lpdwNumberOfBytesRead  
1016D7CD PUSH EAX ; /Arg4  
1016D7CE MOV ECX,DWORD PTR SS:[EBP-30] ;  
|dwNumberOfBytesToRead  
1016D7D1 PUSH ECX ; |Arg3  
1016D7D2 MOV EDX,DWORD PTR SS:[EBP-14] ; |lpBuffer  
1016D7D5 PUSH EDX ; |Arg2  
1016D7D6 MOV EAX,DWORD PTR SS:[EBP-1C] ; |hFile  
1016D7D9 PUSH EAX ; |Arg1  
1016D7DA CALL DWORD PTR DS:[<&WININET.InternetRea>; \InternetReadFile  
1016D7E0 TEST EAX,EAX  
1016D7E2 JNZ SHORT cc.1016D7FB  
1016D7E4 MOV DWORD PTR SS:[EBP-44],2  
1016D7EB PUSH cc.10281838 ; /Arg2 = 10281838  
1016D7F0 LEA ECX,DWORD PTR SS:[EBP-44] ; |  
1016D7F3 PUSH ECX ; |Arg1  
1016D7F4 CALL cc.1020A824 ; \cc.1020A824  
1016D7F9 JMP SHORT cc.1016D82F  
1016D7FB CMP DWORD PTR SS:[EBP-34],0  
1016D7FF JNZ SHORT cc.1016D816  
1016D801 MOV DWORD PTR SS:[EBP-48],0  
1016D808 PUSH cc.10281838 ; /Arg2 = 10281838  
1016D80D LEA EDX,DWORD PTR SS:[EBP-48] ; |  
1016D810 PUSH EDX ; |Arg1  
1016D811 CALL cc.1020A824 ; \cc.1020A824  
1016D816 MOV EAX,DWORD PTR SS:[EBP-14]  
1016D819 ADD EAX,DWORD PTR SS:[EBP-34]  
1016D81C MOV BYTE PTR DS:[EAX],0  
1016D81F MOV ECX,DWORD PTR SS:[EBP-14]  
1016D822 PUSH ECX  
1016D823 MOV EDX,DWORD PTR SS:[EBP+10]  
1016D826 PUSH EDX  
1016D827 CALL cc.1020ACF0 ; strcpy()  
  
  
6. SOLUTION  
-----------  
None  
  
  
7. REPORT TIMELINE  
------------------  
2014-02-19: Full Disclosure  
  
  
8. REFERENCES  
-------------  
http://www.rcesecurity.com/2014/02/videocharge-studio-v2-12-3-685-gethttpresponse-remote-code-execution  
  
  
`