PayPal Inc PDF Mailer Buffer Overflow

2014-10-15T00:00:00
ID PACKETSTORM:128687
Type packetstorm
Reporter Benjamin Kunz Mejri
Modified 2014-10-15T00:00:00

Description

                                        
                                            `Document Title:  
===============  
PayPal Inc #90 PDF Mailer - Buffer Overflow Vulnerability  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=940  
http://www.vulnerability-lab.com/get_content.php?id=1274  
  
  
Release Date:  
=============  
2014-10-02  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
940  
  
  
Common Vulnerability Scoring System:  
====================================  
5.1  
  
  
Product & Service Introduction:  
===============================  
Mit der neuen Software PayPal ExpressRechnung können Sie ganz bequem Dokumente wie zum Beispiel Rechnungen aus   
Office-Anwendungen oder kaufmännischer Software um eine bequeme Bezahlfunktion erweitern.  
  
Die PayPal-Funktionalität ermöglicht Ihren Kunden die direkte Zahlung aus dem PDF und jetzt auch aus der   
papiergebundenen Rechnung. Der Express-Kauf-Button und ein QR-Code machen es möglich – Fehlerteufel durch lästiges   
Abtippen der Bankverbindung gehören damit der Vergangenheit an. Und das Beste: Sie erhalten schnell Ihr Geld!*  
  
Dadurch stellt PayPal ExpressRechnung eine Ergänzung Ihres bisherigen Zahlungsportfolios dar. Insbesondere   
Zahlungen, die heute außerhalb des Online-Shops stattfinden (z.B. bei telefonischen Bestellungen), können so   
zeitsparender und mit mehr Sicherheit abgewickelt werden. Es müssen keine sensiblen Bank- oder Kreditkartendaten   
am Telefon übermittelt werden.  
  
(Copy of the Homepage: https://www.paypal.com/webapps/mpp/paypal-express-rechnung )  
  
  
Abstract Advisory Information:  
==============================  
The Vulnerability Laboratory Research Team discovered a local buffer overflow software vulnerability in the official PayPal PDFMailer v6.0.2900.5512 software.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2014-10-02: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
PayPal Inc  
Product: PayPals PDFMailer (gotomaxx) 6.0.2900.5512  
  
  
Exploitation Technique:  
=======================  
Local  
  
  
Severity Level:  
===============  
Medium  
  
  
Technical Details & Description:  
================================  
A local buffer overflow software vulnerability is detected in the official Paypal Inc PDFMailer v6.0.2900.5512 software app.  
The vulnerability typus allows local attacker to overflow the paypal pdfmailer software process to gain higher access privileges.  
  
The local buffer overflow vulnerability is located in the drucker name (printer name) input field. The local attackers are able to   
include large unicode strings to overflow the installation software core process. The attacker is also able to overwrite (overflow)   
registers of the affected process to local execute unauthorized codes.  
  
Exploitation of the vulnerability requires a restricted system user account with physical access and no user interaction.  
Successful exploitation of the vulnerability results in system compromise by buffer overflow and a basic code execution.  
  
  
Vulnerable Service(s):  
[+] PayPal Inc - PDFMailer  
  
Vulnerable Module(s):  
[+] Installation - Core  
  
Vulnerable Input(s):  
[+] Drucker Name (Printer Name)  
  
  
Proof of Concept (PoC):  
=======================  
The local buffer overflow vulnerability can be exploited by local attacker with a restricted system user account without user interaction.  
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.  
  
1. Download the Paypal PDF Mailer https://www.paypal.com/webapps/mpp/paypal-express-rechnung  
2. Install the software and click to accept the license questions and pass the beautiful paypal girl :)  
3. Now, the installation ask for a path and wants to configure the printer name with the installation process  
4. We include to the vulnerable drucker name (printer name) input a unicode string (1024 bytes) and press the install (ok|continue) button  
Note: Attach a debugger like windbg, ida, ollydbg or immunity to the process  
5. The software is installing the components, libs and modules ...  
Note: Now, the installation is at the end processing to load the drucker name (printer name) of the input field setup ago  
8. The software crashs with a classic and unique BEX (Buffer Overflow) error exception  
9. The attacker is able to overwrite registers of the software process to escalate with system privileges to execute local codes  
10. Successful reproduce of the local vulnerability!  
  
  
--- Debug Logs ---  
ModLoad: 009f0000 00ac9000 SetupAssistant.exe  
(1960.1480): Break instruction exception - code 80000003 (first chance)  
eax=7efd7000 ebx=00000000 ecx=00000000 edx=774ff85a esi=00000000 edi=00000000  
eip=41414141 esp=0049ff5c ebp=0049ff88 iopl=0 nv up ei pl zr na pe nc  
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246  
  
7747000c cc int 3  
7747000d c3 ret  
7747000e 90 nop  
7747000f 90 nop  
77470010 8b4c2404 mov ecx,dword ptr [esp+4]  
77470014 f6410406 test byte ptr [ecx+4],6  
77470018 7405 je ntdll!DbgBreakPoint+0x13 (7747001f)  
7747001a e8811d0100 call ntdll!NtTestAlert (77481da0)  
0:002> a  
7747000c   
  
Reference(s): (Video)  
http://www.youtube.com/watch?v=IXhwfZV6x0M  
  
  
Picture(s):  
../1.png  
../2.png  
../3.png  
../4.png  
../5.png  
../6.png  
../7.png  
  
  
Solution - Fix & Patch:  
=======================  
The vulnerability can be patched by a limit char restriction of the drucker (printer) name input field in the paypal pdfmailer software.  
  
  
  
Security Risk:  
==============  
The security risk of the local buffer overflow software vulnerability in the pdf mailer software is estimated as high.  
  
  
Credits & Authors:  
==================  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) [www.vulnerability-lab.com]  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either   
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers   
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even   
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation   
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break   
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com  
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com  
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/  
  
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to   
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by   
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website   
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact   
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.  
  
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]  
  
  
  
--   
VULNERABILITY LABORATORY RESEARCH TEAM  
DOMAIN: www.vulnerability-lab.com  
CONTACT: research@vulnerability-lab.com  
  
`