PowerIso Parsing Code Execution Vulnerability(CVE-2017-2817)

2017-09-18T00:00:00
ID SSV:96512
Type seebug
Reporter Root
Modified 2017-09-18T00:00:00

Description

Summary

A stack buffer overflow vulnerability exists in the ISO parsing functionality of Power Software Ltd PowerISO. A specially crafted ISO file can cause a buffer overflow resulting in potential code execution. An attacker can send a specific ISO file to trigger this vulnerability.

Tested Versions

Power Software PowerISO 6.8 (6, 8, 0, 0)

Product URLs

http://poweriso.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

This vulnerability can be triggered by providing a specially crafted ISO file and opening it with the PowerISO software. The vulnerable code is presented below:

```
.text:0002588F NM_entry:                       ; CODE XREF: sub_25810+75j
.text:0002588F                 push    2               ; MaxCount
.text:00025891                 push    65D354h         ; NM?
.text:00025896                 push    esi             ; Str1
.text:00025897                 call    _strncmp
.text:0002589C                 add     esp, 0Ch
.text:0002589F                 test    eax, eax
.text:000258A1                 jnz     short loc_2591B
.text:000258A3                 mov     al, [esi+2]
.text:000258A6                 lea     ecx, [esi+5]
.text:000258A9                 sub     eax, 5
.text:000258AC                 lea     edx, [esp+124h+Dest]
.text:000258B0                 push    eax             ; Count
.text:000258B1                 push    ecx             ; Source
.text:000258B2                 push    edx             ; Dest
.text:000258B3                 call    _strncpy
```

The strncmp function is used to validate whether the currently processed entry is in fact an "NM" entry. After this condition is met, the strncpy function is executed (0x000258B3) with the dest parameter located on the stack. The source parameter is taken straight from the malformed .ISO file, and the count parameter is calculated from a byte stored in the malformed ISO file (the entry length byte at [esi+2], minus 5). By forcing the byte at [esi+2] (0x000258A3) to be less than 5, an attacker can cause the count value to become negative; since strncpy treats it as an unsigned size, the copy runs far past the stack buffer, leading to the buffer overflow presented below:

```
(hook on strncpy when opening malformed .iso file)
strncpy DEST=0x0019ecfc SRC=0x026f21aa COUNT=0xfffffffe

DEST (stack buffer):
0019ecfc  4c e8 3e 77 7f 07 00 00-00 00 00 00 5c 01 2b 01  L.>w........\.+.
0019ed0c  01 00 00 00 dd 14 00 00-48 00 a3 05 01 00 00 00  ........H.......
0019ed1c  00 00 00 00 00 00 00 00-60 32 f2 02 60 32 f2 02  ........`2..`2..
0019ed2c  02 00 00 00 68 32 f2 02-68 32 f2 02 fe ff ff ff  ....h2..h2......
0019ed3c  7f 07 00 00 28 00 00 00-f4 8d 08 71 e8 82 ff ff  ....(......q....
0019ed4c  40 00 a3 05 00 00 00 00-04 31 00 00 f4 8d 08 71  @........1.....q
0019ed5c  48 00 a3 05 7f 07 00 00-60 e9 f2 02 ff 07 00 00  H.......`.......
0019ed6c  dd 14 00 00 e0 ee 19 00-b0 67 3f 77 7a 06 d2 44  .........g?wz..D

SOURCE (controlled by attacker):
026f21aa  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
026f21ba  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
026f21ca  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
026f21da  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
...

```
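The integer underflow described above, and the check that prevents it, as an added example written for this page (not Talos's proof of concept and not PowerISO's code). It assumes the entry layout the disassembly implies: two signature bytes "NM", one entry-length byte covering the whole entry, a version byte, a flags byte, then the name, so the name length is length minus 5. The function names, the status codes and the sample entries are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed "NM" entry layout: [0..1] "NM", [2] entry length, [3] version,
 * [4] flags, [5..len-1] name. Fixed header is 5 bytes. */
#define NM_HEADER_LEN 5u

/* Reproduces the arithmetic the vulnerable code performs on the length
 * byte: eax is 0 because strncmp succeeded, "mov al,[esi+2]" loads the
 * byte into the low 8 bits, "sub eax,5" wraps when the byte is < 5.
 * Returns the value that would reach strncpy as Count; nothing is copied. */
uint32_t vulnerable_nm_count(const uint8_t *entry)
{
    uint32_t eax = 0;                          /* strncmp returned 0 */
    eax = (eax & 0xFFFFFF00u) | entry[2];      /* mov al, [esi+2] */
    eax -= NM_HEADER_LEN;                      /* sub eax, 5 */
    return eax;                                /* 0xfffffffe for a length of 3 */
}

enum nm_status {
    NM_OK = 0,
    NM_NOT_NM,        /* signature mismatch */
    NM_BAD_LENGTH,    /* length byte shorter than the fixed header */
    NM_TRUNCATED,     /* entry claims more bytes than remain in the area */
    NM_TOO_LONG       /* name does not fit the caller's buffer */
};

/* Hardened parser: every quantity derived from the file is validated
 * before it becomes a copy length. 'avail' is the number of bytes left
 * in the system-use area, 'dest_size' the capacity of 'dest'. */
enum nm_status parse_nm_entry(const uint8_t *entry, size_t avail,
                              char *dest, size_t dest_size)
{
    if (avail < NM_HEADER_LEN)
        return NM_TRUNCATED;
    if (memcmp(entry, "NM", 2) != 0)
        return NM_NOT_NM;

    size_t entry_len = entry[2];
    if (entry_len < NM_HEADER_LEN)
        return NM_BAD_LENGTH;          /* the case that underflows in the original */
    if (entry_len > avail)
        return NM_TRUNCATED;

    size_t name_len = entry_len - NM_HEADER_LEN;
    if (name_len >= dest_size)         /* keep room for the terminator */
        return NM_TOO_LONG;

    memcpy(dest, entry + NM_HEADER_LEN, name_len);
    dest[name_len] = '\0';
    return NM_OK;
}

/* Convenience wrapper: 1 if the entry parses cleanly into 'expected'. */
int nm_name_equals(const uint8_t *entry, size_t avail, const char *expected)
{
    char name[64];
    if (parse_nm_entry(entry, avail, name, sizeof name) != NM_OK)
        return 0;
    return strcmp(name, expected) == 0;
}

int main(void)
{
    /* Constructed sample entries, not taken from the advisory's file. */
    const uint8_t good[] = { 'N', 'M', 9, 1, 0, 't', 'e', 's', 't' };
    const uint8_t bad[]  = { 'N', 'M', 3, 1, 0 };   /* length byte < 5 */
    char name[64];

    printf("count the vulnerable code would pass for the bad entry: 0x%08x\n",
           vulnerable_nm_count(bad));
    printf("hardened parse of the bad entry: status %d\n",
           parse_nm_entry(bad, sizeof bad, name, sizeof name));
    if (parse_nm_entry(good, sizeof good, name, sizeof name) == NM_OK)
        printf("hardened parse of the good entry: \"%s\"\n", name);
    return 0;
}
```

The three bounds checks in `parse_nm_entry` correspond to the three facts the original code trusts from the file: that the length byte is at least the header size, that the entry lies within the bytes actually read, and that the name fits the stack destination.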

Crash Information

```
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP: 
image00000000_00400000+12f699
0052f699 8907            mov     dword ptr [edi],eax

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000052f699 (image00000000_00400000+0x000000000012f699)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00000000001a0000
Attempt to write to address 00000000001a0000

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
eax=00000000 ebx=fffffffc ecx=3ffffb3f edx=00004141 esi=027721b0 edi=0019fffe
eip=0052f699 esp=0019ecbc ebp=0019ee30 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
image00000000_00400000+0x12f699:
0052f699 8907            mov     dword ptr [edi],eax  ds:002b:0019fffe=63410000

FAULTING_THREAD:  0000000000001ca0

PROCESS_NAME:  image00000000`00400000

ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

EXCEPTION_PARAMETER1:  0000000000000001

EXCEPTION_PARAMETER2:  00000000001a0000

WRITE_ADDRESS:  00000000001a0000

FOLLOWUP_IP: 
image00000000_00400000+12f699
0052f699 8907            mov     dword ptr [edi],eax

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  image00000000`00400000

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

LAST_CONTROL_TRANSFER:  from 0000000000000000 to 000000000052f699

STACK_TEXT:  
0019ee30 00000000 00000000 00000000 00000000 image00000000_00400000+0x12f699


STACK_COMMAND:  .cxr 0x0 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00000000+12f699

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00000000_00400000

IMAGE_NAME:  PowerISO.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  58932d2b

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_image00000000+12f699

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_poweriso.exe!unknown

FAILURE_ID_HASH:  {1b12d601-7fad-79d8-d5a8-9f7caedc20c8}

Followup: MachineOwner
---------

```

Timeline

  • 2017-04-14 - Vendor Disclosure
  • 2017-05-05 - Public Release

CREDIT

  • Discovered by Piotr Bania of Cisco Talos.