EasyBoot v6.6.0.800 - Stack Buffer Overflow Vulnerability

Document Title:
===============
EasyBoot v6.6.0.800 - Stack Buffer Overflow Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2176


Release Date:
=============
2019-03-07


Vulnerability Laboratory ID (VL-ID):
====================================
2176


Common Vulnerability Scoring System:
====================================
6


Vulnerability Class:
====================
Buffer Overflow


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
EasyBoot lets you design MultiBoot CDs and DVDs. The program automatically produces the required boot image files
and creates an ISO file that you can burn as an image with your burning program. EasyBoot is an integrated tool
for creating MultiBoot, menu-driven CDs and DVDs in your native language. It can automatically produce boot
image files and generate the ISO file as well. Record the ISO with your CD/DVD recording software, such as Nero or
Roxio, and you get a bootable CD/DVD that is completely your own.

(Copy of the Homepage: http://www.ezbsystems.com/easyboot/ & http://www.ezbsystems.com/easyboot/download.htm )


Abstract Advisory Information:
==============================
A local stack buffer overflow vulnerability has been discovered in the official EasyBoot v6.6.0.800 Windows software.


Vulnerability Disclosure Timeline:
==================================
2019-03-07: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
EZB Systems Inc
Product: EasyBoot - Boot Medium Software 6.6.0.800


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Full Disclosure


Technical Details & Description:
================================
A local stack buffer overflow vulnerability has been discovered in the official EasyBoot v6.6.0.800 Windows software.
The local software vulnerability allows an attacker to overwrite active registers and compromise the affected local software process.

The EasyBoot software has a function under Tools that lets the user write a local floppy disk image with write access. The function
itself offers two options: create your own image or use an existing image. The image filename has no secure string length
restriction during the write process. Because an overlong Unicode string is handled incorrectly, an attacker can overwrite the
active registers and control the next return address, so that the process can be compromised. The security issue is a classic
Unicode stack buffer overflow vulnerability and affects only the diskette write process of the function.

The security risk of the software vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.0.
The buffer overflow vulnerability can be exploited by local attackers without user interaction and with local restricted or low user privileges.
Successful exploitation of the stack buffer overflow vulnerability results in system and process compromise through an overwrite of the
active registers via the return address.

Vulnerable Module(s):
[+] File - Tools

Vulnerable Function(s):
[+] Create floppy disk from image
[+] Create new floppy disk image


Proof of Concept (PoC):
=======================
The local stack buffer overflow can be exploited by local attackers with a restricted local system user account and without user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps provided below.


Manual steps to reproduce ...
1. Install the newest EasyBoot software, or run it as an image
2. Install Microsoft WinDbg and attach it to the local software process right after start
3. Open the File tab and switch to the Tools button with a single click
4. Choose one of the two floppy disk functions
5. Enter your large Unicode payload (1024 bytes) to overwrite the active registers (eip)
6. The software crashes and the active registers, such as eip, ebx and others, are overwritten
7. Move to the debugger, preview the stack text and analysis, then include a new return address
8. Successful reproduction of the local stack buffer overflow vulnerability!


--- WinDBG Session Logs (Overwrite Return Address) ---
(1a9c.1450): Access violation - code c0000005 (first chance)
*** EasyBoot.exe
EasyBoot!UfrmconfigFinalize+0x66266:
004fa16a f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000:x86> g
(1a9c.1450): Access violation - code c0000005 (first chance)
41414141 ??              ???

FAULTING_IP: 
unknown!noop+0
41414141 ??              ???

EXCEPTION_RECORD:  0000000000182680 -- (.exr 0x182680)
ExceptionAddress: 0000000000000000
   ExceptionCode: 0001007f
  ExceptionFlags: 00000000
NumberParameters: 0

CONTEXT:  000000000019ead8 -- (.cxr 0x19ead8;r)
eax=41414141 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=41414141 esp=41414141 ebp=41414141 iopl=0         nv up di pl zr na po cy
cs=4141  ss=4143  ds=4141  es=4141  fs=4141  gs=4141 efl=41414141
4141:41414141
Last set context:
eax=41414141 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=41414141 esp=41414141 ebp=41414141 iopl=0         nv up di pl zr na po cy
cs=4141  ss=4143  ds=4141  es=4141  fs=4141  gs=4141 efl=41414141
4141:41414141

FAULTING_THREAD:  0000000000001450
DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
PROCESS_NAME:  EasyBoot.exe
FAULTING_MODULE: 0000000076460000 KERNEL32

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgefuehrt werden.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgefuehrt werden.

EXCEPTION_PARAMETER1:  0000000000000008
EXCEPTION_PARAMETER2:  0000000041414141
WRITE_ADDRESS:  0000000041414141 

FOLLOWUP_IP: 
unknown!noop+0
41414141 ??              ???

FAILED_INSTRUCTION_ADDRESS: 
unknown!noop+0
41414141 ??              ???

APP:  easyboot.exe
ANALYSIS_VERSION: 6.3.9600.17336 
(debuggers(dbg).150226-1500) amd64fre

IP_ON_HEAP:  0000000041414141
IP_IN_FREE_BLOCK: 41414141
LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0000000041414141

IP_ON_STACK: 
unknown!noop+0
41414141 ??              ???

STACK_TEXT:  41414141 00000000 00000000 00000000 00000000 0x41414141

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  unknown!noop+41414141
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  unknown
STACK_COMMAND:  .cxr 0x19ead8 ; kb

000000000019e0e4: 77510000!RtlInterlockedCompareExchange64+200 (000000007758eb10)
000000000019ead8: 0000000041414141
Invalid exception stack at 0000000041414141
0:000:x86> g
(1a9c.1450): Access violation - code c0000005
41414141 ??              ???


--- System Event Logs (APPCRASH & BEX) ---
EventType=APPCRASH
Sig[0].Name=Anwendungsname
Sig[0].Value=EasyBoot.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=6.6.0.800
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=00000000
Sig[3].Name=Fehlermodulname
Sig[3].Value=StackHash_abcc
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=00000000
Sig[6].Name=Ausnahmecode
Sig[6].Value=c00000fd
Sig[7].Name=Ausnahmeoffset
-
Sig[0].Name=Anwendungsname
Sig[0].Value=EasyBoot.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=6.6.0.800
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=00000000
Sig[3].Name=Fehlermodulname
Sig[3].Value=EasyBoot.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=6.6.0.800
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=00000000
Sig[6].Name=Ausnahmeoffset
Sig[6].Value=000fa16a
Sig[7].Name=Ausnahmecode
Sig[7].Value=c0000409
Sig[8].Name=Ausnahmedaten
Sig[8].Value=00000015


Solution - Fix & Patch:
=======================
The stack overflow vulnerability can be patched by restricting the length of the floppy disk image name for both the create and the add function.
Allocate and bound the memory used by the process and the function so that an overlong name can no longer overrun the stack buffer.
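The fix described above, as an added example that is not part of the original advisory and not EZB Systems' code: a wide-character image name is validated against a fixed buffer size before it is copied, so an overlong name is rejected instead of overrunning the stack frame. The structure name, the 260-character limit and the helper functions are assumptions made for the illustration; the unsafe pattern (a copy bounded only by the source length) is shown in a comment for contrast and is never executed.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed fixed-size destination for the image name, sized like a Windows
 * MAX_PATH buffer (260 wide characters including the terminator). */
#define IMAGE_NAME_MAX 260

/* Hypothetical request record holding the filename on the caller's stack. */
typedef struct {
    wchar_t name[IMAGE_NAME_MAX];
} floppy_image_request;

/*
 * Unsafe pattern the advisory describes (NOT called anywhere here):
 *
 *     wcscpy(req->name, src);   // bounded only by the source length
 *
 * With a source longer than IMAGE_NAME_MAX the copy runs past `name`,
 * overwrites the saved registers and the return address, and the crash
 * shows up with eip == 0x41414141 when the input is a run of L'A'.
 */

/* Bounded scan: length of `s` without ever reading past `limit` characters,
 * so an unterminated source cannot make the check itself overrun. */
static size_t bounded_wlen(const wchar_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != L'\0')
        n++;
    return n;
}

/* Hardened setter: returns 0 on success, -1 when the name is rejected.
 * A name is accepted only if it is non-empty and leaves room for the NUL. */
int set_image_name(floppy_image_request *req, const wchar_t *src)
{
    if (req == NULL || src == NULL)
        return -1;

    size_t n = bounded_wlen(src, IMAGE_NAME_MAX);
    if (n == 0 || n >= IMAGE_NAME_MAX)   /* n == IMAGE_NAME_MAX: overlong */
        return -1;

    wmemcpy(req->name, src, n);          /* copy exactly n characters ... */
    req->name[n] = L'\0';                /* ... and terminate explicitly */
    return 0;
}

/* Constructed probe: builds a name of `len` L'A' characters (the same 0x41
 * fill pattern seen in the crash registers) and feeds it to the setter. */
int try_name_of_length(size_t len)
{
    static wchar_t probe[4096];
    floppy_image_request req;

    if (len >= sizeof probe / sizeof probe[0])
        return -1;
    for (size_t i = 0; i < len; i++)
        probe[i] = L'A';
    probe[len] = L'\0';
    return set_image_name(&req, probe);
}

int main(void)
{
    /* 259 characters fit; 260 and the advisory's 1024-byte payload do not. */
    printf("len 8    -> %d\n", try_name_of_length(8));
    printf("len 259  -> %d\n", try_name_of_length(259));
    printf("len 260  -> %d\n", try_name_of_length(260));
    printf("len 1024 -> %d\n", try_name_of_length(1024));
    return 0;
}
```

The length check is done in wide characters rather than bytes, which matters for a Unicode filename: a 1024-byte payload is 512 wchar_t values, and a byte-based limit on the same buffer would accept twice as many characters as actually fit.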


Security Risk:
==============
The security risk of the local stack buffer overflow vulnerability in the EasyBoot software is estimated as high.


Credits & Authors:
==================
Vulnerability-Lab [[email protected]] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab 
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits 
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do 
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com				www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com	paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 			youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	vulnerability-lab.com/rss/rss_upcoming.php 	vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	vulnerability-lab.com/register.php  vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial use, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the Vulnerability-Lab team and the specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.

				    Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™
