Document Title:
===============
XTB Trade Brokers v4.x - Critical Pointer Vulnerability
Release Date:
=============
2011-07-28
Vulnerability Laboratory ID (VL-ID):
====================================
41
Product & Service Introduction:
===============================
XTB4 is one of the most famous online trading software packages for companies & private customers.
XTB Trader v4 is secure, available 24/7 & has very good management.
(Copy of the Vendor Homepage: http://www.xtb.de/)
Abstract Advisory Information:
==============================
The Vulnerability-Lab team discovered a critical pointer vulnerability in the XTB Trader software.
Vulnerability Disclosure Timeline:
==================================
2011-07-29: Public or Non-Public Disclosure
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A critical pointer vulnerability has been detected in xtb_v4.x. A local attacker can crash all running modules & the main software.
An attacker can use the vulnerability to crash/block this important service via a critical/invalid pointer corruption.
--- Exception Logs ---
There has been a critical error
Time : 2009.11.13 21:54
Program : MetaEditor
Version : 4.00 (build: 222, 16 Feb 2009)
OS : Windows Vista Professional 6.0 Service Pack 2 (Build 6002)
Processors : 2 x X86 (level 6)
Memory : 2086596/894952 kb
Exception : C0000005
Address : 0034716D
Access Type : read
Access Addr : 0034716D
Registers : EAX=00000000 CS=001b EIP=0034716D EFLGS=00010206
: EBX=00000111 SS=0023 ESP=0012F210 EBP=0012F218
: ECX=0012EDB0 DS=0023 ESI=00000001 FS=003b
: EDX=00317F37 ES=0023 EDI=00000000 GS=0000
Stack Trace : 6C4340DD 6C42C1AB 6C4118CE 6C411161
: 6C40E01E 6C40FB55 6C40FC89 6C4B903A
: 766FFD72 766FFE4A 766F9D6A 766F9F8D
: 77D35DAE 76700B36 7516B4B2 7516B514
Modules :
1 : 00400000 000ED000 c:\program files\xtb-trader 4\metaeditor.exe
2 : 6A5A0000 005AD000 c:\windows\system32\mshtml.dll
3 : 6C3E0000 0011B000 c:\windows\system32\mfc42.dll
4 : 6C950000 00060000 c:\program files\common files\microsoft shared\ink\tiptsf.dll
5 : 6CE00000 00065000 c:\windows\system32\odbc32.dll
6 : 6E2B0000 00223000 c:\windows\system32\networkexplorer.dll
7 : 6F240000 00A93000 c:\windows\system32\ieframe.dll
8 : 6FF10000 00030000 c:\windows\system32\mlang.dll
9 : 70080000 0004A000 c:\windows\system32\ntshrui.dll
10 : 70630000 0003C000 c:\windows\system32\msshsq.dll
11 : 70810000 00146000 c:\windows\system32\browseui.dll
12 : 70960000 00108000 c:\windows\system32\shdocvw.dll
13 : 70A80000 00053000 c:\windows\system32\actxprxy.dll
14 : 71250000 0001F000 c:\windows\system32\ehstorshell.dll
15 : 71320000 000F4000 c:\windows\system32\windowscodecs.dll
16 : 71480000 0000B000 c:\windows\system32\cscapi.dll
17 : 71D30000 00038000 c:\windows\system32\odbcint.dll
18 : 73FF0000 00007000 c:\windows\system32\midimap.dll
19 : 741F0000 00014000 c:\windows\system32\msacm32.dll
20 : 74210000 00066000 c:\windows\system32\audioeng.dll
21 : 74280000 00021000 c:\windows\system32\audioses.dll
22 : 744C0000 0002F000 c:\windows\system32\wdmaud.drv
23 : 74510000 00009000 c:\windows\system32\msacm32.drv
24 : 74610000 00004000 c:\windows\system32\ksuser.dll
25 : 747C0000 00029000 c:\windows\system32\msls31.dll
26 : 747F0000 00016000 c:\windows\system32\thumbcache.dll
27 : 74940000 0000B000 c:\windows\system32\msimtf.dll
28 : 749A0000 000BB000 c:\windows\system32\propsys.dll
29 : 74C30000 00007000 c:\windows\system32\avrt.dll
30 : 74C80000 00028000 c:\windows\system32\mmdevapi.dll
31 : 74CD0000 0003D000 c:\windows\system32\oleacc.dll
32 : 74D10000 00032000 c:\windows\system32\winmm.dll
33 : 750D0000 0019E000 c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
34 : 753A0000 00030000 c:\windows\system32\duser.dll
35 : 753D0000 0003F000 c:\windows\system32\uxtheme.dll
36 : 754D0000 0002D000 c:\windows\system32\wintrust.dll
37 : 75590000 00005000 c:\windows\system32\msimg32.dll
38 : 756A0000 00021000 c:\windows\system32\ntmarta.dll
39 : 75720000 0003B000 c:\windows\system32\rsaenh.dll
40 : 75A10000 00008000 c:\windows\system32\version.dll
41 : 75C60000 0003A000 c:\windows\system32\slc.dll
42 : 75CA0000 000F2000 c:\windows\system32\crypt32.dll
43 : 75E10000 00012000 c:\windows\system32\msasn1.dll
44 : 75E30000 00011000 c:\windows\system32\samlib.dll
45 : 75F20000 00076000 c:\windows\system32\netapi32.dll
46 : 76150000 0005F000 c:\windows\system32\sxs.dll
47 : 761B0000 0002C000 c:\windows\system32\apphelp.dll
48 : 76210000 00014000 c:\windows\system32\secur32.dll
49 : 76230000 0001E000 c:\windows\system32\userenv.dll
50 : 76370000 00007000 c:\windows\system32\psapi.dll
51 : 76380000 000C6000 c:\windows\system32\advapi32.dll
52 : 76450000 0008D000 c:\windows\system32\oleaut32.dll
53 : 764E0000 00029000 c:\windows\system32\imagehlp.dll
54 : 76510000 0002D000 c:\windows\system32\ws2_32.dll
55 : 76540000 00132000 c:\windows\system32\urlmon.dll
56 : 76680000 00059000 c:\windows\system32\shlwapi.dll
57 : 766E0000 0009D000 c:\windows\system32\user32.dll
58 : 76780000 000C8000 c:\windows\system32\msctf.dll
59 : 76850000 000C3000 c:\windows\system32\rpcrt4.dll
60 : 76920000 0018A000 c:\windows\system32\setupapi.dll
61 : 76AB0000 0004B000 c:\windows\system32\gdi32.dll
62 : 76B00000 00073000 c:\windows\system32\comdlg32.dll
63 : 76B80000 0001E000 c:\windows\system32\imm32.dll
64 : 76BA0000 00084000 c:\windows\system32\clbcatq.dll
65 : 76C30000 001E8000 c:\windows\system32\iertutil.dll
66 : 76E20000 000DC000 c:\windows\system32\kernel32.dll
67 : 76F00000 00B10000 c:\windows\system32\shell32.dll
68 : 77A10000 00145000 c:\windows\system32\ole32.dll
69 : 77B60000 0007D000 c:\windows\system32\usp10.dll
70 : 77BE0000 000E6000 c:\windows\system32\wininet.dll
71 : 77CD0000 00127000 c:\windows\system32\ntdll.dll
72 : 77E00000 00003000 c:\windows\system32\normaliz.dll
73 : 77E10000 00006000 c:\windows\system32\nsi.dll
74 : 77E20000 00049000 c:\windows\system32\wldap32.dll
75 : 77E70000 000AA000 c:\windows\system32\msvcrt.dll
76 : 77F20000 00009000 c:\windows\system32\lpk.dll
Call stack :
00434F00:0067 [00434F67] ?CreateFileA@CNewFolderDlg (metaeditor.exe)
Screens:
../crash.png
../analyze.png
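How to read the exception log above: the faulting address 0034716D is at once the EIP and the address being read, and no entry in the module table covers it, which is why the debugger output further down classifies the crash as BAD_INSTRUCTION_PTR rather than an ordinary fault inside known code. The following C program is an added example, not part of the advisory and not XTB or MetaEditor code: it parses a constructed excerpt of that log (the header lines plus five of the module lines reproduced above) and performs exactly that range check, so a triager can tell a corrupted instruction pointer apart from a bad data pointer before opening a debugger.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry of the "Modules :" table: load base, image size, path. */
struct module_range {
    uint32_t base;
    uint32_t size;
    char path[128];
};

enum fault_class {
    FAULT_NONE,          /* no "Address :" line found in the log */
    FAULT_IN_MODULE,     /* EIP lies inside a loaded module: crash in known code */
    FAULT_BAD_IP,        /* EIP == access address and outside every module:
                            the instruction pointer itself is corrupt */
    FAULT_BAD_DATA_PTR   /* EIP unmapped but different from the access address */
};

struct triage {
    uint32_t fault_ip;
    uint32_t access_addr;
    struct module_range mods[32];
    size_t nmods;
    int ip_module;       /* index into mods, or -1 when EIP is in no module */
    enum fault_class cls;
};

/* Constructed excerpt of the advisory's exception log (a subset of its
   module table), embedded so the example runs offline. */
static const char *LOG_EXCERPT[] = {
    "Exception : C0000005",
    "Address : 0034716D",
    "Access Type : read",
    "Access Addr : 0034716D",
    "Modules :",
    "1 : 00400000 000ED000 c:\\program files\\xtb-trader 4\\metaeditor.exe",
    "3 : 6C3E0000 0011B000 c:\\windows\\system32\\mfc42.dll",
    "57 : 766E0000 0009D000 c:\\windows\\system32\\user32.dll",
    "66 : 76E20000 000DC000 c:\\windows\\system32\\kernel32.dll",
    "71 : 77CD0000 00127000 c:\\windows\\system32\\ntdll.dll",
};
#define LOG_EXCERPT_LEN (sizeof LOG_EXCERPT / sizeof LOG_EXCERPT[0])

/* Parse one "N : BASE SIZE path" line; returns 1 on success, 0 otherwise. */
int parse_module_line(const char *line, struct module_range *out)
{
    unsigned idx, base, size;
    char path[128];
    if (sscanf(line, "%u : %x %x %127[^\n]", &idx, &base, &size, path) != 4)
        return 0;
    out->base = base;
    out->size = size;
    strncpy(out->path, path, sizeof out->path - 1);
    out->path[sizeof out->path - 1] = '\0';
    return 1;
}

/* Index of the module whose [base, base+size) range contains addr, or -1. */
int find_module(const struct module_range *mods, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return (int)i;
    return -1;
}

/* Walk the log lines, collect EIP, access address and module table, and
   classify the fault the way the debugger bucket in the advisory does. */
enum fault_class triage_log(const char **lines, size_t nlines, struct triage *t)
{
    memset(t, 0, sizeof *t);
    t->ip_module = -1;
    int have_ip = 0;
    for (size_t i = 0; i < nlines; i++) {
        unsigned v;
        struct module_range m;
        if (sscanf(lines[i], "Address : %x", &v) == 1) {
            t->fault_ip = v;
            have_ip = 1;
        } else if (sscanf(lines[i], "Access Addr : %x", &v) == 1) {
            t->access_addr = v;
        } else if (t->nmods < 32 && parse_module_line(lines[i], &m)) {
            t->mods[t->nmods++] = m;
        }
    }
    if (!have_ip)
        return t->cls = FAULT_NONE;
    t->ip_module = find_module(t->mods, t->nmods, t->fault_ip);
    if (t->ip_module >= 0)
        t->cls = FAULT_IN_MODULE;
    else if (t->fault_ip == t->access_addr)
        t->cls = FAULT_BAD_IP;
    else
        t->cls = FAULT_BAD_DATA_PTR;
    return t->cls;
}

int main(void)
{
    struct triage t;
    enum fault_class c = triage_log(LOG_EXCERPT, LOG_EXCERPT_LEN, &t);
    printf("EIP %08X, access %08X, %zu modules parsed, class %d\n",
           t.fault_ip, t.access_addr, t.nmods, (int)c);
    if (t.ip_module < 0)
        printf("EIP is outside every loaded module: control flow reached an invalid pointer\n");
    else
        printf("EIP inside %s\n", t.mods[t.ip_module].path);
    return 0;
}
```

For the excerpt the result is FAULT_BAD_IP, matching the IP_ON_HEAP / BAD_INSTRUCTION_PTR lines in the debug log below; the same check run over the stack-trace entries (6C4340DD and friends) places them inside mfc42.dll, which is consistent with the crash originating in an MFC dialog callback.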
Proof of Concept (PoC):
=======================
The critical pointer vulnerability/bug can be exploited or reproduced by local attackers. For demonstration or reproduction ...
1. Install & start up the XTB Broker Software
2. Start the MetaEditor from the top bar
3. Right-click on the white area of the right-hand window
4. Create File/Datei & enter a zero-length (empty) string as the name, leaving the field blank, + save
5. The program services crash critically directly after execution (unhandled exceptions)
Information: To analyse the bug, attach a debugger to MetaEditor.exe in the same program folder and catch all exceptions.
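The trigger in step 4 is an empty file name reaching the dialog's file-creation path (the call stack names CreateFileA in CNewFolderDlg). The advisory does not disclose the actual code, so the following C program is a hypothetical, added example of the defensive pattern a vendor fix would take, not MetaEditor's own code: the name entered in the dialog is validated for NULL, emptiness, length and path characters before any path is built or any file API is called, and on rejection the output buffer is left empty so a caller cannot pass a half-built path onward. The names MAX_NAME_LEN, validate_new_file_name and build_new_file_path are assumptions, as are the sample inputs.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validation layer for a "new file" dialog (added example; the
   advisory does not disclose MetaEditor's actual code).  The crash is
   triggered by saving with an empty name, so every rejection below happens
   before any path is built or any file API is called. */

#define MAX_NAME_LEN 255   /* assumed single-component limit */

enum name_status {
    NAME_OK = 0,
    NAME_NULL,       /* no buffer at all (e.g. the dialog returned NULL) */
    NAME_EMPTY,      /* zero-length or whitespace-only name */
    NAME_TOO_LONG,   /* longer than MAX_NAME_LEN, or the joined path overflows */
    NAME_BAD_CHAR    /* path separators, drive colon or control characters */
};

enum name_status validate_new_file_name(const char *name)
{
    if (name == NULL)
        return NAME_NULL;

    size_t len = 0;
    while (len <= MAX_NAME_LEN && name[len] != '\0')   /* bounded scan */
        len++;
    if (len > MAX_NAME_LEN)
        return NAME_TOO_LONG;

    size_t non_space = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '\\' || c == '/' || c == ':' || iscntrl(c))
            return NAME_BAD_CHAR;
        if (!isspace(c))
            non_space++;
    }
    return non_space == 0 ? NAME_EMPTY : NAME_OK;
}

/* Join dir and name into out only after the name passes validation.  On any
   rejection out is left as an empty string so a caller cannot accidentally
   hand a half-built path to a file-creation routine such as CreateFileA. */
enum name_status build_new_file_path(const char *dir, const char *name,
                                     char *out, size_t out_len)
{
    if (out == NULL || out_len == 0)
        return NAME_NULL;
    out[0] = '\0';

    enum name_status st = validate_new_file_name(name);
    if (st != NAME_OK)
        return st;
    if (dir == NULL)
        return NAME_NULL;

    int n = snprintf(out, out_len, "%s\\%s", dir, name);
    if (n < 0 || (size_t)n >= out_len) {   /* truncated: never use it */
        out[0] = '\0';
        return NAME_TOO_LONG;
    }
    return NAME_OK;
}

int main(void)
{
    /* Constructed dialog inputs; the third is the empty name from the PoC. */
    const char *inputs[] = { "report.mq4", "   ", "", "..\\evil.mq4", NULL };
    char path[64];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        enum name_status st = build_new_file_path("C:\\Program Files\\XTB-Trader 4",
                                                  inputs[i], path, sizeof path);
        printf("input %-14s -> status %d, path \"%s\"\n",
               inputs[i] ? inputs[i] : "(NULL)", (int)st, path);
    }
    return 0;
}
```

The bounded length scan matters as much as the empty check: a name buffer that is not NUL-terminated would otherwise be read past its end by strlen, and the truncation test on snprintf closes the remaining way for an oversized name to produce a path that is silently wrong.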
--- Debug Logs ---
FAULTING_IP:
+5c
0034716d ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0034716d
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0034716d
Attempt to read from address 0034716d
FAULTING_THREAD: 0000091c
PROCESS_NAME: image00400000
FAULTING_MODULE: 77cd0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: ec000
ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx.
Der Vorgang %s konnte nicht im Speicher durchgeführt werden.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx.
Der Vorgang %s konnte nicht im Speicher durchgeführt werden.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 0034716d
READ_ADDRESS: 0034716d
FOLLOWUP_IP:
+5c
0034716d ?? ???
FAILED_INSTRUCTION_ADDRESS:
+5c
0034716d ?? ???
IP_ON_HEAP: 0034716d
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
IP_IN_FREE_BLOCK: 34716d
STACK_ADDR_RAW_STACK_SYMBOL: 12f528
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols. ;
Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[ffffffff]
LAST_CONTROL_TRANSFER: from 00000000 to 0034716d
BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_WRONG_SYMBOLS_STACKIMMUNE
PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR_STACKIMMUNE
DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR_STACKIMMUNE
STACK_TEXT:
00000000 image00400000+0x0
SYMBOL_NAME: image00400000
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: image00400000
IMAGE_NAME: C:\Program Files\XTB-Trader 4\MetaEditor.exe
STACK_COMMAND: ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_STACKIMMUNE_c0000005_C:_Program_Files_XTB-Trader_4_MetaEditor.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_WRONG_SYMBOLS_STACKIMMUNE_BAD_IP_image00400000
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/image00400000/4_0_2_22/___ec000/unknown/0_0_0_0/bbbbbbb4/c0000005/0034716d.htm?Retriage=1
Followup: MachineOwner
Security Risk:
==============
The security risk of the pointer vulnerability is estimated as high.
Credits & Authors:
==================
Vulnerability Research Laboratory
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: [email protected] - [email protected] - [email protected]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright © 2012 | Vulnerability Laboratory