iGuard V2.81 Player - Critical Pointer Vulnerability

Document Title:
===============
iGuard V2.81 Player - Critical Pointer Vulnerability



Release Date:
=============
2011-08-06


Vulnerability Laboratory ID (VL-ID):
====================================
106


Product & Service Introduction:
===============================
The ability to provide your customers with tailor-made solutions represents considerable added value, both for you and for
your customers. This, paired with low base costs and minimal service costs thanks to high stability and availability, is
what makes iGuard® so attractive. Its design as an open kit solution makes iGuard exceptionally modular, especially
in its latest version. Configurations ranging from single-camera surveillance via notebook and IP camera through to
decentralized multi-server solutions can be realized cost-effectively!

(Copy of the Vendor Homepage: http://www.iguard.de/index.php?u_=)


Abstract Advisory Information:
==============================
The Vulnerability-Lab Team discovered a critical pointer vulnerability in the iGuard Surveillance Software Player.


Vulnerability Disclosure Timeline:
==================================
2011-08-07:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local pointer vulnerability was detected in the iGuard Player V2.81 software.
Local attackers can include/insert a JPG file with a specific size to reliably crash the player and the viewer software.
An invalid pointer write crashes the client software and results in a critical, unhandled software exception.

Vulnerable Module(s): 
			                            [+] JPG Convert (SIZE)
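
The advisory ties the crash to the dimensions of the JPG but gives no root cause. As an added example (not code from the advisory or the vendor), a pre-decode check that reads the declared dimensions from the start-of-frame segment and rejects images above a policy cap before any buffer is sized. `MAX_DIM`, the function names and the sample headers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed policy cap for this example; not a value from the advisory or vendor. */
#define MAX_DIM 2048u

/* Constructed sample headers (SOI + SOF0 segment only), not real image files. */
static const uint8_t HDR_640x480[] = {0xFF,0xD8, 0xFF,0xC0, 0x00,0x11, 0x08,
    0x01,0xE0, 0x02,0x80, 0x03, 1,0x22,0, 2,0x11,1, 3,0x11,1};
static const uint8_t HDR_3270x2340[] = {0xFF,0xD8, 0xFF,0xC0, 0x00,0x11, 0x08,
    0x09,0x24, 0x0C,0xC6, 0x03, 1,0x22,0, 2,0x11,1, 3,0x11,1};

/* Walk the marker segments to the start-of-frame header and read its fields.
 * Returns 0 on success, -1 if the header is truncated or malformed. */
static int jpeg_read_dims(const uint8_t *b, size_t len, unsigned *w, unsigned *h, unsigned *c)
{
    if (len < 4 || b[0] != 0xFF || b[1] != 0xD8) return -1;   /* no SOI */
    size_t pos = 2;
    while (pos + 4 <= len) {
        if (b[pos] != 0xFF) return -1;
        uint8_t m = b[pos + 1];
        if (m == 0xFF) { pos++; continue; }                   /* fill byte */
        if (m == 0xD9 || m == 0xDA) return -1;                /* EOI/SOS before SOF */
        size_t seg = ((size_t)b[pos + 2] << 8) | b[pos + 3];  /* length counts itself */
        if (seg < 2 || seg > len - pos - 2) return -1;        /* segment must fit input */
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            if (seg < 8) return -1;                           /* too short for SOF fields */
            *h = ((unsigned)b[pos + 5] << 8) | b[pos + 6];
            *w = ((unsigned)b[pos + 7] << 8) | b[pos + 8];
            *c = b[pos + 9];
            return 0;
        }
        pos += 2 + seg;                                       /* skip non-SOF segment */
    }
    return -1;
}

/* Returns the decoded buffer size in bytes, -1 for a malformed header,
 * or -2 when the declared dimensions exceed the policy cap. */
int64_t jpeg_precheck(const uint8_t *b, size_t len)
{
    unsigned w, h, c;
    if (jpeg_read_dims(b, len, &w, &h, &c) != 0) return -1;
    if (w == 0 || h == 0 || (c != 1 && c != 3 && c != 4)) return -1;
    if (w > MAX_DIM || h > MAX_DIM) return -2;
    return (int64_t)w * h * c;                                /* 64-bit product, no wrap */
}

int main(void) { return jpeg_precheck(HDR_3270x2340, sizeof HDR_3270x2340) == -2 ? 0 : 1; }
```

The cap belongs at the point where untrusted images enter the application, so the decoder never sees dimensions it was not sized for.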


--- Exception Logs ---
(d88.c44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0ae95628 ebx=00388684 ecx=000002c0 edx=00000000 esi=003891c4 edi=003875a0
eip=004744a1 esp=0018af64 ebp=00000003 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x744a1:
004744a1 0f6e08          movd    mm1,dword ptr [eax]  ds:002b:0ae95628=????????


References:
			../Pictures/1.png
			../Pictures/2.png


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers & privileged user accounts. For demonstration or reproduce ...


../ge-sizer.jpg   (white)


Type: 		   JPG
SIZE: 		   3270x2340
Horizontal resolution: 762 dpi
Vertical resolution:   762 dpi
Bit depth:             24
Resolution unit:       3
Color representation:  Uncalibrated
Created with:          Adobe Photoshop CS Wi




--- Debug Logs ---

FAULTING_IP: 
image00400000+744a1
004744a1 0f6e08          movd    mm1,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004744a1 (image00400000+0x000744a1)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0ae95628
Attempt to read from address 0ae95628

FAULTING_THREAD:  00000c44
--
DEBUG_FLR_IMAGE_TIMESTAMP:  4a4315f3

MODULE_NAME: image00400000

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0ae95628

READ_ADDRESS:  0ae95628 

FOLLOWUP_IP: 
image00400000+744a1
004744a1 0f6e08          movd    mm1,dword ptr [eax]

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 00459cf2 to 004744a1

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0018af70 00459cf2 0ae95628 000002c0 00000003 image00400000+0x744a1
0018afc4 0043f541 023d0020 40000060 0018b1d0 image00400000+0x59cf2
0018afe0 00455ada 098b0020 023d0020 00002658 image00400000+0x3f541
0018b03c 775074fc 775074cb c0001cbf 0018b178 image00400000+0x55ada
0018b074 72722a9f 00000001 727603a8 72722ad4 USER32!GetSystemMetrics+0x95
0018b080 72722ad4 00000000 00000000 00000cc5 UxTheme!Ordinal43+0xda
0018b0f0 72729165 098b0020 023d0020 01ff82c0 UxTheme!Ordinal43+0x10f
0018b158 77509b79 00000008 00000001 003891c0 UxTheme!GetThemeTextExtent+0x767
0018b1c0 004589ef 03000000 0018b114 0018b6a8 USER32!PostThreadMessageW+0xd0b
0018b6a0 00450dde 00000924 00450dde 003873e0 image00400000+0x589ef
0018b708 00411557 003873e0 003874e0 000002c0 image00400000+0x50dde
0018b734 004364fc 00385ab8 00000001 0018cab8 image00400000+0x11557
00000000 00000000 00000000 00000000 00000000 image00400000+0x364fc


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+744a1

FOLLOWUP_NAME:  MachineOwner

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\Windows\IgdPlay.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_C:_Windows_IgdPlay.exe!Unknown



--- Error Logs ---

Version=1
EventType=APPCRASH
EventTime=129213639543642416
ReportType=2
Consent=1
UploadTime=129213639546342571
ReportIdentifier=1ac52f96-7b12-11df-acc3-ae273d9a95c4
IntegratorReportIdentifier=1ac52f95-7b12-11df-acc3-ae273d9a95c4
WOW64=1
Response.BucketId=1921967623
Response.BucketTable=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=IgdPlay.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=2.81.0.1
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4a4315f3
Sig[3].Name=Fehlermodulname
Sig[3].Value=IgdPlay.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=2.81.0.1
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4a4315f3
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=000744a1
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=84de
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=84de4ddbde4d001d772b9f727d72513e
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=635a
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=635a9842e8048817d962f3f94cc1ac2f
UI[2]=C:\Windows\IgdPlay.exe
UI[3]=iGuard Player funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
...
State[0].Key=Transport.DoneStage1
State[0].Value=1
State[1].Key=DataRequest
State[1].Value=Bucket=1921967623/nBucketTable=1/nResponse=1/n
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=iGuard Player
AppPath=C:\Windows\IgdPlay.exe
...
State[0].Key=Transport.DoneStage1
State[0].Value=1
File[0].CabName=WERInternalMetadata.xml
File[0].Path=WER8634.tmp.WERInternalMetadata.xml
File[0].Flags=65538
File[0].Type=5
File[0].Original.Path=C:\Users\Rem0ve\AppData\Local\Temp\WER8634.tmp.WERInternalMetadata.xml
File[1].CabName=AppCompat.txt
File[1].Path=WER12E9.tmp.appcompat.txt
File[1].Flags=65538
File[1].Type=5
File[1].Original.Path=C:\Users\Rem0ve\AppData\Local\Temp\WER12E9.tmp.appcompat.txt
File[2].CabName=memory.hdmp
File[2].Path=WER1329.tmp.hdmp
File[2].Flags=2097152
File[2].Type=3
File[2].Original.Path=C:\Users\Rem0ve\AppData\Local\Temp\WER1329.tmp.hdmp
File[3].CabName=minidump.mdmp
File[3].Path=WER14FE.tmp.mdmp
File[3].Flags=2162690
File[3].Type=2
File[3].Original.Path=C:\Users\Rem0ve\AppData\Local\Temp\WER14FE.tmp.mdmp
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=iGuard Player
AppPath=C:\Windows\IgdPlay.exe


Security Risk:
==============
The security risk of the local vulnerability is estimated as medium.


Credits & Authors:
==================
Vulnerability Research Laboratory - N/A Anonymous


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory