GCI Trader MetaTrader v4.2.x - Null Pointer Vulnerability

2011-08-08T00:00:00
ID VULNERLAB:111
Type vulnerlab
Reporter Vulnerability Research Laboratory
Modified 2011-08-08T00:00:00

Description

                                        
Document Title:
===============
GCI Trader MetaTrader v4.2.x - Null Pointer Vulnerability



Release Date:
=============
2011-08-08


Vulnerability Laboratory ID (VL-ID):
====================================
111


Product & Service Introduction:
===============================
Market-leading online trading software from the company GCI Financial.

(Copy of the Vendor Homepage: http://www.gcitrading.com/german/software-download.htm)


Abstract Advisory Information:
==============================
The Vulnerability-Lab team discovered a null pointer dereference vulnerability in the GCI MetaTrader software v4.x for brokers. 


Vulnerability Disclosure Timeline:
==================================
2011-08-06:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================
GCI Trader MetaTrader v4.2.0 (fx_client.exe, file version 4.2.0.0)


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A null pointer dereference vulnerability was detected in the GCI Financial Trader software v4.2.0 (fx_client.exe, file version 4.2.0.0). 
A local attacker can crash the application with an access violation by triggering the bug in the Replace function of both script 
editors (Indicator Editor and Strategy Editor). The attached debugger logs show the faulting instruction at fx_client+0x555a, 
mov ecx,dword ptr [edx], executing with edx=00000000, i.e. a read from the null page (WinDbg classifies it as NULL_POINTER_READ 
with READ_ADDRESS 00000000). The logs show neither attacker control over the dereferenced pointer nor a write, so the demonstrated 
impact is a denial of service: the client crashes and is left in a broken state until it is repaired or reinstalled. Note that the 
Windows Error Reporting record below carries exception offset 006bee21, a different location than the fx_client+0x555a fault in the 
WinDbg session, so more than one crash site was recorded (see the several AppCrash reports listed under References).


Vulnerable Module(s): 
						[+] Indicator Editor / Strategy Editor   => Replace function
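The following C program is an added illustration and is not code from GCI or fx_client.exe (the client is closed source and the advisory 
contains no source for the editor's Replace routine). It shows an editor-style replace-all written in the unchecked shape the crash log 
suggests, trusting that the document buffer and search pattern are non-NULL, next to a hardened version that validates every pointer and 
its size arithmetic before touching memory. The struct editor_buf, all function names and the sample document text are assumptions made 
for this example.

```c
/* Added example, not code from GCI / fx_client.exe: an editor "replace all"
 * routine in the unchecked shape the crash suggests, beside a hardened one.
 * struct editor_buf, the function names and the sample text are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical editor document; text may be NULL when no file is open. */
struct editor_buf {
    char  *text;   /* NUL-terminated document text or NULL */
    size_t len;    /* strlen(text), 0 when text is NULL */
};

/* Vulnerable shape: assumes buf, buf->text and needle are all non-NULL.
 * A NULL in any of them becomes a read from address 0, the same class of
 * fault as "mov ecx,dword ptr [edx]" with edx=0 in the advisory's log.
 * Kept only for comparison; never call it with a NULL argument. */
size_t count_matches_unchecked(const struct editor_buf *buf, const char *needle)
{
    size_t n = 0, nl = strlen(needle);            /* faults if needle == NULL */
    const char *p = buf->text;                    /* faults if buf == NULL */
    while ((p = strstr(p, needle)) != NULL) {     /* faults if text == NULL */
        n++;
        p += nl;
    }
    return n;
}

/* Hardened replace-all. Every pointer is validated, an empty needle is
 * rejected (strstr would match at every position and never advance), and
 * the output size is computed with overflow checks. Returns a malloc'd
 * string the caller frees, or NULL on invalid input / allocation failure. */
char *replace_all_checked(const struct editor_buf *buf,
                          const char *needle, const char *repl)
{
    if (buf == NULL || buf->text == NULL || needle == NULL || repl == NULL)
        return NULL;
    size_t nl = strlen(needle), rl = strlen(repl);
    if (nl == 0)
        return NULL;

    size_t len = strlen(buf->text), matches = 0;
    for (const char *p = buf->text; (p = strstr(p, needle)) != NULL; p += nl)
        matches++;

    /* out_len = len - matches*nl + matches*rl, checked step by step */
    if (matches != 0 && rl > SIZE_MAX / matches)
        return NULL;                               /* matches*rl overflows */
    size_t grow = matches * rl;
    size_t out_len = len - matches * nl;           /* matches*nl <= len */
    if (grow > SIZE_MAX - 1 - out_len)
        return NULL;                               /* +grow (+NUL) overflows */
    out_len += grow;

    char *out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;

    char *w = out;
    const char *r = buf->text;
    for (const char *m; (m = strstr(r, needle)) != NULL; r = m + nl) {
        size_t seg = (size_t)(m - r);
        memcpy(w, r, seg);    w += seg;   /* text before the match */
        memcpy(w, repl, rl);  w += rl;    /* the replacement */
    }
    strcpy(w, r);                          /* tail after the last match + NUL */
    return out;
}

/* Convenience wrapper for demonstration: run replace_all_checked on a
 * constructed document and compare with the expected text. Returns 1 when
 * the result equals expected (expected == NULL meaning "must be rejected"),
 * 0 otherwise. */
int replace_matches(const char *text, const char *needle,
                    const char *repl, const char *expected)
{
    struct editor_buf doc = { (char *)text, text ? strlen(text) : 0 };
    char *out = replace_all_checked(&doc, needle, repl);
    if (out == NULL)
        return expected == NULL;
    int ok = (expected != NULL) && strcmp(out, expected) == 0;
    free(out);
    return ok;
}

int main(void)
{
    /* Constructed sample standing in for an open indicator/strategy source. */
    struct editor_buf doc = { "int OnInit(); int OnTick();", 0 };
    doc.len = strlen(doc.text);
    struct editor_buf closed = { NULL, 0 };        /* editor with no file open */

    printf("matches of \"int\": %zu\n", count_matches_unchecked(&doc, "int"));
    char *out = replace_all_checked(&doc, "int", "long");
    printf("checked replace: %s\n", out ? out : "(rejected)");
    free(out);
    /* The checked version refuses the closed editor instead of faulting. */
    printf("replace on closed editor: %s\n",
           replace_all_checked(&closed, "int", "long") ? "ok" : "(rejected)");
    return 0;
}
```

The hardened variant turns the three conditions that would fault in the unchecked version (no document open, missing search text, missing 
replacement) into an error return, and additionally guards the two arithmetic corner cases a replace routine tends to get wrong: an empty 
search string, which would loop without advancing, and a replacement that makes the result larger than the allocation can express.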


--- Exception Log ---
(1124.1380): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=010d3ca8 ebx=004057b6 ecx=0018dc00 edx=00000000 esi=00000000 edi=0018e090
eip=0040555a esp=0018dc10 ebp=0018e0a8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
*** ERROR: Module load completed but symbols could not be loaded for C:\Users\Rem0ve\AppData\Roaming\GCI \APP#E59DADAA\fx_client.exe
fx_client+0x555a:
0040555a 8b0a            mov     ecx,dword ptr [edx]  ds:002b:00000000=????????
0:000> !exchain
0018e090: fx_client+558f (0040558f)
0018e578: fx_client+5180 (00405180)
0018eb6c: fx_client+5180 (00405180)
0018f13c: fx_client+5180 (00405180)
0018ff78: fx_client+5680 (00405680)
--
0:000> gn
(1124.1380): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=010d3ca8 ebx=004057b6 ecx=0018dc00 edx=00000000 esi=00000000 edi=0018e090
eip=0040555a esp=0018dc10 ebp=0018e0a8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
fx_client+0x555a:
0040555a 8b0a            mov     ecx,dword ptr [edx]  ds:002b:00000000=????????
0:000> gn
(1124.1380): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=010d3ca8 ebx=004057b6 ecx=0018dc00 edx=00000000 esi=00000000 edi=0018e090
eip=0040555a esp=0018dc10 ebp=0018e0a8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
fx_client+0x555a:
0040555a 8b0a            mov     ecx,dword ptr [edx]  ds:002b:00000000=????????




--- Debugger Log ---
FAULTING_IP: 
fx_client+555a
0040555a 8b0a            mov     ecx,dword ptr [edx]

EXCEPTION_RECORD:  0018f628 -- (.exr 0x18f628)
ExceptionAddress: 00432ff3 (fx_client+0x00032ff3)
   ExceptionCode: 0018ff88
  ExceptionFlags: 00b443bd
NumberParameters: 112659296
   Parameter[0]: 0018f73c
   Parameter[1]: 0018f668
   Parameter[2]: 0018f674
   Parameter[3]: 00000000
   Parameter[4]: 00000000
   Parameter[5]: 00000000
   Parameter[6]: 77c98799
   Parameter[7]: 0018f73c
   Parameter[8]: 0018ff50
   Parameter[9]: 0018f78c
   Parameter[10]: 0018f710
   Parameter[11]: 0018fea8
   Parameter[12]: 77c987ad
   Parameter[13]: 0018ff50
   Parameter[14]: 0018f724

FAULTING_THREAD:  00001380
PROCESS_NAME:  fx_client.exe
FAULTING_MODULE: 772e0000 kernel32
DEBUG_FLR_IMAGE_TIMESTAMP:  4c249454
MODULE_NAME: fx_client
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  00000000
READ_ADDRESS:  00000000 

FOLLOWUP_IP: 
fx_client+555a
0040555a 8b0a            mov     ecx,dword ptr [edx]

CONTEXT:  004053b0 -- (.cxr 0x4053b0)
Unable to get program counter
eax=b4502c3d ebx=3d8012eb ecx=80097601 edx=00b45030 esi=0424448b edi=7c7400f8
eip=02044883 esp=82685000 ebp=d9760000 iopl=2 vip     nv dn di pl zr ac pe nc
cs=5756  ss=0010  ds=ffbf  es=5004  fs=8d15  gs=00b4             efl=6a142454
5756:4883 ??              ???
Resetting default scope

BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ
DEFAULT_BUCKET_ID:  NULL_POINTER_READ
LAST_CONTROL_TRANSFER:  from 00000000 to 02044883

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0018e0a8 004057bb 0018e598 009684ec 033715c8 fx_client+0x555a
0018e590 004057bb 0018eb8c 005c872e 02fcfb78 fx_client+0x57bb
0018eb84 004057bb 00000000 00432f8e 04a89be0 fx_client+0x57bb
0018f154 00405ba2 0018f1a0 00000000 06de4ab0 fx_client+0x57bb
0018f1a0 77c9876b 0018f268 0018ff78 0018f2b8 fx_client+0x5ba2
0018f250 77c5010f 0018f268 0018f2b8 0018f268 ntdll!LdrRemoveLoadAsDataTable+0x459
0018f5b0 00a3c156 0018ff50 004053b0 0018f628 ntdll!KiUserExceptionDispatcher+0xf
0018f628 00b443bd 00000000 00432ff3 06b70b60 fx_client+0x63c156
0018ff88 772f3677 7efde000 0018ffd4 77c79d42 fx_client+0x7443bd
0018ff94 77c79d42 7efde000 770e7eb1 00000000 kernel32!BaseThreadInitThunk+0x12
0018ffd4 77c79d15 00401000 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0018ffec 00000000 00401000 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x36


STACK_COMMAND:  .cxr 004053B0 ; kb ; ~0s ; kb
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  fx_client+555a
FOLLOWUP_NAME:  MachineOwner
BUCKET_ID:  WRONG_SYMBOLS
WATSON_IBUCKET:  1954780755
WATSON_IBUCKETTABLE:  1
IMAGE_NAME:  C:\Users\Rem0ve\AppData\Roaming\GCI Demo\APP#E59DADAA\fx_client.exe
FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_C:_Users_Rem0ve_AppData_Roaming_GCI_Demo_APP#E59DADAA_fx_client.exe!Unknown
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/fx_client_exe/4_2_0_0/4c249454/fx_client_exe/4_2_0_0/4c249454/c0000005/0000555a.htm?Retriage=1
Followup: MachineOwner


0:000> .cxr 0x4053b0
Unable to get program counter
eax=b4502c3d ebx=3d8012eb ecx=80097601 edx=00b45030 esi=0424448b edi=7c7400f8
eip=02044883 esp=82685000 ebp=d9760000 iopl=2 vip     nv dn di pl zr ac pe nc
cs=5756  ss=0010  ds=ffbf  es=5004  fs=8d15  gs=00b4             efl=6a142454
5756:4883 ??              ???
0:000> lmvm fx_client
start    end        module name
00400000 00fb6000   fx_client   (no symbols)           
    Loaded symbol image file: C:\Users\Rem0ve\AppData\Roaming\GCI \APP#E59DADAA\fx_client.exe
    Image path: C:\Users\Rem0ve\AppData\Roaming\GCI Demo\APP#E59DADAA\fx_client.exe
    Image name: fx_client.exe
    Timestamp:        Fri Jun 25 13:34:44 2010 (4C249454)
    CheckSum:         00375E85
    ImageSize:        00BB6000
    File version:     4.2.0.0
    Product version:  4.2.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      ACT Forex
    ProductName:      
    InternalName:     
    OriginalFilename: 
    ProductVersion:   1.0.0.0
    FileVersion:      4.2.0.0
    FileDescription:  Forex trading application
    LegalCopyright:   
    LegalTrademarks:  
0:000> .exr 0x18f628
ExceptionAddress: 00432ff3 (fx_client+0x00032ff3)
   ExceptionCode: 0018ff88
  ExceptionFlags: 00b443bd
NumberParameters: 112659296
   Parameter[0]: 0018f73c
   Parameter[1]: 0018f668
   Parameter[2]: 0018f674
   Parameter[3]: 00000000
   Parameter[4]: 00000000
   Parameter[5]: 00000000
   Parameter[6]: 77c98799
   Parameter[7]: 0018f73c
   Parameter[8]: 0018ff50
   Parameter[9]: 0018f78c
   Parameter[10]: 0018f710
   Parameter[11]: 0018fea8
   Parameter[12]: 77c987ad
   Parameter[13]: 0018ff50
   Parameter[14]: 0018f724



--- Crash Report Log ---

Version=1
EventType=APPCRASH
EventTime=129240264855389746
ReportType=2
Consent=1
UploadTime=129240264857769882
ReportIdentifier=4b06b15f-9349-11df-9ca3-b4718ce587c5
IntegratorReportIdentifier=4b06b15e-9349-11df-9ca3-b4718ce587c5
WOW64=1
Response.BucketId=1952508551
Response.BucketTable=1
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=fx_client.exe
Sig[1].Name=Application Version
Sig[1].Value=4.2.0.0
Sig[2].Name=Application Timestamp
Sig[2].Value=4c249454
Sig[3].Name=Fault Module Name
Sig[3].Value=fx_client.exe
Sig[4].Name=Fault Module Version
Sig[4].Value=4.2.0.0
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=4c249454
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=006bee21
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=9c34
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=9c348f452d4b0926ce70ba8ed7b65111
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=7d76
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=7d76cfc76e9d714cd4dc22a9a0b2120d
UI[2]=C:\Users\Rem0ve\AppData\Roaming\GCI Demo\APP#E59DADAA\fx_client.exe
UI[3]=Forex trading application has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution and close the program
UI[6]=Check online for a solution later and close the program
UI[7]=Close the program
LoadedModule[0]=C:\Users\Rem0ve\AppData\Roaming\GCI Demo\APP#E59DADAA\fx_client.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
LoadedModule[4]=C:\Windows\syswow64\oleaut32.dll
LoadedModule[5]=C:\Windows\syswow64\ole32.dll
LoadedModule[6]=C:\Windows\syswow64\msvcrt.dll
LoadedModule[7]=C:\Windows\syswow64\GDI32.dll
LoadedModule[8]=C:\Windows\syswow64\USER32.dll
LoadedModule[9]=C:\Windows\syswow64\ADVAPI32.dll
LoadedModule[10]=C:\Windows\SysWOW64\sechost.dll
LoadedModule[11]=C:\Windows\syswow64\RPCRT4.dll
LoadedModule[12]=C:\Windows\syswow64\SspiCli.dll
LoadedModule[13]=C:\Windows\syswow64\CRYPTBASE.dll
LoadedModule[14]=C:\Windows\syswow64\LPK.dll
LoadedModule[15]=C:\Windows\syswow64\USP10.dll
LoadedModule[16]=C:\Windows\system32\msimg32.dll
LoadedModule[17]=C:\Windows\system32\version.dll
LoadedModule[18]=C:\Windows\syswow64\shell32.dll
LoadedModule[19]=C:\Windows\syswow64\SHLWAPI.dll
LoadedModule[20]=C:\Windows\system32\wsock32.dll
LoadedModule[21]=C:\Windows\syswow64\WS2_32.dll
LoadedModule[22]=C:\Windows\syswow64\NSI.dll
LoadedModule[23]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
LoadedModule[24]=C:\Windows\syswow64\imm32.dll
LoadedModule[25]=C:\Windows\syswow64\MSCTF.dll
LoadedModule[26]=C:\Windows\syswow64\comdlg32.dll
LoadedModule[27]=C:\Windows\system32\winspool.drv
LoadedModule[28]=C:\Windows\system32\winmm.dll
LoadedModule[29]=C:\Windows\system32\ICMP.DLL
LoadedModule[30]=C:\Windows\system32\iphlpapi.DLL
LoadedModule[31]=C:\Windows\system32\WINNSI.DLL
LoadedModule[32]=C:\Windows\system32\SHFolder.dll
LoadedModule[33]=C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll
LoadedModule[34]=C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
LoadedModule[35]=C:\Windows\system32\uxtheme.dll
LoadedModule[36]=C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll
LoadedModule[37]=C:\Windows\system32\dwmapi.dll
LoadedModule[38]=C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
LoadedModule[39]=C:\Windows\system32\oleacc.dll
LoadedModule[40]=C:\Windows\system32\WindowsCodecs.dll
LoadedModule[41]=C:\Windows\system32\olepro32.dll
LoadedModule[42]=C:\Windows\syswow64\psapi.dll
LoadedModule[43]=C:\Windows\system32\netapi32.dll
LoadedModule[44]=C:\Windows\system32\netutils.dll
LoadedModule[45]=C:\Windows\system32\srvcli.dll
LoadedModule[46]=C:\Windows\system32\wkscli.dll
LoadedModule[47]=C:\Windows\system32\SAMCLI.DLL
LoadedModule[48]=C:\Windows\system32\BROWCLI.DLL
LoadedModule[49]=C:\Windows\system32\SCHEDCLI.DLL
LoadedModule[50]=C:\Windows\system32\LOGONCLI.DLL
LoadedModule[51]=C:\Windows\system32\cscapi.dll
LoadedModule[52]=C:\Windows\system32\dhcpcsvc.DLL
LoadedModule[53]=C:\Windows\system32\DNSAPI.dll
LoadedModule[54]=C:\Windows\system32\dhcpcsvc6.DLL
LoadedModule[55]=C:\Windows\syswow64\CLBCatQ.DLL
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Forex trading application
AppPath=C:\Users\Rem0ve\AppData\Roaming\GCI\APP#E59DADAA\fx_client.exe



Notice: after the crash the software is left in a broken state and needs a repair/recovery or a fresh installation.



References:

			[+] AppCrash_fx_client.exe_2071cd3f26fb41f39dd119842fa1546265dfd7e_0d10623e
			[+] AppCrash_fx_client.exe_2071cd3f26fb41f39dd119842fa1546265dfd7e_0edf88b2
			[+] AppCrash_fx_client.exe_2071cd3f26fb41f39dd119842fa1546265dfd7e_11f6c0a3
			[+] AppCrash_fx_client.exe_2071cd3f26fb41f39dd119842fa1546265dfd7e_13a3321a
			[+] AppCrash_fx_client.exe_2071cd3f26fb41f39dd119842fa1546265dfd7e_0590e919
			[+] some



			[+] Debug-Logs.txt
			[+] Exception_Log1.txt
			[+] Exception_Log2.txt
			[+] Exception_Log3.txt
			[+] Exception_Log4.txt


Proof of Concept (PoC):
=======================
The vulnerability can be triggered by local low-privileged user accounts and local attackers. 
For demonstration or reproduction ...

			User Name (Benutzername):   	demo756475
			Password (Passwort):   		7293
			Account Type:  			Demo CFD/Stock Trading




Pictures:
			../1.png
			../2.png
			../3.png
			../4.png
			../5.png
			../6.png


Security Risk:
==============
The security risk of the local null pointer dereference on Windows is estimated as medium; the demonstrated impact is a crash (denial of service) of the trading client.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory