Document Title:
===============
Axence nVision v4.1 - Memory Corruption Vulnerability
Release Date:
=============
2011-09-01
Vulnerability Laboratory ID (VL-ID):
====================================
6
Product & Service Introduction:
===============================
Proactive network monitoring, hardware and software inventory, user monitoring, protection against data leaks,
remote technical support – in one, centrally managed software! Network module monitors mail servers and Web
addresses, TCP/IP and Windows services, application status and operation, and switches and routers (port mapping
and network traffic). The network is automatically detected and presented on interactive maps. The inventory
module automatically collects the hardware and software information of Windows machines. It enables auditing and
the verification of license usage and offers information about program installation or configuration change.
(Copy of the Vendor Homepage: http://www.axencesoftware.com/index.php?action=nVision)
Abstract Advisory Information:
==============================
The Vulnerability-Lab Research Team discovered a memory corruption vulnerability in the Axence nVision 4 monitoring software.
Vulnerability Disclosure Timeline:
==================================
2011-09-01: Discovery by Vulnerability-Lab
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A memory corruption vulnerability was detected in the nVision monitoring software. A local attacker can create or
include specially crafted databases to trigger a stable memory corruption in the software. The bug is located in the
size restriction of the atlas name/description input. Successful exploitation results in a stable program crash
when the profile is displayed at software startup.
Vulnerable Module(s):
[+] Atlas Name Description
--- Error Logs ---
date/time : 2010-11-19, 22:27:12, 807ms
computer name : HOSTBUSTER
user name : Rem0ve <admin>
registered owner : Microsoft / Microsoft
operating system : Windows 7 Tablet PC x64 build 7600
system language : English
system up time : 20 days 7 hours
program up time : 7 minutes 26 seconds
processors : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory : 1628/4091 MB (free/total)
free disk space : (C:) 237,61 GB
display mode : 1366x768, 32 bit
process id : $ec8
allocated memory : 118,38 MB
executable : nVision.exe
exec. date/time : 2010-11-19 10:42
version : 4.1.7.6971
compiled with : Delphi 2009
madExcept version : 3.0k
callstack crc : $84cf47d3, $955de112, $276c9974
exception number : 1
exception class : EAccessViolation
exception message : Access violation at address 013B63AC in module 'nVision.exe'. Read of address 50534C99.
date/time : 2010-07-19, 22:29:11, 817ms
computer name : HOSTBUSTER
user name : Rem0ve <admin>
registered owner : Microsoft / Microsoft
operating system : Windows 7 Tablet PC x64 build 7600
system language : German
system up time : 20 days 7 hours
program up time : 9 minutes 25 seconds
processors : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory : 1576/4091 MB (free/total)
free disk space : (C:) 237,59 GB
display mode : 1366x768, 32 bit
process id : $ec8
allocated memory : 131,10 MB
executable : nVision.exe
exec. date/time : 2010-02-17 10:42
version : 4.1.7.6971
compiled with : Delphi 2009
madExcept version : 3.0k
callstack crc : $b1862999, $fcd5cb28, $c6969ef8
exception number : 3
exception message : The application seems to be frozen.
----
19.07.2010 22:20:07: Axence WatchDog Initialized
----
Date: 19.07.2010 22:48:07
Restarting application using:
Terminate action: TaxWatchDogCorrectiveActionHardTerminate
Corrective action: TaxWatchDogCorrectiveActionStartProcess
Debug informations:
Is Alive condition checker
--------------------------
Server process ID: 3784
Parameters:
Running as service: False
Service name: Axence nVision
Last tick: 1751043955
Configuration seconds: 1200
Seconds between: 1201
Memory usage condition checker
--------------------------
Couldn't get memory info
//----------------------- nvWMIProvider.exe [1.1.9.6004] / Started 19.03.2010 22:28:37
[2010-07-19 22:38:58.719]($00000BD8) nVision died - terminating...
--- Disassembling ---
[...]
00af390c 558 mov eax, esi
00af390e call -$463 ($af34b0) ; uProcessController.TProcessController.Kill
00af3913 mov ebx, eax
00af3915 jmp loc_af3921
00af3917 560 push $1f4
00af391c > call -$684175 ($46f7ac) ; SysUtils.Sleep
00af3921 559 mov eax, esi
00af3923 call -$48c ($af349c) ; uProcessController.TProcessController.IsRunning_
00af3928 test al, al
00af392a jnz loc_af3917
00af392c 561 mov eax, ebx
--- Debug Log ---
[2010-03-19 22:32:39.450]($000014F0) Duplicate exception filtered
[2010-03-19 22:32:39.750]($000014F0) Tvms_Monitor_Starting_Requests_Thread.ExecuteSlice: EXCEPTION:
Access violation at address 0139E130 in module 'nVision.exe'. Read of address 00000001
005d0374 nVision.exe uInvFatalError 525 +39 InvStdDebugFatalError
013c14cf nVision.exe uDebugFatalError 38 +19 NetVisionDebugFatalError
012b2112 nVision.exe Uvms_Monitor 20 +4 Tvms_Monitor_Starting_Requests_Thread.SyncExc
012b342a nVision.exe Uvms_Monitor 614 +7 Tvms_Monitor.Synchronize_IfNeeded
012b2698 nVision.exe Uvms_Monitor 218 +53 Tvms_Monitor_Starting_Requests_Thread.Execute
7772010a ntdll.dll KiUserExceptionDispatcher
004923e6 nVision.exe Classes ThreadProc
004068c4 nVision.exe System 448 +0 ThreadWrapper
768c3675 kernel32.dll BaseThreadInitThunk
[2010-03-19 22:32:40.073]($000014F0) Duplicate exception filtered
[2010-03-19 22:32:40.439]($000014F0) Duplicate exception filtered
[2010-03-19 22:32:40.759]($000014F0) Tvms_Monitor_Starting_Requests_Thread.ExecuteSlice: EXCEPTION:
Access violation at address 0139E130 in module 'nVision.exe'. Read of address 00000001
StackTrace not generated due to maxstack hit
[2010-03-19 22:32:41.060]($000014F0) Duplicate exception filtered
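Added example (not part of the original advisory or of Axence's code): a small triage script that pulls the Delphi access-violation messages out of madExcept reports and debug logs like the ones above, groups repeated faults, and flags near-NULL and text-like addresses. The sample input is constructed from the messages quoted above; the two flags are triage heuristics assumed here, not a statement about the root cause.

```python
import re
from collections import Counter

# Constructed sample: the exception messages quoted in the logs above.
SAMPLE_LOG = """\
exception class : EAccessViolation
exception message : Access violation at address 013B63AC in module 'nVision.exe'. Read of address 50534C99.
[2010-03-19 22:32:39.750]($000014F0) Tvms_Monitor_Starting_Requests_Thread.ExecuteSlice: EXCEPTION:
Access violation at address 0139E130 in module 'nVision.exe'. Read of address 00000001
[2010-03-19 22:32:40.759]($000014F0) Tvms_Monitor_Starting_Requests_Thread.ExecuteSlice: EXCEPTION:
Access violation at address 0139E130 in module 'nVision.exe'. Read of address 00000001
"""

AV_RE = re.compile(
    r"Access violation at address (?P<pc>[0-9A-Fa-f]{8}) in module "
    r"'(?P<module>[^']+)'\. (?P<op>Read|Write) of address (?P<target>[0-9A-Fa-f]{8})"
)

def summarize(text):
    """Return one record per distinct (fault address, accessed address) pair."""
    counts = Counter()
    for m in AV_RE.finditer(text):
        key = (m["module"], int(m["pc"], 16), m["op"].lower(), int(m["target"], 16))
        counts[key] += 1
    records = []
    for (module, pc, op, target), count in counts.items():
        raw = target.to_bytes(4, "little")
        records.append({
            "module": module,
            "fault_pc": pc,
            "operation": op,
            "target": target,
            "count": count,
            # Heuristic (assumption): the lowest 64 KB is never mapped in a
            # Windows user process, so this is a near-NULL dereference.
            "null_page": target < 0x10000,
            # Heuristic (assumption): several printable bytes hint that text
            # data was used as a pointer; it is not proof of root cause.
            "printable_bytes": sum(0x20 <= b <= 0x7E for b in raw),
        })
    return records

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(f"{rec['module']} pc={rec['fault_pc']:08X} {rec['operation']} "
              f"{rec['target']:08X} x{rec['count']} null_page={rec['null_page']} "
              f"printable={rec['printable_bytes']}")
```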
Pictures:
../1.png
../2.png
../3.png
../4.png
../5.png
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers. For demonstration or reproduction ...
../bugreport.txt
../bugreport_2.txt
../bugreport_p.txt
../nVisionDebug.log
../Setup Log 2010-07-19 #001.txt
Solution - Fix & Patch:
=======================
Bug fixed on v5.0
Security Risk:
==============
The security risk of the vulnerability is estimated as medium because it is a stable memory corruption.
Credits & Authors:
==================
Vulnerability Research Laboratory
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright © 2012 | Vulnerability Laboratory